I lost €4k in a Facebook scam (github.com/niek)
614 points by babuskov on Sept 14, 2020 | 405 comments

As someone who's fairly involved with the e-commerce/digital marketing space, let me just say I'm amazed by how brazenly nasty this scam is.

The TikTok promotional program is actually a real thing that does give around that amount of ad credit, and they have been promoting it very aggressively on Facebook for a long while now, so it makes sense that OP wouldn't have had any mental red flags triggered by the designs and creatives used by the scammers. The real killer is that PayPal is actually well within their rights to process this transaction (as part of the billing agreement generated when you link PayPal to Facebook Ads Manager: there actually was real ad spend in a real Facebook ad auction), so it's down to Facebook itself to refund the ad spend. (As an aside, I'm actually impressed that OP managed to reach Facebook support at all, and that they acknowledged or even understood what the problem was. I have had worse experiences in the past with FB...). What's really amazing to me is that the scammers managed to get on Google Play with thousands of obviously fake reviews, and get through Facebook ad review at all.

The scammer silently removing OP as an admin from their own ad account, preventing them from noticing or stopping the fraudulent ad campaign is just icing.

I suppose the real lesson to be learned is to simply avoid installing native applications when you can help it. OP didn't screenshot the login screen in app, so I can only assume it was a real Facebook oauth flow, but honestly at that point it's already too late. If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse.

> I suppose the real lesson to be learned is to

...never, ever buy or even take anything from anyone who approaches you without you being the original initiator of the communication. Simple rule that applies to both online and real world and makes your life simpler and safer.

This is an old tip my father gave me 40+ years ago that applies to banking, mortgages, insurance, investing, credit cards, and all personal finance.

Also a very good rule of thumb for recreational drugs and other illicit activities.

This is my strategy as well. If I want something I initiate a search. Incoming sales attempts do not exist in my universe.

Be careful which search result you click:


If you want to see where Google search results really point to, you can right click it and then hover over it to get the real destination... it's been like this for 15+ years (google changes the destination on-click).

Thanks, I'll be sure to explain this to all my friends and family, right after I teach them what onclick, "real destination", "hover", etc. mean.

I think that it is pretty screwed up that browsers allow this "feature"...

Just checked; and while they did indeed use to change the URL (on mousedown (!) - which was infuriating, because right-clicking to copy URLs produced a mess I'd then have to pass to data:text/plain,... in a new tab to extract the URL-encoded... agh), they currently really do just leave the link alone now.

They just fire off a request to google.com/url?... to track the click before letting you on your merry way.


That used to be my strategy until a salesman knocked on my door offering heavily discounted ceiling insulation, which is something I had half-heartedly always wanted but never got round to buying. He said my address was one chosen by the government to give a subsidy to but funds were limited so it was first come first served or risk missing out. Sounded suspicious so I checked with the government who confirmed everything the salesman said was true. I got a 2nd quote from another installer but the door-knocker was cheaper so I bought his. I wouldn't have known the subsidy was available without him and would have missed out on a genuine rare high-value giveaway.

Same with phone calls or mail. Look them up on the web and go through their web site for numbers/email addresses.

Great point. When the IRS phone call scam first came around it scared the crap out of me for a second but a quick search revealed the truth.

Also works nicely against advertising too, a good principle ;)

The sad thing is, this is simultaneously the only way to stay safe AND also the underpinning of almost the entire ad industry - and in turn about half of the money that funds what we think of as "the internet" today.

It really sucks that it seems like we've built the most important infrastructure of our generation effectively on quicksand.

There's a current scam going on right now where people are getting calls to get in on the ground floor of the "Stripe IPO"...

Really nice guideline for work. Should spread it around.

meh, he calls out the exact mistake he made. If I see an ad and like the product, I go to the domain. If the domain is legit (e.g. not developgameonline@gmail.com), you can start to feel pretty good about it. We run ads. If you google my company's name ("seekwell"), the entire first page is properties that we've owned for years. This includes podcasts and youtube videos.

It's ok for the initial pull to be an ad, but only buy from the source.

Not at all fool-proof.

What if they can register a very similar / regional domain that you didn’t set up already?

Normal rules don’t apply when you’re a criminal so spoofing SSL cert names is something you might as well do too. It’s just not practical to examine and confirm the cert manually of every company you interact with online.

These internets are dangerous, even if you know what you’re doing.

The people here posting about how clever/careful they are, which is why they haven't been scammed, are the ones I see as most likely to get scammed (if they haven't been already without realizing). You're best protection against being tricked is realizing that you can be tricked.

*your. This was the last straw. I've finally had enough of my OnePlus autoincorrecting me all the time.

> Normal rules don’t apply when you’re a criminal so spoofing SSL cert names is something you might as well do too

SAN dnsNames in certificates in the Web PKI are verified by the issuer - these days using one of the Ten Blessed Methods. It would certainly be possible to obtain certificates for a name you don't actually own, but it's a bit beyond the usual casual crooks that run scams like this. We see what appear to be nation state adversaries doing it, as part of wider targeted hijack schemes (e.g. to intercept IMAP credentials for a foreign government agency) but it's definitely not something you see an ad scammer doing.

Any vaguely competent modern browser checks the certificate is trusted in the Web PKI and that it matches the SAN dnsNames to the FQDN in the URL exactly so there's no room for any funny business there.

And human readable names in end entity certificates are largely irrelevant. Nobody looks at them, who cares?

You are replying to a point that the GP didn't make. This was the precursor for the might-as-well-go-for-letsencrypt statement:

"What if they can register a very similar / regional domain that you didn’t set up already?"

In other words, they register fakebook.com and then just go get a TLS cert for it. If you're not looking carefully, you might not notice the difference.

Whether the CA system, with fungible, interchangeable certificates that can be issued by dozens of CAs (pinning excepted), is worth sinking lots of trust into is an entirely different matter ;)

The Web PKI does a pretty good job of making the web browser do what lay people assume it did anyway. Surely this is news.ycombinator.com or else why does it say so in the URL bar? Without the Web PKI there was no assurance of that whatsoever, which is not intuitively obvious.

But a very similar domain is the wrong domain. This is not a great novelty, people are aware that a ROJEX watch isn't the real deal, no surprise Fakebook isn't the social media site you actually wanted either.

In terms of authentication, this is where WebAuthn shines because it's tied to that actual domain name. Even if you're 100% dead certain this is really Facebook, your WebAuthn authenticator can't help you. There is no "Look, I know the URL says Fakebook, but ignore that, I am 100% sure this is really Facebook, just shut up and take my money" button.

So my point was that having news.ycombimator.com in the title and address bar is not going to flag anything if they both match and have an SSL cert that's been signed by an authority.

Probably more relevant is that if I have registered luxowatch.com to sell my lovely watches, but am a small store, I certainly won't have registered (as yet) a bunch of global domains. There's nothing stopping you registering luxowatch.co.uk or luxowatch.net with a valid SSL cert to scam my potential customers. Cloning my site to one of those domains (with cert) can be done almost instantly for close to zero cost.

You're proving my point, Google the company's name. I'd like to see an example of a fake company you can Google and get good results on.

> OP didn't screenshot the login screen in app, so I can only assume it was a real Facebook oauth flow

My guess would be that it was an in-app phishing page. Many legitimate login flows result in the official login page opening in a web view and asking for a password, which is indistinguishable from a phishing page.

> but honestly at that point it's already too late. If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse.

On phones, sandboxing significantly reduces the risk. Yes, it is possible to break out of the sandboxes if you have an exploit for that device, but it's a lot harder than on desktop where by default anything you install has full control over everything and could just steal all the user's passwords.

> Many legitimate login flows result in the official login page opening in a web view and asking for a password, which is indistinguishable from a phishing page.

I don't understand how Google/Facebook/etc can allow this to happen, let alone encourage it. I'm just baffled.

AFAIK Google doesn't encourage it and made some efforts to block it: https://auth0.com/blog/google-blocks-oauth-requests-from-emb...

Hasn't been 100% effective unfortunately, and even if it was, it's really hard to make users understand that this flow is incredibly dangerous.

And while Google on Android can simply go through system libraries, Facebook doesn't have the option if the app is not installed. They have to open something that will allow the user to log in (usually a browser), which is something the app can fake (in the case of the browser, just fake the whole browser UI, fake address bar included).

I misunderstood the part I quoted, I thought it was about web pages asking you to log in via Google/Facebook. So the problem I was thinking of is more generally entering Google credentials into logins provided to us by a third party. The "don't use the link in your email to log into google, go to gmail.com instead" advice has been seriously degraded by this. It should always be that if you aren't already logged in, you have to go yourself to gmail/facebook/etc and log in there.

It wasn't oauth, it was a normal facebook login. The application didn't fake anything, but simply extracted the session cookie after login.

How could they prevent it?

Ban apps that do that.

And how are they supposed to do that? If it's a fake login (aka phishing) page facebook wouldn't even know about it. The only effective way is to dissuade consumers from entering their login credentials in-app, but even that's tricky because if it's a malicious app they could "fake" a web browser complete with a fake "address bar".

This is why "with a password manager" is a crucial part of the puzzle.

You have to fail at several steps if you're entering your credentials in this scenario.

They're supposed to ban the legitimate apps, so as to not normalize the interface that leads to phishing attempts. Right now, it's totally encouraged by google to enter your login credentials by clicking "log in with google" at a random site and just typing into the fields presented to you.

I'm curious if the OAuth flow requested a specific scope to have permission to remove the user from their Ads account. If so, did Facebook make it clear that the permission was being requested?

I must say that it was a pretty clever scheme.

Permissions scoping is a really under-utilized tool.

I see this most often with extensions, which usually want to act on all domains when they should really need an allow list of just 1-2 domains. There are also many app integrations that use an API token that just straight bypasses login with NO security restrictions.

I would use a lot more app integrations if I knew I could trust the host platform to keep the apps honest.

I think we're missing a lot of innovation because we lack secure and reliable integration points between commodity services. Banking and Health are the most obvious issues. It should be trivial for me to authorize a third-party app to download transaction history from any bank without giving it the ability to change anything. I should be able to assemble my entire medical history by pulling from any medical office I interact with, and push that to any provider I choose to use.

There are lots of industry incentives to prevent this though. It's just like the Cable Card saga. You need strong, un-captured, technically-literate regulators to fix this stuff and unleash broader innovation.

It's possible that the attack didn't happen through the regular oauth credential request flow — if the OP logged in to Facebook inside of an app-controlled webview, the app could have just exfiltrated the user's login cookie and performed the change using "first-party" Facebook APIs.

The problem with many attacks is we've now been trained to do dumb things - like putting our password into webviews inside 3rd party apps - by reputable companies. So it doesn't feel as insane as it should do.

Yes. A thousand times yes.

OAuth outside a browser is just training people to be phished.

It's not just limited to webview's and tech companies.

When my bank calls me up about an issue with my account, they won't talk to me unless I give them my date of birth and email address for 'data protection' purposes.

They're always really confused when I say I will have to call them back.

This is what I think too. WebView doesn't show the domain of the page, and it is not possible to see if you are really on the Facebook login page, or somewhere the attacker controls. Unless the attacker was using Yubikey or some sort of hardware token, the victim would have entered the TOTP code too, which the attacker can ask for and pass on to authenticate successfully.

How does a YubiKey prevent that kind of relay attack? If those keys blindly sign whatever's given to them, there's got to be a way to trick a user into signing something malicious.

This [1] says that U2F avoids phishing by having the browser tell the 2FA device the domain, but that seems a bit weak to me. The same site even has an app where the info is relayed via a browser plugin, so literally relaying the data that's supposed to be trusted. The only way I can see that actually working is if the security key knew to only sign challenges for a specific domain.

1. https://krypt.co/blog/posts/prevent-phishing-on-the-web-with...

The security of the browser implementation is important. It provides the origin for the security hardware to sign, and the authenticating server ("relying party") verifies it. If your browser tells the key it's google.com when it's really evil.com, then sure, you can log into google.com if the user signs the request.

The WebAuthn spec says: "Direct communication between client and authenticator means the client can enforce the scope restrictions for credentials. By contrast, if the communication between client and authenticator is mediated by some third party, then the client has to trust the third party to enforce the scope restrictions and control access to the authenticator. Failure to do either could result in a malicious Relying Party receiving authentication assertions valid for other Relying Parties, or in a malicious user gaining access to authentication assertions for other users."


If you click further into the older FIDO spec, they cover this more explicitly: "Malicious software on the FIDO user device is able to read, tamper with, or spoof the endpoint of inter-process communication channels between the FIDO Client and browser or Relying Party application. Consequences: Adversary is able to subvert [SA-2].

Mitigations: On platforms where [SA-2] is not strong the security of the system may depend on preventing malicious applications from being loaded onto the FIDO user device. Such protections, e.g. app store policing, are outside the scope of FIDO."
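The relying-party side of what the two spec passages above describe, as an added example that is not from the thread, the WebAuthn spec, or any vendor's code: the server checks that the origin the client wrote into clientDataJSON and the RP ID hash the authenticator put into authenticatorData both name its own site, and that the challenge is the one it issued. All names (facebook.example, fakebook.example) and byte values are constructed for the demo, and the signature check over authenticatorData and the hash of clientDataJSON is assumed to happen separately. Note what the code cannot do: it only verifies what the client reported, which is exactly why the spec insists on direct client-to-authenticator communication.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding used inside clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_scope(client_data_json: bytes, authenticator_data: bytes,
                           expected_rp_id: str, expected_origin: str,
                           expected_challenge: bytes) -> Tuple[bool, str]:
    """Origin / RP ID / challenge checks for a WebAuthn 'get' assertion.
    Returns (ok, reason). The signature check is assumed to run elsewhere."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The browser records the origin it observed; the RP demands its own.
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % client_data.get("origin")
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "challenge is not base64url"
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (possible replay)"
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4) || ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        return False, "rpIdHash mismatch: credential is scoped to another RP"
    if not authenticator_data[32] & 0x01:      # UP flag: user presence
        return False, "user presence not asserted"
    return True, "ok"


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, shaped as a browser would produce it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: the key hashes the RP ID the client handed it."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


def demo() -> Tuple[bool, bool]:
    """Genuine site vs lookalike site, both against the real RP's expectations."""
    rp_id, origin = "facebook.example", "https://facebook.example"   # constructed RP
    challenge = bytes(range(16))
    genuine, _ = verify_assertion_scope(
        build_client_data(origin, challenge), build_authenticator_data(rp_id),
        rp_id, origin, challenge)
    # On a lookalike domain an honest browser reports that origin and scopes the
    # credential to that RP ID, so the real RP rejects the assertion outright.
    lookalike, _ = verify_assertion_scope(
        build_client_data("https://fakebook.example", challenge),
        build_authenticator_data("fakebook.example"),
        rp_id, origin, challenge)
    return genuine, lookalike


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same routine would accept an assertion produced by a compromised client that lied to the authenticator about the origin, which is the residual risk the FIDO threat-model text calls [SA-2]; the checks above cover the lookalike-domain case, not a malicious client.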


I learned a lot from that. Thanks!

When you do a login with Facebook, does the popup show you what permissions are being requested? I know I've seen that before.

I fell for a (now) very obvious scam on Instagram. It seems to me that it's really easy to bypass their checks. It was a fake ad for a real product. They accepted PayPal and it took forever to get PayPal to refund me. Worse yet, even after multiple escalations PayPal continued to be on the website. Instagram continued to show me ads for the exact same product from different domains. I realized that PayPal is next to useless if you're a victim of fraud. It's much better to use a credit card directly (esp Amex or Discover) and challenge fraud than PayPal.

I use PayPal as a front to my bank account via SEPA Direct Debit, which has an 8-week no questions asked refund policy. If PayPal doesn’t cooperate when I raise the issue I can easily get my money back through my bank. But I still like to dispute just so the business goes on record for fraudulent transaction.

You should be careful relying on that. While many Direct Debit systems have some sort of quick refund guarantee, they don't guarantee that you get to keep the money.

The normal flow will be your bank reimburses you from their own pocket. Then it goes after the merchant to recover the funds; however, if the merchant can present evidence that the charge is valid then your bank will attempt to claw the money back from you.

Now the important question here is what is a "valid" payment. Normally the direct debit scheme will outline what that is, and it is probably something very simple like there's evidence that you requested the funds be removed from your account. With something like PayPal they can probably claim that the request was valid, at least the bit between PayPal and the bank was, and that the onwards movement of money is a separate issue that doesn't fall under the direct debit guarantee.

It's worth really digging through the small print on these things, they're frequently a lot less helpful than you think, and PayPal has managed to exploit these little holes to their benefit.

Personally I avoid using PayPal where possible and stick to debit/credit card where you have a very simple relationship between you, your bank and the merchant. Which makes disputes much easier, and places the law very much on your side. All this comes from experience dealing with disputes from the banks perspective, and trying to get the right result for the customer, while dealing with payment schemes, and regulatory obligations.

Good call. I was referring to SEPA Direct Debit. I should have been clearer. With SEPA Direct Debit, I get an 8-week no questions asked refund, regardless of the nature of the business. In fact, I've used it to recover money from government agencies and businesses that auto-renewed annual contracts without my consent.

In the US, debit cards do not have the same consumer protections that credit cards do. If you’ve gotten refunds from your bank for debit card fraud, you are lucky.


“But if the item was bought with a debit card, it cannot be reversed unless the merchant is willing to do so. What is more, debit card theft victims do not get their refund until an investigation has been completed. Credit card holders, on the other hand, are not assessed the disputed charges; the amount is usually deducted immediately and restored only if the dispute is withdrawn or settled in the merchant's favor. While some credit and debit card providers offer zero-liability protection to their customers, the law is much more forgiving for credit card holders.”

Direct debit is not a debit card. It's an authorisation to pull funds from your debit account as needed.

If that’s what he’s doing, that’s even worse than a debit card in terms of risk and lack of protection.

It might help to read a little about how SEPA Direct Debit works. To begin, it's a European scheme, not American. Not every merchant can sign up for SEPA Direct Debit. They need another bank to be their guarantor (called your SEPA Direct Debit Creditor). When I have issues with a transaction and order a refund within 8 weeks of the transaction, I get my money back, no questions asked. I've used this to recover money from all sorts of businesses and government agencies.

The business can only dispute if I requested for my money back _after_ the 8 weeks. That's when the evidence and back-and-forth with the business comes in.

I recently made a purchase that turned out to be fraudulent on paypal, and somehow had no trouble getting my money back relatively promptly. It may have taken about a week from when I filed "I never got the product, I think the whole website was fraud".

Be careful, you can still get scammed here. I got hit for a $75 scam product that I bought with my CC, mistakenly thinking I would be protected. The scammers knew what they were doing though. They ship you a super super super cheap version of the product from china, taking advantage of those low low China -> US shipping rates, so that they have certificate of delivery. So you can't say you never got the product. And in that case, both paypal and the CC company require that you send the item back. Shipping the item back to china costs more than the item itself. So there's no point. Scammers won.

Maybe it's because the banks are all pretty good and modern in Canada, but I honestly just don't get PayPal. My credit cards are all very easy to pay with, fraud detected quickly and easy to dispute, and many purchase types insured.

"If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse."

I don't understand why any of these actions would be taken with a mobile phone ...

What I mean is, managing advertising campaigns and budgets and managing assets and spend, etc., is kind of a complicated workflow ... further, it's a fairly critical business process involving a lot of money.

I can see ordering some workroom supplies or paying a hosting bill with my phone ... but creating and managing ad campaigns ? That seems very unwieldy and inefficient. Google adwords, through the web based interface, is very complex and there's a lot of functions there. I can't imagine trying to do this on a phone.

So what am I missing here ?

It's not that unreasonable. When I am on the road, it can be days between sitting at a desktop. If I can do something on my mobile, I'll do it, or try.

I don't get involved in ad buys.

Laptops exist as a very efficient middle way between a desktop and a mobile phone: all the desktop functionality and the benefit of mobility. This is not an ad :p

Yeah, except I cannot always carry around my laptop, as my small mobile is already heavy enough.

I don't understand the need for snark here on your part, do you not think I have already considered it?

By "desktop" I meant "desktop environment".

> so I can only assume it was a real Facebook oauth flow,

another reason why we should be training users to only do OAuth in a browser with a password manager.

It's one last solid line of defence.

OAuth in a native app is a security risk.

That's not a silver bullet though. If the password manager does a poor job of domain matching, the user gets accustomed to having to manually search for logins once in a while.
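How a password manager's domain matching decides whether to offer a saved login, as an added example that is not from the thread or from any password manager's code. It uses the luxowatch.com store from the earlier comment as the saved site and constructs the kinds of hosts that comment says a scammer can register without the owner's involvement; the small suffix table stands in for the Public Suffix List, which a real product ships in full.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: enough for the demo).
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk", "test"}


def registrable_domain(host: str) -> Optional[str]:
    """eTLD+1 of a host ('shop.luxowatch.com' -> 'luxowatch.com'), or None when
    the host is itself a public suffix or ends in a TLD we do not know."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def credential_matches(saved_url: str, current_url: str) -> bool:
    """Autofill rule: the page must be https and its registrable domain must equal
    the one the credential was saved for. Other subdomains of that site qualify;
    lookalike, sibling-TLD and brand-in-subdomain hosts do not."""
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    if current.scheme != "https":           # never hand a password to a plain-http page
        return False
    saved_dom = registrable_domain(saved.hostname or "")
    return saved_dom is not None and saved_dom == registrable_domain(current.hostname or "")


def autofill_decisions(saved_url: str, pages: Iterable[str]) -> Dict[str, bool]:
    """For each visited page, whether the saved credential would be offered."""
    return {url: credential_matches(saved_url, url) for url in pages}


# Constructed inputs: one saved login and the pages a user might later land on.
SAVED = "https://www.luxowatch.com/login"
PAGES = [
    "https://shop.luxowatch.com/checkout",      # same site, different subdomain
    "https://luxowatch.co.uk/login",            # sibling TLD, anyone can register it
    "https://luxowatch.net/login",
    "https://luxowatch.com.evil.test/login",    # brand stuffed into a subdomain
    "http://www.luxowatch.com/login",           # right host, no TLS
]

if __name__ == "__main__":
    for url, offered in autofill_decisions(SAVED, PAGES).items():
        print("fill  " if offered else "refuse", url)
```

The registrable-domain rule is the middle ground the comment is after: matching on a substring would fill the clone sites, while matching on the full hostname would refuse shop.luxowatch.com and teach the user to search for the entry by hand, which is the habit that gets exploited.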

Agreed. Not perfect but much better than nothing.

> The scammer silently removing OP as an admin from their own ad account, preventing them from noticing or stopping the fraudulent ad campaign is just icing.

This hints at not having 2 factor authentication anywhere in the chain?

Would definitely advise to set up 2 factor authentication on anything managing 5 figure sums.

How would that help? They were removed via the API, no passwords were stolen.

2FA is how you protect your credentials from being stolen and used. This wasn't a case of credentials being stolen, this is a case of someone being tricked into authorizing a separate account to take action. The hacker didn't change his credentials to lock him out, it literally revoked the access of his Facebook login to the ad account.

I'm using "login" and "account" specifically here to highlight the difference. On systems where there are likely to be multiple people that need access, there's a distinction between the "service account" and "logins or user accounts" that can control it. Generally, when the service account is created by a login, that login is added implicitly as a controlling user account with full privileges, and other user accounts (logins) can be added with varying levels of control. This situation appears to have been along the lines of the following:

1. User "real_user" creates facebook ads account id 123456, and real_user is the admin of the ads account id 123456.

2. At some point real_user adds "scam_user" to the facebook ads account id 123456 with full admin permissions.

3. scam_user uses the full admin permissions it has for facebook ads account 123456 to remove access for real_user.

Note that this is a fully legitimate and common action to take in systems like this. If you are a business and pay someone to manage your facebook ads, they are likely the admin on the account (and you may be too), and if they leave and you hire a new person to manage it, you would want to revoke the old employee's account access and add access to the new employee's account.

This is how you handle it on Google Suite, Zoom's business accounts, Active Directory in Windows domains, etc. The real problem here is that the scammer got enough permissions to revoke the original user, and the original user did not get an email notification. I'm not sure if facebook ads allows adding accounts with limited permissions so only certain actions can be taken and part of the scam was making the permissions asked for non-obvious, or if that's a permissions distinction facebook ads doesn't support.
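A minimal model of the service-account versus login distinction laid out above, as an added example that is not from the thread or from Facebook's code, replaying the three numbered steps with the two safeguards the comment says were missing: the owner is notified whenever an admin is added or removed, and a delegated admin cannot revoke the account's creator. Both safeguards, the role names and the revert token are design assumptions made for the demo, not a description of how Facebook Ads actually behaves.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


class PermissionDenied(Exception):
    """Raised when a login lacks the role an action requires."""


@dataclass
class AdAccount:
    """The shared service account; logins hold roles on it rather than owning it."""
    account_id: int
    owner: str                                            # login that created the account
    roles: Dict[str, str] = field(default_factory=dict)   # login -> "admin" | "analyst"
    audit_log: List[str] = field(default_factory=list)
    outbox: List[dict] = field(default_factory=list)      # notifications that would be emailed

    def __post_init__(self) -> None:
        self.roles[self.owner] = "admin"                  # creator is implicitly a full admin

    def is_admin(self, login: str) -> bool:
        return self.roles.get(login) == "admin"

    def add_member(self, actor: str, login: str, role: str) -> None:
        if not self.is_admin(actor):
            raise PermissionDenied(f"{actor} is not an admin of account {self.account_id}")
        if role not in ("admin", "analyst"):
            raise ValueError(f"unknown role {role!r}")
        self.roles[login] = role
        self.audit_log.append(f"{actor} added {login} as {role}")
        # Assumed safeguard 1: the owner hears about every new admin, including ones
        # added under the owner's own login by an app acting on its behalf.
        if role == "admin":
            self.outbox.append({"to": self.owner, "event": "admin_added",
                                "login": login, "by": actor})

    def remove_member(self, actor: str, login: str) -> str:
        """Revoke a login's access; returns the revert token mailed to that login."""
        if not self.is_admin(actor):
            raise PermissionDenied(f"{actor} is not an admin of account {self.account_id}")
        # Assumed safeguard 2: nobody removes the creator; that takes an explicit
        # ownership transfer, which this demo does not model.
        if login == self.owner:
            raise PermissionDenied("the account owner cannot be removed by a delegate")
        if login not in self.roles:
            raise KeyError(login)
        del self.roles[login]
        token = secrets.token_urlsafe(16)
        self.audit_log.append(f"{actor} removed {login}")
        self.outbox.append({"to": login, "event": "access_removed",
                            "by": actor, "revert_token": token})
        return token


def replay_scenario() -> AdAccount:
    """Steps 1-3 from the comment above, run against the constructed safeguards."""
    acct = AdAccount(account_id=123456, owner="real_user")   # 1. real_user creates the account
    acct.add_member("real_user", "scam_user", "admin")       # 2. full admin granted via the app
    try:
        acct.remove_member("scam_user", "real_user")         # 3. the lock-out attempt
    except PermissionDenied as exc:
        acct.audit_log.append(f"refused: {exc}")
    return acct


if __name__ == "__main__":
    account = replay_scenario()
    print("\n".join(account.audit_log))
    for note in account.outbox:
        print(note)
```

Step 2 still succeeds in this model, because granting admin to another login is the legitimate delegation the comment describes; what changes is that the grant produces a notification to the owner the moment it happens, and step 3 is refused instead of silently locking the owner out.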

Maybe the oauth scope requested edit access to the FB business manager? That way the scammer can remove OP from the business and add himself via the API

I was surprised too since OP's writeup indicates that he has 2FA on everything. You would think that you'd at least get an email or push notification if you get removed from an ad account/notification settings get changed, so it seems like an oversight by FB.

Hardly anybody does the "when changing an email address on an account send an email to the old address to allow them to revert the change and temporarily lock the account". It seems like such an obvious thing to do.

> I suppose the real lesson to be learned is to simply avoid installing native applications when you can help it.

I looked at the playstore page and it immediately raised many red flags. The app isn't by Tiktok or Bytedance.

It's like clicking on a similar looking domain link in your email.

> avoid installing native applications when you can help it

Why couldn't a web site have stolen his credentials in the same way?

I guess you’ll have a better chance to spot the URL is fake than in an app where you won’t see it

And notice that you're logged out which is unusual in many cases.

And a bunch of other potential signals that would be missing in a native app.

It's not foolproof but it's a step forward.

The real lesson is to install ublock origin and be done with deceptive advertising.

Last time I tried to find nvidia drivers for Windows, the 1st result was an obvious scam/crapware. It is not acceptable that big tech companies are making money while not taking responsibility for advertisements.

Is this something that could have just as easily happened through Apple's app store? This sounds like exactly the type of thing that those 30% app store cuts should be going towards to prevent (regardless of the platform).

To me the lesson is the same old basic web security practice: don't click links, navigate to pages yourself. When he saw the ad that interested him he should have googled the offer instead of clicking on the ad.

Tiktok is giving away $3K in ad credit per customer? And the regular price isn't massively overpriced?

>Sure, the developer name "Develop App" sounds strange and should I have looked better, the developgameonline@gmail.com developer email and com.acazira.tforbusiness package name would have definitely raised some concerns.

Come on, dude.

I will say that even the most experienced techies among us sometimes become complacent and let our guard down. It's exhausting having to constantly second-guess every application you want to run.

(Not interested in starting another platform flame war, but this is the main reason I don't use Android. I deal with enough paranoia running Windows daily. Maybe I'm misinformed, but I'm also probably not unique in this respect)

I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business ?

>I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business ?

I bet that it is possible to slip through the review process however there's also a safeguard on the developer account creation. Apple wouldn't let you create a developer account using vouchers, PayPal or prepaid cards, at least not from countries where scams are commonplace. Also you would be asked to provide documentation of company registration to have an account named “Develop App”.

It is a common theme on HN to trash Apple on its "draconian restrictions" but the reality is that Apple AppStore is a safe place to be. You don't have to study the App before downloading it, you first download then decide if you want to keep it and security is never a concern. The Apple tax is something I am happy to pay for that luxury.

I am a developer and I have no idea what com.acazira.tforbusiness means. What keeps it from being com.toktik.forbusiness?

On AppStore this is something that you type yourself on the project configuration screen in Xcode and I don't remember reading any restrictions about it, only a recommendation to use reverse domain name notation to prevent conflicts.

> I don't remember reading any restrictions about it

You can never change it. This is how you get com.toyopagroup.picaboo (Snapchat) or com.yourcompany.TestWithCustomTabs (AccuWeather).

Haha, this possibly explains why the accuweather app is not the best made app ever.

This is too funny. Thanks for sharing!

Thank you for sharing. This is hilarious!

I will second this "security as a tax is well worth it" mindset, I'm a programmer, and like to think I'm security savvy, but I CANNOT babysit my non-tech-savvy wife 24/7 and having her on iphone / macbook is a weight off my shoulders as far as appstore security, as married assets are shared assets and the "weakest link" plays in the security arena...

I’m a programmer who has taken graduate classes in Security Analytics, and I have a hard time convincing myself that I’m security savvy.

It’s such a cat and mouse game that has massive jumps in acceleration when it comes to ‘novel’ ways attackers create new exploits.

Having Apple taking it seriously even for people like me is a huge win.

No matter how much you learn, you will still never know what you don’t know. A zero day is by definition something you don’t know, and therefore we recognize that there is some futility in trying to defend against everything that ever was and all that ever will be.

There's a decent case for using anomaly detection in an attempt to solve some zero day attacks. The idea of not knowing what you don't know can be used in such scenarios. I 'know' what looks right, and I won't allow for anything that doesn't look right. That doesn't solve all problems, but can certainly cut down on a large amount of them.

What I did see a lot of in the case studies/readings/etc., though, was that seemingly any time advancements were made in one area, closing off particular patterns or styles of exploitation, the energy and resources would switch to another domain, and there's a mad scramble to solve it.

Just my two-cents, and a bit off topic.

> I 'know' what looks right, and I won't allow for anything that doesn't look right.

The way I view it, it's sort of like when a player glitches themselves outside of the boundaries of the level in a video game and is able to bypass all the battles the game has in store for them and walk directly to the objective. Anomaly detection only works if they are playing inside the realm of the system, but if something manages to break out of the sandbox then detection can be bypassed because it was never a condition thought possible and therefore not checked for.

For example, you can have code to detect abnormal HTTP requests, but if there is a vulnerability in a webserver's memory management of reading bytes from a socket then it allows the attacker to "break out" of the system before you can detect it. Now you might be saying, well, we can detect when they breach memory, but it just creates another cat and mouse game at a different level. This all assumes there are no bugs in the anomaly detection systems themselves.

Apple takes it more seriously than the Windows teams do, sure.

That's not to say Apple is perfect. Their "root"/"" login bypass zero-day was absolutely unacceptable, even compared with Microsoft's problems.

Other than that, I'd trust an Apple device over a windows device any day of the week.

That's a key part of the security landscape that many techie users just don't seem to get. Maybe you'd like to be able to run your own code natively without jumping through a bunch of hoops, and distribute code you wrote without it having to be blessed by some megacorp that might not care too much about you. And maybe you're doing nothing but good and useful things when you use those abilities.

But there are a ton of bad actors out there who will also use those abilities to scam and steal. You can stereotype it as only clueless users falling for that, and there's even a little truth to it, but 1. Some are quite good and nobody is perfect, you can still get scammed yourself, and 2. It seems not cool to just write off everybody who isn't a tech expert, throw them to the wolves, blame them for falling for any scams.

> That's a key part of the security landscape that many techie users just don't seem to get.

I get it. And I don't think the threat justifies handing complete control of our computing environments to a single corporation.

> But there are a ton of bad actors out there who will also use those abilities to scam and steal.

Bad actors often set up fake websites. Should computers and phones have mandatory browser filters so you can only go to approved sites?

> Bad actors often set up fake websites. Should computers and phones have mandatory browser filters so you can only go to approved sites?

Well they don't, but browsers do spend an inordinate amount of effort trying to make sure that bad websites can't do anything other than show you things. I'm pretty sure that all of the browser vendors will pay 5-6 figure sums for any exploit chains that would allow a website to do things like read files without permission or execute code on the OS. And people regularly complain about the ever-tightening restrictions on what websites are allowed to do.

That's also the case for apps though, at least on iOS apps are sandboxed almost as well as web sites to my knowledge.

What a false dichotomy. I don't see a problem with the way Microsoft handles it, allowing you to run unsigned apps but only after clear warnings about the consequences and a moderately obscured install button. People ignoring these warnings without understanding them are not being thrown to the wolves, they're consciously deciding to do something they know to be dangerous. Apple's upcoming blocking of anything they don't approve of on macs is not an okay solution to this.

False dichotomy.

Google could up its Play Store review process, and not installing from outside the store would then result in the exact same security advantages you're talking about, while still letting you install from third party sources if you're a power user.

Google probably could implement similar security. But the problem is as of today, 2020, they don’t.

Yes, but it's not because Android allows sideloading that the Google Play store is poor quality. Apple could allow sideloading and still have a better quality app store.

But until they do, the dichotomy isn’t false.

This doesn't preclude there being competing app-stores on the platform, though. I'm glad Apple's is the way it is (overall). And if alternatives popped up I would probably mostly stick with the first-party one. But having an alternate channel means you can circumvent Apple's review process when they're being especially unreasonable, and the competition would probably force them to improve their own offering as well. Everybody wins (except maybe Apple).

It's not necessary nor useful to create a false dichotomy. The safety of the AppStore may be a reason to have a strict review policy, but it should not become an excuse to abuse that policy. The price tag of safety is certainly some amount of freedom, but it's worrisome that people are learning to accept this without also distinguishing when this relationship is being usurped for other means.

If something simply doesn’t exist, how reasonable is it to assume that it could exist? How am I supposed to differentiate the statement that something could exist from fairytales?

Not being an Android user and not being familiar with the Play Store, I might have glanced over "Develop App", having internally misread it as "Developer App" and thinking it was a category, not the developer's name.

> I might have glanced over "Develop App" having internally misread it as "Developer App"

I bet many thousands of people on HN would have done the same thing.

I think it's an issue with reading comprehension. In general, comprehension seems to have plummeted in the last five to ten years. I send people e-mails asking two questions, and only get the first one answered. People read a headline and think it means something other than what it says. Flamewars erupt online over something that nobody actually wrote, but someone thinks they saw.

It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.

Or, if I can put on my old man hat, maybe it's just that people aren't as good at reading as they think, and that if people looked at a book half as often as they look at their telephones, they might get some good reading practice.

It is also the case that people aren't as good at writing as they think. I've seen people write pages and pages of text to say a few simple things, not separate the important from the unimportant, etc., and then wonder why others don't take 15 minutes out of their busy day to read the incessant, flavorless text until they find the actual point.

A good way to write text where you're going to ask people for stuff is to write it in a top-down manner, where first of all you mention "I want X", then you quickly summarize what exactly you want and why, and then write a more detailed paragraph on the various nuances, always making sure to cut everything down to its absolute essentials.

I really like that style. It's related to the Inverted Pyramid style in journalism, meaning others have thought a lot about how to get important information up to the front of a piece of writing.


I learned about this in journalism class in high school over 20 years ago and it's still one of the most valuable lessons I remember from high school. As someone with ADHD, I really appreciate when people follow this style.

Blog articles, especially on Medium, are really bad about this. I've clicked on headlines about an interesting topic only to find the article not even mentioning the topic from the headline until 2/3 of the way into the article.

I didn't know it had a name, thanks!

> I've seen people write pages and pages of text to say a few simple things

Heh...reminds me of a couple anecdotes from my days in school.

Sometimes, as we were being handed back tests/quizzes that had some questions that required a couple of sentences to answer, there'd be times where I did exactly that. I wrote only a couple of sentences. Meanwhile, I'd glance at the person next to me to discover that they had written two entire paragraphs. I got marked as having a correct answer with only two sentences, so what the hell were they writing about?

Then I had a teacher who, before the final exam, said that every question could be answered in four sentences or less. If you wrote several paragraphs, you would lose points for wasting his time, even if your answer was correct.

> In general, comprehension seems to have plummeted in the last five to ten years. I send people e-mails asking two questions, and only get the first one answered.

OMG, this happens to me all the time, and I don't even use email as a primary communication mechanism. It's so frustrating. I think the case is that people are reading and responding to emails on the go on their phone and so don't have/take the time to write a full response.

In the "old days" it was appropriate to answer emails by leaving a partial quote in place and responding below that for each answer. Something changed (I blame Outlook) and now that never happens.

> It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.

I think it is the former. I'm perfectly capable of reading a poem or code word-for-word, but as soon as I'm in my browser something "clicks" and I'm just skimming text. It is usually completely subconscious, but while reading your comment for example, I realized I was only reading half of each sentence.

> I send people e-mails asking two questions, and only get the first one answered.

This has been bugging me for at least 10 years, and also extends to IM. If it's IM, I ask one at a time.

If it's email, I either have to ask one at a time, form the two questions into one, or turn it into a sandwich - question 1, question 2, rephrase question 1.

What I really want to do is grab them by the shoulders and shake them, shouting "You saw the second question - yes?!?!"

> It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.

One aspect is that it's a parasitic efficiency increase. The 80/20 rule applies here; you can answer 80% of the emails by skimming. If you just don't handle, or poorly handle, the 20% of the emails that take 80% of the time, you get a bunch of time back.

I also think that the overload comes from notifications, not general information. We get a crazy number of notifications from our personal devices (and many/most people check them), and during the work day that's compounded with all the systems at work that send notifications. I think that we've subconsciously taught people to work between the notifications. It can feel like if you don't respond to them in real time then you might end up with an insurmountable backlog of notifications to handle, so people have acclimated to handling them in real time. Each time someone responds to an IM, a mental timer starts, counting down how long it is until it thinks the next notification might come. Or, conversely, you're in a notification lull, and you start thinking this is your only time to get anything done towards the sprint, so you smash out fast responses to the notifications you do get, trying not to break your train of thought.

Others may have different experiences, but I get notifications from so many systems and people that it can be overwhelming. And the tools we are offered to manage it suck. Slack's notification settings are better than what I had before with Lync, but they're still lackluster. Email has the best filtering record so far, but it is also by far the most abused by tools.

Some things I would love to see in a chat system:

* Chat and notification filters based on whether the user is a bot or not
* A sane "handle this later" queue or some kind of integration with a task manager to let me click to create a ticket
* A way to communicate busy-ness through my status. Either a level I can manually set, or a system that can guesstimate it (i.e. "curryst has 8 active private chats right now") so we can all gauge whether what we need is that important right now
* Customizable options to batch notifications. I would love it if I could have Slack batch my notifications and just send me one notification per minute that says "3 new messages"

My holy grail is if they would let me write my own functions to determine whether to notify for an event, batch it into the next batched notification, or not alert at all. Most of these desktop clients are in Electron anyway; just let me pass it a path to a JavaScript file that exports functions to filter notifications.

Being an Android user, I looked for the developer's name, saw "Develop App" and thought it was a category and I was just mistaken about where on the page the developer's name was supposed to be. This was all instinctive, I didn't sit down to think about it, though.

It doesn't help that the developer name and category have the exact same visual style, I guess.

Exactly this, it doesn't really stand out. Obviously I wouldn't have installed the app if I had noticed.

I wasn't trying to excoriate you for your mistake, so I apologize if that's how it comes across.

I did try to modulate the harshness of "Come on, dude" with the rest of my comment. Like I said, sometimes we let our guard down. So it's understandable if you got fooled.

In hindsight there are more red flags in just that screenshot ("More by Develop App", obviously fake reviews to point out just two), but God knows I've clicked through installs for shit apps on iOS many times.

No worries, no offense taken.

I still can't believe I fell for this; as I said, I have 2FA on all accounts and I'm normally very cautious. I guess it's a combination of all the factors here at play: Facebook allowing a fake TikTok Ads advertiser, the ad looking very legit (referring to an existing ad credit program), Google allowing a fake TikTok Ads app with fake reviews, and not getting any notifications until the amount was charged from my PayPal account.

FWIW, given the surrounding context, I interpreted "Come on, dude" as an exhortation for the author to cut themselves some slack. I agree that 100% correct 100% of the time is an exhausting bar to maintain, and one that we should be working very hard to ease.

I think it's worth pointing out that the difficulty / impossibility of achieving that bar (at least in the general case) is one of, if not the central tenet of Christianity, ostensibly the dominant religion of the West for something like 1500 years. Regardless of one's metaphysical beliefs, it's worth remembering that arguments for the necessity of grace and slack in positive interactions have a long historical precedent, and I find we ignore them at our peril.

I didn't notice it the first time I looked either :-(

Bad spelling and grammar used to be a great indicator of something being amiss, but the volume of it in legit business these days has made me so desensitized that I didn't even blink at this one.

The big red flag I saw was that “Tik Tok” is in the wrong font in every screenshot.

The gmail address as a red flag yes, but the package name? Nah.

Given that a lot of companies outsource app development to third-party companies that in many cases mostly reskin and extend an existing app that they sell to many clients, a package name that could be from a development shop likely wouldn't cause concern.

Sure, TikTok has a significant in-house development staff, but they're focused on the backend and client apps, and Sales and Marketing may not have much access to them. It may be much easier for those departments to fully outsource that development to a vertical-market vendor, particularly if it's SaaS and the resulting app(s) aren't integrating with internal systems except via downloaded CSV files.

And literally nothing stops someone from creating a tiktokforbusiness domain and fixing the developer name.

I believe they are saying they didn't NOTICE the "developgameonline@gmail.com developer email and com.acazira.tforbusiness package"; if they had, that would have raised alarm bells. I don't think these are visible on the page without clicking. "The developer name 'Develop App'" is visible, although I don't know how many pay attention to it. They are retrospectively thinking they probably should have thought that wasn't right, and that it should have motivated them to look further.

It's the problem of Facebook and PayPal that they have inadequate protections and blame the users for that. I think the issue is of allowing a payment to go through without triggering any security checks. Probably some basic checks should also be done on whether a company publishing an app actually exists.

I wouldn't blame PayPal as much, this is on Facebook in my opinion. Recurring payments are a good thing, we don't want constant re-authorization when the relationship has been established.

Facebook on the other hand should have handled it differently. I don't know how their permission screen for app authorization looks, but I guess it should have a huge red warning sign if it includes a permission to allow the app to spend your money.

The problem is that people are now trained to click popup windows without reading the contents, just to make them go away thanks to brilliant GDPR and cookie law. I am not sure if a huge red warning sign would have helped. People are blind to these things.

> I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business?

Maybe this is too risky to do on the Apple App Store because you need to /pay/ for an account to publish on the app store, which means you more or less need to verify yourself. Doing something like this would make it too easy to lead back to you and get in trouble?

> It's exhausting having to constantly second-guess every application you want to run.

Maybe try to have a sip of coffee before jumping for that $3000. Let's not pretend that this is just ToS fatigue. The only reason they installed this app is for the free money.

So yes, maybe if someone is offering you thousands of dollars, you should consider that to be the time to second-guess what's happening.

Any free app I always look at the developer name. Generic name that looks like it could be trying to mislead? Always a bad sign.

Who gets together and says, "I have the perfect name for a new dev shop: Develop Apps".

I don't know, looking at the other parts the app looks legit; however, TikTok asking for Facebook login? That is where I would stop and think for a little bit.

"Sign up for TikTok", "Continue with Facebook". It's literally the first screen you see from the official app, so it's not unbelievable. Social sign in is pervasive.

The most experienced techies use adblockers which would have completely nullified this scam - OP does not fall into this group IMO.

So.... False sense of security is OK, just because "Apple". Give me a break...

I've actually stopped using Google's spam filter and started looking into the spam occasionally.

With no data, if one slips through it shouldn't be up to the spam filter if I can be scammed!

edit: that was a particularly bad typo to make. I mean scammed, not spammed :)

> Initiated a PayPal chargeback process - PayPal responded: "we’ve determined there was no unauthorized use"

Just wanted to highlight this. Things like this are why I avoid PayPal as much as possible. For many years now.


The payment is authorized by the author (i.e. his PP account wasn't stolen); the whole thing being a scam is irrelevant and PayPal shouldn't be the judge here (if you got scammed and sent some physical items to the scammer, can you ask the post office to take it back?)

I sold digital goods on eBay a few times (like, less than 10 times) and I've already got 3 (!) people claiming their purchase is "unauthorized" after I sent them the goods (redeem codes, so I can't really let them "return"). I'm more than glad that PayPal took my stance instead of giving them chargeback, since they're likely trying to scam me.

> I sold digital goods on eBay a few times (like, less than 10 times) and I've already got 3 (!) people claiming their purchase is "unauthorized" after I sent them the goods (redeem codes, so I can't really let them "return").

This shit is why I don't sell on eBay anymore.

I have a friend who sells stuff on eBay a lot (or at least, used to), and he says about 5% of his sales go to scammers who will request refunds claiming they never received an item.

Of course, now that I think more on it, I wonder how many of those 5% were scammers versus how many of them simply had their package stolen from their front door.

Tracking numbers exist. What package delivery does not include a tracking number?

Doesn't matter. About 5 years ago I sold a thing on Amazon, shipped it, and the buyer claimed the box was empty. I had photos of the item, the box, and the shipping confirmation came through Amazon's own systems. I even had messages from the buyer about the item. Amazon refunded the buyer his $250 and charged me $250. That was the last thing I ever sold on Amazon, and I also didn't buy anything on the site again until this year.

This shit is why when I had a medium-ticket item (Starcraft II Collector's Edition, sold for ~$300 at the time), I used the Fulfilled by Amazon feature. It cost me more, but I believed that having Amazon know before it shipped out that it was a sealed box, I'd be much less likely to get scammed.

Having a tracking number doesn't matter if the scam buyer tells PayPal/eBay that you mailed them a brick and not the item they actually ordered.

The tracking number reports the package as delivered, someone came by and picked it up after it was left at the front door.

I think you mean signature required?

A brick and mortar business normally sees more than 5% loss so if that is a real number it is great.

If the author had paid with a credit card, he could have gotten a refund, and it would be the responsibility of the credit card issuer to track down the merchant and get a refund.

And if he had paid with a debit card or wire transfer, he would be even more out of luck than with PayPal.

Why would we (I'm genuinely asking here) consider PayPal more similar to CC than the others? My point being, it could be (closer to) either, and both make sense to me. PP doesn't necessarily need to operate like CC.

After all, CC as a service charges much more with processing fees from merchants and sometimes annual fees from the customers. It's meant to provide a "better/premium" service.

Not necessarily.

> The payment is authorized by the author (i.e. his PP account wasn't stolen); the whole thing being a scam is irrelevant and PayPal shouldn't be the judge here (if you got scammed and sent some physical items to the scammer, can you ask the post office to take it back?)

PayPal does have a 6 month purchase protection policy in many cases. So... maybe, if you manage to argue that this was a purchase that you're entitled to protection for. But that's a different channel and probably a different physical department at the company.

In my limited experience with PayPal and scam-like charges, PayPal never approved my request.

On the other hand, all my credit card companies, Citi/Chase/etc., approved my similar requests after a review process.

I thought PayPal had a reputation for pro-actively blocking payments for really bad reasons, and now they won't block payment when it's a clear case of fraud?

Why does anyone still use PayPal?

I think a big reason is that the alternatives are worse across some dimensions. Credit cards are especially bad, since they are trivial to steal (and it's at best painful to address fraud, and at worst you can lose a lot of money). So, basically PayPal hides your credit card. But, as the OP noted, other things now count as your credit card! In his case, his Facebook account connected to PayPal connected to his bank was, effectively, a credit card that got stolen.

And sadly there are people (on this thread) who still blame the OP. Of course the payment wasn't authorized, and the OP is very articulate about what happened. At the end of the day, money middle-men are very effective at pointing fingers at one-another, the effect being that the user will throw up their hands and give up. (This happened to me once and cost me about $15k, and I was unable to recover any of it). But what makes it even worse is how conditioned we all are to accepting blame for what is, ultimately, an authentication mistake made by the financial institution(s).

> Why does anyone still use PayPal?

Paypal.com -> Subscriptions -> Unsubscribe

PayPal makes it two or three clicks to unsubscribe from any recurring payment. No dark patterns or "call us" required. I use it whenever I can for subscription services.

If it's that easy, why are there still so many people using PayPal?

By the way, I did this ages ago, deleted my account, closed what I could, and I still regularly get a mail from PayPal that they changed their terms.

I'm talking about payments to third parties. When you use PayPal to subscribe to a service you can easily unsubscribe where sometimes services make it difficult to do so otherwise.

For example the New York Times forces you to call and speak to a retention specialist if you want to cancel and you paid by credit card. With PayPal it's 3 clicks.

Because 95% of the time there's no problem, but if there is one, PayPal is just going to give you the middle finger in most cases and say "not our problem".

I've been in two different situations where I have had obviously fraudulent charges on my PayPal. In both cases, PayPal denied my claim.

In both cases, Discover approved charge-backs for the PayPal charges to my card.

Did PayPal ban you after the Discover charge-back?

Oddly, I have actually been told in the past by PayPal to file a $1500 dispute with my credit card company (AmEx in my case) because for whatever reason they couldn't handle it internally. Didn't get banned.

Nope, still use them for a handful of things (for convenience.) The charge-backs were of significant size too ($300-$500.) This was around 2012-2013 for one and around 2015 for the other.

Anecdata here as well. I've had two times where I had to contest a Paypal purchase. In both cases, Paypal took a reasonably short amount of time to rule in my favor. (Both however were for clear-cut cases of "online vendor took an order and didn't bother to ship anything at all nor reply to Paypal inquiries".)

I've never had a problem with a chargeback either because, I'm honest and if I made a stupid purchase then I sucked it up. But when I've been duped or someone swiped my number there was never a problem. It helps if you keep alerts on for anything above a certain amount, mine is $50 and I check my cards weekly for weird charges.

The amazing thing is that they are equally unpleasant to deal with as a merchant. You'd think they just favoured one side, but no, they screw both sides.

PayPal fraud protection is mostly about making sure PayPal isn't the one holding the bag in the end. Any actual prevention of fraud is secondary at best.

They have a recent change that is anti-merchant: when someone requests a refund they won't give back the transaction fee. The seller loses out on the sale and pays PayPal a transaction fee, the buyer gets their full money back, and PayPal keeps the transaction fee. It used to be returned to the merchant.

I'm honestly surprised Paypal is still in business. Everybody hates Paypal.

The power of network effect.

You can't afford to not accept PayPal because all the buyers have it, and all the buyers have it because you can pay with it everywhere.

An alternative network would have a hard time getting users to sign up.

Yeah, it's more like "we've had 100 complaints about this one guy, probably ought to shut him down now".

A consumer can still file a chargeback through the financial institution (of the payment method used in the transaction) after PayPal declines the dispute. Hopefully, the author was charged on his credit card and not his PayPal balance. Debit cards and bank accounts are in a gray area for this case.

I have a VISA credit card and a VISA debit card.

I was under the assumption that the VISA debit card offers me the same protections as the credit card, but I think I was wrong...

> Are PayPal purchases covered? You are unlikely to be protected under debit card Chargeback schemes for items purchased using PayPal. In these cases the act of loading money onto your PayPal account counts as the debit card transaction so, unless the money fails to be credited, it won't be covered. PayPal runs its own purchase protection scheme which extends some cover to your purchases, but it is in house rather than regulated by law.

Consumer protections are based on your country's laws, but credit cards will generally have stronger protections than debit cards and bank accounts. In the US, the consumer's liability for unauthorized credit card use is capped at $50, while the liability for unauthorized debit card and bank account use is capped at $50 (2 days), capped at $500 (3-60 days), or is unlimited (61+ days) depending on when you report it. Most American financial institutions go beyond the law to promise $0 liability for unauthorized credit card use.


In the US, you don't have to pay the disputed portion of a credit card bill while the chargeback investigation is ongoing. Most financial institutions will issue a temporary credit to make this clear.


If anyone here is familiar with Dutch law, the author might appreciate your input.

IIRC the institutions distributing debit cards (banks, credit unions, whatever the heck PayPal is, etc) will often 'voluntarily' give you effectively the same protections as for credit cards at their discretion because they want you to have and use those cards and the benefit they get through transaction fees, etc. outweighs the cost of the fraud that happens.

Details are likely spelled out in the multipage 5-pt text pamphlet that you received with a new debit card at some point.

Yes, I've seen debit cards that have $0 liability guarantees backed by the financial institution. Since this reflects well on the institution, it will typically advertise the guarantee somewhere prominent, such as a list of features.

In the US, debit cards command different processing fees for the card issuer depending on how the transaction is processed. Sometimes, when using a debit card in person, the checkout terminal will ask the customer to choose "credit" or "debit" for the transaction. Choosing "credit" instead of "debit" grants the card issuer a much larger processing fee. Some financial institutions only offer certain features (including liability guarantees or rewards) when the debit card is used to make a "credit" transaction. Almost all online debit card transactions are processed as "credit" (which does not require you to enter a PIN).

About the status of PayPal: it is licensed as a money transmitter but manages a network of bank subsidiaries and third-party bank accounts to profit from interest rate arbitrage and perform other activities that banks would do.

But how would that work in this case? The customer authorized paypal to be used for facebook ads, someone ran facebook ads using their account. If I give my Amazon log in credentials to someone and they order a bunch of expensive TVs to their house without my knowledge, can I get a chargeback?

Yes, in the US. If the person makes the transaction without your permission, it is considered fraud and is legitimate grounds for a chargeback, even if you provided them with the means to make the purchase (credit card information, account credentials, etc.) in the first place.

In the US, you may also want to file a fraud report to the FTC and to your local police department.

That's weird. As a merchant, I get requests for refunds and even if I provide all the details about the transaction (for me that would be a license key and proof the license key was used) they always side with the buyer.

Really, the only way to not get PayPal to approve a refund is to work with the customer and solve the problem so the customer cancels the refund request.

I think it's A) because it's Facebook. and B) because this type of scam is very prevalent, and no-one wants to be stuck with the numerous bills for it.

Exactly this. In my recent experience PayPal is also absolutely inaccessible for a chargeback resolution. This was the reason I left booking.com, and now I am considering getting rid of PayPal. In my opinion no serious transaction should ever be done on either platform.

What issues did you have with Booking.com and what are good alternatives?

I absolutely loathe them for their high-pressure sales tactics (their site is full of dark patterns and booking there is outright stressful; it feels like you're trying to browse while a drill sergeant is constantly yelling into your ear "BOOK NOW YOU WORTHLESS SCUM, BOOK, BOOK, WHAT ARE YOU WAITING FOR YOU IMBECILE, CLICK IT, BOOK, NOW, NOW YOU MAGGOT") - however, unfortunately they often do have the best price (by far) or are the only place certain accommodations are available, and aside from the drill sergeant, their UX is absolutely perfect.

I've been burned far too often with sites that let you go through the entire flow only to tack on ridiculous fees for payment or simply fail to process your credit card.

Just checking you know that many banks would take the same stance.

American Express has never denied a chargeback I've initiated. When you say "many banks", of course don't bank with someone who is going to screw you, like Paypal or Wells Fargo (and Bank of America or JP Morgan Chase, to a lesser extent). This should be common (US centric) knowledge by now.

Amex doesn't but visa/master/etc depend on the issuing bank and they can (and do) refuse. More in other countries vs USA as far as I understand.

Agreed, but if your time has value, (if you can) structure your financial transactions in a way and with service providers that derisks you having to spend hours chasing down your own money when you shouldn't have to (or going through the motions and being told you're SOL). And never use Paypal!

On some services. You would almost certainly be able to recoup the money if it was paid for via credit card.

I doubt many banks would refuse a charge-back considering this transaction obviously didn't use 3DSecure since it went through PayPal. You'd probably get your PayPal account shut down if it went through though.

If the money left your account because you did a thing, even if you did the thing because you were defrauded, a bunch of banks are going to decline to repay you.

Here's news about a new protection scheme in the UK. But this is new (only came in last year), and it doesn't cover all banks. https://www.bbc.co.uk/news/business-48385426

> New protection for individuals tricked into transferring money to fraudsters has now taken effect - but not all banks are signed up to the scheme.

> Some 84,000 bank customers lost money - sometimes tens of thousands of pounds - last year after being caught out.

> Only a fraction of the amount lost was refunded by banks. Now a new code should mean more will be reimbursed.

> The refund will come from a central pot in cases when neither the bank nor the customer are to blame.

See especially this bit:

> Some of the more elaborate frauds see the con-artists using social media and other avenues such as data breaches to gather information about their victim, making it more likely that potential victims believe they are genuine.

> In all these cases, the individual authorises the payment. Banks have often refused to refund these frauds as a result.

Paypal is 100% right in this case though.

Is it though? It surely is authenticated but is it authorized? By whom? Certainly not by the user.

The user has authorized PayPal to give money to Facebook. Facebook wasn't authorized by the user themselves to run the ad campaign, but PayPal is doing exactly what it should.

And if the same charges had been made on a Visa card, we wouldn't be having this conversation.

If I have a Visa card saved in the Starbucks app, and somebody uses my Starbucks app, I did not authorize Visa for that transaction. It would be no different than losing the card. If somebody picks up my card and swipes it, "Visa is doing exactly what it should" but also it wasn't an authorized transaction and should be reversed.

I'm not sure. When you give authorization for "all future payments to Starbucks until I tell you otherwise" (which is what you're doing with recurring payments being set up between FB and PP), you're authorizing that payment to Starbucks. You're not authorizing Starbucks to take whatever they want, but that's between you and them, not you and Visa. Visa just happens to be very accommodating and will often pressure the vendor.

Losing your card would have been similar to the OP's PayPal account being hacked.

In what world would paypal be right? Facebook allowed a scammer to advertise on their platform, and then allowed the same scammer to steal 4k. Facebook is as much complicit in this crime as the criminal himself. Paypal was charged by Facebook. Facebook should not be entitled to the 4k and PayPal should take it back.

I came here to say this as well. PayPal is garbage and should never be used, at least as a consumer. There are much better options available. I have never had PayPal side with me in any dispute, no matter how one sided it was. I closed my account in 2014. Haven't missed it.

Trust your bank more. Find a good trust worthy local bank or credit union.

Back in 2004 or so, I logged into online banking and saw that where I had about $3000 the day before, I now had less than $100. Mortified, I looked and saw that there were a couple of Paypal transactions being processed. I didn't see anything in my email, and I logged into Paypal and didn't see anything on the summary screen, but when I looked at the full history, I saw two eBay purchases: One for a hacked PS2, one for a laptop. I was able to contact both sellers: The guy with the PS2 hadn't shipped his yet, and canceled. The laptop seller lamented that he had mailed it right away - to the Philippines. To this day, I don't know how this guy in the Philippines accessed my Paypal account - I did manage to reach out to him, but he expected me to pay him to give up his secrets, and I'm not playing that game.

Anyhow, I called my bank and explained to them that these were fraudulent transactions, and thank goodness you have them on hold but haven't processed them, because my rent is coming up and could you please release the money.

The bank refused. I'd been a member of the same institution for probably a dozen years, had a car loan out through them, was on track to get a mortgage through them in a few years, and they told me that even though I had caught it that very morning, about as soon as I could possibly have caught it, that there was nothing they could do.

Paypal, on the other hand, asked me to sign an affidavit, and a couple of weeks later, fully refunded my account.

I've held Paypal above banks ever since. In retrospect, eBay had acquired Paypal only two years prior, and this transaction happening on eBay probably garnered additional scrutiny at the time. However, nearly every time I read about someone's Paypal account getting locked out, it turns out they weren't paying attention to the Terms of Service - which are, without a doubt, designed to minimize fraudulent use of Paypal as a payment provider. It's why you can't do pre-sales on Paypal - it leaves them open to liability.

For better or for worse, the overwhelming narrative becomes "Paypal sucks", but as you start to look at the big boy payment providers, you'll discover that Paypal is often more permissive by comparison, with rates that are comparable to or better than the big boys when you're running with such small transactional values. And if you end up going to some upstart that will let you do things Paypal won't, that party's only going to last as long as those providers don't get stung by regulatory fees or plain old fraud.

While it's nice to hear a good story, PayPal is not a bank and a PayPal account lacks the consumer protections that bank accounts in many countries (including the US) receive by law. PayPal takes advantage of this lack of consumer protection to freeze accounts and hold funds for up to 180 days on grounds that aren't necessarily reasonable or disclosed.

Financial institutions do not have this kind of control over bank accounts. All bank accounts inherit a level of trustworthiness from consumer protection laws that only apply to bank accounts. PayPal does not.

When PayPal freezes/limits an account in a way that a bank account could not legally be subject to, the problem is not the account holder, but PayPal itself.

I wonder what would happen if the author shows this article to PayPal (if not done already), showing that also Facebook confirmed the scam and Google taking down the app.

> The scammer used my Facebook auth token to remove me from the Facebook Business entity. Strangely enough this is possible without getting any emails from Facebook. I had no way to check my Business entity or Ad account on Facebook to see what's going on.

This is an error on the Facebook side. Actions like this should never be possible without appropriate confirmation or re-requesting the password for 2FA confirmation.

I can sort of see why this is allowed.

* Employee starts a Facebook business page using their personal Facebook account.

* They add their boss to it.

* Employee is fired.

* Boss removed employee from Facebook business page.

edit: Should still send a notification email but I'm guessing angry "why did you remove me from X" reactions are why they don't. Not good but there's a logic behind it.

Sure, but then [employee]'s payment methods should be removed along with them. If they were using the company / boss's card or PayPal, then surely the company / boss should be able to add it back again without too much undue trouble.

Sure although I'd guess having all your advertising campaigns paused (as there's no billing info anymore) would annoy many people especially if they didn't notice or weren't aware it happened. It may in aggregate be cheaper for Facebook to just eat the cost of refunding these things versus providing more friction to their users.

The additional confirmation is not from the user being removed, it's from the user doing the removal. In this example the API/oauth was enough to do this. There really should be an additional confirmation at certain times. Like how Google sometimes requires you to put in your password/2fa again, despite previously authenticating or saying something like "don't ask me again".

I presume the scammer added a new account, made it an admin and then used that to take over. So it's not the removal that's the issue but adding a new admin on the account. Of course if you allow this type of activity through oauth I don't think there's a good way to re-authenticate.

In that case, adding a new admin should require re-authentication.

I think the trick here was to prompt the user with a fake oauth screen. Many legit apps show the oauth screen using a web frame inside that app. It is absolutely stupid that it is still a common occurrence.

If you need to enter your credentials when using sign-in-using-xxx, be VERY cautious. Even if you have 2FA enabled, the fake oauth screen can just ask you for the 2FA code. You have no way of knowing whether the login page is keylogged or hijacked.

This was pretty much an exact question I had about OAuth 10 months ago:

Something I still don't understand about the OAuth flow is how it's _not_ training users to be more easily phished for actual usernames and passwords. The very first step is "If you are not logged into the third-party, display a login-form from the third-party."

The thing is, you never really know off-hand if you're logged into the third-party (provider) or not without opening a second tab and going directly to the third-party's site, since you're always getting logged out after various timeouts, cookie-clearing, browser-closing, and computer-restarting events.

What prevents an OAuth client application from displaying an OAuth process that shows a fake login form, which looks identical to the provider's login form, to get the user to enter their provider username and password before they realize the URL is off? It seems like it trains users that it's normal for websites to launch a Gmail login form and this is perfectly safe.

I think you're right. Users are being trained to enter their passwords and 2FA tokens everywhere with the false promise that 2FA makes it secure. Even U2F using a signed challenge seems iffy to me.

This [1] says "In fact, the spec requires that browsers only expose the API in secure contexts", so if that's correct it's better, but still not good enough.

This [2] looks like it does U2F by grabbing the challenges via browser plugin and relaying them to a phone app for signing.

Trusting the browser to "expose the API in secure contexts" seems like a failure because it's assuming nothing else can collect the credentials or send a challenge to a security key. Is that true? Could I write an app that would phish a user into signing a challenge with their security key?

1. https://security.stackexchange.com/a/206549/134291

2. https://krypt.co

> Could I write an app that would phish a user into signing a challenge with their security key?

What sort of app? A full-blown Windows/ OS X/ Linux desktop application? Yes.

You definitely should not install software that asks you to interact with your FIDO authenticator in this way unless you really trust it. I trust the Operating System vendor installed OpenSSH packages, I would not trust some random github project.

The two big phone ecosystems won't let you talk directly to a third party authenticator or to their built-in platform authenticator. The authenticator talks to them, and they talk to you. So while it would be possible to make a Windows EXE program that says "Touch authenticator to stroke your 3D pet" or whatever and actually steals your Facebook login credential this way, it should not be possible to put something on Google Play or Apple's iPhone store that does the same thing.

Edited to add: For Android at least there is a concept of "Privileged" apps that get to do stuff that is otherwise impossible to ask a user for permission to do. The ability to fill out WebAuthn-style rpId values (for WebAuthn these are Internet FQDNs) is locked behind such a privilege. So, Chrome has privilege, release builds of Firefox have privilege, and so on, but yet another fly-by-night app developer who uploads Flappy Bird clones to the Play Store can't use this feature.

Without this privilege when you talk to the authenticator (either a platform authenticator or a 3rd party one) the OS will insist on picking an rpId with a platform specific prefix. So e.g. maybe your app can ask for rpId android-584fac03:google.com but there's no way (without privilege) to get just google.com, which is a problem because that's the value you'd need in order to get working Google credentials.

If you want your app to talk to your own web site, you can build a bunch of extra goops (in Android at least) to enable that, but part of what will happen is your web site's backend code needs to explicitly go "OK, I should allow android-584fac03:my-private-app even though that's nowhere close to my actual FQDN" so that seems safe enough.

I'd guess it's a fake oauth screen as well. I coded one of the first (I think) Tinder auto likers for Android back in 2013, and the only way I could do it was get the real facebook username and password and log into Tinder on the phone in the background. I just put up a fake Oauth HTML page in a webview and saved the login, with a disclaimer of course, but nearly everybody ignored it. I was surprised how easy it all was.

> Even if you have 2FA enabled, the fake oauth screen can just ask you for the 2FA code.

Not all 2FA is “enter a code”; it's a lot harder for a fake oauth screen to send a request to your registered authentication device.

EDIT: this doesn't really help, as a reply points out. OTOH, separate side channel verification of logon from unexpected devices does.

Is it? Couldn't the backend (or even a human attacker) just type the credentials you provide into the real login page, giving you the "tap yes" push notification just the same?

Come to think of it, you're right. I was mentally combining that 2FA method with “new device attempted login” detection, but the latter is usually separate from 2FA. If a login system uses that and provides notice and requires confirmation through a side channel, rather than merely providing informational notice, it will stop (or at least, make it easier to stop; a second user mistake or preexisting side-channel compromise is still possible) the attack. If it's just notice, it may limit the impact or streamline recovery from the attack.

But now that I think about it, it would make sense to combine new device notification with push-notice 2FA for exactly that reason, since you've got a push channel that takes a confirmation already, flag unexpected devices in that channel as well and it becomes much more secure.

Yup. Notice that this can't work on WebAuthn (or its predecessor U2F), which is why everything should do WebAuthn and you should ignore attempts to downgrade you to any other method.

An attacker can play the legitimate WebAuthn request from the real site, which will (statistically certain) be nonsense if played by their phishing site.

Or they make their own request, which doesn't help them because it's not valid on the real site they want to sign into so it's pointless.
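The two posts above (the U2F question about whether an app could trick a user into signing a challenge, and this explanation of why a replayed WebAuthn request is useless to a phishing site) come down to two checks that the page cannot influence: the browser refuses an rpId that does not match the page's host, and it writes the page's real origin into clientDataJSON before the authenticator signs it. The block below is an added illustration, not code from the article or from any commenter. It models the relying-party verification steps with the Python standard library; the authenticator signature is simulated with HMAC over the same bytes a real authenticator signs (a stand-in for the per-credential ECDSA key, so that it runs without extra libraries), and the hostnames and secret are constructed for the demo.

```python
"""Added example: why a phishing page cannot reuse a WebAuthn challenge.

Relying-party (server-side) checks modelled with the standard library only.
The authenticator's signature is simulated with HMAC over the same bytes a real
authenticator signs (authenticatorData || SHA-256(clientDataJSON)); real devices
use a per-credential private key, so treat `credential_secret` as a stand-in for
the stored public key. Hostnames and the secret are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import os


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def simulated_authenticator(credential_secret: bytes, rp_id: str,
                            client_data_json: bytes, user_present: bool = True) -> dict:
    """Model of a FIDO authenticator: it signs authenticatorData plus the hash of
    the clientDataJSON the browser built; it never sees or chooses the origin."""
    flags = 0x01 if user_present else 0x00
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
                 + bytes([flags])                           # flags byte (UP bit)
                 + (0).to_bytes(4, "big"))                  # signature counter
    signed_bytes = auth_data + hashlib.sha256(client_data_json).digest()
    return {
        "authenticatorData": auth_data,
        "clientDataJSON": client_data_json,
        "signature": hmac.new(credential_secret, signed_bytes, hashlib.sha256).digest(),
    }


def browser_get(page_origin: str, rp_id: str, challenge: bytes, credential_secret: bytes) -> dict:
    """Model of the browser's part of navigator.credentials.get().

    Two things the page cannot influence: the browser rejects an rpId that is not
    the page's host (or a parent domain of it), and it writes the page's real
    origin into clientDataJSON itself."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin}")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    return simulated_authenticator(credential_secret, rp_id, client_data)


def verify_assertion(assertion: dict, expected_challenge: bytes, expected_origin: str,
                     rp_id: str, credential_secret: bytes) -> tuple:
    """Relying-party verification in the order the WebAuthn spec lists the steps
    (ceremony type, challenge, origin, rpIdHash, user presence, signature)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed_bytes = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(credential_secret, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(assertion["signature"], expected_sig):
        return False, "bad signature"
    return True, "ok"


def run_demo() -> dict:
    """Constructed scenario: real site example.com, look-alike site examp1e.com."""
    rp_id, origin = "example.com", "https://example.com"
    secret = b"constructed-credential-secret"
    challenge = os.urandom(32)            # issued by example.com's server

    # 1. A genuine login from the real origin verifies.
    genuine = verify_assertion(browser_get(origin, rp_id, challenge, secret),
                               challenge, origin, rp_id, secret)

    # 2. The look-alike page relays the real challenge but cannot even ask the
    #    browser for example.com's credential: the rpId check refuses it.
    try:
        browser_get("https://examp1e.com", rp_id, challenge, secret)
        browser_refused = False
    except PermissionError:
        browser_refused = True

    # 3. With its own rpId the page gets a response stamped with its own origin
    #    and rpIdHash (in practice the user has no credential for examp1e.com at
    #    all); the real server rejects it at the origin step regardless.
    relayed = browser_get("https://examp1e.com", "examp1e.com", challenge, secret)
    relayed_result = verify_assertion(relayed, challenge, origin, rp_id, secret)

    return {"genuine": genuine, "browser_refused": browser_refused, "relayed": relayed_result}


if __name__ == "__main__":
    print(run_demo())
```

The point the model makes concrete: the challenge itself is not the protection, the origin binding is. That is also why the follow-up below about a stolen session cookie is right; once the ceremony has completed and a cookie exists, WebAuthn has done its job and nothing in the assertion protects the cookie.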

In this case the application shows the real Facebook in a webview and after the user logged in, the application retrieved the session cookie from the webview. How will WebAuthn behave here?

If you can steal the session cookie and the session cookie is what you needed then WebAuthn doesn't change anything.

And even if you find a correct oauth address, you still have the risk that you understand what permissions you give and facebook implements them correctly.

This wasn't mentioned anywhere in the article sadly

Your mistake is using "Log in with Facebook" on a mobile device.

Since neither iOS nor Android have any kind of trusted UI, there is no way you can be sure if you are logging into Facebook on an app, or just giving that app your credentials for them to do as they please.

Until iOS or Android get trusted UI for these usecases, I suggest using browsers on Windows/Mac/Linux where you can see in the address bar which company you are giving credentials to, and which can't as easily be faked.

If you must use a mobile device to log into Facebook via a third party app, I suggest using a new Facebook account each time.

> If you must use a mobile device to log into Facebook via a third party app, I suggest using a new Facebook account each time.

I might be wrong about this as I've not used Facebook for many years now, but doesn't Facebook require a phone number for new accounts nowadays, and requires you to use your real name as well?

It's actually even nastier than that. If you fail their automated checks for fake accounts, they'll lock your account and require you to submit a photo of your face and ID card.

No I have an older relative who creates a new account every other week for whatever reason.

Think of how many accounts are created for games reasons. Some games require friends taking action to progress. Some allow friends to send prizes like lives/money/resource.

> No I have an older relative who creates a new account every other week for whatever reason.

Could be like my grandma who would occasionally manually log out of the app, but then the next time she loaded the app, rather than actually logging in again, she'd create a new account because that's what she did the first time she loaded the app and thought she had to do that every time.

I don't feel comfortable tying any two logins together for any site, regardless of mobile vs. desktop. Choosing to log into any site using facebook, google, etc. is setting up for trouble. I much prefer a strong password manager and separate logins for everything.

It's possible to do "trusted UI" on iOS/Android by opening a browser window that shows you're actually logging into facebook-dot-com. That still wouldn't prevent these scams from working because users don't necessarily know how to tell the difference between "trusted UI" and "scam UI".

Except it isn't... Because the app can just show a UI that looks like a browser window, and there's no way for the user to know.

If you open a browser window, there are going to be some things that can't be faked 100% accurately, e.g. on iOS there will be a link back to the app at the top left, there is going to be an animation, and so on.

It could be faked 95% accurately, but that's moot, because like I said, the user hasn't necessarily learned what "trusted UI" is in the first place.

Looks like it was a real Facebook login webview.

...which is different from a browser window, running inside the actual system browser.

The difference may of course be subtle, but even obviously fake logins can work on the untrained eye.

(OP here)

While you are absolutely right, I want to highlight that this was done in a quite sophisticated way. It's actually the real login page of Facebook in a webview. I have 2FA on all my accounts including FB, so it looked very legit. Once you have logged in, they seem to grep the token and close the webview.

You mean they extracted your primary full access token, not the generated restricted oauth token?

If your app has a webview in it, on both iOS and Android, you have full access to run script inside that webview and take/set cookies for any domain. You can easily take the auth cookie.

Some Google auth cookies can only be used on the same tls session that created them[1]. That means the TLS session resumption information (which can be tied to hardware platform features like the TPM) is required to make use of a stolen auth cookie. Unfortunately while that approach has big security benefits, it's pretty anti-user-privacy.

[1]: https://nakedsecurity.sophos.com/2018/10/25/could-tls-sessio...

Yes, pretty sure. It wasn't an oauth screen but the actual FB login screen.

iOS will redirect you to your Facebook app

Delete the app. There’s no reason to install it.

iOS has trusted UI via "double-tap-side-hardware-power-button". So it's a trusted trigger, and a presumably native UI.

I've been very impressed by eBay/PayPal providing "very good" almost native-feeling payment integration (swipe-to-pay, UI coming up from the bottom of the screen), so it may not last forever, but interesting to hear of the depth of scamming possible on phone UI's (and probably desktop UI's too).

> Your mistake is...

Not mine. I just posted what Niek van der Maas wrote on his GitHub. I don't think he's even reading this HN thread.

Actually I am ;)

Cool :)

There are many things that stand out:

1) Google Playstore allowing someone to impede on the TikTok brand.

2) The app getting 10k+ fake reviews. At this point can you trust the review system if it can be so easily manipulated?

3) "Strangely enough this is possible without getting any emails from Facebook." Facebook security is weak here. You shouldn't be able to change ownership without explicit 2FA verification. OAuth tokens can be easily phished; a password + 2FA device is much, much harder.

In general the trend I see is that Facebook and Google are driven to making ad purchasing as frictionless as possible. Having scammers, click-farms, fake reviews on their platform is good for them, it helps them make more money. They'll happily tradeoff human oversight/support and security for automated algorithms that optimize $$$ growth.

Apple AppStore is polarizing. Some feel it has too much control, but on the other hand I find a lot less scammy apps in Apple AppStore than Google Playstore.

I lost $2k in a Facebook scam that I'm really not proud of. A company spoofed BitMain's FB page and ran ads for their newest AntMiner models saying they had a batch that was ready to ship in limited supply. The BitMain FB account looked legit. The website itself obviously had an SSL cert (and was a pixel for pixel clone of their real site, except the product was in stock), but what I didn't notice was the microscopically small presence of a dot over one of the characters. It was an IDN homograph attack, and looking at the website and not noticing the unicode character, everything else looked right.

The fact that they took BTC as payment didn't raise any red flags either, because, you know, BitMain does.

I'm mostly infuriated at Facebook for not validating the company name or doing anything resembling protecting their audience. I lent them too much credibility because it looked like they were ads from the real company's page, and so I let down my guard elsewhere.

I've never otherwise been hacked or scammed, and I know allllll of the basics to look out for, but this one still infuriates me for making a fool of myself.

What browser are you using that is displaying IDN unaltered?

Every now and then I catch myself not doing this but by and large I always type out URLs for ads/emailed links by hand. It takes out a lot of the attack surface for me, and it looks like in this case it would have worked.

I wouldn't bet on proofreading even if the address was all ascii. It's inherently unsafe to click a random link, think you ended up in the right place and start doing all sorts of things.
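The IDN homograph attack described a few comments up, and the browser-display question that follows it, are exactly the situation a link checker should catch before the user ever sees the page. The block below is an added illustration, not code from the article or from any commenter: a Python standard-library check that converts a hostname to its punycode (xn--) form, flags labels that mix Unicode scripts, and reduces the host to an ASCII "skeleton" (accents stripped, look-alike letters mapped) so it can be compared against an allowlist of brands. The confusable table and the `KNOWN_BRANDS` allowlist are constructed and deliberately partial; a production check should use the full Unicode TR39 confusables data.

```python
"""Added example: flag look-alike (IDN homograph) hostnames before trusting a link.

Standard library only. Python's built-in idna codec implements IDNA 2003, which
is enough to produce the xn-- form browsers fall back to for display. The
confusable table is a small constructed excerpt of the Unicode TR39 data and
KNOWN_BRANDS is a constructed allowlist for the demo.
"""
import unicodedata

# Constructed, deliberately partial look-alike table (Cyrillic/Latin pairs and
# the dotless i). Real data: Unicode TR39 confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0131": "i",
}
KNOWN_BRANDS = {"bitmain.com", "facebook.com", "paypal.com"}   # constructed allowlist


def to_punycode(host: str) -> str:
    """ACE form (xn--...) of the host; unchanged for pure-ASCII hosts."""
    return host.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Script names of the letters in one label, read from the Unicode character
    name prefix (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are ignored."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(host: str) -> str:
    """Reduce a host to its ASCII look-alike: lowercase, strip combining marks
    (so 'ä' -> 'a'), then map known confusable letters to their Latin twins."""
    decomposed = unicodedata.normalize("NFKD", host.lower())
    stripped = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def analyze_host(host: str, known_brands=KNOWN_BRANDS) -> dict:
    """Report on one hostname: punycode form, mixed-script labels, and whether its
    skeleton collides with an allowlisted brand while the host itself differs."""
    labels = host.split(".")
    mixed = [lab for lab in labels if len(scripts_in(lab)) > 1]
    skel = skeleton(host)
    impersonates = skel if (skel in known_brands and skel != host) else None
    try:
        punycode = to_punycode(host)
    except UnicodeError as exc:          # label too long, prohibited code point, ...
        punycode = f"<idna error: {exc}>"
    return {
        "host": host,
        "non_ascii": not host.isascii(),
        "punycode": punycode,
        "mixed_script_labels": mixed,
        "skeleton": skel,
        "impersonates": impersonates,
        "suspicious": bool(impersonates or mixed),
    }


if __name__ == "__main__":
    # Constructed samples: the genuine host, a Cyrillic-i look-alike, an accented one.
    for sample in ("bitmain.com", "b\u0456tmain.com", "bitm\u00e4in.com"):
        print(analyze_host(sample))
```

Run on the three constructed samples, the genuine host comes back clean, the Cyrillic-i variant is flagged both as mixed-script and as impersonating `bitmain.com`, and the accented variant is caught by the skeleton comparison alone, which is why an allowlist of the brands you actually transact with is worth more than script heuristics on their own.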

Not blaming you at all, but a good tip is to look at the number of “likes” a page has and see if it sounds reasonable. Definitely not foolproof though.

Nope. Easily faked. There are centres where people get paid $5-10/day to like, follow, comment, etc here. They use bots too.

You can purchase an official ID under $10. Many Indian marketing firms use them.

Oh absolutely. I admit it’s not foolproof, but if a page named “Amazon” only had 100,000 likes, I’d be a bit suspicious. For comparison, the actual Amazon FB page has 19 million likes IIRC.

I have been scammed only once by a company so far. It was oyo (another gem run by softbank). They sold all my information, made me pay twice and left me with such poor service. A few of their actual employees were the scammers along with the hotel manager (likely) so I wasn't suspicious... because ya know, you are supposed to trust official communication portals.

It opened my eyes to how far a scam can go. A billion dollar valuation or millions of likes says nothing.

I filed a complaint but have yet to follow up due to covid. It was a visit due to medical reasons so we didn't focus too much on it.

And this is why BitCoin will never fully take off.

If you made this transaction with your credit card, you could call up your bank two weeks later and get your $2k back that day.

BitCoin? Kiss that virtual fool's gold goodbye.

BIT-Coin is not a replacement for credit card so it's like comparing apples to oranges.

Think of it more like cash. If you give someone 2k in cash nobody is going to find that person and refund you.

> BIT-Coin is not a replacement for credit card so it's like comparing apples to oranges.

Except it's being used almost exactly like credit cards, so it is an apples to apples comparison.

> Think of it more like cash. If you give someone 2k in cash nobody is going to find that person and refund you.

Wrong. Tons of cash and debit card transactions can be undone, and banks can and will give you money back from fraudulent transactions.

6 months by law in the EU.

120 days in the US by law, unless I'm mistaken.
