Vulnerabilities

Bitcoin ATM Security Breach Compromised Social Security Numbers and Government IDs

5 Likes

The breach happened on September 30 and the company didn’t notice until a full month and a half later. A lot of things can happen in a month and a half.

The techbros pushing back against regulations and security while promoting plans like these are probably counting on that (pun intended):

8 Likes

58,000 customers’ information.

They had that many customers???

5 Likes

Well, duh.

3 Likes

Companies that use toll by plate might start using other methods to compare the make/model of the car to the plate number to reduce billing errors caused by fraud. The systems that manage physical plate numbers need a lot of work for another reason, too. Billing (or mailing anything) should end after the plates are returned. It’s not that difficult to check the date when that happened:

Toll companies in multiple US regions have databases that link drivers to every plate number they’ve ever registered. With some states forcing more frequent replacement, this seems like a recipe for billing errors to increase. :weary:

5 Likes

Wow, this is a well executed social hack…

According to tripwire.com’s Graham Cluley, phishers will use Google Forms to create a security alert message, and then change the form’s settings to automatically send a copy of the completed form to any email address entered into the form. The attacker then sends an invitation to complete the form to themselves, not to their intended victim.

“So, the attacker receives the invitation to fill out the form – and when they complete it, they enter their intended victim’s email address into the form, not their own,” Cluley wrote in a December 2023 post. “The attackers are taking advantage of the fact that the emails are being sent out directly by Google Forms (from the google.com domain). It’s an established legitimate domain that helps to make the email look more legitimate and is less likely to be intercepted en route by email-filtering solutions.”

Basically they are tricking Google Forms, AI and account recovery into complicity in the attack.

Another reason to work up the escape velocity to get out of the Google orbit.

8 Likes

:rage:

7 Likes

Huh. Got some paypal phishes that managed to fool my DKIM plugin into thinking they were actually from paypal.

4 Likes

Feds Warn SMS Authentication Is Unsafe After ‘Worst Hack in Our Nation’s History’

4 Likes

I always choose non-SMS based MFA when available, but so few companies seem to offer anything else. Apps are the best option, yet they aren’t available in most cases.

4 Likes

My Swiss bank, for all retail customers, in the 90’s, gave you a calculator. When you put your chip-and-PIN bank card in the card reader of the calculator, you entered your PIN. You would then type in the challenge you got, after logging into the bank web site, and return the response.

A FIDO2 / Yubikey would be my first choice these days, at least for convenience. I would personally prefer one manufactured in the west. I assume that phones themselves are back-doored at the hardware or firmware level.

What?! You’re paranoid!! :roll_eyes: Yes, but I’m usually right and since it’s possible, it will happen.

SMS authentication… I’ll have to dig through my notes but IIRC that’s been identified for a long time as a vulnerability.

Edit: I wish I could take the FBI notice back to ~ 1993 and rub a few noses in it.

5 Likes
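The card-reader calculator described in the post above, modelled in Python as an added example (not the bank’s real protocol or anyone’s product code): the PIN unlocks a token holding a key that never leaves it, the bank issues a random single-use challenge, and the token answers with a short HMAC-derived code. Key length, PIN, eight-digit codes, a 120-second challenge lifetime and a three-try PIN lockout are all assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

RESPONSE_DIGITS = 8      # assumed: length of the code the token displays
CHALLENGE_TTL = 120      # assumed: seconds a challenge stays valid
MAX_PIN_TRIES = 3        # assumed: wrong PINs before the token locks


def response_for(key: bytes, challenge: str) -> str:
    """HMAC-SHA256 over the challenge, reduced to a short decimal code."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % 10**RESPONSE_DIGITS
    return str(code).zfill(RESPONSE_DIGITS)


class Token:
    """The calculator plus inserted card: secret stays inside, PIN unlocks it."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self.failed, self.locked = key, pin, 0, False

    def answer(self, pin: str, challenge: str) -> Optional[str]:
        if self.locked:
            return None
        if not hmac.compare_digest(pin, self._pin):   # constant-time PIN check
            self.failed += 1
            self.locked = self.failed >= MAX_PIN_TRIES
            return None
        self.failed = 0
        return response_for(self._key, challenge)


class BankServer:
    """Keeps a copy of each card's key; challenges are random and single-use."""
    def __init__(self, keys: dict):
        self._keys, self._pending = keys, {}

    def issue_challenge(self, card_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        challenge = str(secrets.randbelow(10**8)).zfill(8)   # unpredictable, fresh
        self._pending[card_id] = (challenge, now + CHALLENGE_TTL)
        return challenge

    def verify(self, card_id: str, response: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(card_id, None)   # pop: a replayed response fails
        if entry is None or now > entry[1]:        # unknown or expired challenge
            return False
        expected = response_for(self._keys[card_id], entry[0])
        return hmac.compare_digest(expected, response)
```

Because the challenge is random and consumed on first use, a phished or intercepted response is worthless a moment later, which is the property SMS codes sent to a SIM-swapped number lack.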

Meanwhile my online-only bank just recently upgraded from single factor 6-digit PIN to 6-digit PIN + SMS authentication. :roll_eyes:

6 Likes

phones themselves are back-doored

This, of course, leads me to wonder how badly the :cn: got into the phone back doors that are probably there under the same CALEA mandate, or a related regulation.

3 Likes

As long as SIMjacking has been a thing, SMS has been a shitshow for 2FA. One-time password generators are better (TOTP has issues), challenge/response ones work better, and passkeys are super spiffy.

1 Like

That’s still three factors, is the PIN functionality available in an app?

1 Like

A PIN and a phone number capable of receiving a code is 2 factors. Where’s the third?

4 Likes

You don’t have a password?

Nope, the PIN was all you needed to login until they added the SMS factor.

I keep telling financial institutions and utility companies that all I have is a landline, so that won’t work. :lying_face: Now they call me with codes or send an email, because the only other option I offer is for them to buy me a phone.

4 Likes

Ick, but still that’s better than just the PIN…

Looking at the PIN:
6 digits?
Can you change it?
How many times could you make a mistake before getting blocked?