Here’s how SIM swap in alleged bitcoin pump-and-dump scheme worked
arstechnica.com/security/2024/10/how-alleged-si…
Oh my god, someone please tell me my understanding of the following facts is wrong:
They did all of that, compromised a SEC employee and the official SEC Twitter account, to move the price of Bitcoin only around 2.2%.
They could have just put sell orders in, and waited a month.
Here are the hourly BTC high and low prices for the day in question, Jan. 9th, 2024
All that risk, just to bump the price up $1,000, when it was already trading between $45-47k.
That is so dumb, so painfully dumb, that I almost feel bad about laughing my ass off about this. JFC.
Idiot. Why did they not run those searches over the tor network to anonymize themselves? That is quite frankly stupid. And the fact that the SEC was using SMS-based two-factor authentication is also stupid. One time pads or bust motherfuckers.
More like the *in*security exchange commission
OTP 2FA Codes are one time pads
They're actually not; they're algorithmically derived state machines. Most are public key hashes of secrets concatenated to the current time in seconds from the epoch.
Ideally they would be otp, but that would also be obnoxious.
Oh, interesting. Okay. In that case, they are totally misusing the term.
Yeah, I think it's because that's where the model originated, and that's basically what it's supposed to be, but having almost everyone synchronized on time gives us a new trick because we can just generate 'keys' and have them expire, so even if you manage to get one by force, it's only valid a short window. Instead of one time pad they often call them one time passwords.
You need extended access to a generator over time to be able to use it, which gives the user a chance to report it for invalidation.
Not perfect, but it does its job fine especially compared to passwords or sms (where you're at the mercy of the minimum wage kid down at the mall's Verizon kiosk).
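As an added example (not from the thread), here is the time-windowed one-time password the comments above describe, implemented as RFC 6238 TOTP: an HMAC-SHA1 over the shared secret and the 30-second time counter, truncated to 6 digits, so a code captured now stops working once its window plus a small drift allowance has passed. The secret is the published RFC 4226/6238 test vector, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

# The RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); a constructed demo key,
# not a real credential. Authenticator apps usually carry the same bytes as base32.
RFC_SECRET = b"12345678901234567890"
TIME_STEP = 30   # RFC 6238 default window, in seconds
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks the slice
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step), so the code rolls every `step` s."""
    return hotp(key, int(unix_time // step))


def verify(key: bytes, code: str, unix_time: float, step: int = TIME_STEP, skew: int = 1) -> bool:
    """Server-side check: accept the current window and `skew` windows on each side for clock drift,
    compared in constant time. Older codes are rejected, which is what limits a captured code."""
    counter = int(unix_time // step)
    return any(
        hmac.compare_digest(hotp(key, counter + d), code)
        for d in range(-skew, skew + 1)
    )


def key_from_base32(secret_b32: str) -> bytes:
    """Decode the base32 form shown in an authenticator app's setup screen (constructed helper)."""
    return base64.b32decode(secret_b32, casefold=True)


if __name__ == "__main__":
    now = 59  # RFC 6238 vector: T=59 is counter 1
    code = totp(RFC_SECRET, now)
    print("code at T=59:", code, "valid now:", verify(RFC_SECRET, code, now))
    print("same code 90 s later:", verify(RFC_SECRET, code, now + 90))
```

The last line shows the point the comment makes: the code that was valid at T=59 is refused three windows later, so a stolen code is only useful inside a short window.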
Ars having some fun selecting quotes.
I was going to say that hindsight is 20/20, but in this case the hindsight sounds pretty short sighted as well.
It sounds like Mr. Council was the fall guy for his co-conspirators. He did all the in person stuff, with his own face, and it doesn't sound like he thought particularly deeply about the need to cover his tracks until it was too late.
Considering he did a search for "how can I know for sure if I am being investigated by the FBI", he can't be the sharpest knife in the drawer.
It's fair for him to try and do an internet search for US federal police processes, but the question style does not inspire confidence.
I should get in the habit of Googling "how to renew expiring fed mitm certificate" every few weeks for the microscopic chance the joke might some day pay off big time.
you know, here in ZA (and across Africa) services got past the “your phone number is your security layer” thing in the early 10s because we had fraud and related issues way back
but no, the US is insistent that they have to retread that path and learn those lessons over. can’t go and learn from an african country, that wouldn’t be fitting of (struck through: an imperial hellhole) A First World Country
why no, I’m not salty about services making me have worse security settings at all, why do you ask…
Yeah security in the USA has always been pretty bad. Iirc it often had to do with monopoly like structures keeping the advances at bay because it costs money to upgrade. Did the bank cards move away from magnetic strips already?
they ever so very slowly started doing chip (not necessarily with PIN) from 4~6y ago, state depending
probably need to give them another decade.
Mostly. Half the time the chip will work. Half the time it fails because you inserted it too fast or too slow or because it was Tuesday, so it falls back to the magnetic strip.
Surely this is more secure right? ... right?
lol god that’s even worse :/
so have nfc and value-capped transactions even made inroads there yet?
NFC: yes. Most new credit and debit cards have NFC. Can tap to pay at pretty much any retail store and some smaller businesses. There are still weirdly many phone models without NFC (especially lower end), but the situation is slowly improving.
Value-capped transactions: not really a thing if I understand right.
it’s embarrassing as fuck though when NFC’s either broken at the terminal or really finicky, so you have to get the cashier to slowly, painfully re-request the payment twice before giving up and seeing if your chip still works
or you’re at Walmart or CVS and they intentionally disabled it in all their stores for asshole reasons
even more embarrassing: I accidentally call it NFT and the cashier knows what that is and thinks I’m a fucking idiot
“have you got tap?” / “can i tap?” is a common local verbiage here
(also “got snapscan?” but that’s more popular in some cities than others, depending how much inroads snapscan has made)
(we also still have a fairly healthy cash market)
You'd be surprised, but many countries with much lower GDP/capita have far more developed/sophisticated ICT services than the US, not to mention far more competition.
This is not just my personal view, I've had Americans (who have travelled the world) mention this as well.
I wouldn't be :) have visited many of them, and worked in a fair couple too
what was shocking (on my first visit there) is how absolutely fucking antiquated US infra is across multiple dimensions. not shocking these days, I now understand so many of the reasons for it
that understanding also makes so much of what comes out of the US (and its weird obsessions with specific non-solutions) make a lot more sense
@froztbyte oh I absolutely hate using SMS for authentication
I had to do some eGovernment-related stuff recently and I think I had to wait for and type in an SMS one-time-code like 8 times until I got what I wanted
A spring day can be colder than an autumn day. And for which parts of the world it's autumn and for which it's spring, you guess.
That is because people deciding on security are interested in firm connections between accounts and people.
It's an environment where surveillance is companies' incentive for profit, and so on, you've surely read about all that.
Guys, this was a compliment to African countries becoming better while the West sinks lower, why are all the downvotes?
probably because the vagueposting in the top half of your comment wasn’t actually clearly stating what it meant, and the latter half suffers from internet-stalking-horse incorrect conclusionism
just a guess tho.
Well, both your guesses are subjective, especially the "incorrect" part; should probably keep them in that dark stinky place you keep your pride
congrats on subjectively being an utter shithead to an African while supposedly complimenting African countries in your trainwreck of a post
fuck off now
“you just don’t understand me!” wails the sealion at the door