Asklemmy

43895 readers

1404 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
!lemmy411@lemmy.ca: a community for finding communities

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago

MODERATORS

How do scammers overtake a youtube account with 2fa enabled (piped.kavin.rocks)

submitted 10 months ago* (last edited 10 months ago) by Extrasvhx9he to c/asklemmy@lemmy.ml

17 comments fedilink hide all child comments

Saw a video of a youtuber that got his account overtaken which has 2fa enabled (not sure which method but I'm thinking sms). He says he didn't get phished, downloaded anything and his session cookies weren't stolen and I believe him. The only clue is that he received a sms otp from google but was invalid when he inputted it which let's me to believe he relied on SMS for 2fa in the first place. My theory is he reused passwords and his number was overtaken but I'm not sure if that's the case since he did receive the google otp so that leaves out the common phone rep social engineering methods of porting out and fowarding. What else could it be? My paranoia is kinda acting up

Tldr: A YouTuber's account was hacked despite having 2FA. While unsure of the exact method, potential factors include relying on SMS OTP and the possibility of password reuse. No session cookies were stolen, nothing downloaded and no links clicked

Edit for timestamp: its kinda difficult since he jumps around a lot but he begins to talk about it around the 2min 30sec mark and stops at around the 6min mark

you are viewing a single comment's thread
view the rest of the comments

[–] gravitas_deficiency@sh.itjust.works 7 points 10 months ago (1 children)

Off the top of my head:

persistent auth cookie hijack
MITM SMS attack

[–] intensely_human@lemm.ee 4 points 10 months ago (1 children)

With SMS I don’t think it’s MITM. If you can reprogram a sim chip (or build a new one) the phone network just sends you a person’s messages.

I think. Haven’t done it myself.

[–] damium@programming.dev 2 points 10 months ago

There is also SMS passive reading using LEO intercept. Hacked police email accounts are used to gain access to carrier systems where they use "imminent threat" no warrant lookups to pull the SMS in real time.

SMS is a terrible form of 2FA, better than none but not by much.