IIRC they can steal a login cookie and thereby circumvent 2FA.
Asklemmy
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
this is what happened to Linus Tech Tips channel: https://www.theverge.com/2023/3/24/23654996/linus-tech-tips-channel-hack-session-token-elon-musk-crypto-scam
I've also seen social engineering attacks where they trick a cell phone company into cloning a SIM card
PSA: SMS 2FA is not secure! Use a hardware key or mobile app instead
He did talk about session cookies/tokens in the video which is a possibility but I'm under the impression that this is not what happened since he was already aware of that possibility and didn't do anything to facilitate that.
I believe there is another method where you can intercept an SMS text somehow. I read about it a while back so I don't know the specifics, but I know that since SMS is unsecure there is a way to grab the data while it's being sent to you
Difficult to tell what happened without knowing the full context.
It has happened that scammers call support, say they're XYZ and lost their 2fa device. 2fa gets disabled and they can overtake the account in some old fashioned way.
Also there is SIM splitting and other techniques. Also the youtuber could be wrong. These attacks are very subtle until it's too late.
Give us a link (with timestamp if it's long), maybe someone can find out more. [Edit: Thx for the link.]
Damn I assumed google customer reps couldn't do that without verifying. How do you even protect from that? Besides not using one account for everything
Edit: I assumed porting out scam too but what confuses me about it was that his carrier line was still actively recieveing SMS and my understanding is that after a port out, the old sim becomes invalid/not working.
Sure, customer reps shouldn't help with account recovery unless they get proper verification. I'm sure many companies have learned from past mistakes. I think that's the only way to solve it. I'm not sure though if this is what has happened here... These crypto people seem to have hacked many accounts last year.
Maybe related video from Linus Tech Tips incident last march: https://piped.video/watch?v=yGXaAWbzl5A
Adam Koralik talks a bit fast and some details aren't clear to me. For example if he got recovery mails and sms from his own actions or if this was the scammer. Also I'm not sure how 2fa works with YouTube. I certainly hope changing the account password makes it ask for the second factor or it's next to useless. If this is the case he must have gotten phished or there is another unknown security issue in the process. Or his password didn't get changed in the first place. But that also can't be it since he clearly tells he got the notification mails for a password change and changed recovery methods.
Concerning your edit: I've read that, too. That your connection drops, once a new SIM card gets activated. That might take a while, though, or not happen with some carriers or under certain circumstances. As far as i know a cell network is a crazy mix of technology. And from his description it's not even clear to me when he talks about SMS and when he talks about notification emails or push notifications.
And in other youtubers' videos I've heard they usually seperate their accounts so that it's not the same account for private stuff on their phone and the important youtube stuff all mixed in the same account.
Off the top of my head:
- persistent auth cookie hijack
- MITM SMS attack
With SMS I don’t think it’s MITM. If you can reprogram a sim chip (or build a new one) the phone network just sends you a person’s messages.
I think. Haven’t done it myself.
There is also SMS passive reading using LEO intercept. Hacked police email accounts are used to gain access to carrier systems where they use "imminent threat" no warrant lookups to pull the SMS in real time.
SMS is a terrible form of 2FA, better than none but not by much.
Non-piped link: https://youtu.be/8pgvhlelQO4
Here is an alternative Piped link(s):
https://piped.video/8pgvhlelQO4
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source; check me out at GitHub.
Lmao
If he wasn't trying to log in then how did he have anywhere to input a 2FA code? If he was trying to log in its possible that his PC was compromised by malware and he got his credentials + 2FA stolen by EvilProxy
Edit: checked out a bit of the video for context. It sure sounds like that it was probably bad 2FA set up. Does Google still support security questions? If he’s had partner for a decade then surely security questions were set up as a second factor. I don’t know if they are still supported though