Two Fucktor Authentifuckingcation

I get salty when I have receive and then enter a code to pay my bill. I am 100% confident that exactly zero strangers are trying to pay my bills. And if they are, I’m not going to stop them.

This sequence is very similar to how a person recently had his Apple account and entire digital life stolen (which started with a supposedly fraudulent charge on their Apple-branded credit card).

A person calls or texts you that they are sending a code, but they are actually a hacker trying to break into your account with a password reset request. By giving them the code that was generated by the website, you just approved the password reset. They then log in and permanently lock you out of your account. If it’s Apple, they are completely unwilling to help you get access back.

In the case of the person who wrote the article, they said they had all of their account passwords on their Apple account. The hacker also remotely erased and locked all of their devices (iPhone, iPad, and MacBook) by marking them as lost/stolen, and stole tens of thousands of dollars from their bank and retirement accounts before they could lock them down.

Truly a nightmare.

Details here:

What’s TOTP? Is that where you say remember this device? Because that doesn’t always work either, sometimes it makes you recertify, or in the case of being in another country it says you have to redo it.

TOTP = Time-based One-Time Password

No remembered device. You pre-set up a special token (like a secret master password) associated to your account with an app like FreeOTP. This does not require any SMS, cellular, or Internet connection, but you do need to load the token onto your device somehow, say by scanning a QR code.

Subsequently, as one of the factors to log into your account, it will ask for what is usually a 6-digit random code that changes every 30 seconds. To get the current code at any given moment, you click on the account in the FreeOTP app.

Nearly every 2FA scheme I’ve used has multiple options- text, email, phone call, or some sort of authenticator app like Google Authenticate or Okta Verify. None have strictly limited me to texts.

Maybe it’s different for you, I don’t know.

My credit union decided to outsource their mastercard. The new people insisted on verification by text, and had no workaround. They were a US concern, and couldn’t text a foreign number. I had to close my account because they could not solve the problem, which meant I also could not pay them. I also closed my credit union accounts (after a decade plus) and let them know why, but it was such an edge case they didn’t really care.

Back then they charged you extra for touch tone, which was particularly obnoxious because touch tone is cheaper for the phone company than pulse. The cost is the time you are on the line, which is longer with pulse. I had a phone in the '80s that did both, and found that I could switch to touch tone and it worked though I officially had a pulse only line. It took them years to find out.

Back when they started loyalty programs, we registered for Safeway using our landline because that was the number we remembered more. No problem, until I got a new phone and the app didn’t copy over. I foolishly used my mobile number for the newly loaded app, and they still haven’t been able to integrate the two accounts. Another supermarket app I used the landline number for had no issues.

No.

Someone tried to use my credit card fraudulently. I have no reason to assume the bank suddenly required two factor authentication for that transaction — they’ve never required two factor authentication when I’ve swiped the card or given the number to a website or read it to a merchant over the phone. I assume something looked suspicious to the bank. They didn’t say.

Two factor authentication is being required if I want them to send me a replacement card. Except it’s actually three or four factor authentication, since

• they emailed ME at the email address they have for me, and I received the email and confirmed i hadn’t made the transaction;
• they then texted me a code to read back to them over the telephone, which I did;
• then they said they had to call me and speak another code to me, but neither one of my telephones would do

Would you find it annoying?

I’m glad I don’t need this card.

Most of mine do, except the Chase United card I have. This was 4 years ago so maybe it’s different now.

I have not see that before.

Key words are the first two - “back then”.

I grew up with rotary phones, though we did get some touch phones in the house at some point although we still had rotary service. There was a T(one) / P(ulse) button on the side of them. If I was calling some 800 # I would have the phone on P but after I connected could switch the phone to T so that I could use touchtones to choose an option or input something (acct #, etc.). Just needed to remember to switch it back to P at the end of the call or that phone couldn’t make the next call you tried to make because our service didn’t recognize tones to place a call.

Does rotary service exist anywhere anymore?

I’m not certain, but I think pulse dialing still works wherever the plain old telephone system over copper still exists. The touch tone switches are always(?) backward compatible. The real question is whether there’s any area that support only pulse dialing. I have the feeling not, but don’t know.

The problem I had was my parents’ phone only had the rotary pulses and no way to produce tones. And the insurance company phone automation didn’t support pulse phones. (This was 30 years ago in any case. I ultimately had to call an agent who could do it for me.)

That first word is important Nearly. I have had VOIP (voice over ip) for years, which was very useful when living and traveling overseas. If I needed some code, I could just choose voice and I got the phone call and entered the code. Capital One decided that no, this was no longer going to be an option, it was text or nothing. They had, at one point, allowed the voice thing, but then it was gone and there was no other option. I don’t have great service inside my house, so even when not traveling overseas the whole text thing was, do something on the computer, walk outside and hope the text comes through before it expires. Now they allow you to authenticate via their app, but as far as I know, even today, they require a cell phone number to even open an account at their physical location.

They also think that if you are using a VPN while using their app on your phone, that you unlocked using a bio metric, you need to get a text. You can’t use the app itself to validate because that is what you are trying to access.

Fortunately I have switched to VOIP service that allows you set it up to receive texts which I have going directly to an email address where I can read it handily regardless of where I am, or how bad the cell signal is.

//i\\

I remember having to set this up on my modem. If you chose the wrong one, you couldn’t connect to whatever dial-up internet service you had.

//i\\

30+ (more like 40) years ago it wasn’t. We had a phone with 12 buttons that would produce either pulse (dialing) or tones but only rotary/pulse service. If I tried to make a call when the physical phone switch was set to T(one) nothing happened because the phone line didn’t recognize the tones I was keying.

The email probably wasn’t from the bank. It was from a scammer that had enough information about you, including your email and CC information, to initiate an attack on your account.

There was no fraudulent transaction. There was only an e-mail or text from the scammer saying there was, in the hopes that you would follow the next step in the attack, which was to trick you into giving them the 2FA code. Which you did.

Try this: Call the number on the back of your card and talk to someone who you are sure is from the CC issuer and ask about what they do when a fraudulent charge is suspected. I’d bet that what you went through doesn’t resemble what the official policy is.

Yeah, this whole thing the way it was written in the OP screams scam to me. Clicking a link in an email/text saying there was a fraudulent charge!?? Never do that! Legitimate banks will never have you click on a random link, they will have you call them. “Dear Cardholder” instead of your full name?

Never initiate correspondence with banking/credit cards by clicking on something sent to you out of the blue. Always begin by calling the number on your card or opening the app for that bank.

This is not true. I have received emails from credit cards when I made a purchase they thought was fraudulent, which the yes/no links. I clicked on the link for yes to indicate I had authorized it and then re-did the transaction.

//i\\

I agree with the other posters. How do you know you are actually being contacted by your bank and not by a scammer? That was the whole point of my previous post.

It’s ok to respond to a text with a YES/NO text response.

It is absolutely NOT OK to click on a random link to that someone sends you by text or email. If your bank does this, they are following very insecure practices. Both of these can be spoofed.

If you suspect fraud or want to contact your credit card issuer, should always either call the number on the back of your credit card, or log into the bank website or app. In other words, something you initiate. Never talk to someone on the phone who calls you (regarding anything financial, internet security-related, or support), or click on any incoming links, or give security codes to unsolicited incoming texts.

Everyone should read the story I posted above. The incident only happened a couple of weeks ago. I actually forwarded to my family and friends, saying it was one of the scariest fraud stories I’ve seen in a long time, since it could happen to any of us.

This is a major red alert. I don’t believe that any legitimate transaction ever includes a step like this. This sounds like a scammer trying to get you to act as a man-in-the-middle to give them a 2FA code that you are only supposed to enter into the sender’s web site. Once they have it, THEY will enter the code in the web site and get access to your account.

In most cases, when I get a 2FA code, it arrives with a big warning about giving it to anyone else for exactly this reason. Looking at the last few such texts I’ve received from various companies, I see:

We will NEVER ask you for this code. If anyone asks, it’s a SCAM. Only use the code in the XXX site or app.

Don’t share this code. We’ll NEVER call to ask for this code.

Don’t share this code with anyone; our employees will never ask for the code.

Never share you XXX code with anyone. We’ll NEVER call or text you for it.

DO NOT share. We will NEVER call you to ask for this code.

If someone asks for your code, STOP; it’s a SCAM. We will never contact you for this code.