Hackers Are Turning Tech Support Into a Threat (msn.com)
Hackers have stolen hundreds of millions of dollars from cryptocurrency holders and disrupted major retailers by targeting outsourced call centers used by American corporations to reduce costs, WSJ reported Thursday. The attackers exploit low-paid call center workers through bribes and social engineering to bypass two-factor authentication systems protecting bank accounts and online portals.
Coinbase faces potential losses of $400 million after hackers compromised data belonging to 97,000 customers by bribing call center workers in India with payments of $2,500. The criminals also used malicious tools that exploited vulnerabilities in Chrome browser extensions to collect customer data in bulk.
TaskUs, which handled Coinbase support calls, shut down operations at its Indore, India facility and laid off 226 workers. Retail attacks targeted Marks & Spencer and Harrods with hackers impersonating corporate executives to pressure tech support workers into providing network access. The same technique compromised MGM Resorts systems in 2023. Call center employees typically possess sensitive customer information including account balances and recent transactions that criminals use to masquerade as legitimate company representatives.
Race to the bottom. (Score:3)
Have higher standards in hiring/outsourcing, and be willing to pay for those types of employees. When you're paying the same as the local McDonald's don't be surprised when you get fuckheads for applicants.
Data sovereignty (Score:2)
Some countries have data sovereignty regulations where personal, financial, medical and government data has to be
- hosted in the country
- accessible only by people inside the country
- on computers located in the country
- On computers not accessible by people outside of the country
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: Data sovereignty (Score:2)
Okay... and your point? We're not talking about any industries where data-sovereignty is a concern. The article is about private U.S. tech companies outsourcing their support to overseas companies to save money (like it says in sentence one of TFS), then being surprised when those outsourcers have less-than-honest employees. They're on the other side of the world from their clients, it's much less risk for them to not follow data security requirements.
Re: (Score:1)
Have higher standards in hiring/outsourcing, and be willing to pay for those types of employees. When you're paying the same as the local McDonald's don't be surprised when you get fuckheads for applicants.
You've probably never visited the developing world; a job in McDonald's is relatively high paying in places like India, as you typically require a tertiary education for it. Colleges run courses on working in fast food (hospitality or some such). A quick Google suggests a McD's worker is on R14,000 p/m and call centre work starts at R15,000 p/m.
Your point stands though, even if working in McD's isn't an unskilled weekend job for a 16 yr old like it is in developed economies.
I find that where a company
You DO get what you pay for (Score:3)
Outsourcing to a third party will always lead to problems as they too want to make as much profit as possible.
How are bribes delivered? (Score:2)
How do they send the bribes to the call center workers? Or are they possibly screwing them as well and just convincing them they will receive something?
Re: (Score:1)
How do they send the bribes to the call center workers? Or are they possibly screwing them as well and just convincing them they will receive something?
Bitcoin? $2,500US converted to Indian Rupees is 2/3 of the annual median wage... That's plenty of incentive to figure out how to use bitcoin or some other crypto-currency.
Chrome browser extensions (Score:1)
Switch to Firefox.
When you pay techs $0.50 an hour (Score:2)
in a far off country where you can't sue, this should have been expected.
Re: (Score:3)
More than that, any competent bad actor is going to attack the weakest link in the chain. If that happens to be low-paid boiler room call center phoneslaps, then that's where the crosshairs are going to go.
It's no different than your complex password only being as complex as finding someone who knows it, and beating on them with a $10 hammer until they give it to you.
Re: (Score:2)
That's not how "multi-factor" works (Score:3)
The attackers exploit low-paid call center workers through bribes and social engineering to bypass two-factor authentication systems protecting bank accounts and online portals.
If you can bypass it, it's not an authentication factor. If the secret isn't held by the user, it's not an authentication factor. If you could bribe the factor away, how is it a factor? This is why I laugh at companies who think emailing you a code to enter the system is somehow a security metric of value. I have to generate the value, independent of the system, such as using a YubiKey or a TOTP authentication token. If the system provides it to me, it's meaningless.
Re: (Score:2)
If you could bribe the factor away, how is it a factor? ...I have to generate the value, independent of the system, such as using a YubiKey or a TOTP authentication token.
Because - and I can't believe I have to explain this - if you have the generated value so that you can validate your identity to the computer, there's no way the computer can verify whether I paid you $50,000 for that code. There's no way for the computer to validate whether the data exports I perform are for backup purposes, or to extort the company.
So, whether we're dealing with metal keys, or 8192-bit SSL certificates combined with a 24-character password and an iris scanner...the human holding the means
Re: (Score:2)
I know plenty of companies who have "multifactor" but the additional
Re: (Score:3)
Let me ask you this: What do you do if you somehow lost access to your Yubi-keys? Do you have any recovery methods at all? If so, that's your answer.
Re: (Score:3)
I've set things up so if I lose access, it's truly my fault.
Re: (Score:2)
I do something similar. One of my FIDO tokens is a Trezor device. This means that if I lose it, I load the BIP-39 passphrase, load the app, load the encrypted token sheet, and I'm back with those. Downside is that I have to have a working Trezor device. I also have a backup Yubikey stored offsite, but that won't help much if there is something catastrophic. This is why I try to not just have FIDO access only.
Key management here is tough. Too secure, you lose all your data. Have the core recovery keys
Re: (Score:2)
I’ve managed many help desks, and a constant high volume is “I forgot my password” or “I can’t access this please help me”. I get what you’re saying about putting responsibility in users hands, but the large paying customers are
Re: (Score:2)
Can you imagine the average chump putting in this much effort to stay secure?
Re: (Score:2)
So you never considered that an employee of the company can add / remove MFA methods from the account? I.e. "I will pay you $500 if you add this email account as a MFA on account X using the permissions you've been granted to remediate account access issues."
Of course email / SMS MFA is terrible. This has been known for a long time. But even if they're using TOTP or a hardware device like a Yubikey, there is nothing preventing a customer service agent empowered to make account changes to add the TOTP see
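The weak point the comment above describes is not the factor itself but the agent permission that can enrol a new one. Below is an added illustration of how that permission can be gated so a single bribed agent cannot finish the job alone; it is not Coinbase's, TaskUs's or any vendor's code, and the four-eyes rule, the 24-hour hold, the veto via existing contact channels and the field names are all assumptions for the sketch.

```python
"""Gating support-agent changes to a customer's MFA factors (added example, not a vendor's code).
An agent-initiated factor addition (a) needs approval by a different agent, (b) sits in a hold
window during which the customer is notified on contact channels already on file and can veto,
and (c) is audited. The 24 h hold and the in-memory store are assumptions."""
import datetime as dt
from dataclasses import dataclass, field
from typing import Optional

HOLD = dt.timedelta(hours=24)  # assumed cooling-off period before a new factor goes live


class ApprovalError(Exception):
    pass


@dataclass
class PendingFactor:
    kind: str                  # "totp", "email", "sms", "fido"
    value: str
    requested_by: str          # agent id
    requested_at: dt.datetime
    approved_by: Optional[str] = None
    vetoed: bool = False


@dataclass
class Account:
    user: str
    factors: list = field(default_factory=list)    # active (kind, value) pairs
    contacts: list = field(default_factory=list)   # verified channels already on file
    pending: list = field(default_factory=list)
    audit: list = field(default_factory=list)
    outbox: list = field(default_factory=list)     # (channel, message) "sent" to the customer


def agent_request_factor(acct, agent, kind, value, now):
    """An agent asks to add a factor. Not active yet; the customer is told on existing channels."""
    p = PendingFactor(kind, value, agent, now)
    acct.pending.append(p)
    acct.audit.append((now, agent, "request_add_factor", kind, value))
    deadline = (now + HOLD).isoformat(timespec="minutes")
    for channel in acct.contacts:
        acct.outbox.append((channel, f"Support requested adding a {kind} factor; reply to cancel before {deadline}"))
    return p


def second_agent_approve(acct, p, approver, now):
    """Four-eyes rule: the requesting agent cannot approve their own change."""
    if approver == p.requested_by:
        raise ApprovalError("requester cannot approve own factor change")
    p.approved_by = approver
    acct.audit.append((now, approver, "approve_add_factor", p.kind, p.value))


def customer_veto(acct, p, now):
    p.vetoed = True
    acct.audit.append((now, acct.user, "veto_add_factor", p.kind, p.value))


def activate_due(acct, now):
    """Promote pending factors that are approved, not vetoed, and past the hold window."""
    activated = []
    for p in list(acct.pending):
        if p.vetoed:
            acct.pending.remove(p)
            continue
        if p.approved_by is not None and now - p.requested_at >= HOLD:
            acct.factors.append((p.kind, p.value))
            acct.pending.remove(p)
            acct.audit.append((now, "system", "activate_factor", p.kind, p.value))
            activated.append(p)
    return activated


def run_scenario(customer_vetoes):
    """Bribed agent tries to enrol an attacker-controlled email; the customer vetoes or does not.
    All identifiers here are constructed sample data."""
    t0 = dt.datetime(2025, 6, 19, 9, 0)
    acct = Account("alice", factors=[("totp", "device-1")], contacts=["alice@example.invalid"])
    p = agent_request_factor(acct, "agent-17", "email", "attacker@example.invalid", t0)
    try:
        second_agent_approve(acct, p, "agent-17", t0)          # self-approval must fail
        self_approved = True
    except ApprovalError:
        self_approved = False
    second_agent_approve(acct, p, "agent-42", t0 + dt.timedelta(minutes=5))
    early = activate_due(acct, t0 + dt.timedelta(hours=23))     # approved, but still inside the hold
    if customer_vetoes:
        customer_veto(acct, p, t0 + dt.timedelta(hours=23, minutes=30))
    late = activate_due(acct, t0 + dt.timedelta(hours=25))
    return {"self_approved": self_approved, "activated_early": len(early), "activated_late": len(late),
            "factors": list(acct.factors), "notices_sent": len(acct.outbox)}
```

Run with `run_scenario(True)` and the attacker's factor never becomes active; with `run_scenario(False)` a legitimate recovery still completes, just not within the hold window and not without a second agent and a notice the customer can see.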
Re: (Score:2)
So you would rather have a world where you call customer service because you had a problem with your MFA device, and the answer is "too fucking bad, you're locked out of your retirement account forever because there's nothing we can do. Hope you didn't want your hundreds of thousands of dollars!"
Tell us you've never thought about the customer experience, without telling us you've never thought about the customer experience.
Re: (Score:2)
One company I worked for handled recoveries where all else fails in a simple way. If all was lost, they would send a registered letter to the person at their stored snail mail address. The letter had a recovery code on it. Yes, it would take days to get there, but registered mail is good enough for security, and would allow someone access to their stuff, even if it means waiting a week for that recovery code.
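The letter-based recovery described above only holds up if the code on the paper is the only copy, which matters on a page about insiders reading customer records. Here is an added sketch of the server side of such a scheme; it is not the commenter's employer's code. The readable alphabet, the 30-day validity, the five-attempt limit and PBKDF2 as the hash are assumptions.

```python
"""Out-of-band recovery code of the kind mailed by registered letter (added example, not
the code of the company described). The plaintext exists only on the printed letter; the
server keeps a salted PBKDF2 hash, an expiry long enough for the post, a single-use flag
and a failed-attempt counter. Alphabet, 30-day TTL and 5-attempt limit are assumptions."""
import datetime as dt
import hashlib
import hmac
import secrets

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O/1/I: it has to be read off paper
CODE_TTL = dt.timedelta(days=30)                     # assumed: covers registered-mail transit
MAX_ATTEMPTS = 5                                     # assumed: online guessing limit


def _normalize(code):
    """Accept what a customer actually types: lower case, spaces, missing dashes."""
    return "".join(ch for ch in code.upper() if ch in CODE_ALPHABET)


def _digest(salt, code):
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 100_000)


def issue_recovery_code(store, user, now):
    """Mint a code for the letter. Only the hash is stored, so an agent reading the database
    (or a dump of it) cannot learn the code. Replaces any earlier outstanding code."""
    raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(20))   # 20 symbols * 5 bits = 100 bits
    code = "-".join(raw[i:i + 5] for i in range(0, 20, 5))
    salt = secrets.token_bytes(16)
    store[user] = {"salt": salt, "hash": _digest(salt, code),
                   "expires": now + CODE_TTL, "used": False, "attempts": 0}
    return code   # handed to the print job; never logged


def redeem_recovery_code(store, user, presented, now):
    """True exactly once, for the right code, inside the window, under the attempt limit."""
    rec = store.get(user)
    if rec is None or rec["used"] or now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        return False
    if hmac.compare_digest(rec["hash"], _digest(rec["salt"], presented)):
        rec["used"] = True            # single use
        return True
    rec["attempts"] += 1
    if rec["attempts"] >= MAX_ATTEMPTS:
        rec["used"] = True            # burn it; the customer needs a fresh letter
    return False


def run_scenario():
    """Issue, wrong guess, sloppy-but-right entry, replay, expiry, lockout (constructed data)."""
    store = {}
    t0 = dt.datetime(2025, 6, 19, 9, 0)
    code = issue_recovery_code(store, "alice", t0)
    later = t0 + dt.timedelta(days=5)
    wrong = redeem_recovery_code(store, "alice", "AAAAA-AAAAA-AAAAA-AAAAA", later)
    right = redeem_recovery_code(store, "alice", code.lower().replace("-", " "), later)
    replay = redeem_recovery_code(store, "alice", code, later)
    code2 = issue_recovery_code(store, "alice", t0)
    expired = redeem_recovery_code(store, "alice", code2, t0 + CODE_TTL + dt.timedelta(days=1))
    code3 = issue_recovery_code(store, "alice", t0)
    for _ in range(MAX_ATTEMPTS):
        redeem_recovery_code(store, "alice", "ZZZZZ-ZZZZZ-ZZZZZ-ZZZZZ", t0)
    locked_out = redeem_recovery_code(store, "alice", code3, t0)
    return {"wrong": wrong, "right": right, "replay": replay, "expired": expired,
            "locked_out": locked_out, "code_len": len(code), "plaintext_in_store": code in str(store)}
```

The point to check in a real deployment is the last field: nothing in the datastore, logs or support tooling should contain the code, or the letter is just a slow version of an emailed one-time code.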
Re: (Score:2)
If you can bypass it, it's not an authentication factor.
Of course it is. It's like saying your password isn't a password because it can be reset and changed by the root account. The authentication remains an authentication factor. Just that no one needs to be authenticated for certain administrative actions to take place.
You're confusing authentication with a privileged instruction.