Have I Been Pwned owner, pwned - Hypertext
htxt.co.za
A phishing attack managed to fool Troy Hunt into handing over MailChimp credentials.
  • A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
  • Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
  • Hunt has detailed the attack and warned his subscribers in a timely fashion.
  • sugar_in_your_tea@sh.itjust.worksEnglish
    7·
    5 days ago

    There are two types of texts:

    • 2FA - usually says something like “we’ll never text you this code, don’t give it to anyone”
    • ID verification - pushed by a rep while on a call, and doesn’t have the “we’ll never text you this code” bit

    The first is needed for user-initiated actions, the second is only used to ensure the person you’re talking to has access to the device on file.

    When I called the actual bank, they did the second one to reset my account credentials, and again when I set up the MFA app after the trip. It’s absolutely a thing.

    Scammers do the first and cannot do the second, which is why they have the warning text on the first and not the second (though there is different warning, which makes it clear they’re different).