Hackers Are Turning Tech Support Into a Threat (msn.com)

Hackers have stolen hundreds of millions of dollars from cryptocurrency holders and disrupted major retailers by targeting outsourced call centers used by American corporations to reduce costs, WSJ reported Thursday. The attackers exploit low-paid call center workers through bribes and social engineering to bypass two-factor authentication systems protecting bank accounts and online portals.

Coinbase faces potential losses of $400 million after hackers compromised data belonging to 97,000 customers by bribing call center workers in India with payments of $2,500. The criminals also used malicious tools that exploited vulnerabilities in Chrome browser extensions to collect customer data in bulk.

TaskUs, which handled Coinbase support calls, shut down operations at its Indore, India facility and laid off 226 workers. Retail attacks targeted Marks & Spencer and Harrods with hackers impersonating corporate executives to pressure tech support workers into providing network access. The same technique compromised MGM Resorts systems in 2023. Call center employees typically possess sensitive customer information including account balances and recent transactions that criminals use to masquerade as legitimate company representatives.

Comments:
  • It's like one gets what one pays for or something...
  • by SeaFox ( 739806 ) on Thursday June 19, 2025 @02:53PM (#65461549)

    Have higher standards in hiring/outsourcing, and be willing to pay for those types of employees. When you're paying the same as the local McDonald's don't be surprised when you get fuckheads for applicants.

    • According to what I could find online, the average (median) outsourced call center worker in India is paid pretty close to the national median wage once they have about 3 years of experience. And being a call-center worker in India is considered a "respectable job".

      Outsourcing aside, how much does an employee need to be paid for y'all to consider it "reasonable"?

      For the record, I'm not a fan of outsourcing.. But it hardly seems like these folks are being taken advantage of. Entry level pay is low, but

    • Some countries have data sovereignty regulations where personal, financial, medical and government data has to be

      - hosted in the country
      - accessible only by people inside the country
      - on computers located in the country
      - On computers not accessible by people outside of the country

      https://en.wikipedia.org/wiki/... [wikipedia.org]

      • I don't think this is true. Why would there be so many call centers in India and Pakistan if countries restricted data to their own borders?
      • by SeaFox ( 739806 )

        Okay... and your point? We're not talking about any industries where data-sovereignty is a concern. The article is about private U.S. tech companies outsourcing their support to overseas companies to save money (like it says in sentence one of TFS), then being surprised when those outsourcers have less-than-honest employees. They're on the other side of the world from their clients, it's much less risk for them to not follow data security requirements.

  • by bubblyceiling ( 7940768 ) on Thursday June 19, 2025 @03:19PM (#65461589)
    It's the same as in China, you get what you pay for. A lot of companies such as IBM, AMD, GE, Walmart, have hugely successful outsourced ops. But they hire their own people, set up their own offices, provide a better QoL & salaries to attract & retain talent.

    Outsourcing to a third party will always lead to problems as they too want to make as much profit as possible.
  • How do they send the bribes to the call center workers? Or are they possibly screwing them as well and just convincing them they will receive something?

    • How do they send the bribes to the call center workers? Or are they possibly screwing them as well and just convincing them they will receive something?

      Bitcoin? $2,500US converted to Indian Rupees is 2/3 of the annual median wage... That's plenty of incentive to figure out how to use bitcoin or some other crypto-currency.

  • Switch to Firefox.

  • in a far off country where you can't sue, this should have been expected.

    • More than that, any competent bad actor is going to attack the weakest link in the chain. If that happens to be low-paid boiler room call center phoneslaps, then that's where the crosshairs are going to go.

      It's no different than your complex password only being as complex as finding someone who knows it, and beating on them with a $10 hammer until they give it to you.

  • by Murdoch5 ( 1563847 ) on Thursday June 19, 2025 @03:35PM (#65461621) Homepage

    The attackers exploit low-paid call center workers through bribes and social engineering to bypass two-factor authentication systems protecting bank accounts and online portals.

    If you can bypass it, it's not an authentication factor. If the secret isn't held by the user, it's not an authentication factor. If you could bribe the factor away, how is it a factor? This is why I laugh at companies who think emailing you a code to enter the system is somehow a security metric of value. I have to generate the value, independent of the system, such as using a YubiKey, or a TOTP authentication token. If the system provides it to me, it's meaningless.

    • If you could bribe the factor away, how is it a factor? ...I have to generate the value, independent of the system, such as using a YubiKey, or a TOTP authentication token.

      Because - and I can't believe I have to explain this - if you have the generated value so that you can validate your identity to the computer, there's no way the computer can verify whether I paid you $50,000 for that code. There's no way for the computer to validate whether the data exports I perform are for backup purposes, or to extort the company.

      So, whether we're dealing with metal keys, or 8192-bit SSL certificates combined with a 24-character password and an iris scanner...the human holding the means

      • I think you missed my point, if you can bypass the second (or additional) factor, it's not a factor. I have 40+ accounts in my Yubi Authenticator, to access those codes I need my YubiKey. If any of those companies can bypass needing to get those codes, which some of them can ..., it's not a useful factor. When TD Bank sends me an SMS code to login, that's not useful, they generated the code, so it's really just double single factor.

        I know plenty of companies who have "multifactor" but the additional
        • Let me ask you this: What do you do if you somehow lost access to your YubiKeys? Do you have any recovery methods at all? If so, that's your answer.

          • I have a backup key, that is in a safe upstairs. I have all the QR codes backed up into a VeraCrypt container that is stored locally, on my server, and in two remote locations, one in Europe, and one in the US. The passphrase to open that container is 256 characters long, and I don't actually know what it is, but I know where it is, it's also key-file protected.

            I've set things up so if I lose access, it's truly my fault.
            • I do something similar. One of my FIDO tokens is a Trezor device. This means that if I lose it, I load the BIP-39 passphrase, load the app, load the encrypted token sheet, and I'm back with those. Downside is that I have to have a working Trezor device. I also have a backup Yubikey stored offsite, but that won't help much if there is something catastrophic. This is why I try to not just have FIDO access only.

              Key management here is tough. Too secure, you lose all your data. Have the core recovery keys

            • Ok great, but this article is about tech support. Just how many of those accounts you protect with such access, where if you lost it, would you find it acceptable that it is truly inaccessible forever more? Your email? Your bank account??

              I’ve managed many help desks, and a constant high volume is “I forgot my password” or “I can’t access this please help me”. I get what you’re saying about putting responsibility in users hands, but the large paying customers are
          • Sorry, do I have any recovery? Nope, I delete recovery keys, if I need to use one, that's unacceptable, and if the system is really set up for multifactor, they only get generated once, and then wiped from all memory.
    • So you never considered that an employee of the company can add / remove MFA methods from the account? I.e. "I will pay you $500 if you add this email account as a MFA on account X using the permissions you've been granted to remediate account access issues."

      Of course email / SMS MFA is terrible. This has been known for a long time. But even if they're using TOTP or a hardware device like a Yubikey, there is nothing preventing a customer service agent empowered to make account changes to add the TOTP see
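The exposure this reply describes, an agent empowered to add or replace an MFA method for a fee, is a process risk rather than a cryptographic one, so the defender's controls are logging, correlation and a delay. The following is an added example, not code from the comment and not any vendor's product: it runs a cooling-off check over constructed audit-log records, flagging sensitive actions that follow an agent-initiated MFA change on the same account within a window, and counts flags per agent so a pattern like the one in the article stands out. The field names, the `agent:` actor prefix, the action vocabulary and the 24-hour window are all assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed audit-log records (not real data). An account-management system would emit
# one record per change; `actor` distinguishes the customer from a support agent.
AUDIT_LOG = [
    {"ts": "2025-06-19T14:00:00Z", "account": "acct-A", "actor": "agent:042",
     "action": "mfa_method_added", "detail": "email: newly supplied mailbox"},
    {"ts": "2025-06-19T14:20:00Z", "account": "acct-A", "actor": "customer",
     "action": "password_reset", "detail": "via email code"},
    {"ts": "2025-06-19T14:25:00Z", "account": "acct-A", "actor": "customer",
     "action": "withdrawal", "detail": "new device"},
    {"ts": "2025-06-19T15:00:00Z", "account": "acct-B", "actor": "agent:017",
     "action": "mfa_method_replaced", "detail": "totp re-enrolled"},
    {"ts": "2025-06-21T09:00:00Z", "account": "acct-B", "actor": "customer",
     "action": "withdrawal", "detail": "known device"},   # 42 h later: outside a 24 h window
    {"ts": "2025-06-19T16:00:00Z", "account": "acct-C", "actor": "customer",
     "action": "withdrawal", "detail": "known device"},   # no agent change at all
]

MFA_CHANGES = {"mfa_method_added", "mfa_method_replaced", "mfa_method_removed"}
SENSITIVE = {"password_reset", "withdrawal", "email_changed", "data_export"}


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def flag_post_support_actions(events: List[dict],
                              cooling_off: timedelta = timedelta(hours=24)) -> List[dict]:
    """One alert per sensitive action that follows an agent-made MFA change on the same
    account within `cooling_off`. Run after the fact this is detection; run before the
    action is committed, the same predicate is the enforcement control (hold the action
    and notify the account's pre-existing contact channels until the window ends)."""
    by_account: Dict[str, List[dict]] = {}
    for e in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        by_account.setdefault(e["account"], []).append(e)

    alerts = []
    for account, evs in by_account.items():
        recent_agent_change = None
        for e in evs:
            when = _parse_ts(e["ts"])
            if e["action"] in MFA_CHANGES and e["actor"].startswith("agent:"):
                recent_agent_change = e
            elif e["action"] in SENSITIVE and recent_agent_change is not None:
                since = when - _parse_ts(recent_agent_change["ts"])
                if since <= cooling_off:
                    alerts.append({"account": account, "action": e["action"], "at": e["ts"],
                                   "agent": recent_agent_change["actor"],
                                   "mfa_change_at": recent_agent_change["ts"],
                                   "minutes_after": int(since.total_seconds() // 60)})
    return alerts


def alerts_per_agent(alerts: List[dict]) -> Dict[str, int]:
    """Agents whose MFA changes keep preceding sensitive actions are the ones to review."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["agent"]] = counts.get(a["agent"], 0) + 1
    return counts


if __name__ == "__main__":
    found = flag_post_support_actions(AUDIT_LOG)
    for a in found:
        print(f"{a['account']}: {a['action']} {a['minutes_after']} min after "
              f"{a['agent']} changed MFA at {a['mfa_change_at']}")
    print("per agent:", alerts_per_agent(found))
```

The window length is the policy lever: the same correlation with a longer window catches slower cash-outs at the cost of more noise, which is why a delay enforced on the action itself (as the registered-letter approach later in this thread does for recovery) is usually the stronger control.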

      • If you can just remove or redirect the MFA, it's useless. Not questionably valuable, absolutely useless.
        • So you would rather have a world where you call customer service because you had a problem with your MFA device, and the answer is "too fucking bad, you're locked out of your retirement account forever because there's nothing we can do. Hope you didn't want your hundreds of thousands of dollars!"

          Tell us you've never thought about the customer experience, without telling us you've never thought about the customer experience.

      • One company I worked for handled recoveries where all else fails in a simple way. If all was lost, they would send a registered letter to the person at their stored snail mail address. The letter had a recovery code on it. Yes, it would take days to get there, but registered mail is good enough for security, and would allow someone access to their stuff, even if it means waiting a week for that recovery code.

    • If you can bypass it, it's not an authentication factor.

      Of course it is. It's like saying your password isn't a password because it can be reset and changed by the root account. The authentication remains an authentication factor. Just that no one needs to be authenticated for certain administrative actions to take place.

      You're confusing authentication with a privileged instruction.

      • Take a look at Proton, where if someone resets your password, all the data in the account is effectively screwed, since it's encrypted out of your control. That's how MFA should work, and with Proton it does, if you screw around with the system, the system becomes unusable for you.
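The property this comment attributes to Proton, that a password reset performed without the user's secrets leaves existing data unreadable, follows from keeping the data-encryption key (DEK) wrapped under a key derived from the user's passphrase rather than under anything the operator holds. The block below is an added illustration of that design, not Proton's code or its actual key scheme: the XOR key wrap and the HMAC-based stream cipher are stand-ins for a real key-wrap and AEAD, the passphrases and message are constructed, and it also shows the recovery escape hatch discussed earlier in this thread, where the same DEK is wrapped a second time under a random code the user keeps offline, so recovery is possible without the operator ever being able to do it for them.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

CHECK_LABEL = b"dek-check"


def _kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key derived from a user-held passphrase; the operator never stores it."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap(dek: bytes, passphrase: str) -> dict:
    """Toy key wrap: XOR the DEK with a fresh scrypt-derived KEK (stand-in for AES-KW/AEAD)
    plus an HMAC check so a wrong passphrase is detected instead of yielding garbage."""
    salt = os.urandom(16)
    return {"salt": salt, "wrapped": _xor(dek, _kek(passphrase, salt)),
            "check": hmac.new(dek, CHECK_LABEL, hashlib.sha256).digest()}


def _unwrap(blob: Optional[dict], passphrase: str) -> Optional[bytes]:
    if blob is None:
        return None
    dek = _xor(blob["wrapped"], _kek(passphrase, blob["salt"]))
    tag = hmac.new(dek, CHECK_LABEL, hashlib.sha256).digest()
    return dek if hmac.compare_digest(tag, blob["check"]) else None


def create_account(passphrase: str) -> dict:
    # The server-side record holds only wrapped keys; the plaintext DEK exists only on the client.
    return {"login": _wrap(os.urandom(32), passphrase), "recovery": None}


def unlock(account: dict, passphrase: str) -> Optional[bytes]:
    return _unwrap(account["login"], passphrase)


def add_recovery_code(account: dict, dek: bytes) -> str:
    """User-initiated while the DEK is in hand: wrap the same DEK under a random code kept offline."""
    code = secrets.token_hex(16)
    account["recovery"] = _wrap(dek, code)
    return code


def admin_reset_password(account: dict, new_passphrase: str) -> None:
    """All an operator (or a bribed agent) can do without the user's secrets: install a brand-new
    DEK under the new passphrase. Data encrypted under the old DEK is not reachable this way."""
    account["login"] = _wrap(os.urandom(32), new_passphrase)


def restore_from_recovery(account: dict, code: str, new_passphrase: str) -> bool:
    dek = _unwrap(account["recovery"], code)
    if dek is None:
        return False
    account["login"] = _wrap(dek, new_passphrase)  # old DEK, new passphrase: data readable again
    return True


def _keystream(dek: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(dek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (HMAC counter keystream + HMAC tag) so a wrong DEK is rejected."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, _keystream(dek, nonce, len(plaintext)))
    return nonce + ct + hmac.new(dek, nonce + ct, hashlib.sha256).digest()


def decrypt(dek: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(dek, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return _xor(ct, _keystream(dek, nonce, len(ct)))


def demo() -> dict:
    """Constructed walkthrough: enroll, encrypt, operator-side reset, then user-side recovery."""
    message = b"constructed sample mailbox contents"
    acct = create_account("user passphrase (constructed)")
    dek = unlock(acct, "user passphrase (constructed)")
    code = add_recovery_code(acct, dek)
    note = encrypt(dek, message)
    admin_reset_password(acct, "support-set-this")
    after_reset = decrypt(unlock(acct, "support-set-this"), note)   # None: fresh DEK, old data
    restored = restore_from_recovery(acct, code, "user-chosen-again")
    after_recovery = decrypt(unlock(acct, "user-chosen-again"), note)
    return {"old_key_reads": decrypt(dek, note) == message,
            "after_reset_reads": after_reset,
            "restored": restored,
            "after_recovery_reads": after_recovery == message}


if __name__ == "__main__":
    print(demo())
```

The point of the layout is in `admin_reset_password`: it is the only operation an operator can perform, and it can only install a new key, never recover the old one. Whether that is the right trade-off for a given service is the argument the rest of this thread is having; the scheme simply makes the trade-off explicit.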
