For your consideration: Hackers are stealing 2FA codes with terrifyingly effective voice bots

Yet I can screenshot it. If I can take a screenshot, I can OCR that.

And so what? Just because a robot voice is used doesn't mean a human can't be used to read the screen and punch a code into a script.
 
@nlinecomputers

I am not going to argue your points. My intent was only to make clear how I understood the prior comment. A Captcha need not be obscured, and while what you say is possible, given the transient nature of what's being discussed it's improbable as far as OCR-ing.

I am in complete agreement that you can just as easily convince someone to do what you assert. Hence my constant beating of the drum that, in the end, there is no way to "tech" ourselves out of the issues at hand and that, very often, the proposed solutions are classic examples of the law of unintended results.

If we can't teach most people (we'll never teach all of 'em) the very basics of computer security then it doesn't matter how many "doors and locks" get put into place. And you can and do encourage a number of people to engage in "door propping" behaviors, where available, by trying to make things too secure for their liking. That's one reason the whole "use long passwords of random character sequences" never, ever had a chance of taking off. People need to be able to access things where and when that need arises, and that means remembering their password "in wetware" to the greatest extent possible. It's a cinch to create long, yet memorable to the individual, passwords that are not at all easily cracked by anyone else. But that's not really my central point, either. You just can't get around the core issue with technology.
 
What CAPTCHA?
@britechguy is correct. CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.

The garbled text you've seen, the pattern matching, the image matching, these are all different methods but not the ONLY methods. Yes, that screen is CAPTCHA integrated, but this time designed to be invisible to the human eye but quite the problem for the machine's eye.

I'm sure there's a programmatic way around it, and when someone finds it the heuristics flag it, identify it and then the system is changed. Microsoft has done this several times in the last year alone.

Heck, it wasn't 6 months ago that, when you used phone sign-in, it would present 3 numbers as choices on the mobile device to be matched, and then you'd click accept. The process changed to require the user to type in the two-digit code because the former process had a 1/3 chance of authorizing a login on a random button push. Which... well... people actually DID!

Microsoft and Google both have the telemetry to keep an eye on these processes. They make changes on the fly to protect users from themselves, the system has built in adaptation. So again while all of the above isn't perfect, it's as good as reasonably can be built with the technology we have. But more importantly, it WORKS! The risk of digital impersonation while these technologies are deployed is reduced by 99%.
 
Mind you I agree with you both.

The key takeaway is: if anyone/anything calls you about your account, HANG UP! Then log in to your account and check things.
 
The key takeaway is: if anyone/anything calls you about your account, HANG UP!

I'd even go beyond that. Regardless of what it is we're talking about, if you (the generic you) did not initiate the contact, and you were also not expecting any contact, then hang up. Most of the "you've got a virus on your computer, give me remote access" ransomware scams would be stopped dead by this.

It's simple: Only answer anything if it is you that initiated the contact and to an entity that you know well and know you have the correct contact information for.
 
I train users to hang up and call me, I find it more effective than "just hang up."

Though it can get REALLY annoying sometimes.
 