zlacker

[parent] [thread] 10 comments
1. gabere+(OP)[view] [source] 2023-07-20 00:46:53
He used the CEO’s voice to access AN account, I don’t think it was the CEO’s specifically. But just an account, verified by the CEO’s voice, to his.
replies(1): >>jhugo+pC
2. jhugo+pC[view] [source] 2023-07-20 08:05:53
>>gabere+(OP)
I doubt the bank’s authentication system is built to allow the CEO’s voice to authenticate a transfer out of any account
replies(4): >>detour+PR >>gabere+aW >>noblea+WX >>LawTal+4I2
◧◩
3. detour+PR[view] [source] [discussion] 2023-07-20 11:05:10
>>jhugo+pC
At Schwab my voice is my password. Is how Schwab authenticates me by voice. That demonstrates to me schwab knows they need a voice passphrase that wouldn't be used in passing or without raising suspicion.
replies(1): >>noSync+wU
◧◩◪
4. noSync+wU[view] [source] [discussion] 2023-07-20 11:33:06
>>detour+PR
This comment is very hard to parse, but after reading it, I feel a general sense of relief that I'll never use Schwab.
replies(2): >>detour+pX >>larntz+861
◧◩
5. gabere+aW[view] [source] [discussion] 2023-07-20 11:48:39
>>jhugo+pC
This was a long time ago. It was a small bank. I also heard it through the grape vine and not from him himself. I could definitely be wrong but this is what was told to me by someone who was there.
◧◩◪◨
6. detour+pX[view] [source] [discussion] 2023-07-20 11:58:49
>>noSync+wU
After over 30 years of perfect service. Schwab has done something so egregious that I’m leaving them. They used to be the best bank I ever used.

Finally I’m know that passphrase is tied to my phone number. Its not perfect but it is as good as any other consumer banks system.

I don’t recommend Schwab but my accounts are as secure as any.

◧◩
7. noblea+WX[view] [source] [discussion] 2023-07-20 12:03:34
>>jhugo+pC
I doubt it as well. Back in the day, I worked for an elected official who insisted on being a Domain Admin in our Active Directory tree. My co-worker and I used to joke, "think he wants to be a Schema Admin too?"
◧◩◪◨
8. larntz+861[view] [source] [discussion] 2023-07-20 12:59:59
>>noSync+wU
At first I thought this was a reference to the movie Sneakers (https://www.youtube.com/watch?v=-zVgWpVXb64), but after searching it seems Wells Fargo also does this, https://www.wellsfargo.com/privacy-security/voice-verificati....
replies(1): >>detour+L91
◧◩◪◨⬒
9. detour+L91[view] [source] [discussion] 2023-07-20 13:20:34
>>larntz+861
I just thought it was an interesting contrast to the bank executive story. Which demonstrated how the passphrase may have evolved and that moving money is done by voice authentication today.

Using just ones voice is bad. Using a phrase is better. Using a phrase that is unique and describes its function may set-off alarm bells for some.

I never connected the phrase with Sneakers.

◧◩
10. LawTal+4I2[view] [source] [discussion] 2023-07-20 20:07:52
>>jhugo+pC
When you do pen testing you're given a limited list of valid targets.

I imagine that the mission parameters were that he take a check and remove money from the account.

It would also make sense that this is the CEO's account, or one he also controls, because he's in on the test and can give informed consent. Also, probably the CEO doesn't have any special access so breaking into his identity wouldn't impact the bank the way breaking into the IT manager's account might.

If this was a fake account (one with no real user) then they wouldn't have discovered this flaw because Mitnick couldn't have called the user. Having a real person be exploitable is essential to proper discovery of the full scope of the problems.

replies(1): >>gabere+ob3
◧◩◪
11. gabere+ob3[view] [source] [discussion] 2023-07-20 22:49:41
>>LawTal+4I2
This is probably closer to the truth. That it was a test all along.
[go to top]