An Atavistic Freak Out, Episode One
by Leon Manna
The following story is a work of fiction.
And today, the outworn chase of money continues.
2FA. My dearest friend and my greatest enemy. One of the biggest ways of telling hackers to get lost. There's one way to get around it, which is to somehow get a copy of the victim's SIM card by tricking the carrier into giving it to you. This doesn't really work anymore. I could cut an employee a nice check to Sawtooth National Bank. They won't ask for ID there.
No.
I had weaseled my way into an email and was looking through it. Mostly nothing of interest, except for a mobile bank. I tried to reset the password and it asked me for a method of verification. Classic two-factor authentication. The only option was a partially blocked-out phone number. I realized that this was going to be an obstacle. First, I switched back over to the email and deleted any recent emails from the mobile bank, to avoid tipping off the owner of the account.
So I figured instead of doing a SIM swap, I'd run a ruse on the mobile bank.
I opened the customer support section and began filling out a request to change the phone number associated with the account. It asked for a bunch of information but, thankfully for me, the person who owned this email had made a fatal mistake.
They kept their tax returns in their email in a PDF. This is a terrible, terrible decision because your entire identity is in that PDF. Almost everything anyone needs to know about you in order to become you can be found in your tax returns. And when you keep them in your email, you run the risk of getting your identity stolen.
So I filled out the request with all of their information, and then in the description section for the support team to read, I spun up some crazy lie that involved me begging them to change the phone number to the account. I think some random comment about me just starting college and really needing the money in the account got a bit of sympathy from whoever read the request, because after I hit submit, about 30 minutes later I got an email back. It was a link to change the number associated with the account.
I clicked it and it asked for a new number. For a second I figured I was f*cked. I wasn't about to use my personal phone number. If I did, I might as well just turn myself in. So I used a Chinese SMS/VoIP number and typed it in. The website accepted the number.
Oh look at that, it worked.
On my burner phone, I opened up the money transfer app and signed in with the phone number now associated with the account. I typed the password in and the rest of what happened is none of your f*cking business.
I thought about it. I had snatched quite a bit of money with some shit I found on a tax form and some OSINT searches, all of which was obtained through a poorly secured email with insufficient use of 2FA, and I'm 100 percent sure in my mind that we can do better than this. The state of computer science, information technology, cybersecurity, and any other term you want to use must be further along than this, right?
How can somebody make a mistake like keeping documents that have their identity on them? They fell victim to the monster Venus flytrap that eats anything that comes by it. The great machine has failed them and will now make things right by refunding whatever money was taken. That's the thing about this - nobody really loses.
When the amount of money fraudulently obtained (or the value of the item) is under a certain amount, the police will not pursue it. The money will simply be refunded to whomever it got stolen from, the account will get closed, and everyone moves on. The great machine might fail you, but it will also take care of you.
I stayed awake in my apartment for a while. They couldn't have actually fucked up big enough to allow me to do this, right?
But apparently they did. And the outworn chase of money continues.