
The secret challenge exists, and it is the phone number / email address / VC account of the CFO. If the CFO wants to order EMPLOYEE to send money, then EMPLOYEE should only do the action after making an outgoing call to the CFO.


100% agree. "Hang Up, Look Up, Call Back" should be made into a jingle and absolutely hammered into the culture of, at this point, literally everyone (given all the scams that occur targeted both toward consumers and employees): https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-lo...


The scammers make up some “plausible” reason that the CEO can’t talk on the phone.


Where it hurts is that it can be a PITA to get hold of the CFO from the mere employee side, especially as the CFO was UK-based.

Basically, it was a well-thought-out and well-executed scam that perfectly fit the employee's situation.


The CFO was on the call. You just say "cool, I'm sending a 4-digit code to your mobile phone, read it back to me".


The CFO already separately sent him a message before the call, and I wonder if they'd get access to the CFO's number in a central directory (leaving aside the fact that you're asking to message them while they're live "in front" of you).

If the CFO gave a number on the call, it wouldn't be much of a check either.

I think the real improvement would be to have the CFO file a ticket, but obviously that company was used to playing it fast and loose.
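The check the thread is circling (send a one-time code to the approver's mobile and have them read it back on the call, with the number taken from a central directory rather than from anyone on the call) is small enough to show in full. The following is an added example, not code from the thread or from any company's payment system; the directory, the placeholder number and the fake handset are constructed for the demo, and the real SMS gateway is assumed to be a `send(number, text)` callable.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass

# Constructed directory of approvers -> verified mobile numbers. In a real deployment
# this is the HR/identity system of record. The number is a placeholder, not a contact.
DIRECTORY = {"cfo": "+44 20 0000 0000"}

CODE_DIGITS = 6          # 4 digits survives 3 guesses with p ~ 0.0003; 6 costs nothing extra
CODE_TTL_SECONDS = 120   # the code has to be read back during the same call
MAX_ATTEMPTS = 3         # a real approver reads it correctly first time; this caps guessing


@dataclass
class Challenge:
    code: str
    sent_to: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OutOfBandVerifier:
    """Sends a one-time code to the approver's directory number and checks what is
    read back on the call. The call itself is untrusted: it never supplies the
    destination number or the code."""

    def __init__(self, directory, send_sms, clock=time.time):
        self._directory = directory
        self._send_sms = send_sms      # assumed gateway interface: send_sms(number, text)
        self._clock = clock
        self._pending = {}

    def issue(self, approver_id):
        # Destination comes only from the directory. An unknown approver is an error,
        # not an invitation to ask the person on the call for a number.
        number = self._directory[approver_id]
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[approver_id] = Challenge(code, number, self._clock())
        self._send_sms(number, f"Payment approval code {code}. Read it to the requester "
                               "only if you are on that call right now.")
        return number

    def verify(self, approver_id, spoken_code):
        ch = self._pending.get(approver_id)
        if ch is None or ch.used:
            return False
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._pending[approver_id]
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._pending[approver_id]
            return False
        ok = hmac.compare_digest(ch.code.encode(), spoken_code.strip().encode())
        if ok:
            ch.used = True   # single use: a replayed code fails
        return ok


class FakePhone:
    """Stand-in for the approver's handset: records what the gateway delivered."""

    def __init__(self):
        self.inbox = []

    def send(self, number, text):
        self.inbox.append((number, text))

    def last_code(self):
        return re.search(r"\b(\d{%d})\b" % CODE_DIGITS, self.inbox[-1][1]).group(1)


def run_demo():
    now = [1_000_000.0]
    phone = FakePhone()
    v = OutOfBandVerifier(DIRECTORY, phone.send, clock=lambda: now[0])
    results = {}

    # 1. Genuine approver: code goes to the directory number and is read back correctly.
    sent_to = v.issue("cfo")
    results["sent_to_directory_number"] = sent_to == DIRECTORY["cfo"]
    results["genuine_readback"] = v.verify("cfo", phone.last_code())
    # 2. Replay of the same code is rejected.
    results["replay_rejected"] = not v.verify("cfo", phone.last_code())
    # 3. Impostor on the call never received the SMS: guesses fail and lock the challenge.
    v.issue("cfo")
    real = phone.last_code()
    wrong = str((int(real[0]) + 1) % 10) + real[1:]   # guaranteed to differ from real
    guesses = [v.verify("cfo", wrong) for _ in range(MAX_ATTEMPTS + 1)]
    results["guesses_rejected"] = not any(guesses)
    results["locked_after_guesses"] = not v.verify("cfo", real)
    # 4. Stale code: the call drags on past the TTL before the code is read back.
    v.issue("cfo")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not v.verify("cfo", phone.last_code())
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that nothing said on the call feeds into where the code goes or what the code is; the caller can only read something back. As the thread also notes, this proves possession of the directory number's SIM at that moment and nothing more, so an attacker who SIM-swapped the CFO in advance passes it, which is why a ticket or a separate callback channel still belongs alongside it.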


With $25 million on the line, I'd argue that the company could afford an airline ticket to fly to the UK and back to verify in person.


They might be able to afford the ticket price, but not the time it takes to fly to the UK. Some things are time-sensitive.


It would detect number spoofing. Spoofing is easy, hacking phones is hard(er).


> it can be a PITA to get hold of the CFO from the mere employee side

I'm guessing that someone who can authorize a $25M transaction is fairly high up in the corporate hierarchy, not that many levels away from the CFO.


For a finance worker, I actually wonder how much it means to transfer $25M.

I have no idea, but I suppose moving funds from one subsidiary to another, for instance, wouldn't be for a few thousand only, and he's seeing money fly around day in, day out. Would it feel the same as an infra engineer rebalancing a few million accesses from one cluster to another?


I don't know enough about this, but would it be possible for the scammers to hijack this via SIM swapping?

That is, the scammer manages to get hold of the SIM card / phone number of the CFO, and is on the receiving end if/when a worker calls the CFO up.

The weakest link would probably be to compromise some telecom worker, so that this can be orchestrated.


Make a twist and call my wife, not me.


This will work, until some determined actor SIM-swaps the CFO in advance.



