It's not defense in depth, it's defense against a different threat entirely.
You want to have encryption, but I doubt their encryption or lack thereof has anything to do with this attack. Do we even have evidence the data wasn't encrypted?
If someone gets access to a ticketing system they shouldn't have, talking about encryption is about as useful as talking about seatbelts. Important for general safety but irrelevant to the problem at hand.
Yes, that is how I read it as well. Email was just for fun, and the code came by a different channel (of course). The email the scammer sent wouldn't contain a code they can use to take over his account (of course).
On obvious spoofs I see "legal@gmail.com <via scamdude@askjdfaskldfj.net>". I think he means that it didn't indicate the latter. And if gmail phone app didn't fail to display headers he could have looked
Your analogy is different. They bought for X, then when it was stolen it was worth 80k, and at this random time today, it's worth $120k and he's saying he lost $120k.
Value is arbitrary, and only crystallises at liquidation. I have a painting I paid £300 for. Works by that artist are now selling for £10000. Does that make my painting worth £10000? I can send it to be appraised but even if it is valued at £10000 that value could only ever be realised if I send it to auction. If I wait too long the artist may fall out of fashion and the work may be worth less than I paid. The real value is the pleasure it gives me each day when I look at it. Is that worth more or less than £10000?
Be that as it may, it's missing the illogical point the other person raised. If your $300 painting was worth $10k when it got stolen from you, but 7 years later the market value is $1M, you don't say "I was robbed of a million"
> Who knows what hell can be unleashed on one's emotions nowadays with AI
This is key. I would "never" fall for a scam like this. But who knows for sure? I would also never cheat on my partner, but can I say with 100% certainty that some insane situation can't possibly ever come up where my many layered defenses are compromised? Can some sufficiently charismatic individual deliver a perfect AI script to me based on info from 5 other breaches, in my brother's voice, to make me give up a 2fa token in an emergency? Maybe! So just never answer the phone, ever
It's honestly irresponsible to pick up phone calls at this point. Phishers are really good, and every human has some weakness, so you can't guarantee you wouldn't fall for something -- perhaps one day a new vulnerability comes out and your old guidance is no longer perfect. Answering the phone at all is just putting yourself at risk
They should have users receive the code and then submit said code into the application for verification, with clear instructions that this code is produced as a result of a support call, and to confirm you are on an existing call when submitting the code.
Doing so would not force users to divulge codes over the phone, and enable support staff to verify identity all without training users that reading codes over the phone is acceptable.
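A sketch of the flow the two comments above propose, written as an added illustration for this thread rather than code from any vendor: the support console opens a ticket, a short-lived code is delivered to the user's own device, and the user submits it inside the app alongside a screen stating which ticket and which action is being confirmed. The agent only ever sees "confirmed" or "not confirmed", so there is no code to read aloud. The class name, the 300-second TTL, the six-digit format and the ticket/action strings are all assumptions made for the example. Note that it does not defeat the relay described in the next comment: if the caller has convinced the user that the call is genuine, the user can still confirm a ticket the attacker opened.

```python
import hashlib
import hmac
import secrets
import time


class SupportVerification:
    """Constructed example: codes bound to a support ticket, confirmed in-app, never spoken."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock so expiry is testable
        self._pending = {}        # ticket_id -> pending verification record

    @staticmethod
    def _digest(ticket_id, code):
        # Store only a hash so a leaked pending table does not expose live codes.
        return hashlib.sha256(f"{ticket_id}:{code}".encode()).hexdigest()

    def issue(self, ticket_id, user_id, requested_action):
        """Called by the support console when a ticket is opened.

        Returns the code for delivery to the user's own device (push/SMS);
        the agent console never displays it.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[ticket_id] = {
            "user_id": user_id,
            "action": requested_action,
            "code_hash": self._digest(ticket_id, code),
            "expires": self.now() + self.ttl,
            "confirmed": False,
        }
        return code

    def app_prompt(self, ticket_id):
        """Text the in-app screen shows next to the code entry field."""
        record = self._pending.get(ticket_id)
        if record is None:
            return None
        return (f"Support ticket {ticket_id} requests: {record['action']}. "
                "Enter the code only if you are on a call with support right now "
                "and you asked for this action.")

    def confirm_in_app(self, ticket_id, user_id, code):
        """Called by the app; the user types the code, it is never given to the agent."""
        record = self._pending.get(ticket_id)
        if record is None or record["confirmed"]:
            return False                                   # unknown ticket or already used
        if record["user_id"] != user_id or self.now() > record["expires"]:
            return False                                   # wrong account or expired
        if not hmac.compare_digest(record["code_hash"], self._digest(ticket_id, code)):
            return False                                   # wrong code
        record["confirmed"] = True                         # single use
        return True

    def agent_sees_confirmed(self, ticket_id):
        """The only thing the support console learns: whether the user confirmed."""
        record = self._pending.get(ticket_id)
        return bool(record and record["confirmed"])
```

The agent-facing method returns a boolean only; if the console showed the code itself, an agent (or someone impersonating one) could again ask the user to "read it back", which is the habit the comment above wants to avoid training.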
Still not foolproof. Attacker can MITM the connection by initiating their own call to the real support line and relaying instructions between the user and support.
How else are you supposed to do identity verification over the phone?
I think if the war against phishing online has taught us anything, it's that humans can't be trusted to not reveal secrets to scammers. Only machine-to-machine public key authentication (like TLS or WebAuthn or U2F) is truly phish-proof.
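To make concrete why WebAuthn is phish-resistant where a spoken code is not, here is an added example (not from this thread or from any WebAuthn library) of the origin-binding checks a relying party performs on an authentication response. The browser, not the page, writes `origin` into clientDataJSON and only lets the authenticator sign for an rpId that matches the page's domain, so a response produced on a look-alike site carries the wrong origin and the wrong rpIdHash and is rejected. The rpId `example.com`, the look-alike `example-support.net` and the challenge string are constructed for the example. The signature check over `authenticatorData || sha256(clientDataJSON)` that makes these fields tamper-evident is assumed to run after these checks and is not shown.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                      # constructed relying-party id
EXPECTED_ORIGIN = "https://example.com"    # the only origin the RP accepts


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used by WebAuthn."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                             expected_challenge: str):
    """Return (ok, reason) for the binding checks of a WebAuthn 'get' ceremony.

    These are the checks that make a credential unusable from a phishing page:
    the challenge ties the response to this login attempt, the origin ties it to
    the site the browser was actually on, and rpIdHash ties it to the rpId the
    credential was registered for.
    """
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not the RP origin"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:                # UP flag: user was present
        return False, "user presence flag not set"
    return True, "ok"


# Constructed helpers standing in for what a browser and authenticator produce.
def make_client_data(origin: str, challenge: str) -> str:
    body = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    return base64.urlsafe_b64encode(body.encode()).decode().rstrip("=")


def make_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 0) -> bytes:
    # Layout: rpIdHash (32) || flags (1) || signCount (4 big-endian)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


if __name__ == "__main__":
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"
    genuine = make_client_data(EXPECTED_ORIGIN, challenge)
    spoofed = make_client_data("https://example-support.net", challenge)
    print(verify_assertion_binding(genuine, make_authenticator_data(RP_ID), challenge))
    print(verify_assertion_binding(spoofed, make_authenticator_data("example-support.net"), challenge))
```

The contrast with a spoken code is the point: a user on the wrong site cannot "hand over" a WebAuthn assertion that works on the right one, because the browser fills in the origin and the authenticator scopes the signature to the rpId, neither of which the user (or a persuasive caller) can change.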