• Steamymoomilk · 9 months ago · 7 upvotes, 1 downvote

    I just use Steam gift cards because if my account ever gets compromised it won't have a credit card attached. I recently had a friend get his account locked out and got an email saying "your Steam account has been locked, please contact our support to recover." It was a link to a Discord account, and my friend was super tired from work and wasn't thinking right and told them his security questions TO A "STEAM SUPPORT" on Discord. He DM'd me and I had just finished work, and he told me about his new 3060 and I said we should game later. Then he told me about the Discord Steam support; I googled if Steam uses Discord and, big surprise, it was a scam. I sent him a link to the Steam form and he went "oh fuck" and realized his Steam account had just been stolen. He eventually got it back but lost $40 that was in his Steam account :/

    Stay safe out there and don't open spooky emails.

      • biscuitswalrus@aussie.zone · 9 months ago · 3 upvotes

        On many systems, the weakest link is that it needs to accommodate a "lost my X" case, e.g. MFA, password, etc.

        Systems often have a way to get in by resetting them, validating through more factors but often weaker ones, "not phishing resistant" factors like security questions. That way the account can have it removed or a new one put on.

        MFA isn't a silver bullet; it is another layer of Swiss cheese. Most people will think twice about giving it away on a chat app. But there's a reason IT departments sign you up for those phishing simulations and training videos.

        But you could still be right in this case. I just wanted to note that, broadly speaking, you can't assume perfect security is achieved with MFA. You still need to be constantly vigilant.

        • Dudewitbow@lemmy.zip · 9 months ago · 1 upvote

          Not saying it's perfect, but it would have protected him in this specific case. The weakest link is always the human element, and the layers of protection are there to limit what hackers need in order to gain full access.

          • biscuitswalrus@aussie.zone · 9 months ago · 1 upvote

            Although that might be true, the moment the "friend" gave away his account recovery answers to the phisher, I think he would have been compromised either way. It was likely that the phisher was actioning an account recovery in real time, using the friend as the proxy to give answers to the prompts. Plus, since it's already second-hand info we can't tell, but if the phisher had simply asked "can you read me the code on your authenticator" or "press approve and you'll complete the recovery process", it would have been successful.

            In investigating account breaches I've found most people shamefully don't retell the whole story; they're embarrassed and upset and fearing loss of employment. They kind of shut down. In this case, social status or opinion could be harmed, so it would be hard to trust the story is complete. Generally my logs come from Entra ID, and you can see the authentication came from the mobile device even though it was a prompt generated by the phisher.

            Anyway I’m a big advocate for layers of security and you’re completely right in your stance. Technology is fragile to exactly what you said. We live in a world of incomplete information using trust and judgement under time pressure and poor sleep. Phishing attacks are ruthlessly designed to target that weakness in people. I’m empathetic when it is successful.
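
The pattern described in the comment above, a sign-in initiated by the phisher but approved from the victim's own registered MFA device, is something a defender can look for in sign-in logs. The following is an added example, not code from any commenter, Steam, or Microsoft Entra ID: it uses a constructed, simplified log format (user, time, source IP, approving MFA device, result) rather than the real Entra ID schema, and a constructed baseline of networks each user normally signs in from. It flags successful MFA-satisfied sign-ins where the approving device belongs to the user but the request itself came from a network the user has never used, which is exactly the mismatch the comment says shows up in the logs.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SignIn:
    """One sign-in record from the constructed log format used below."""
    user: str
    ts: datetime
    src_ip: str                 # network address the login request came from
    mfa_device: Optional[str]   # registered device that approved the prompt, None if no MFA
    result: str                 # "success" or "failure"


# Constructed baseline (hypothetical data, not a real directory export):
# networks each user normally signs in from, and their registered MFA devices.
BASELINE_NETS = {
    "alice": [ip_network("203.0.113.0/24")],
    "bob": [ip_network("198.51.100.0/24")],
}
REGISTERED_DEVICES = {
    "alice": {"alice-phone"},
    "bob": {"bob-phone"},
}


def parse_line(line: str) -> SignIn:
    """Parse one constructed log line: user,iso-time,src_ip,mfa_device|-,result"""
    user, ts, ip, dev, result = line.strip().split(",")
    return SignIn(user, datetime.fromisoformat(ts), ip, None if dev == "-" else dev, result)


def from_known_network(user: str, ip: str) -> bool:
    """True if the source address falls inside one of the user's baseline networks."""
    addr = ip_address(ip)
    return any(addr in net for net in BASELINE_NETS.get(user, []))


def flag_relayed_mfa(events: List[SignIn]) -> List[Tuple[str, str, str]]:
    """Return (user, src_ip, device) for sign-ins that look like a relayed MFA prompt.

    Rule: the sign-in succeeded with MFA, the approving device really is one of the
    user's registered devices (so a device-based check alone would pass), yet the
    request originated from a network the user has never signed in from. That
    combination is consistent with an attacker driving the login while the victim
    approves the push or reads back the code.
    """
    flagged = []
    for e in events:
        if e.result != "success" or e.mfa_device is None:
            continue  # failures and single-factor logins are handled by other rules
        device_is_users = e.mfa_device in REGISTERED_DEVICES.get(e.user, set())
        if device_is_users and not from_known_network(e.user, e.src_ip):
            flagged.append((e.user, e.src_ip, e.mfa_device))
    return flagged


# Constructed sample log: alice's normal morning login, then an afternoon login from
# an unfamiliar address that fails once without MFA and then succeeds with her phone.
SAMPLE_LOG = [
    "alice,2024-05-01T09:00:00,203.0.113.10,alice-phone,success",
    "alice,2024-05-01T13:01:00,192.0.2.77,-,failure",
    "alice,2024-05-01T13:02:00,192.0.2.77,alice-phone,success",
    "bob,2024-05-01T10:00:00,198.51.100.4,bob-phone,success",
]


def run(lines: List[str] = SAMPLE_LOG) -> List[Tuple[str, str, str]]:
    """Parse the log lines and return the flagged sign-ins."""
    return flag_relayed_mfa([parse_line(line) for line in lines])


if __name__ == "__main__":
    for user, ip, device in run():
        print(f"ALERT: {user} approved MFA on {device} for a login from unfamiliar source {ip}")
```

The design choice worth noting is that the rule does not treat the MFA device as the signal; the device is legitimately the victim's, so a check of "was the prompt approved on a registered device" passes and proves nothing. The anomaly is the combination of a trusted approval with an untrusted origin, which is why the baseline of source networks carries the detection. In a real environment the baseline would be learned from historical sign-ins rather than hard-coded, and the alert would typically be paired with a recovery-flow audit for the same account.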