- cross-posted to:
- gaming
I often buy these for myself, as my workplace gives me a “bonus” credit card that can only be used at shops in the region.
That sounds like Ye Olde company scrip
Heh, kinda, but it’s basically just a way to save taxes. The 50€ I get on there each month are legally considered “non-cash benefits”, which aren’t taxed.
I just use Steam gift cards because if my account ever gets compromised it won’t have a credit card attached. I recently had a friend get his account locked out, and he got an email saying “your Steam account has been locked, please contact our support to recover.” It was a link to a Discord account, and my friend was super tired from work and wasn’t thinking right and told them his security questions TO A “STEAM SUPPORT” on Discord. He DM’d me and I just finished work and he told me about his new 3060 and I said we should game later. Then he told me about the Discord Steam support, I googled if Steam uses Discord and, big surprise, it was a scam. I sent him a link to the Steam form and he went “oh fuck” and realized his Steam account just got stolen. He eventually got it back but lost $40 that was in his Steam account :/
Stay safe out there and don’t open spooky emails.
he didn’t have 2FA on his account?
On many systems, the weakest link is that it needs to accommodate a ‘lost my x’, e.g. MFA, password, etc.
Systems often have a way to get in by resetting them by validating through more factors but often weaker ones, “not phishing resistant” factors like security questions. That way the account can get it removed or a new one put on.
MFA isn’t a silver bullet, it is another layer of Swiss cheese, most people will think twice about giving it away on a chat app. But there’s a reason IT departments sign you up for those phishing simulation and training videos.
But you could still be right in this case, I just wanted to note broadly speaking you can’t assume perfect security is achieved with MFA. You still need to be constantly vigilant.
not saying it’s perfect, but would have protected him in this specific case. the weakest link is always the human element, and the layers of protection are there to limit what hackers need in order to gain full access.
Although that might be true, the moment the ‘friend’ gave away his account recovery answers to the phisher I think he would have been compromised either way. It was likely that the phisher was in real time actioning an account recovery, and using the friend as the proxy to give answers to the prompts. Plus since it’s already second hand info we can’t tell, but if the phisher simply asked ‘can you read me the code on your authenticator’ or ‘press approve and you’ll complete the recovery process’, it would have been successful.
In investigating account breaches I’ve found most people shamefully don’t retell the whole story; they’re embarrassed and upset and fearing loss of employment. They kind of shut down. In this case, social status or opinion could be harmed so it would be hard to trust the story is complete. Generally my logs come from Entra ID and you can see the authentication came from the mobile device even though it was a prompt generated by the phisher.
Anyway I’m a big advocate for layers of security and you’re completely right in your stance. Technology is fragile to exactly what you said. We live in a world of incomplete information using trust and judgement under time pressure and poor sleep. Phishing attacks are ruthlessly designed to target that weakness in people. I’m empathetic when it is successful.
No, he now does because of this incident.