How to lose a fortune with one bad click
Phone calls, trust, and verification
- Many argue that any unsolicited call or email demanding urgent action should be treated as hostile: hang up, look up the organization's number yourself (from a card, statement or the official site, never from the call or message itself), and call back (“hang up, look up, call back”).
- Others note banks, telcos, and healthcare providers routinely behave like scammers (calling from unknown numbers, asking for SSN/DOB, sending links), which normalizes risky patterns.
- Disagreement on how often banks legitimately block or freeze accounts after customers refuse to cooperate on such calls; some say it happens, others are skeptical.
- STIR/SHAKEN and carrier “scam likely” flags help somewhat, but coverage is incomplete (calls entering through non-participating carriers or legacy non-IP network segments arrive with little or no attestation), so caller ID can still be spoofed and should never be treated as authentication; SS7-level attacks and carrier network compromises are mentioned as deeper risks.
Google Authenticator, cloud sync, and 2FA philosophy
- Strong criticism of Google Authenticator’s cloud backup: once TOTP seeds are synced to the Google account, anyone who compromises that account (or Google’s backend) holds the seeds, and a seed produces every future code, not just the one on screen.
- Some report bugs where disabling sync corrupted codes; others confirm you can turn off sync but debate whether Google truly deletes seeds.
- Broader debate: backing up/syncing TOTP undermines “something you have,” turning 2FA into “phishing with extra steps,” but without it many users lose access and support becomes impossible.
- Alternatives discussed: other authenticator apps, password managers with TOTP, hardware tokens (WebAuthn/FIDO2, YubiKeys), and their usability vs. security tradeoffs.
Crypto custody and irreversibility
- Thread emphasizes that crypto’s irreversibility and lack of institutional recourse make these scams uniquely destructive compared to bank accounts.
- Storing seed phrases in cloud photos or screenshots is widely condemned; suggestions include offline physical storage, hardware wallets, multisig, and separating “hot” vs. “cold” wallets.
- Counterpoint: robust self-custody procedures (titanium plates, safes, multisig, inheritance planning) are complex and fragile for ordinary users; losing or damaging physical backups is also a risk.
- Several see crypto as effectively “speedrunning” why financial regulations and chargebacks exist; others argue banks and cash are still dominant tools for money laundering.
Google support, impersonation, and UX issues
- Many find it inherently implausible that “Google support” would proactively call a free user, which is itself a useful red flag.
- Complaints about big-tech customer service: opaque processes, reliance on volunteer “product experts,” and lack of reliable, human recovery channels.
- Some suggest Google and similar firms should publish definitive “we never call you about X” messaging and SEO it, or simply provide real, paid support.
Prompts, MFA bombing, and security UX
- Concern that Google’s one-tap “Yes/No” device prompts are too easy to fat‑finger or approve under pressure; an attacker who already has the password can trigger prompts repeatedly until one is approved (MFA bombing, also called push fatigue).
- Comparison to systems that require entering or matching a code on the second device (number matching), which are slightly slower but more resistant to social engineering and accidents, because nothing on the phone can approve a session the user cannot see.
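To show the difference between the two prompt designs under an MFA-bombing attack, here is an added simulation (mine, not code from the thread or from Google; the classes, the two-digit challenge and the attack parameters are all constructed). Both prompt models share the same queue of pending sign-ins; the only difference is what the phone needs from the user.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class LoginAttempt:
    """One pending sign-in. `challenge` is the two-digit number the login page shows."""
    attempt_id: int
    challenge: str
    approved: bool = False


def new_attempt(attempt_id: int, challenge: Optional[str] = None) -> LoginAttempt:
    """Server side: each sign-in gets a fresh random challenge (a fixed value is only for tests)."""
    if challenge is None:
        challenge = f"{secrets.randbelow(100):02d}"
    return LoginAttempt(attempt_id, challenge)


class YesNoPrompt:
    """Model of a one-tap prompt: tapping Yes approves whichever attempt is at the head of the queue."""
    def __init__(self) -> None:
        self.queue: list = []

    def push(self, attempt: LoginAttempt) -> None:
        self.queue.append(attempt)

    def tap_yes(self) -> LoginAttempt:
        # Nothing on the phone ties this tap to the session the user actually started.
        attempt = self.queue.pop(0)
        attempt.approved = True
        return attempt


class NumberMatchPrompt:
    """Model of number matching: the phone asks for the number shown on the login page."""
    def __init__(self) -> None:
        self.queue: list = []

    def push(self, attempt: LoginAttempt) -> None:
        self.queue.append(attempt)

    def submit(self, entered: str) -> LoginAttempt:
        attempt = self.queue.pop(0)
        # Only someone looking at *this* attempt's login page knows the challenge.
        attempt.approved = hmac.compare_digest(entered, attempt.challenge)
        return attempt


def bombing_yes_no(pushes: int = 20) -> bool:
    """Attacker with the password triggers many prompts; the worn-down user taps Yes once."""
    prompt = YesNoPrompt()
    for i in range(pushes):
        prompt.push(new_attempt(i))
    return prompt.tap_yes().approved          # True: the attacker's session is signed in


def bombing_number_match(attacker_challenge: str, user_entered: str, pushes: int = 20) -> bool:
    """Same attack against number matching. The prompt the user answers belongs to the attacker's
    attempt; the user is not on any login page, so `user_entered` is whatever they type to make
    it stop (or a fat-finger), not a number they read off a screen."""
    prompt = NumberMatchPrompt()
    prompt.push(new_attempt(0, attacker_challenge))     # the attempt the user's answer lands on
    for i in range(1, pushes):
        prompt.push(new_attempt(i))                     # the rest of the bombing noise
    return prompt.submit(user_entered).approved


def legitimate_number_match(challenge: str = "47") -> bool:
    """Normal flow: the user starts the login, reads the number off their own screen, types it."""
    prompt = NumberMatchPrompt()
    prompt.push(new_attempt(0, challenge))
    return prompt.submit(challenge).approved


def guess_success_rate(user_entered: str = "00") -> float:
    """Chance that a blind entry matches a uniformly random two-digit challenge: 1 in 100 per prompt."""
    hits = sum(bombing_number_match(f"{c:02d}", user_entered, pushes=1) for c in range(100))
    return hits / 100


if __name__ == "__main__":
    print("yes/no bombing succeeds:", bombing_yes_no())
    print("number-match bombing with a blind guess:", bombing_number_match("47", "13"))
    print("blind-guess success rate:", guess_success_rate())
```

The caveat the simulation also makes visible: `bombing_number_match("47", "47")` still returns True. Number matching defeats fatigue and fat-fingers, but not a real-time phishing page that shows the victim the attacker's challenge and asks them to type it, which is why the thread's hardware-token (FIDO2) option remains the stronger answer to social engineering.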
DMCA and abuse
- Example raised where a scammer allegedly used a bogus copyright claim to get an incriminating recording removed, illustrating how DMCA-style systems can be abused to erase evidence.