/biz/ - Business & Finance

I got 2FA so who kares

>>12020251
Thanks for the help OP! Stay safe frens!

>>12020271
2FA wont stop a MiTM attack

would a vpn help?

>>12020285
Will it stop me from having sex with your mother

>>12020297
No, they have set up fake base stations. The connection would be your phone -> their device -> the vpn

What if I use my houses Wifi on my phone to make the trades?

>>12020309
Definitely not.

Funds are safu

>>12020320
That is safe. Basically their devices imitate cell phone towers, similar to FEDs and LEOs using Stingrays.

>>12020285
Yes it will you retard. How can they get to your second factor, like email or phone, if they are impersonating the exchange and don't know the email or the phone number in the first place?
If you got scammed because you don’t have 2FA, it doesn’t mean others will too.

>>12020356
They aren't impersonating the exchange. Read my previous posts. They can intercept your texts, email accounts you log into, the hash for your 2FA authentication, and/or your browser session.

>>12020375
>they can intercept your texts
Stopped reading there. Are you brain dead? Do you know how difficult is what you’re talking about? And by that I mean literally not true?
Also, what are certificates? Jesus these brainlets know nothing about routing security and cryptography.
Just stop. 2FA is enough.

>>12020311
A VPN encrypts the data though. How would the imposter device read vpn traffic?

>>12020469
CISSP, Gsec and and old af Sec+
Funny you call me a retard but think RSA/GA hashes and SMS is safe from MiTM. Fucking idiot. Even a brainlet can google this basic fact.

>>12020251
>not using Authenticator
not gonna make it

>>12020490
Because they have live access to your session. It doesnt matter if your traffic is encrypted, they aren't "reading" your traffic. They are duplicating and controlling your session.

>>12020490
Reverse TCP/ICMP shell doesnt care about your encryption.

>>12020251
you're a skid and I can smell it

>>12020528
Skiddie from wayback. Built black boxes and prank called other countries when I was young.

you can't MiTM on iOS. you'll have to somehow get the user to trust a rando certificate unless you rooted their phone already (or have a 0-day).

maybe on shitdroid it's possible, I don't know.

>>12020546
>You cant mitm on iOS
I'm here trying to help you faggots, probably better not to spout bullshit you know 0 about. Yes, iOS is susceptible to Stingray/fake base station attacks.

>>12020251
that would require getting a valid ssl certificate for exchange addresses.

Thanks for the warning, desu! Hopefully some anyone's have the common sense to listen. So this isn't just for trading, but even for logging in to check balances too, right?

>>12020541
hey, how's metasploit working for you

you fucking skiiiiiiiid

the future of money

>>12020577
Correct. DONT LOG IN on your phone. Afaik they aren't targeting banking credentials, this crew is specifically targeting crypto.
>>12020575
... no it does not. What is reverse TCP shell and how does it work?

>>12020592
I like Armitage because I need a GUI. ;)

Thanks OP. Now how do we set one of these base stations up to get teh n00dz. Do i just go into starbucks and name my hotspot Starbucks_public

>>12020595
>reverse TCP shell and how does it work?
he said it again

oh nonono. Gonna wait for another post.
>>12020612
HAHAHAH

>>12020563
Hey, thank you from a fellow paranoid non-retard.

To the retards doubting: What would ITSECanon's evil agenda be here? To get you to be safer? He's not shilling anything, just think about it.

>>12020592
realistically, who has the time to be anything else nowadays

>>12020595
holy shit stop embarrassing yourself.
Your story would make some sense if there was an exploit that allows hacking android with a fake base station, but you don't even know enough about how this all works to larp plausibly
'session jack' lmao

>>12020613
Bro, firesheep lmao

>>12020615
Finally, someone who gets me. <3

>>12020640
It's an exploit of the AKA protocol, as previously stated. Fuck. Why do I bother replying to you guys. White hat just trying to help you normies.

>>12020251
Relevant info Anon, thanks

Who would trade crypto on public wifi...period...?

>>12020697
>public wifi
Ok you guys are really dragging me down now. Read my previous posts.

>>12020681
it's irrelevant you dumb larper, the whole point of ssl is to ensure trusted and private (encrypted) communications over insecure medium.
Man in the middle attack only works for non-encrypted sites, or requires a valid certificate for a target site.

>>12020563
Technically stingrays only work on 3G networks. There are 4g equivalents. Honestly all you would need is an improvised IMSI catcher and you could probably intercept text messages, then it's just be a matter of getting that email address and/or username.

Things things aren't hard to build. Just Google it for fucks sake.

>>12020706
>hurr I think a base station attack is the same as a HTML redirect mitm
God, you are absolutely fucking daft.

>>12020251
how'd you find out about this? who do you think is doing it? what kind of costs and expertise are we talking about for such an intricate operation?

Thanks for the heads up.

>>12020711
AKA protocol handles 3g, 4g, and 5g authentication and keys. Similar fundamental idea as IMSI catcher, but exploits AKA instead.

>>12020251
Nigger that's literally the point of SSL/TLS. Fuck you.

i believe OP is talking about this kind of equipment: https://theintercept.com/surveillance-catalogue/

>>12020251
>Ever leaving your house so you're not on wifi
lol

>>12020681
Anyone giving you shit is either a genuine retard or is currently profiting from these attacks. Thanks OP. Do you have a safe keyboard and clipboard you can reccommend for android?

>>12020728
I'm pretty old, know a lot of people, have built and sold tools in the past, have a minor reputation.
Costs: Low, maybe $1k-1.5k a device
Expertise: High, custom built software and deep understanding of authentication protocols.

>>12020721
again, it's irrelevant what's below the encrypted layer.
>>12020626
>>12020734
>>12020771
Also stop obvious phoneposting dumb nigger, nobody is falling for your larp.

ChainLink solves this problem anyway

>>12020753
Just google Stringray IMSI. The attack I'm talking about is somewhat similar. If you think SSL/TLS is ultimate protection you're better off shutting your mouth and reading a little.

>>12020811
>sensiblechuckle.gif

>>12020784
what do you think this operation would look like? (brainlet here) is it fake cell phone tower boxes placed into existing arrays on the sides of buildings? or boxes in peoples' houses? what do you think such an operation physically looks like and what would you need to track it?

>>12020784
>have a minor reputation.
Whatever you say, Zero Cool.

>>12020792
This is literally the only post I have made in this thread:
>>12020771
I am confident that you are either engaged in this scheme or a fucking schitzo

Do you live in PR and Southern CA, OP?

>>12020854
>what would it look like
A well hidden Raspberry Pi with transmitter/receiver. Placed in high traffic areas. Financial districts, public transport hubs, etc.

>what would it take to track it
AIMSICD or something similar may work. I've never seen the devices I'm talking about in operation, so I honestly couldn't say. You'd want something to check/track consistency of the towers in your area, or something to whitelist known good towers (but would be a pain in the ass to manage, especially if you travel).

>>12020879
>last phonepost
you still have your last phone id because you didn't reset it
what are you even trying to achieve? everyone can google how ssl works and realize you're full of shit.
https://www.ssldragon.com/blog/how-ssl-certificates-protect-you-from-man-in-the-middle-attacks/

>>12020705
there are a lot of faggots on biz nowadays
I appreciate your information ITSECfag
Be careful ;)

>>12020972
Lol you are sad, man. That's another anon.
>still thinks SSL cert protects you from authentication protocol vulnerabilities
You're too much work, and know far too little.

Alright, gotta run. Hope I at least helped 1 anon today. Cheers. Be safe out there and may all your coins moon.

>>12020997
>still thinks SSL cert protects you from authentication protocol vulnerabilities
TLS is the authentication protocol.
You didn't fool anybody.

>>12021040
Oh look, it's already on the front page of the register, you fucking retard. Bye.

https://www.theregister.co.uk/2018/12/05/mobile_users_can_be_tracked_with_cheap_kit_aka_protocol/

>>12020251
So if i turn off data and use wifi im safe on my phone?

>>12021070
which has absolutely nothing to do with breaking tls security.
Again, the whole point of ssl is to protect against insecure base layer, like this attack.

If I use my smartphone as a hotspot, if my laptop has a VPN installed, am I protected when accessing sites/exchanges on the laptop?

>>12021105
Haven't these type of attacks been happening for years now? Why should i all of a sudden start worrying and when will using data become safe again?

>>12021035
Thanks man.

>>12021123
What if i have funds on my coinbase app on my phone? Should i not use coinbase now?

>>12021123
these attacks can make sms-code based 2fa insecure, but that's insecure in general because it's relatively easy to social engineer a replacement sim.
They also could potentially allow someone to record your calls or spoof numbers (ie. you call 911, but it's picked up by the attacker instead). If there's a security hole in a phone's 3g/lte stack it could be exploited to hack the phone.

That's basically it, connecting to exchanges over https is still safe (assuming unhacked phone, obviously), at worst an attacker can cut off your internet.

What if i have funds on my coinbase app on my phone? Should i not use coinbase now?

Aren't the transmissions of credentials to apps/webapps encrypted as a result of ssl/tls? Even if they can intercept your traffic, it's going to be encrypted as long as you are communicating with a valid certificate https address...

>>12020664
>firesheep
holy nostalgia
take me back to college fb message spoofing

who cares
crypto is dead now

>>12020811
>>12020841
do they know about ChainLink OP???

>>12020356
fucking retard. go look up mitm

>>12020469
it's not that hard you fucking retard. go and google "police stingray" and do some reading on it. fucking brainlets like you should be gassed, I swear..

>>12020356
You are retarded for calling someone retarded in affairs you have no clue about. Keep doing your thing, arrogant cunt. OP is trying to help

>>12020311
That's not how shit works. Nice LARP "ITSEC" guy

Nice fud you filthy little kike

>>12020251
Thanks op for the heads up. There’s a special place in Heaven for you

>>12021994
>>12022014
Neck yourself with your mom's lattice and I will throat fuck you with a trail of cum spilling out of your slit neck

>>12020309
>>12020325
If a man is in the middle then yes since your dick will go into his ass.

>>12020251
>ITT
Faggot who thinks Hackers can magically get around 2FA and Sign and Verify Transactions through PIN.

>>12020251
What about an old phone no SIM card WiFi only?

Why would they want access? To steal my shircoins ?

The absolute state of this board. Fucking newfags spreading misinformation because they’re reckless with their 4 figure portfolios. OP isn’t a larper he has nothing to gain out of this.

>>12020251
SSL, nigga

>>12020271
Fpbp
Op is a faggot pajeet nigger

>>12022037
If your mum knew you were posting gay trash about her lettuce she would be soooo angry.