• Telorand@reddthat.com
    link
    fedilink
    English
    arrow-up
    2
    ·
    3 months ago

    I’m talking about TOTP in something like Bitwarden or Authy. You can still social engineer your way to getting a code, but a scammer would have to convince the user to reveal that secret, not just pretend to send a code.

    • Trainguyrom@reddthat.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      3 months ago

      It sounds like in the above case the codes were real 2fa codes from his bank as the scammers were resetting their login credentials then adding an external account to initiate a transfer. Presumably they were simply reusing info from a breach to make the scam smoother