
Just don't give people 2FA codes? I am never going to give a 2FA code to someone who calls me, no matter what combination of words comes out of their mouth.



As TFA starts out, it is always easy to point out all the mistakes after the fact. People underestimate how prone the mind is to just trying to play down danger, inconvenience and generally unpleasing situations. Even after a few minutes on the phone, after you built up the most basic "relationship" with the person on the other end, you simply don't want this to be a scam. Avoiding cognitive dissonance. Just like when you bought something expensive that doesn't really meet your expectations.

Then you must not underestimate the pressure you are then under, because either way is not a pleasant situation (getting scammed, or having been scammed already and trying to contain the damage). I fully believe the author that they only skimmed that mail and weren't even aware that this was 2FA. It must have seemed like "just some one-off verification code".

Then I think there is also this phenomenon where experts think that just by being an expert on something, they are immune to it. Not consciously, rationally, but lingering in the subconscious. It reminds me of the show "The Good Doctor", where a seasoned oncologist is diagnosed with a brain tumor and completely blocks off any conversation about it and rejects treatment. I think that very well illustrates what I mean.

Another anecdote to add here is that Jim Browning, a YouTuber focused on finding scam call centers, getting into their systems to gather information and shutting them down in the end, got his YouTube account taken away from him by a scammer on the phone. So I'd be careful with claiming this could never happen to me because I'd never do X. Until the day you do without realizing.


Look, I certainly believe that as you get larger and larger groups of people, by the law of large numbers it becomes inevitable that someone gets scammed.

And I certainly don't doubt that I could be scammed at some time, especially by a phishing email or something of the sort.

But I don't think I'll ever give out a 2FA code to anybody that's not me. It's a really simple rule of thumb. Just never do it, there is never any reason for anybody besides myself to know my 2FA. If there is a reason, that is unfortunate that they've designed their system that way because, again, I am never going to give out my 2FA code to anybody.

The person in your anecdote never gave his 2FA to anybody, so it is not relevant to what I am discussing.


Yes, it's easy to convince yourself you're way too smart to make this mistake. At the same time, you now deliberately skipped over the fact twice that he just skimmed the mail and didn't fully realize it was specifically a 2FA code, just assumed it was some verification code. I mean, the wording explicitly talks about entering this code somewhere to enable stuff. That's already two dead giveaways. Otherwise you'd be implying this guy, being an expert, doesn't fully understand how 2FA works. Pretty unlikely, but sure, not impossible. But I mean realistically now that this has been overstressed I actually do believe you'd never make that specific mistake in the future.


It's pretty obvious what is a 2FA code and what is not. If I'm being sent a code on my email or phone, I know not to tell it to someone on the phone. Indeed, even that very email she was sent contained a reminder not to tell it to someone on the phone.

I read the entire article, I am just unimpressed by the justifications as to how this "could happen to anybody."


I don't think the e-mail in the article is very obviously a 2FA code? I usually associate 2FA with something I use to log in somewhere; not to do some other operation which (presumably) already requires account access. To me, it looks like a Wells Fargo Apple Pay "Verification Code", which honestly could mean anything.

There are other signs, obviously. You could ask the question of, why is the e-mail asking me to enter the code myself while the customer support rep is asking me to provide it over the phone? But as you well know, the author also asked that question, and arrived at a plausible enough sounding answer.

Regarding that last sentence: I have actually skimmed the e-mail many times now, and only when looking at it again to try to understand what you meant by "even that very email contained a reminder not to tell it to someone on the phone" did I actually see that part. I suppose I just started reading the standard "if you have questions call us on this number" text and skipped the rest of the paragraph. Brains are very good at extracting what they think is the relevant information and ignoring what they think is the irrelevant information, especially when in an active social interaction with another person who expects something from you.

I think any technical person should be able to analyze a play-by-play description of the events and explain exactly how each mistake could've been avoided. But I think most technical people could've made similar mistakes if they were caught in a vulnerable state of mind. I think sharing these kinds of stories, where even people who "should" know better got scammed, is an important part of how we learn to recognize scams. I think the vitriol in places like this comment section plays a part in making people avoid sharing stories like this.


> Indeed, even that very email she was sent contained a reminder not to tell it to someone on the phone.

Yes, as regular unformatted text and tucked away at the end of the very last paragraph that starts with standard boilerplate:

"If you did not request this code, or if you have questions, please call us at the toll-free number on the back of your card. Wells Fargo will not contact you by phone or text to request this code."

Worse yet, the second paragraph starts with "Important:". That implicitly signals that the most important part of the email is what follows. However, that's obviously not the case.

The email is absolutely horrible security-wise, it downplays the most important security bit while overplaying everything else.

I happened to read through the entire email while reading the story and spotted the text at the end, but I'm not that confident I would be as diligent in a real life situation, especially if I was tired, like the OP was.

Just about every regular person would easily fall for this.


> It's pretty obvious what is a 2FA code and what is not.

Unless you're distracted or otherwise having a bad day. Everyone has bad days, even experts. To stay secure you must be secure always, while the scammer only has to be successful rarely. This dynamic favors the scammer very strongly.


Until you play with 15 different companies, each of which has slightly different variants of how they do their authentication security theater, as well as them throwing oddballs at you every month until you really have no idea how anything is supposed to work anymore.


"just don't get phished"


Right? There's nothing surprising about getting scammed when you give out the 2FA code.





