Several fedi-peeps have already posted this ABC article this morn
https://www.abc.net.au/news/2025-07-28/ato-tax-office-gst-scam-billions-fraud-four-corners/105573446
& been critical of the ATO. I am not here to defend the #ATO, & fwiw i remain deeply bitter about what they did to #RichardBoyle, but before too much more reflexive pile-on happens here, i would like to quote these four crucial paragraphs:
As the Abbott government swept to power in 2013, the ATO was moving away from this model of human verification to an automated system.
That would eventually see about 1,000 staff — or half the people in the division responsible for the GST — lose their jobs.
"I'm not sure the ATO has ever recovered from that sort of drain of knowledge and drain of skill sets," said Stephen Hathway, a liquidator currently investigating a large-scale GST fraud.
"The people [at the ATO] work really hard and diligently, but there just needs to be more of them. And there needs to be more regard to getting out there in the field and making those inquiries."
So, i suggest that one's wrath should be properly directed.
The ATO was warned its systems were lacking, then scammers stole $2b
#australia #ato #fourcorners
https://www.abc.net.au/news/2025-07-28/ato-tax-office-gst-scam-billions-fraud-four-corners/105573446
If a person logged in with #digitalid on the #ato site to do a #tax return, that person cannot then log in with a #passkey, as it is deemed a downgrading of #security.
Phishing - spot the differences
Even an incorrect link under the "Android App on Google Play" button is copied...
NB: the Proximus logo and the language-selection button were also visible in the left-hand image, but because I wanted to show the colour scheme at the bottom (purple horizontal bar, with the Android button bar made green by both websites) and the cybercriminals inserted text into the fake site, I scrolled the fake page up a little. In the third image the language button and logo are (partly) visible.
Prevent scams, read website names from right to left: https://infosec.exchange/@ErikvanStraten/114789716360124891
@relishthecracker : that's make-believe.
"Wow, asymmetric encryption, even quantum-computer-proof", "military-grade", etcetera.
Right after logging in using a passkey with an unbreakably protected private key, the website sends a session cookie (or similar) to the browser - which is NOT protected like private keys. If a website (like most of them) does not log you out if your IP address changes, such a cookie is nearly as bad as a password. And fully so if the cookie never expires.
Therefore:
Even if attackers cannot copy private keys: if the user device is sufficiently compromised (i.e. on Android, running an accessibility service), they can take over all of the user's accounts;
If the user's browser is compromised, attackers can copy session cookies and use them to obtain access to accounts the user logs in to;
An AitM (Attacker in the Middle) using a malicious website can copy/steal authentication cookies. Such AitM attacks are possible in at least the following cases:
• A malicious third party website manages to obtain a fraudulently issued certificate (examples: https://infosec.exchange/@ErikvanStraten/112914050216821746);
• An attacker obtains unauthorised write access to the website's DNS record;
• An attacker manages to obtain access to a server where a "dangling" (forgotten) subdomain name points to, *AND* the real authenticating server (RP) does not carefully check for allowed subdomains (see https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580);
The server is compromised or has a rogue admin: the attacker can add their passkey's public key to your account, or replace your public key with theirs (note that passkey pubkeys are not encapsulated by certificates issued by trusted issuers, stating who owns the public key).
Phishing using fake websites is probably the number one problem on the internet. *THE* major advantage of passkeys is that they make phishing attacks VERY HARD.
Indeed, if your device is sufficiently compromised, the risk of all of your passwords being stolen if you use a password manager is BIG.
However, as I wrote, if your device is sufficiently compromised, an attacker does not need access to your private keys in order to obtain access to your accounts.
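As an added illustration (not code from the post above or from any site it mentions) of the two mitigations the post implies, here is a minimal server-side session store that binds the cookie issued after a passkey login to the client address and gives it both an idle and an absolute expiry, so a copied cookie stops working from another address or once the window closes. The timeouts, store layout and sample addresses are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: 15 minutes without a request ends the session
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: no session outlives 8 hours, whatever happens


class SessionStore:
    """In-memory store keyed by a random token; a real deployment backs this with a database."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._sessions = {}

    def create(self, user_id, client_ip):
        """Issue a fresh token right after the passkey assertion has been verified."""
        token = secrets.token_urlsafe(32)
        issued = self._now()
        self._sessions[token] = {
            "user": user_id,
            "ip": client_ip,
            "issued": issued,
            "last_seen": issued,
        }
        return token

    def validate(self, token, client_ip):
        """Return the user id if the cookie is still acceptable, else None (and drop it)."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._now()
        # Any one of these ends the session: presentation from a different address
        # (the 'log out on IP change' rule; note mobile clients change address often),
        # too long idle, or past the hard deadline regardless of activity.
        if (sess["ip"] != client_ip
                or now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["issued"] > ABSOLUTE_LIFETIME):
            del self._sessions[token]
            return None
        sess["last_seen"] = now  # sliding idle window
        return sess["user"]
```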
Early bird discount ends today! Register now for the best deal on @allthingsopen
#events #community #OpenSource #ATO #FOSS
Australians paid over $298 billion in income tax last year, yet 139 millionaires paid nothing. They legally dodged tax through deductions, while everyday workers shouldered the burden. This isn't just a loophole—it's a systemic failure. We need a fair tax system that holds the ultra-wealthy accountable.
#auspol #taxjustice #inequality #ATO #taxtherich
https://amp.9news.com.au/article/5af0311c-d329-4fd6-a219-7442ce831505
@tychotithonus : thank you for responding. I'm not trying to be aggressive but to make the internet safer.
In your original toot, you wrote: "It's comforting to know that I'm significantly protected from these attempts" while showing phishing messages.
From https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/ (a year ago):
"In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024".
From my own research I know that the number of phishing sites is exploding. PhaaS makes it easy to take over accounts where weak MFA is used.
The more people use weak MFA, the more of these sorts of attacks we'll be seeing. IOW, the security of weak MFA (TOTP, SMS, number matching) will decrease over time (it has since Alex Weinert wrote this in 2019: https://techcommunity.microsoft.com/blog/microsoft-entra-blog/all-your-creds-are-belong-to-us/855124).
Furthermore, from the page referenced by you, https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_2_Factor_Auth_tester_permissions:
"Testing this service may result in the loss of your access and is not recommended for inexperienced users."
TOTP effectively means a unique strong (server-supplied) password per account that people cannot possibly remember. A TOTP app simply is a disguised password manager.
There have been lots of incidents where people lost access to multiple MFA-protected accounts because they lost access to the shared secrets on their phones. Nobody tells people to make sure that backups are made of such secrets, let alone in a secure and privacy-respecting manner.
Note: a lot of TOTP apps had serious security issues a couple of years ago, as documented by Conor Gilsenan et al. in https://www.usenix.org/conference/usenixsecurity23/presentation/gilsenan (source: https://infosec.exchange/@conorgil/109542074585730853). I doubt that things have significantly improved (Authy was really bad, and at the time, Google's app blocked backups of the shared secrets).
Here's, IMO, far better advice: use a password manager that checks the domain name. Use it to generate long random passwords, and make sure that its (encrypted) database is backed up after every change you make.
I wrote about the caveats of password managers in, for example, https://infosec.exchange/@ErikvanStraten/113022180851761038.
Recommending people to use TOTP because they use weak passwords is a bad idea IMO: you effectively make them use a password manager (which a TOTP app is, while it does not check domain names) instead of solving the primary problem: weak passwords.
@tychotithonus : can you explain which protection(s) are provided by weak MFA?
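The domain check that the post above asks of a password manager (and that the earlier phishing post describes as reading a site name from right to left) is shown here as an added example; it is not code from any password manager and uses a constructed, deliberately tiny public-suffix list in place of the real Public Suffix List. Only constructed example.com / example.net hosts are used.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: the part of a host that no single
# organisation owns. A real manager loads the full list so "co.uk"-style suffixes work.
PUBLIC_SUFFIXES = {"com", "net", "org", "nl", "be", "co.uk", "gov.au", "com.au"}


def registrable_domain(host):
    """Walk labels from the right; the first label left of the public suffix names the owner."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None              # the host *is* a suffix; nobody can own it
            return ".".join(labels[i - 1:])
    return None                          # unknown suffix: refuse to guess


def should_autofill(stored_url, current_url):
    """Fill only on https and only when the registrable domain matches the stored one exactly.

    Anything to the left of the owner label (subdomains) is ignored, and anything to the
    right of a look-alike label makes it a different owner, which is exactly the
    property a TOTP app lacks: it shows a code for whoever asks.
    """
    stored, current = urlsplit(stored_url), urlsplit(current_url)
    if current.scheme != "https" or not current.hostname:
        return False
    wanted = registrable_domain(stored.hostname or "")
    seen = registrable_domain(current.hostname)
    return wanted is not None and wanted == seen
```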
We know we just finished #ow2con25 but it's already time to get your #FOSSY2025 and #ATO tickets and accommodations!
We are excited to be a media partner once again for @allthingsopen. Early bird registration is open now!
https://2025.allthingsopen.org/
#OpenSource #ATO #AllThingsOpen #community #events #inclusion #diversity #leadership #accessibility
We are honored to be a media partner for @allthingsopen with @linuxmagazine. Early bird rates end July 1st!
https://2025.allthingsopen.org/
#AllThingsOpen #OpenSource #events #community #ATO
Proofpoint cloud threat researchers have recently uncovered an account takeover (ATO) campaign weaponizing TeamFiltration, a pentesting framework designed to assist cybersecurity practitioners in testing and improving defense solutions.
Attackers leverage Microsoft Teams API and globally distributed Amazon Web Services (AWS) servers for greater speed and efficiency, allowing for automating the tedious work of user enumeration and password spraying for both efficacy and stealth.
So far, over 80,000 user accounts across roughly 100 cloud tenants have been targeted.
Read the full campaign analysis here: https://brnw.ch/21wTk3G
Ivy (Aibii)
This time's topic is the flower language of ivy and the proverb "ato no matsuri" (after the festival).
https://youtu.be/jFON37NpZMw?feature=shared
If as reported by Independantaustralia.net :
“Inflation declined again in April to 2.34%, making three consecutive monthly falls and nine months within the Reserve Bank’s optimum band between 2% and 3%. That’s the best run since monthly records have been kept.
Core inflation was 2.8%, within the optimum band for the fifth consecutive month. Interest rates were cut again in May to 3.85%, with further reductions likely soon.”
WHY then, pray tell, has my #HELP debt increased by 3.2% on 01Jun25?
Is #StudentDebt meant to turn a #Proffit ?
WTF? I can’t wait to find out what seemingly arbitrary #CPI increase my #pension will deserve this new financial year.