Hacker News: speckx's comments


Which itself is^H^H was down. Wow.


503 Service Unavailable

The fact that they put their AWS secret keys on their website is incredible.

> These tokens allowed full access to the Azure AD Graph API in any tenant. Requesting Actor tokens does not generate logs. Even if it did they would be generated in my tenant instead of in the victim tenant, which means there is no record of the existence of these tokens.

Wow! No logs.

I wonder how Microsoft would notify affected tenants.


I get legitimate calls from my health insurance company. When they call, they are not allowed to say the company they call from, it's a HIPAA thing. Once I say the name of the health insurance company, they will confirm it. It's weird, but it's the way it is now.


My health insurance company asks for me by name (“is this …?”). And it’s to a number they know.


I was going to say, you can use alternatives, and they will show you what's blurred or has changed.


Don't forget the PTR record.


And renting the Internet access.


Curious. Do you use the bank's website via a browser from a computer? What about in-person banking? Do you go to the bank?


Website from desktop + SMS code is used as a second factor for login and for confirmation of operations. So the attacker would need to hack a desktop to read information and both devices to actually steal money. Or they would need a phone and a card number to log in without a password.

I am surprised that so many people use banking apps on phones. The apps often use SMS or even push notifications (because it's cheaper) for confirmation, and once you have access to the phone you can do whatever you want. Also, banking apps tend to spam users with distracting notifications, and they often require extended rights, for example to scan other apps, to access the contact list, etc. For example, one of the Russian banking apps includes an antivirus.

> What about in-person banking?

Rarely. Last time I went in person, I found that the bank had switched to a model (I don't remember what it's called) where the office looks like a cafe with tables and employees come between them with laptops, and there was a really long waiting time, so I got the impression that they don't want people to come in person. Although I had some fun overhearing an angry customer complaining that his card was blocked for receiving transfers and immediately withdrawing large sums of money. He wasn't able to explain the source of the money or provide any documents but got a promise that his card would be unblocked.

Luckily there are still banks with traditional offices.


Also have a look at https://ffprofile.com/


Thank you, this helps a lot.


Nice site, thanks!

