Hacker News | speckx's comments

> These tokens allowed full access to the Azure AD Graph API in any tenant. Requesting Actor tokens does not generate logs. Even if it did they would be generated in my tenant instead of in the victim tenant, which means there is no record of the existence of these tokens.

Wow! No logs.

I wonder how Microsoft would notify affected tenants.


I get legitimate calls from my health insurance company. When they call, they are not allowed to say the company they call from, it's a HIPAA thing. Once I say the name of the health insurance company, they will confirm it. It's weird, but it's the way it is now.

My health insurance company asks for me by name (“is this …?”). And it’s to a number they know.

I was going to say, you can use alternatives, and they will show you what's blurred or has changed.


Don't forget the PTR record.


And renting the Internet access.


Curious. Do you use the bank's website via a browser from a computer? What about in-person banking? Do you go to the bank?


Website from desktop + SMS code is used as a second factor for login and for confirmation of operations. So the attacker would need to hack a desktop to read information and both devices to actually steal money. Or they would need a phone and a card number to log in without a password.

I am surprised that so many people use banking apps on phones. The apps often use SMS or even push notifications (because it's cheaper) for confirmation, and once you get access to the phone you can do whatever you want. Also, banking apps tend to spam users with distracting notifications, and they often require extended rights, for example to scan other apps, to access the contact list, etc. For example, one of the Russian banking apps includes an antivirus.

> What about in-person banking?

Rarely. Last time I went in-person, I found that the bank had switched to a model (don't remember what it's called) where the office looks like a cafe with tables and employees come between them with laptops, and there was a really long waiting time, so I got the impression that they don't want people to come in-person. Although I had some fun overhearing an angry customer complaining that his card was blocked for receiving transfers and immediately withdrawing large sums of money. He wasn't able to explain the source of the money or provide any documents but got a promise that his card would be unblocked.

Luckily there are still banks with traditional offices.


Also have a look at https://ffprofile.com/


Thank you, this helps a lot.


Nice site, thanks!


I don't see how giving away stuff is a good business plan. I guess they gave it all away and are now forced to close.


TikTok sellers do a lot of that, but they didn't even launch the shop until they were viral for a few years. You can't shortcut network effect.


I cancelled my subscription as well because of the opt-in by default.


We document the extent to which workers in AI-exposed occupations can successfully retrain for AI-intensive work. We assemble a new workforce development dataset spanning over 1.6 million job training participation spells from all US Workforce Investment and Opportunity Act programs from 2012–2023 linked with occupational measures of AI exposure. Using earnings records observed before and after training, we compare high AI exposure trainees to a matched sample of similar workers who only received job search assistance. We find that AI-exposed workers have high earnings returns from training that are only 25% lower than the returns for low AI exposure workers. However, training participants who target AI-intensive occupations face a penalty for doing so, with 29% lower returns than AI-exposed workers pursuing more general training. We estimate that between 25% to 40% of occupations are “AI retrainable” as measured by its workers receiving higher pay for moving to more AI-intensive occupations—a large magnitude given the relatively low-income sample of displaced workers. Positive earnings returns in all groups are driven by the most recent years when labor markets were tightest, suggesting training programs may have stronger signal value when firms reach deeper into the skill market.

