Hackaday Links: June 16, 2024


Attention, slackers — if you do remote work for a financial institution, using a mouse jiggler might not be the best career move. That’s what a dozen people learned this week as they became former employees of Wells Fargo after allegedly being caught “simulating keyboard activity” while working remotely. Having now spent more than twice as many years working either hybrid or fully remote, we get it; sometimes, you’ve just got to step away from the keyboard for a bit. But we’ve never once felt the need to create the “impression of active work” during those absences. Perhaps that’s because we’ve never worked in a regulated environment like financial services.

For our part, we’re curious as to how the bank detected the use of a jiggler. The linked article mentions that regulators recently tightened rules that require employers to treat an employee’s home as a “non-branch location” subject to periodic inspection. More than enough reason to quit, in our opinion, but perhaps they sent someone snooping? More likely, the activity simulators were discovered by technical means. The article contains a helpful tip to avoid powering a jiggler from the computer’s USB, which implies detecting the device over the port. Our guess is that Wells tracks mouse and keyboard activity and compares it against a machine-learning model to look for signs of slacking.

Speaking of the intersection of soulless corporate giants and AI, what’s this world coming to when AI walks you right into an online scam? That’s what happened to a Canadian man recently when he tried to get help moving Facebook to his new phone. He searched for a customer service number for Facebook and found one listed, but thought it would be wise to verify the number. So he pulled up the “Meta AI”-powered search tool in Facebook Messenger and asked if the number was legit. “No problem,” came the reply, so he called the number and promptly got attacked by the scammers on the other end, who within minutes used his PayPal account to buy $500 worth of Apple gift cards. From the sound of it, the guy did everything he should have to protect himself, at least up to a point. But when a company’s chatbot system gives you bad information about their own customer support, things like this are going to happen.

Just a reminder that we’re deep into con season now. Open Sauce should be just about wrapped up by the time this gets published, and coming up the week after is Teardown 2024 in Portland. The schedule for that has been released, which includes a workshop on retrocomputing with the “Voja4” Supercon badge. A little further on into the summer and back on the East Coast will be HOPE XV, which still has some tickets left. The list of speakers for that one looks pretty good, as does the workshop roundup.

And finally, if you have some STL models in need of a little creative mutilation, try out this STL twister online tool. It’s by our friend [Andrew Sink], who has come up with a couple of other interesting 3D tools, like the Banana for Scale tool and the 3D Low-Poly Generator. The STL Twister does pretty much what it says and puts the screws to whatever STL model you drop on it. The MakerBot Gnome mascot that pops up by default is a particularly good model for screwifying. Enjoy!

16 thoughts on “Hackaday Links: June 16, 2024”

  1. A few years back I worked at a software company where the CEO had a meeting with his IT and information security group to determine how to improve corporate security and reduce desktop computer energy consumption. They decided on a set of Windows group policy changes that caused all company computers to lock and sleep after 5 minutes of inactivity. Within days, most of the workers had installed mouse jiggler software, as no one could get any work done without having to repeatedly enter the overly long/complicated passwords that were required by a prior policy decision. Someone eventually managed to convince the CEO that computer security was now actually worse than it had been and the changes were quietly undone.

    1. At least your people realized the error of their ways. Mine just added more layers of security with longer passwords and multi point verification. I built a desk shaker to rest the mouse on.

      1. They probably aren’t interested specifically in that $500 but if those particular scammers are raking in hundreds of thousands or millions then they might be interested in tracking down that group (though in that case it’d probably go beyond a police department and into the feds’ hands).

  2. 🤣 Facebook support number!? What a fool, he must have been born yesterday!

    Seriously tho, that is one of the most glaringly obvious security flaws of the entire platform: the lack of any irl support for people struggling with security issues. I got hacked and found out the hard way that hackers specifically use this distinct absence of a support line to run their account hijacking. I had literally exhausted every step I possibly could to regain my account, and a real person is the one and only thing that was needed in the loop, and so my account never got reactivated. Over ten yrs of posts, photo memories with friends, contacts and networks I had built over the years. Gone.

    The worst part is that it continues to this day. These hacks are literally stealing people's identity and nobody cares. I guess I could have tried to make a police report; I was able to figure out an IP address in Texas and an email the hacker used. But the police report wouldn’t be investigated, esp if no money was stolen. But even if it were, I have zero confidence that a detective would have found any assistance or resources from Facebook without something like a warrant or court order.

    🤷🏽‍♂️ It is what it is. I now no longer am on any social media platforms. I've probably isolated myself a bit in doing so. But there's no way I can validate any reason to continue allowing these companies to exploit my info while offering zero support or security. I'll never use FB or anything related to the platform again, even specifically told family members to NOT get me an Oculus VR set as gift ideas. If enough people get screwed and then boycott the Meta brand.

    They'll get the hint. Or maybe that's the goal all along, be such a garbage company that all human users are driven away, leaving the framework intact with only bot traffic and scamsters left as a sort of zombie data mining platform generating data on millions of bot and hacker account profiles. That sounds pretty on brand for the tech industry grift cycle that's become the norm in this day and age.

  3. “The linked article mentions that regulators recently tightened rules that require employers to treat an employee’s home as a “non-branch location” subject to periodic inspection.”

    This is incorrect.

    “As a reminder, new FINRA Rule 3110.19, which will become effective on June 1, 2024, will permit firms to treat a private residence where an associated person engages in specified supervisory activities (an RSL) as a non-branch location, subject to safeguards and limitations.”

    There is a substantial difference between “require” and “permit”. This also raises a lot of issues with regard to the actual “facility” (presumably the employee’s home) with regard to tax status, liabilities ad nauseam.

    ____________

    (Source: https://www.globalfinregblog.com/2024/05/finra-releases-long-anticipated-guidance-on-new-work-from-home-exemption-ahead-of-impending-covid-19-relief-expiration/#:~:text=As%20a%20reminder%2C%20new%20FINRA,subject%20to%20safeguards%20and%20limitations.)

  4. At the government you just have to put up with entering like 5 different passwords every time you wake the computer. But they didn’t care much about mouse movement pettiness; I couldn’t work for a company that did that. As long as you got your 8 hours in you just flex time it.

  5. Wow, that’s quite a story about Wells Fargo and the mouse jiggler! I can’t believe people thought that would be a good idea. And yikes, that Canadian man got scammed due to a faulty AI chatbot – that’s serious!

    Thanks for the heads up on the upcoming events, Open Sauce, Teardown 2024, and HOPE XV. I’ll have to check out the schedules and workshops.

    And cool tools from Andrew Sink! The STL Twister looks like fun, I’ll have to try it out.

    Keep up the great work, and stay vigilant against those scammers!
