Two-Factor Authentication Fail: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency (nytimes.com)
Reader Cludge shares an NYT report: Hackers have discovered that one of the most central elements of online security -- the mobile phone number -- is also one of the easiest to steal. In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim's phone number to a device under the control of the hackers. Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup -- as services like Google, Twitter and Facebook suggest. "My iPad restarted, my phone restarted and my computer restarted, and that's when I got the cold sweat and was like, 'O.K., this is really serious,'" said Chris Burniske, a virtual currency investor who lost control of his phone number late last year. A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission's own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658. But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr. Burniske. Within minutes of getting control of Mr. Burniske's phone, his attackers had changed the password on his virtual currency wallet and drained the contents -- some $150,000 at today's values. Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
Two factor hasn't failed: the people running the two factor scheme did.
trust google or don't, but at least their security will protect against this type of social engineering. use a google voice number for security.
When you post enough info on Facebook and Twitter that it's actually possible for others to bypass your security questions, YOU are the problem, not the hackers. Also, here's a friendly tip: if a question is something like "Name of your daughter", try answering it with something like "Random male name" or "Something totally unrelated to the question". Also, if you don't already know this, every hacker knows that the most common passwords are "love", "secret", "sex", and "God".
A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist (bold mine)
Why include this fella, really?
That is out of 1,000 victims or so...?
... particularly when that basket is connected to the Internet.
While I was out having dinner, Verizon called me three times to verify if I'd lost my phone. Each time I said no, the second time I was asked if I wanted to add a passcode and lock the account. I did. (It was Verizon, I checked later and they had the logs of all three calls to me, but I'm not sure if callers can spoof the Verizon internal caller ID)
Later that evening, I found myself locked out of my email accounts. I could see it happening in real time, but couldn't stop it. I called Verizon by landline and was told that they'd activated my spare iPhone after I dropped my phone in a pool. NO! I might have said a number of harsh words to them.
In the meantime, American Express had called my cell and emailed me to confirm a dodgy transaction, and the folks who had my phone number and email confirmed the transaction. By the time I called Amex, it was too late (although I ended up with no liability).
I tried to file a complaint with the local PD and was told "I don't have time for this" by the receptionist.
right? right
Just like cable-cutting seemed alien a decade or two ago, I do not have a phone number. I do everything by email and instant messaging (not SMS but iMessage, etc).
Every fucking place that requires a phone number is eliminating ahead-of-the-curve users.
#DeleteFacebook
I know that some sites only allow phone-based (i.e., SMS and/or voice) verification. But most of the big ones support things like U2F and TOTP. Why not use those instead?
I always recommend TOTP to people since you can save the secret and store it in a safe or some other secure location if, for example, you ever lose your phone. Then you can simply load up the authenticator app (pick your favorite) and reload the secret. In fact, I can't think of a major on-line service that offers 2FA or MFA that doesn't offer TOTP support. Of course, there is also U2F and if you want to be really secure you can get something like a YubiKey and not even store the secrets directly on your device. With a phone/tablet that supports NFC you can just have the YubiKey close by or you could plug it into the USB port on your computer if that happens to be more convenient.
The point is that the pain threshold for SMS-based 2FA/MFA is the same as the pain threshold for a TOTP/U2F solution and the TOTP/U2F solution is demonstrably more secure.
Part of the problem is that criminals are learning quicker than before and where you used to have foreign entities contacting people with broken English or sending emails/letters with horrible spelling, they're getting a lot better, and companies like AT&T, Verizon and such don't consider themselves part of the problem, so they're going to be easy to grab the information and then completely screw other people over. Some of these companies don't even tell you when they've been breached, basically saying it would be a good idea to change your password, but not tell you why or when it was in question. In the past few months, I've had to change passwords to different services more times than I can count, which means they're getting the information they need to breach. It's only a matter of time before a bunch of pretty much lose everything and are tossed aside because then we won't have any resources to make the businesses interested in helping us.
Sarbonn's blog: http://www.sarbonn.com/blog
Seems to me the cell phone carriers should be held liable, at least to some extent, for damages. Not sure how far one would get in court, but if I had $150K stolen, I'd sue the carrier for not following due diligence. How can a carrier just transfer numbers without any real verification, knowing the security ramifications can be severe?
AT&T offers an optional extra security code feature, but I suspect it's not that much better than no code at all. Have there been reports of AT&T customers with extra security enabled having their numbers transferred too?
Security experts have been warning about this and saying that two channel authentication (like text messages or emailing codes) is not true two factor authentication. For two factor authentication, it has to be tied directly to a device and the device cannot be changed without an enrollment process (for example, with Google Authenticator, where you see the code once and cannot retrieve it again). In this way, you either have to use a phishing mechanism to get the code or have physical access to the device. Getting access to the user's phone number or email address does not allow you to get the code with two factor authentication because it is truly something you have (your device).
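To make concrete what the TOTP comments above are getting at (that the secret can be written down and reloaded on a new device, and that the code is bound to that secret rather than to a phone number), here is a minimal RFC 6238 TOTP implementation. It is an added example, not code from the thread or from any authenticator app; the sample secret and base32 backup string are the RFC 6238 test-vector secret, not real credentials.

```python
"""Minimal RFC 6238 TOTP (HMAC-SHA1, 30-second step), added as an illustration.

The one-time code depends only on the shared secret and the clock. Anyone
holding the same secret (for example from a base32 backup kept in a safe)
produces identical codes on any device; anyone holding only the victim's
phone number produces nothing, because the number is never an input.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 Appendix B test secret, shown in base32
# the way an authenticator app displays it at enrollment (not a real key).
BACKUP_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret a user wrote down at enrollment (padding optional)."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and +/- `window` adjacent steps
    to tolerate clock skew, using constant-time comparison for each candidate."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # "Lost phone" recovery: reload the written-down secret on a fresh device
    # and it agrees with the server without any involvement of the carrier.
    now = int(time.time())
    new_device_secret = secret_from_base32(BACKUP_B32)
    print("code on new device:", totp(new_device_secret, now))
    print("server accepts it:", verify_totp(new_device_secret, totp(new_device_secret, now), now))
```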
Same ol' same ol'. They don't get paid enough to care, and they don't get any reprimandation for fucking up.
I'm Virtually broke already.
This scam is hardly new to cryptocurrency. Criminal gangs have been doing it for years. It happened to my mother a few months back, who was a perfect target: excellent credit history, no online accounts with her bank or her credit card companies (the criminals very obligingly created some for her), a cell phone that she rarely turned on, and her home phone number as the only listed means of contact.
What they did was go to a Verizon store and get her home phone number transferred over to a mobile phone. After that, they went on a buying spree at several stores across the state, and even got into her personal savings account. When the credit card companies tried to call my Mom, all they got was the voicemail for the scammer at my Mom's number. She thought there was a problem with her phone service; she had no idea what was happening until three days later.
Fortunately my Mom had a credit freeze in place with the credit reporting agencies, so the gang was unable to open new lines of credit in her name. That limited the damage, and she was ultimately made whole by the bank and credit card companies.
To this day my brothers and I are convinced that some insider at a bank or credit agency must have sold her information to the gang, or else the information was stolen and never revealed. They hit her bank account and ALL her credit cards in parallel, created a whole set of fake online accounts in her name, and even tried to reopen a credit card account she closed years ago. It was too well coordinated, and they knew too much about her.
So some lessons for everyone:
(1) Activate online accounts for your banks and your credit cards, and then secure them with 2-factor authentication. If you don't do it, the criminals will do it for you.
(2) Activate a credit freeze with the credit reporting agencies. If you have elderly parents, sit down with them and do it for them. If my wife and I hadn't persuaded my Mom to activate a credit freeze two years ago, the damage would have been far worse.
"Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries."
What do they mean by this? If they already are victims, they have already lost their coins?
Just to clarify, the problem here is the phone number linked to SMS, which customer service can be badgered into changing. 2FA that stores the secret on the phone is not susceptible to this, with Google Authenticator/TOTP being the most prominent example.
When you upgrade your phone, it all switches around: SMS 2FA conveniently just keeps working since it goes with the number, but TOTP is now kind of a pain since you have to set it up again.
The U2F standard gets my vote as the nifty solution to this password madness. I wrote a U2F FAQ: https://medium.com/@nparlante/...
Grab Kevin Mitnick's book Ghost in the Wires; he has mentioned in that book his phreaking adventures, including redirecting the calls from the Department of Motor Vehicles (DMV) to his own cellphone, and answering DMV related questions of unsuspecting victims. So in my opinion, fully trusting 2FA, whether by SMS or voice, can be dangerous.
You don't have full control of your phone. Even when you BUY your phone your service provider will still force whatever updates they want, and will get away with it.
Don't ever trust your phone for ANY data.
Soon you will be required to give all kinds of information just to have a simple voice communication. Everybody MUST be working on independent solutions.
Re: "a virtual currency investor who lost control of his phone number" -- There's 0.0595430107527 born every minute (2,658 per month).
Debate is a form of harassment. Do not question my truth.
This is just the way security goes. Things get increasingly fragile when we're talking about targeted attacks. Most people still don't need to worry about this in generalized attacks seeking massive amounts of data, but for targeted attacks social engineering always seems to find a way to work around security schemes.
To the point, there is no failure on two factor here. There's a failure on mobile networks' security checks for highly sensitive operations like transferring a number to another device. It's taken lightly when it shouldn't be.
But people have been talking about cases like these for a while now, recommending that instead of using SMS, you'd better use apps like Google Authenticator and whatnot, inside a locked down phone.
SMS is also vulnerable to interception, so there's also that. Apps like Google Authenticator are vulnerable only when someone gets hold of your phone unlocked, which SMS also is. But if someone hijacks your phone number alone and puts it into another device, they cannot replicate authenticator apps. It's tied to the device.
All this shit happens because you never have to go somewhere and meet an actual human. Isn't it crazy that someone can send some information in the mail and then get a credit card with a 10K limit in another person's name? Link someone's phone number to a new device? Turn off their electricity?
Saves companies money, and the consumers pay the cost.
People are letting their ($150k) Bitcoin wallet credentials get backed up to their phone's cloud?
Let's say your name is John Q Smith, and your friends know that your number is 555 234-5678. Does the particular email account or whatever say "we are sending a confirmation request to Jane Doe @ 555 345-6789", or does it just say "we are sending a confirmation request to your cellphone"? If I had so much depending on security, a separate, cheap Pay-As-You-Go phone and plan would be worth it.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user