Slashdot Mirror
Two-Factor Authentication Fail: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency (nytimes.com)
Reader Cludge shares an NYT report: Hackers have discovered that one of the most central elements of online security -- the mobile phone number -- is also one of the easiest to steal. In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim's phone number to a device under the control of the hackers. Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup -- as services like Google, Twitter and Facebook suggest. "My iPad restarted, my phone restarted and my computer restarted, and that's when I got the cold sweat and was like, 'O.K., this is really serious,'" said Chris Burniske, a virtual currency investor who lost control of his phone number late last year. A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission's own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658. But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr. Burniske. Within minutes of getting control of Mr. Burniske's phone, his attackers had changed the password on his virtual currency wallet and drained the contents -- some $150,000 at today's values. Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
trust google or don't, but at least their security will protect against this type of social engineering. use a google voice number for security.
A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist (bold mine)
Why include this fella, really?
That is out of 1,000 victims or so...?
While I was out having dinner, Verizon called me three times to verify if I'd lost my phone. Each time I said no, the second time I was asked if I wanted to add a passcode and lock the account. I did. (It was Verizon, I checked later and they had the logs of all three calls to me, but I'm not sure if callers can spoof the Verizon internal caller ID)
Later that evening, I found myself locked out of my email accounts. I could see it happening in real time, but couldn't stop it. I called Verizon by landline and was told that they'd activated my spare iPhone after I dropped my phone in a pool. NO! I might have said a number of harsh words to them.
In the meantime, American Express had called my cell and emailed me to confirm a dodgy transaction, and the folks who had my phone number and email confirmed the transaction. By the time I called Amex, it was too late (although I ended up with no liability)
I tried to file a complaint with the local PD and was told "I don't have time for this" by the receptionist.
Just like cable-cutting seemed alien a decade or two ago, I do not have a phone number. I do everything by email and instant messaging (not SMS but iMessage, etc).
Every fucking place that requires a phone number is eliminating ahead-of-the-curve users.
#DeleteFacebook
I see no part of the two factor scheme that failed. The title is misleading, at best.
This was password recovery/reset that was exploited, not the two factor auth. In fact, this sort of issue is PRECISELY why two factor should be used, because one of the factors may be compromised, and the account would still be secure. The auth still was secure, but the attackers exploited the weak password reset security - weakest link and all that.
I know that some sites only allow phone-based (i.e., SMS and.or voice) verification. But most of the big ones support things like U2F and TOTP. Why not use those instead?.
I always recommend TOTP to people since you can save the secret and store it in a safe or some other secure location if, for example, you ever lose your phone. Then you can simply load up the authenticator app (pick your favorite) and reload the secret. In fact, I can't think of a major on-line service that offers 2FA or MFA that doesn't offer TOTP support. Of course, there is also U2F and if you want to be really secure you can get something like a YubiKey and not even store the secrets directly on your device. With a phone/tablet that supports NFC you can just have the YubiKey close by or you could plug it into the USB port on your computer if that happens to be more convenient.
The point is that the pain threshold for SMS-based 2FA/MFA is the same as the pain threshold for a TOTP/U2F solution and the TOTP/U2F solution is demonstrably more secure.
There's also "penis" but it doesn't work.
#DeleteFacebook
Part of the problem is that criminals are learning quicker than before and where you used to have foreign entities contacting people with broken English or sending emails/letters with horrible spelling, they're getting a lot better, and companies like AT&T, Verizon and such don't consider themselves part of the problem, so they're going to be easy to grab the information and then completely screw other people over. Some of these companies don't even tell you when they've been breached, basically saying it would be a good idea to change your password, but not tell you why or when it was in question. In the past few months, I've had to change passwords to different services more times than I can count, which means they're getting the information they need to breach. It's only a matter of time before a bunch of pretty much lose everything and are tossed aside because then we won't have any resources to make the businesses interested in helping us.
Sarbonn's blog: http://www.sarbonn.com/blog
Seems to me the cell phone carriers should be held liable, at least to some extent, for damages. Not sure how far one would get in court, but if I had $150K stolen, I'd sue the carrier for not following due diligence. How can a carrier just transfer numbers without any real verification knowing the security ramifications can be severe.
AT&T offers an optional extra security code feature, but I suspect it's not that much better than no code at all. Have there been reports of AT&T customers with extra security enabled having their numbers transferred too?
Security experts have been warning about this and saying that two channel authentication (like text messages or emailing codes) is not true two factor authentication. For two factor authentication, it has to be tied directly to a device and the device cannot be changed without a enrollment process (for example, with Google Authenticator, where you see the code once and cannot retrieve it again). In this way, you either have to use a phishing mechanism to get the code or have physical access to the device. Getting access to the users phone number or email address does not allow you to get the code with two factor authentication because it is truly something you have (your device).
This scam is hardly new to cryptocurrency. Criminal gangs have been doing it for years. It happened to my mother a few months back, who was a perfect target: excellent credit history, no online accounts with her bank or her credit card companies (the criminals very obligingly created some for her), a cell phone that she rarely turned on, and her home phone number as the only listed means of contact.
What they did was go to a Verizon store and get her home phone number transferred over to a mobile phone. After that, they went on a buying spree at several stores across the state, and even got into her personal savings account. When the credit card companies tried to call my Mom, all they got was the voicemail for the scammer at my Mom's number. She thought there was a problem with her phone service; she had no idea what was happening until three days later.
Fortunately my Mom had a credit freeze in place with the credit reporting agencies, so the gang was unable to open new lines of credit in her name. That limited the damage, and she was ultimately made whole by the bank and credit card companies.
To this day my brothers and I are convinced that some insider at a bank or credit agency must have sold her information to the gang, or else the information was stolen and never revealed. They hit her bank account and ALL her credit cards in parallel, created a whole set of fake online accounts in her name, and even tried to reopen a credit card account she closed years ago. It was too well coordinated, and they knew too much about her.
So some lessons for everyone:
(1) Activate online accounts for your banks and your credit cards, and then secure them with 2-factor authentication. If you don't do it, the criminals will do it for you.
(2) Activate a credit freeze with the credit reporting agencies. If you have elderly parents, sit down with them and do it for them. If my wife and I hadn't persuaded my Mom to activate a credit freeze two years ago, the damage would have been far worse.
This seems like a bit of a problem with the method of two factor authentication. One factor should only ever possibly be in one place, on your phone in your hand. This works well with RSA tokens as the only way to use them is to be able to see the display. Not saying I have a solution but it doesn't seem right to be able to use the two factor authentication without the phone in your hand.
Exactly this.
Calling or SMSing your cell phone number is not a second authentication factor, it is at best an out-of-band identifier.
But similar to government and corporations who believe your SSN is somehow a form of secret instead of only an identification, these types of things will continue to be mislabeled and abused improperly for authentication purposes.
For example, I see no way possible using this method of porting my phone number away from me that would gain an attacker access to my real second auth factor, an RFC6238 time based one time password client on my phone.
It's private keys are not backed up or synced to any cloud storage nor are they accessible to anyone knowing my phone number.
I suppose it could be possible knowing the IPv6 address of my cellular radio to exploit any OS flaws to gain access to those keys, but I would imagine having my cell phones number ported away would end up disconnecting it from GSM service, basically knocking it offline and removing even this possibility.
Agree. And also blogger nowadays intend to misuse the word "hacker" because the word sounds more interesting to readers.
In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.
The above sentences from TFA is describing what you should call "social engineering" instead of hacking.
Just to clarify, the problem here is the phone number linked SMS, which customer-service can be badgered into changing. 2FA that stores the secret on the phone are not susceptible to this, with Google Authenticator/TOTP being the most prominent example.
When you upgrade your phone, it all switches around: SMS 2FA convenient just keeps working since it goes with the number, but TOTP is now kind of a pain since you have to set it up again.
The U2F standard gets my vote as the nifty solution to this password madness. I wrote a U2F FAQ: https://medium.com/@nparlante/...
I see no part of the two factor scheme that failed. The title is misleading, at best.
This was password recovery/reset that was exploited, not the two factor auth. In fact, this sort of issue is PRECISELY why two factor should be used, because one of the factors may be compromised, and the account would still be secure. The auth still was secure, but the attackers exploited the weak password reset security - weakest link and all that.
Well, it is sort of a two-factor fail. Because it's not really two factors if one of the factors is dependent for its security on the other one. This is like someone being able to use a stolen SecurID fob to reset the password on the associated account. It's only one factor at that point.
coinbase uses the authy app (similar to RSA) such that if you lose your phone number you are still not locked out of your account (and they can't get in). BUT if you have no other account recovery options in place and your phone goes titsup you're in trouble!
That is the crux of the problem, users want both super ease of use and high security; they are quite often opposite sides of the coin.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Re: "a virtual currency investor who lost control of his phone number" -- There's 0.0595430107527 born every minute (2,658 per month).
Debate is a form of harassment. Do not question my truth.
This is just the way security goes. Things get increasingly fragile when we're talking about targeted attacks. Most people still don't need to worry about this in generalized attacks seeking for massive ammounts of data, but for targeted attacks social engineering always seems to find a way to work around security schemes.
To the point, there is no failure on two factor here. There's a failure on mobile networks' security checks for highly sensitive operations like transfering a number to another device. It's taken lightly when it shouldn't.
But people have been talking about cases like these for a while now, recommending that instead of using SMS, you'd better use apps like Google Authenticator and whatnot, inside a locked down phone.
SMS is also vulnerable to interception, so there's also that. Apps like Google Authenticator are vulnerable only when someone gets hold of your phone unlocked, which SMS also is. But if someone hijacks your phone number alone and puts it into another device, they cannot replicate authenticator apps. It's tied to the device.
... particularly when that basket is connected to the Internet.
And when that basket is full of deplorables.
Also, if you don't already know this, every hacker knows that the most common passwords are "love", "secret", "sex", and "God".
Thanks for the tip, Crash Override.
WTB [sig], PST!!!
People are letting their ($150k) Bitcoin wallet credentials get backed up to their phone's cloud?
Let's say your name is John Q Smith, and your friends know that your number is 555 234-5678 Does the particular email account or whatever say... "we are sending a confirmation request to Jane Doe @ 555 345-6789" or does it just say that "we are sending a confirmation request to your cellphone"? If I had so much depending on security, a separate, cheap Pay-As-You-Go phone and plan would be worth it.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
And simple enough to solve.
Login-options:
Normal 2fa: Hardware token as second-auth.. Less secure like google's authenticator or more secure like a dedicated hardware with one-time passwords.
Fallback 1:
- At account-creation a random 128 character password would be generated.
Less secure option: User would be responsible to print it on paper and store it securely.
More secure option: Have the company send you the password etched in metal to allow it to be fire-proof.
- At account creation a second 2fa device is bound to the account and used only for password recovery. Should only require a public id of the device to add it... Allows the device to be stored securely at another location in case of a fire etc.
Fallback 2:
- If all ways to login have been lost allow a password-reset to be performed.
Initiate via web-page. Notification via both SMS and mail. 4 weeks grace-period before any reset would become active.
Fallback 3: .. Could be a good revenue-source for banks since they already have quite high requirements for identification... More secure would be to require you to go to the bank where you live..
- Identification needs to be proven via secure 3'rd party where you have to go and show ID. (bank/police or other trusted party)
Problem is that for this to work in a sane, and secure way, you would have to get most of the services to agree on a common security-scheme. And users would have to pay somewhere between $5-$20 for the more advanced security... Fat chance either of those things will happen.