Hackers Steal Millions in Bitcoin Using Only A Phone Number
Just after midnight on August 11th, Jered Kenna in Medellin, Colombia was notified that two of his email accounts had their passwords reset.
He tried regaining control of the accounts by getting the services to send him a text, which he never received.
When he called his phone company (T-Mobile), they said that he no longer had a phone with them; the number had been transferred to another phone company.
It turns out that, using a fake ID and some social engineering, it is relatively simple to take over someone’s phone account at a phone company.
Once you have control of someone’s phone number, you can reset account passwords since most websites will send you a text or email with a code or URL to reset your password.
After all, your phone is secure, right?
Not so much.
Within 7 minutes, his access to 30 accounts was lost.
Among the accounts that he lost control of were two bank accounts, a Paypal account, two Bitcoin services and his Windows account, which locked him out of his PC. This is one reason why I tell people NEVER use a Microsoft Online account to log in to your PC at home, even though Microsoft actually makes it difficult for you not to use one (there is a trick to it). The hacker can’t lock you out of your PC remotely if you do not use a Microsoft Online password.
Kenna was an early Bitcoin miner, having millions in Bitcoin. For security, the Bitcoin had been stored offline, but for some stupid reason, a few weeks earlier he had brought the Bitcoin online to move them to a more secure service.
Apparently not.
Suffice it to say, he lost millions of dollars.
He says he now has only about 60 Bitcoin (worth something less than $60,000).
He still doesn’t have his phone number back.
In January 2016, there were over 2,000 Bitcoin theft reports filed with the FTC. Remember that 99+% of the time, if you lose your Bitcoin, they are gone forever. No way to get them back. No insurance. No recourse.
Coinbase, the highest volume cryptocurrency exchange, says the number of cryptocurrency fraud cases is on track to double between November and December.
It would seem that this attack was very specifically targeted at Kenna.
The fundamental problem here is that ALL service providers think customer service first, security second.
So when someone contacts your phone company pretending to be you, even though the impostor fails every one of the security checks, the prime directive prevails – CUSTOMER SERVICE FIRST, SECURITY LAST.
In this case, it cost someone millions of dollars.
If you lost access to your phone number, then your email(s), then your bank accounts then:
- What would you do?
- What would the consequences be?
In the case of bank accounts, it is likely that you will be able to eventually get your money back.
In the case of other digital assets, the story is not so clear. If someone gains access to, say, your iTunes account, you MAY, EVENTUALLY, get it back, but the attacker likely still has all of your data. If you recall the event called “The Fappening” a couple of years ago, a number of celebrities lost control of their iTunes accounts and thousands of nude photos appeared on the Internet. Try to get that genie back in the bottle.
Many service providers from Facebook to banks offer an extra level of security called two factor authentication. Only 10 percent, at most, of people use two factor authentication. It is a little bit complicated and it is a little inconvenient. But it is also a little inconvenient to lose all the money in your bank or brokerage account.
When convenience bumps up against security, in almost all cases, convenience wins. Many banks use text messages as the second factor, but if you lose control of your phone number, that doesn’t help, because the hacker gets the text messages. The government (NIST) says that SMS text messages are not sufficiently secure as a second factor and wants people to stop using them and replace them with encrypted, data-based second-factor authenticators.
Still, using SMS as the second factor is WAY more secure than not having a second factor.
In this case, it was millions of dollars of Bitcoin.
Who knows what the next case is.
So when Marissa Mayer, CEO of Yahoo (who seems to have lost control of 1.7 billion user accounts) says it is too inconvenient to put a password on her phone, I get it. After all, compared to 1.7 billion accounts, what could she lose that is more valuable than that?
And remember, even though you MAY, EVENTUALLY, get back control of your email, your bank accounts and your phone number, it may take weeks and you may have to expend a LOT of time and money to do so.
So when you say “who would want to steal my stuff,” you might want to reconsider that statement. I am sure that Jered Kenna wishes he had done some things differently.
And when it comes to corporate intellectual property, it is likely that you will never be able to undo the damage unless the crook is very stupid or you are very lucky.
Food for thought.
Information for this post came from Forbes.
“Once you have control of someone’s phone number, you can reset account passwords since most websites will send you a text or email with a code or URL to reset your password.”
Good article. I am with AT&T. After reading the above, I changed my AT&T pw and security questions. I immediately got two emails notifying me of the change. So to replicate the scam above…they have to get the phone number and the email account associated with the phone service and then change the phone service. Doable but sophisticated. But for millions of dollars, it is worth it.