Two-Factor Authentication Fail: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency (nytimes.com) 76
Reader Cludge shares an NYT report: Hackers have discovered that one of the most central elements of online security -- the mobile phone number -- is also one of the easiest to steal. In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim's phone number to a device under the control of the hackers. Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup -- as services like Google, Twitter and Facebook suggest. "My iPad restarted, my phone restarted and my computer restarted, and that's when I got the cold sweat and was like, 'O.K., this is really serious,'" said Chris Burniske, a virtual currency investor who lost control of his phone number late last year. A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission's own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658. But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr. Burniske. Within minutes of getting control of Mr. Burniske's phone, his attackers had changed the password on his virtual currency wallet and drained the contents -- some $150,000 at today's values. Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
Re:The system works just fine (Score:5, Insightful)
I see no part of the two factor scheme that failed. The title is misleading, at best.
This was password recovery/reset that was exploited, not the two factor auth. In fact, this sort of issue is PRECISELY why two factor should be used, because one of the factors may be compromised, and the account would still be secure. The auth still was secure, but the attackers exploited the weak password reset security - weakest link and all that.
Re: (Score:3)
This seems like a bit of a problem with the method of two factor authentication. One factor should only ever possibly be in one place, on your phone in your hand. This works well with RSA tokens as the only way to use them is to be able to see the display. Not saying I have a solution but it doesn't seem right to be able to use the two factor authentication without the phone in your hand.
Re: (Score:2)
coinbase uses the authy app (similar to RSA) such that if you lose your phone number you are still not locked out of your account (and they can't get in). BUT if you have no other account recovery options in place and your phone goes titsup you're in trouble!
That is the crux of the problem, users want both super ease of use and high security; they are quite often opposite sides of the coin.
Re: (Score:1)
And simple enough to solve.
Login-options:
Normal 2fa: Hardware token as second-auth.. Less secure like google's authenticator or more secure like a dedicated hardware with one-time passwords.
Fallback 1:
- At account-creation a random 128 character password would be generated.
Less secure option: User would be responsible to print it on paper and store it securely.
More secure option: Have the company send you the password etched in metal to allow it to be fire-proof.
- At account cr
Re: (Score:1)
Exactly this.
Calling or SMSing your cell phone number is not a second authentication factor, it is at best an out-of-band identifier.
But similar to government and corporations who believe your SSN is somehow a form of secret instead of only an identification, these types of things will continue to be mislabeled and abused improperly for authentication purposes.
For example, I see no way possible using this method of porting my phone number away from me that would gain an attacker access to my real second aut
Re: (Score:2)
Agree. And also blogger nowadays intend to misuse the word "hacker" because the word sounds more interesting to readers.
In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.
The above sentences from TFA is describing what you should call "social engineering" instead of hacking.
Re: (Score:2)
I see no part of the two factor scheme that failed. The title is misleading, at best.
This was password recovery/reset that was exploited, not the two factor auth. In fact, this sort of issue is PRECISELY why two factor should be used, because one of the factors may be compromised, and the account would still be secure. The auth still was secure, but the attackers exploited the weak password reset security - weakest link and all that.
Well, it is sort of a two-factor fail. Because it's not really two factors if one of the factors is dependent for its security on the other one. This is like someone being able to use a stolen SecurID fob to reset the password on the associated account. It's only one factor at that point.
Help me understand... (Score:1)
Re: (Score:1)
Or are they just backing up the wallet which happens to be secured with "p4$$w0rd?"
google voice (Score:1)
trust google or don't, but at least their security will protect against this type of social engineering. use a google voice number for security.
Re: (Score:3)
Why use SMS at all? It's best to use time based codes with an app like Google Authenticator. It's an open standard so other apps are available and it works with many services.
The only disadvantage is that you can't easily move it to another phone with the Google app, you basically have to generate new codes for all the services that use it.
Re: (Score:2)
The only disadvantage is that you can't easily move it to another phone with the Google app, you basically have to generate new codes for all the services that use it.
In my experience, sites (like Google, Amazon, etc.) tend to allow you to see the actual secret (not just the QR code). I use this to store the secret in my password manager, so that if something were to happen to my phone I could simply input the secrets to another device to maintain access. The only thing I don't like is that Google requires you to have a backup in addition to a primary. If you choose SMS as a backup 2FA method, then you are still sort of in the same boat.
Re: (Score:2)
There are some ways to back up Google Authenticator codes. After Authy bit me (not just purged the codes on my main device, but decided not to restore the ones synced [1]), I use more than one program. When a site shows a QR code, I fire up one app, add it to that, then another app, same.
So far, enPass, 1Password, and Authenticator Plus have been good, allowing restores. All three allow export of the OTP seeds in plain text as well.
[1]: I have an iPod Touch, whose sole purpose is to store authenticator
Re: (Score:2)
more detail about Authy issue please... I use it!
Re: (Score:2)
No clue what caused it, but I used it to authenticate to some local sites, and after a crash, it would not allow access to the stored items. I erased and reinstalled the app, and it would not allow me into my account after that.
Security applications, when they fail, they fail hard. I highly recommend, if you use Authy, to use another app that not just stores tokens, but can back them up to your desktop as a plain text file, so if worse comes to worst, you can type them in.
Re: (Score:2)
I can only imagine some scammer calling up Google and asking to transfer the service to their device. Techsup would treat them as if they were new internet users under the age of 13 or over the age of 50 with a nephew's celly on speed dial for all those pebkac level issues.
Re: (Score:2)
There's also "penis" but it doesn't work [blogger.com].
Re: (Score:2)
Also, if you don't already know this, every hacker knows that the most common passwords are "love", "secret", "sex", and "God".
Thanks for the tip, Crash Override.
Why include this fella? (Score:4, Insightful)
A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist (bold mine)
Why include this fella, really?
That is out of 1,000 victims or so...?
Re: (Score:3)
Re: (Score:2)
This line of thinking presupposes that this fella is kind-of broke. I personally know of a number of colored folk who are doing way better than myself.
Some of these folk run their own businesses and are doing quite well.
They prefer to remain low; but are doing very very well. One of them I am sure, would hire you.
Re: (Score:2)
Haven't you gotten the memo? Conservatives are evil and the source of all problems. Surely he was not hacked by a liberal.
Re: (Score:2)
I found that more disconcerting than money theft. These dudes are trying to hack activists to sabotage their political action. It's like Mexico hacking journalists.
Re: (Score:2)
... particularly when that basket is connected to the Internet.
And when that basket is full of deplorables.
Done to me ... Verizon is the weakest link (Score:5, Insightful)
While I was out having dinner, Verizon called me three times to verify if I'd lost my phone. Each time I said no, the second time I was asked if I wanted to add a passcode and lock the account. I did. (It was Verizon, I checked later and they had the logs of all three calls to me, but I'm not sure if callers can spoof the Verizon internal caller ID)
Later that evening, I found myself locked out of my email accounts. I could see it happening in real time, but couldn't stop it. I called Verizon by landline and was told that they'd activated my spare iPhone after I dropped my phone in a pool. NO! I might have said a number of harsh words to them.
In the meantime, American Express had called my cell and emailed me to confirm a dodgy transaction, and the folks who had my phone number and email confirmed the transaction. By the time I called Amex, it was too late (although I ended up with no liability)
I tried to file a complaint with the local PD and was told "I don't have time for this" by the receptionist.
Re: (Score:3)
While I was out having dinner, Verizon called me three times to verify if I'd lost my phone. Each time I said no, the second time I was asked if I wanted to add a passcode and lock the account. I did. (It was Verizon, I checked later and they had the logs of all three calls to me, but I'm not sure if callers can spoof the Verizon internal caller ID)
Later that evening, I found myself locked out of my email accounts. I could see it happening in real time, but couldn't stop it. I called Verizon by landline and was told that they'd activated my spare iPhone after I dropped my phone in a pool. NO! I might have said a number of harsh words to them.
In the meantime, American Express had called my cell and emailed me to confirm a dodgy transaction, and the folks who had my phone number and email confirmed the transaction. By the time I called Amex, it was too late (although I ended up with no liability)
I tried to file a complaint with the local PD and was told "I don't have time for this" by the receptionist.
In my opinion, the reason to file an identity theft case with the Police is useful if you ever have to challenge a charge, etc. Even if the receptionist says that they don't have time for it, have them open a case. They won't do anything about it and it's a pure administrative task (i.e. opening a case). But, in my opinion, it does provide a bit of legal cover if something major would happen. I am not a lawyer, so take my opinions with a grain of salt.
Re: (Score:2)
My truck was burgled and I lost a checkbook.
Called my bank that morning and they basically said the same thing:
We're cancelling all your checks for you now, but be sure to file a police report, even though they won't do anything, just so when someone tries to fraudulently pass off your checks you have a report that they were stolen from *before* the attempt was made.
Also in OP's case I would consider a lawsuit against Verizon.
Re: (Score:2)
Why can't the phone companies use your email account as they're second factor for all attempts to re-point your phone number? Assuming there's a cumbersome fallback method to get you into your email account without your phone, this would at least require somebody trying to steal your email account by stealing your phone to already have access to that account. But it wouldn't prevent you from replacing your lost phone.
Re: (Score:2)
Why can't the phone companies use your email account as they're second factor for all attempts to re-point your phone number?
Well really, that's not even the problem here. Why didn't Verizon flag the fact that they'd called the customer and he'd repeatedly said he wasn't authorizing the changes, and locking the account in response? Why isn't Verizon honoring the passcode he added to his account?
This is a Verizon problem, not a technical problem.
Re: (Score:2)
I came to the comments section to suggest that perhaps the phone companies in question should be doing exactly what you outline Verizon initially did. You'd have thought that after the 2nd time they'd have marked the account as "receiving active attempts to compromise" and gone the long route around (letters to your home or you visiting a store if needs be) to verify the request to activate a different phone on the account.
But apparently if you try enough times you eventually hit a monkey (they're no doubt
Requiring a phone number is a bad move (Score:2)
Just like cable-cutting seemed alien a decade or two ago, I do not have a phone number. I do everything by email and instant messaging (not SMS but iMessage, etc).
Every fucking place that requires a phone number is eliminating ahead-of-the-curve users.
Re: (Score:2)
Why not use TOTP all the time? (Score:3)
I know that some sites only allow phone-based (i.e., SMS and.or voice) verification. But most of the big ones support things like U2F and TOTP. Why not use those instead?.
I always recommend TOTP to people since you can save the secret and store it in a safe or some other secure location if, for example, you ever lose your phone. Then you can simply load up the authenticator app (pick your favorite) and reload the secret. In fact, I can't think of a major on-line service that offers 2FA or MFA that doesn't offer TOTP support. Of course, there is also U2F and if you want to be really secure you can get something like a YubiKey and not even store the secrets directly on your device. With a phone/tablet that supports NFC you can just have the YubiKey close by or you could plug it into the USB port on your computer if that happens to be more convenient.
The point is that the pain threshold for SMS-based 2FA/MFA is the same as the pain threshold for a TOTP/U2F solution and the TOTP/U2F solution is demonstrably more secure.
Re: (Score:2)
Problems with SMS-based 2-factor authentication have been known for years, yet these behemoths still make use of it with no other options. It's becoming a little ridiculous.
Criminals are moving faster than protectors (Score:2)
Cell Phone Carriers Should Be Legally Liable (Score:1)
Seems to me the cell phone carriers should be held liable, at least to some extent, for damages. Not sure how far one would get in court, but if I had $150K stolen, I'd sue the carrier for not following due diligence. How can a carrier just transfer numbers without any real verification knowing the security ramifications can be severe.
AT&T offers an optional extra security code feature, but I suspect it's not that much better than no code at all. Have there been reports of AT&T customers with extra
Re:Cell Phone Carriers Should Be Legally Liable (Score:4, Informative)
I have T-Mobile and have my account set to *require* in store identification to move phone number.
I tested it and so far they've not let me move my phone number away to my spare phone, replying only that "I'm sorry sir but your account is very specific that you must go into our store and provide proper identification and pin before you can move your number. I would be happy to provide you a temporary number until you can get to a retail location."
So, they could still rack up charges on my account with a temp number I suppose, but at least can't redirect my actual number.
Not Two Factor (Score:3)
Security experts have been warning about this and saying that two channel authentication (like text messages or emailing codes) is not true two factor authentication. For two factor authentication, it has to be tied directly to a device and the device cannot be changed without a enrollment process (for example, with Google Authenticator, where you see the code once and cannot retrieve it again). In this way, you either have to use a phishing mechanism to get the code or have physical access to the device. Getting access to the users phone number or email address does not allow you to get the code with two factor authentication because it is truly something you have (your device).
Re: (Score:3, Insightful)
True security adds a "secret" to the two-factor authentication. Something known (password), something unknown (a PIN that I memorized), and something random (Google Authenticator - okay, pseudo-random). Not something resetable (password), something resetable (recovery account), and something stealable/duplicatable (phone or phone number).
And no, those probably aren't real words.
Re: (Score:3)
Heck, NIST removed its recommendation of using a phone number for two-factor authentication earlier this year.
Of course, the thinking was that criminals would hijack SS7 and use that to intercept SMS messages, not wholesale takeover of the phone number.
I'm guessing NIST didn't think that they would hijack people's phones instead, but the recommendation is still there - a phone number is not sufficient for two-factor authentication.
Criminals have been doing this for a while (Score:2)
This scam is hardly new to cryptocurrency. Criminal gangs have been doing it for years. It happened to my mother a few months back, who was a perfect target: excellent credit history, no online accounts with her bank or her credit card companies (the criminals very obligingly created some for her), a cell phone that she rarely turned on, and her home phone number as the only listed means of contact.
What they did was go to a Verizon store and get her home phone number transferred over to a mobile phone.
Re: (Score:2)
https://www.google.com/search?... [google.com]
Phone vs. Phone Number (Score:2)
Just to clarify, the problem here is the phone number linked SMS, which customer-service can be badgered into changing. 2FA that stores the secret on the phone are not susceptible to this, with Google Authenticator/TOTP being the most prominent example.
When you upgrade your phone, it all switches around: SMS 2FA convenient just keeps working since it goes with the number, but TOTP is now kind of a pain since you have to set it up again.
The U2F standard gets my vote as the nifty solution to this password
Idiots... (Score:1)
Targeted attack... (Score:3)
This is just the way security goes. Things get increasingly fragile when we're talking about targeted attacks. Most people still don't need to worry about this in generalized attacks seeking for massive ammounts of data, but for targeted attacks social engineering always seems to find a way to work around security schemes.
To the point, there is no failure on two factor here. There's a failure on mobile networks' security checks for highly sensitive operations like transfering a number to another device. It's taken lightly when it shouldn't.
But people have been talking about cases like these for a while now, recommending that instead of using SMS, you'd better use apps like Google Authenticator and whatnot, inside a locked down phone.
SMS is also vulnerable to interception, so there's also that. Apps like Google Authenticator are vulnerable only when someone gets hold of your phone unlocked, which SMS also is. But if someone hijacks your phone number alone and puts it into another device, they cannot replicate authenticator apps. It's tied to the device.
A separate PAYG cellphone under a fake name (Score:2)
Let's say your name is John Q Smith, and your friends know that your number is 555 234-5678 Does the particular email account or whatever say... "we are sending a confirmation request to Jane Doe @ 555 345-6789" or does it just say that "we are sending a confirmation request to your cellphone"? If I had so much depending on security, a separate, cheap Pay-As-You-Go phone and plan would be worth it.