Two-Factor Authentication Fail: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency (nytimes.com)
Posted 2017-08-22
Reader Cludge shares an NYT report: Hackers have discovered that one of the most central elements of online security -- the mobile phone number -- is also one of the easiest to steal. In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim's phone number to a device under the control of the hackers. Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup -- as services like Google, Twitter and Facebook suggest. "My iPad restarted, my phone restarted and my computer restarted, and that's when I got the cold sweat and was like, 'O.K., this is really serious,'" said Chris Burniske, a virtual currency investor who lost control of his phone number late last year. A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission's own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658. But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr. Burniske. Within minutes of getting control of Mr. Burniske's phone, his attackers had changed the password on his virtual currency wallet and drained the contents -- some $150,000 at today's values. Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
I see no part of the two factor scheme that failed. The title is misleading, at best.
This was password recovery/reset that was exploited, not the two factor auth. In fact, this sort of issue is PRECISELY why two factor should be used, because one of the factors may be compromised, and the account would still be secure. The auth still was secure, but the attackers exploited the weak password reset security - weakest link and all that.
Trust Google or don't, but at least their security will protect against this type of social engineering. Use a Google Voice number for security.
Why use SMS at all? It's best to use time-based codes with an app like Google Authenticator. It's an open standard, so other apps are available and it works with many services.
The only disadvantage is that you can't easily move it to another phone with the Google app, you basically have to generate new codes for all the services that use it.
In my experience, sites (like Google, Amazon, etc.) tend to allow you to see the actual secret (not just the QR code). I use this to store the secret in my password manager, so that if something were to happen to my phone I could simply input the secrets to another device to maintain access. The only thing I don't like is that Google requires you to have a backup in addition to a primary. If you choose SMS as a backup 2FA method, then you are still sort of in the same boat.
There are some ways to back up Google Authenticator codes. After Authy bit me (not just purged the codes on my main device, but decided not to restore the ones synced [1]), I use more than one program. When a site shows a QR code, I fire up one app, add it to that, then another app, same.
So far, enPass, 1Password, and Authenticator Plus have been good, allowing restores. All three allow export of the OTP seeds in plain text as well.
[1]: I have an iPod Touch, whose sole purpose is to store authenticator
I can only imagine some scammer calling up Google and asking to transfer the service to their device. Techsup would treat them as if they were new internet users under the age of 13 or over the age of 50 with a nephew's celly on speed dial for all those pebkac level issues.
There's also "penis" but it doesn't work [blogger.com].
A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist (bold mine)
Why include this fella, really?
That is out of 1,000 victims or so...?
This line of thinking presupposes that this fella is kind-of broke. I personally know of a number of colored folk who are doing way better than myself.
Some of these folk run their own businesses and are doing quite well.
They prefer to remain low; but are doing very very well. One of them I am sure, would hire you.
While I was out having dinner, Verizon called me three times to verify if I'd lost my phone. Each time I said no, the second time I was asked if I wanted to add a passcode and lock the account. I did. (It was Verizon, I checked later and they had the logs of all three calls to me, but I'm not sure if callers can spoof the Verizon internal caller ID)
Later that evening, I found myself locked out of my email accounts. I could see it happening in real time, but couldn't stop it. I called Verizon by landline and was told that they'd activated my spare iPhone after I dropped my phone in a pool. NO! I might have said a number of harsh words to them.
In the meantime, American Express had called my cell and emailed me to confirm a dodgy transaction, and the folks who had my phone number and email confirmed the transaction. By the time I called Amex, it was too late (although I ended up with no liability)
I tried to file a complaint with the local PD and was told "I don't have time for this" by the receptionist.
In my opinion, the reason to file an identity theft case with the Police is useful if you ever have to challenge a charge, etc. Even if the receptionist says that they don't have time for it, have them open a case. They won't do anything about it and it's a pure administrative task (i.e. opening a case). But, in my opinion, it does provide a bit of legal cover if something major would happen. I am not a lawyer, so take my opinions with a grain of salt.
Just like cable-cutting seemed alien a decade or two ago, I do not have a phone number. I do everything by email and instant messaging (not SMS but iMessage, etc).
Every fucking place that requires a phone number is eliminating ahead-of-the-curve users.
I know that some sites only allow phone-based (i.e., SMS and/or voice) verification. But most of the big ones support things like U2F and TOTP. Why not use those instead?
I always recommend TOTP to people since you can save the secret and store it in a safe or some other secure location if, for example, you ever lose your phone. Then you can simply load up the authenticator app (pick your favorite) and reload the secret. In fact, I can't think of a major on-line service that offers 2FA or MFA that doesn
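As an added example (not code from this thread, from Google Authenticator, or from any service named above), this is the RFC 6238 TOTP computation that the posts recommending time-based codes and seed backups depend on. The seed is the RFC's published test value, base32-encoded the way a QR code delivers it; any device given the same seed computes the same code, which is why a seed kept in a password manager restores access with no SMS channel involved.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test seed (ASCII "12345678901234567890"), base32-encoded as an
# authenticator app would receive it from a provisioning QR code. Demo value only.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second steps), the open standard that
    Google Authenticator and similar apps implement. Only the seed and the
    clock are inputs, so a seed restored onto a new device works identically."""
    padded = seed_b32.upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)          # base32 wants length % 8 == 0
    key = base64.b32decode(padded)
    now = time.time() if at_time is None else at_time
    counter = int(now // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed_b32, candidate, at_time=None, window=1, step=30):
    """Server-side check: accept the code for the current step and `window`
    steps either side to tolerate clock drift between phone and server.
    Constant-time comparison so the check does not leak which digits matched."""
    now = time.time() if at_time is None else at_time
    for delta in range(-window, window + 1):
        expected = totp(seed_b32, now + delta * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Two "devices" holding the same seed agree; no phone number is involved.
    print("device A:", totp(DEMO_SEED_B32))
    print("device B:", totp(DEMO_SEED_B32))
```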
Seems to me the cell phone carriers should be held liable, at least to some extent, for damages. Not sure how far one would get in court, but if I had $150K stolen, I'd sue the carrier for not following due diligence. How can a carrier just transfer numbers without any real verification knowing the security ramifications can be severe.
AT&T offers an optional extra security code feature, but I suspect it's not that much better than no code at all. Have there been reports of AT&T customers with extra
Security experts have been warning about this and saying that two-channel authentication (like text messages or emailing codes) is not true two-factor authentication. For two-factor authentication, it has to be tied directly to a device and the device cannot be changed without an enrollment process (for example, with Google Authenticator, where you see the code once and cannot retrieve it again). In this way, you either have to use a phishing mechanism to get the code or have physical access to the device. G
This scam is hardly new to cryptocurrency. Criminal gangs have been doing it for years. It happened to my mother a few months back, who was a perfect target: excellent credit history, no online accounts with her bank or her credit card companies (the criminals very obligingly created some for her), a cell phone that she rarely turned on, and her home phone number as the only listed means of contact.
What they did was go to a Verizon store and get her home phone number transferred over to a mobile phone.