Cellphones Crime Bitcoin Security

A Wave of SIM Swapping Attacks Targets Cryptocurrency Users (zdnet.com)

"Numerous members of the cryptocurrency community have been hit by SIM swapping attacks over the past week," ZDNet reported Monday, "in what appears to be a coordinated wave of attacks."

SIM swapping, also known as SIM jacking, is a type of ATO (account takeover) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfer a victim's phone number to their own SIM card. The purpose of this attack is so that hackers can reset passwords or receive 2FA verification codes and access protected accounts....

[D]espite a period of calm in the first half of the year, a rash of SIM swapping attacks has been reported in the second half of May, and especially over the past week... Some candidly admitted to losing funds, while others said the SIM swapping attacks were unsuccessful because they switched to using hardware security tokens to protect accounts, instead of the classic SMS-based 2FA system.

  • by Anonymous Coward on Sunday June 09, 2019 @04:58PM (#58736550)

    As this shows, phone based 2FA is totally retarded and full of flaws. It probably makes authentication less secure, as it's another attack vector. Any site or service forcing phone based 2FA is dumb, I think.

    • by Hylandr ( 813770 ) on Sunday June 09, 2019 @05:44PM (#58736676)

      It really is retarded. In addition to conditioning people to accept important alerts from their phones, I have lost access to my Amazon AWS account because my phone died with 2FA enabled.

      I find it's safer and easier to NOT use it.

    • by gweihir ( 88907 )

      Actually, it works pretty well if the phone company used has reasonable security. If they require you showing up personally with a photo ID, for example, for this type of change, then the phone is a valid second factor. But that costs money and is inconvenient. In some countries, it works like this nonetheless, in others it does not.

      Maybe hint to the US DHS that SIM swaps could also be used to get clean phones to terrorists? That should cut down on the insecurity fast!

    • Re: (Score:3, Insightful)

      by DeHackEd ( 159723 )

      This is clearly not 2-Factor authentication if your phone alone is sufficient to login (regardless of any hoops the attacker has to jump through). Either the attackers are also getting your password which is already a security fail, or your phone alone is enough to perform account recovery which is a security fail from the web site/service.

      Obviously there's some blame on the phone company, but I think the web sites in question share the greater majority of the blame.

      • OK. I don't even have any bitcoin, but after reading a story a couple of weeks ago, I bought a couple of U2F keys and secured my Google and FB accounts.

        Here is the deal, a lot of sites use SMS texts as password recovery or to send a code to you when you login from a strange computer. Yes, someone would have to know your password...BUT if they have your android based phone and access to your gmail, they can then start resetting passwords using the recovery process that most sites have.

        Let me tell, google and

        • ... or to send a code to you when you login from a strange computer.

          This would be the correct interpretation of "two factor authentication", though ideally you should receive a code for all login attempts regardless of computer.

          BUT if they have your android based phone and access to your gmail...

          They'd need to also have it unlocked, but this isn't the attack being discussed. A SIM swap attack doesn't get you anything on the phone still held by the correct owner. The attacker now owns your phone number

        • by AmiMoJo ( 196126 )

          Would be nice if you could use your phone as a generic U2F token. Google has some special support for it, but it needs to be universal.

          That would fix one of the few issues with U2F keys - there is no physical security. Once you have someone's key you can use it. With a phone it also needs to be unlocked.

          NFC would be nice, Bluetooth would work although it's a bit of a battery killer.

      • by AmiMoJo ( 196126 )

        The theory is good, the problem is assuming that mobile service providers have any clue about security or care in the slightest about it.

        A U2F app on your phone is a better option. Protected by your phone's unlock system (e.g. fingerprint) so even if someone swipes your phone the chances of them being sophisticated enough to unlock it are very low. Use an open source one that lets you back up your U2F codes.

      • it's better than nothing.

        Indeed. At the very least it ups the level of difficulty for would-be thieves, reducing the number of folks capable of this attack vector.

        An argument, perhaps, to keep the legacy landline as the internet phone number of record wherever 2FA isn't necessary.

        • So what's to keep the attacker from porting the landline number? (If I correctly understand what you're suggesting.)

          • So what's to keep the attacker from porting the landline number? (If I correctly understand what you're suggesting.)

            In this example, the attacker co-opts the landline rather than the cell number your important accounts use for TFA.

            • Yes, I got your rationale but I meant that given that one can port a landline number to a cellular number, couldn't the attacker just port the landline and thus receive your "TFA" auth messages on their cellphone? If they can social engineer a SIM swap I'd think they could do the same for a number port.

  • Trusting a third party is risky.

    by TheNarrator ( 200498 ) on Sunday June 09, 2019 @09:55PM (#58737478)

    You can prevent porting by moving your phone to Google Voice. Unlike the telcos, Google has good security and good 2FA to prevent porting hacks. Google famously has no customer service, so there is no possible social engineering attack.

  • The best bet against all hackers' odds is to be vigilant when there's a social engineer around the corner. The social engineering backdoor is always open.
  • This is an article from a guy that lost 100K because of a SIM port attack:

    https://medium.com/coinmonks/t... [medium.com]

    I promptly ordered 3 U2F keys and secured my crap better after reading the above.

    Actually, I ordered 6 and gave three to my son. Start them out young.

  • Say your name is Joe Blow. Get a burner phone on a cheap PAYG (Pay As You Go) plan, using a different name like Jane Doe. Unless someone has really deep access to your internal data (in which case you're already toast), they won't know to hijack your "Jane Doe" number. Any problems?
