'Crypto Muggings': Thieves in London Target Digital Investors By Taking Phones (theguardian.com) 68
Thieves are targeting digital currency investors on the street in a wave of "crypto muggings," police have warned, with victims reporting that thousands of pounds have been stolen after their mobile phones were seized. From a report: Anonymised crime reports provided to the Guardian by City of London police, as part of a freedom of information request, reveal criminals are combining physical muscle with digital knowhow to part people from their cryptocurrency. One victim reported they had been trying to order an Uber near London's Liverpool Street station when muggers forced them to hand over their phone. While the gang eventually gave the phone back, the victim later realised that $6,150-worth of ethereum digital currency was missing from their account with the crypto investing platform Coinbase.
In another case, a man was approached by a group of people offering to sell him cocaine and agreed to go down an alley with them to do the deal. The men offered to type a number into his phone but instead accessed his cryptocurrency account, holding him against a wall and forcing him to unlock a smartphone app with facial verification. They transferred $7,400-worth of ripple, another digital currency, out of his account. A third victim said he had been vomiting under a bridge when a mugger forced him to unlock his phone using a fingerprint, then changed his security settings and stole $35,300, including cryptocurrency.
Re: (Score:2)
"i CaN ReMoTeLy DiSaBlE iT"
They threaten you for your PIN, get you to swipe to unlock. Once they are sure they are in, they kill you to stop you from running home and closing your accounts.
Re: (Score:2)
in recent Slashdot comments it was argued that "thieves have no reason to steal phones!" and "Carrying cash invites muggings!"
Why create an additional attack vector by having financial apps on your phone?
It's not just "financial apps".
Most people do banking on their phone these days. A mugger can empty your entire savings account if they can get you to unlock it.
Don't make your phone "the keys to the kingdom" (Score:1)
-One dude oblivious to his surroundings while trying to get a rideshare
-One dude was trying to buy coke in an alley
-One dude was "vomiting under a bridge"
Any bets on the blood/(insert chemical) content of these individuals when mugged?
They combined shitty digital security with making themselves easy targets.
Re: (Score:2)
"A third victim said he had been vomiting under a bridge when a mugger forced him to unlock his phone using a fingerprint"
Sorry, but... LOL!
Least of worries (Score:2)
I'd be a lot more worried about what the market and leverage with things like Tether is doing to the contents of your crypto wallet than some rando stealing your phone.
Phones should have a solution for this (Score:2)
Re: (Score:3)
Re: (Score:2)
"Dude, what do you want, of course it's on factory default, I just bought the bloody thing, didn't even have it for 10 minutes and already got robbed, dammit!"
Re: Phones should have a solution for this (Score:2)
Re: (Score:2)
You're about to test empirically how we found out that torture is not a qualified way to determine whether someone is lying?
Re: (Score:2)
. . . and fifteen seconds after your phone lies to the bad guys, they leave you congealing (or worse yet, not) in an alley somewhere on the South side of Leeds, or Sao Paolo, or [insert locale name here]. And that's if your phone is locked when they take it from you.
To the best of my knowledge, there is no technical solution to lead pipe cryptography. Firearms, situational awareness, not walking around with the virtual equivalent of twenty dollar bills hanging out of your pockets . . . nominally effective, but the best there is at this point in time. I don't know about you, but I'm givin' up the pin code before they start hitting me. I'm still on target to die of old age, wouldn't want to do anything to ruin that.
For phones using fingerprints, this should be a relatively simple solution. You register a finger as a "duress" fingerprint - unlock with that finger, and any apps/data/contacts, etc. you've marked are hidden, but the phone otherwise operates as normal, except that it shows no duress mode configured, and no other fingerprints are accepted until unlocked via password.
Re: (Score:2)
To the best of my knowledge, there is no technical solution to lead pipe cryptography. Firearms, situational awareness...
Always vomit in well-lit areas with other people around.
Re: (Score:2)
Think about the threat model, and why banks are more trusting of phones than they are of chip & pin cards. There is no limit on how high a contactless payment made with a phone can be, but there is on a contactless card.
If someone does take your phone, force you to unlock it and uses your banking app to make fraudulent transactions, as long as you report them reasonably quickly they can be reversed. They also have methods of slowing down muggers, e.g. when transferring money to an account for the first
Re: (Score:2)
documented (Score:2)
International Business Times [ibtimes.com]
Mandatory GIF (Score:2)
https://imgs.xkcd.com/comics/s... [xkcd.com]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Con says: SMILE!
Re: (Score:2)
What you need is plausible deniability. Good anti-lead-pipe techniques have that built in.
Re: (Score:2)
XKCD also described the problem as the "$5 wrench" problem.
https://xkcd.com/538/ [xkcd.com]
It's actually possible to buy a large enough wrench for $5 on Ebay, typically a Craftsman box-end wrench. It's not large enough to do the job without repeated blows, some creativity is needed.
What's needed is 2FA (Score:2)
That'll solve it!
Re: (Score:1)
Re: (Score:3)
Yes, that's the point of 2FA. If you shove everything, on the one device, then protect it with facial/fingerprint bio-metrics, you are asking to be robbed. I'm certain, these people didn't walk around with thousands of dollars in their pocket before online banking / crypto-wallets became popular. I'm certain these people didn't write their ATM PIN on their card, which is what bio-metric security on a financial applet, is. Putting your entire (financial) life on a device that can be seized or stolen anyt
Re: (Score:3)
That's a nice idea in theory, too bad most people are stupid enough to have both factors on the same phone, rendering it useless.
Unbreakable passwords (Score:2)
Re: (Score:2)
It's not like they targeted a whale with a huge account and then held them hostage until they would give up the keys. They nabbed the phone, then looked through for anything it let them log into that was valuable, and took what they could. It could have been a PayPal account, could have been a logged-in Amazon account letting them order stuff, whatever.
The only difference is since it was crypto, there is a reduc
Re: (Score:2)
I wonder why they gave it back afterwards?
Re: (Score:2)
So the cops couldn't find them with it.
Re: (Score:2)
Re: (Score:2)
I think the point is that when it happens with PP or Venmo, it's often possible to reverse transaction given authorities get involved soon, and a bank can act as an escrow pretty effectively, if they really want to.
But that brings us to the untold part of story, majority of people who get mugged like are either johns or junkies who aren't particularly street wise (ie n00bz). Something only cash or crypto can support.
More like idiots trusting their phones (Score:2)
Probably none of these people would carry around this amount of cash.
Re: (Score:2)
While the password that accesses most of my money is not stored on the phone, I do have a few accounts with stored passwords out of necessity-- I need to access the accounts several times per day and they need long random passwords. What other good, practical solutions exist?
I would love to have a yubikey that could do it seamlessly as a second factor to reduce first factor complexity, but an alternative password manager doesn't magically improve security.
Re: (Score:2)
At this time? None. The only somewhat secure storage is your memory. Better not get mugged by people that are interested in those accounts...
Re: (Score:2)
But it's not cash! It's crypto! It's ... encrypted... that means it's secure, or something!
Re: (Score:2)
Indeed. "I trusted this! I feel so betrayed now!" after not understanding what level of trust (here: none) would have been appropriate.
Re: (Score:2)
Same #$%@ here in Brazil.... (Score:1)
Re: (Score:3)
Lessons learned (Score:2)
Lessons learned:
1) Don't do drugs.
2) Don't use single-factor biometric authentication.
3) Don't use applications that save passwords.
While no one should be the victim of a crime, I have a hard time sympathizing when people set themselves up like some of these characters did.
Re:Lessons learned (Score:5, Interesting)
I would say one takeaway is, "Only use cryptocurrency exchanges which mandate waiting periods for withdrawals to new crypto addresses."
Re: (Score:1)
"Only use cryptocurrency exchanges which mandate waiting periods for withdrawals to new crypto addresses."
Because everyone using crypto needs a centralized record of past transactions. Wait..../s
The correct answer is simple: Quit walking around while staring at your wallet. For one you might see these people coming. Two you might realize that carrying around every penny you have is not, will not, and has never been, a good idea for exactly this reason.
Though I guess I'm one to talk. Given that on this side of the pond we have cops that do the exact same things as these thugs. So I guess we'll see stories ab
Re: (Score:2)
. I'm not sure what the alternative to single-factor biometric authentication is... dual-factor?
Sorry for not being direct: I meant 2-factor: biometric + password. The summary led me to believe that the devices could be unlocked just with the person's thumb.
If there is a password, the victim can refuse to give the password (yes, there is reason not to do that when someone has a knife to your throat). If implemented, the person can give the password that locks the device for a period of time (again, at risk).
Applications that save passwords are considered a best practice at my current employer, which is very security-conscious.
Yeah, that is often the case when there is a domain involved. This is one of the reasons I d
Re: (Score:2)
Biometric auth on phones is not single factor.
Possession of the phone is the first factor.
Matching biometrics are the second factor.
The issue is that the system is not designed to protect you from this scenario, where an attacker has both you and the phone and can force you to authenticate.
One possible solution would be an enforced time delay on any crypto transactions. The user would select a delay, say 2 hours, and any transactions initiated would not complete for at least that long. No mugger is going to r
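The enforced delay proposed in the comment above, together with the waiting period for new withdrawal addresses suggested earlier in the thread, sketched as an added example that is not from the thread or from any exchange's code. The `Account` class, its field names, and the rule that a security-settings change restarts the hold (the third victim's settings were changed) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

HOLD_SECONDS = 2 * 60 * 60  # the "say 2 hours" delay from the comment


@dataclass
class Account:
    """Hypothetical exchange-side account with a withdrawal hold."""
    allowlist: dict = field(default_factory=dict)  # address -> time added
    last_security_change: float = 0.0
    withdrawals: list = field(default_factory=list)

    def add_address(self, addr, now):
        self.allowlist[addr] = now

    def change_security_settings(self, now):
        # Assumption: any settings change restarts the hold for every address,
        # so a coerced change cannot be used to shorten the wait.
        self.last_security_change = now

    def earliest_release(self, addr, now):
        # An address never seen before is treated as added at request time.
        added = self.allowlist.get(addr, now)
        anchor = max(added, self.last_security_change)
        return max(now, anchor + HOLD_SECONDS)

    def request_withdrawal(self, addr, amount, now):
        w = {"addr": addr, "amount": amount, "status": "pending",
             "release_at": self.earliest_release(addr, now)}
        self.withdrawals.append(w)
        return w

    def cancel_pending(self, now):
        """Owner reports the theft: cancel everything still inside its hold."""
        hit = [w for w in self.withdrawals
               if w["status"] == "pending" and now < w["release_at"]]
        for w in hit:
            w["status"] = "cancelled"
        return len(hit)

    def settle(self, now):
        """Send every pending withdrawal whose hold has elapsed."""
        due = [w for w in self.withdrawals
               if w["status"] == "pending" and now >= w["release_at"]]
        for w in due:
            w["status"] = "sent"
        return due
```

A withdrawal to a long-established address settles at once, while one requested to a new address, or right after a settings change, stays cancellable for the whole hold window.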
Re: (Score:2)
Biometric auth on phones is not single factor.
Possession of the phone is the first factor.
Matching biometrics are the second factor.
Fair point, the phone is "something you have." I never thought of it that way since my phone is almost soldered onto me at this point. What I am confused about is that nobody seems to list "passwords" as a thing any more. Am I the last person on earth remaining who uses passwords?
This is the issue with two factor authentication (Score:2)
Criminals robbing other criminals. (Score:4, Insightful)
These sound suspiciously like cases where people in the illegal drug trade exploited other people in the illegal drug trade.
This has always been a common occurrence. If you buy/sell illegal drugs (or are a pimp, hooker, john; or run an illegal gaming business; etc.) you have identified yourself as an attractive target, because (1) you are much more likely to have larger amounts of cash than the general population, (2) you are much more likely to put yourself in physical locations where you're isolated and public surveillance is limited/blind, (3) you're extremely unlikely to report the crime to the police because they will immediately recognize the circumstances as part of other criminal activity.
Once you mug someone in a public place you flee, because now the herd knows there's a predator, or the police may be on their way, or you want to take the stolen money/property where it can be stashed/pawned as quickly as possible. Muggers don't just crouch in a dark alley like a bridge troll and assail everyone who happens to walk by. (That's a job for tax collectors.) And they're not going to stand around for 15 minutes examining your clothes and phone for all the ways you might have something of value. It's shock-and-awe snatch-and-run. They look for an opportune situation inhabited by a victim who appears both easy to overcome and is likely to have something worth stealing. Criminals who deal in illegal commerce know exactly what forms of liquidity other criminals use, and so they know whom to target. The situations in TFS sound like pretty deliberate attacks against victims who had been identified as targets specifically likely for crypto.
Go on, put more valuable accounts on your mobile (Score:5, Informative)
This is exactly that, just like me, you should have a separate google account for your phone and never, ever, put your investments apps, banking apps or password managers on your phone. If it gets stolen like this, your entire identity goes with it.
Re: (Score:2)
Originally people carried money around with them. It was easy to steal.
Then people moved on to credit and debit cards. Still easy to steal, but once the theft is reported the card stops working and the victim is usually not liable for any losses due to fraudulent use.
The problem here is that with crypto currencies there is no way to undo fraudulent transactions.
Re: (Score:2)
Not really. Crypto is just one of the valuable things that can be stolen with your phone. Your identity cannot be recovered either and has way more significant repercussions.
Why isn't there a distress code for phone already? (Score:3)
I'm not sure (Score:2)
...they're getting the results they intend by publicizing this.
Most of the victims sound like cunts that deserved what they got.
No-password security (Score:2)
Part of that know-how seems to be which people have the stupidity to connect their crypto-wallet to their phone. Cyber-crime investigators might want to follow that lead.
Crimes like these prove that no-password security, such as bio-metrics, is easily defeated.
Computer literacy needs to include lessons on password managers: So many people use the one e-mail and one password for all online activities. It's surprising identity-theft is so rare.
There is an opportunity here (Score:2)
Maybe somebody who runs a creative writing workshop could start the participants out with just this line: "A third victim said he had been vomiting under a bridge when..."
Passwordless from Google, etc. (Score:1)
And on the 5th, Slashdot featured this article:
https://apple.slashdot.org/sto... [slashdot.org]
"Instead of a long string of characters, this new scheme would have the app or website you're logging in to push a request to your phone for authentication. From there, you'd need to unlock the phone, authenticate with some kind of pin or biometric, and then you're on your way. "
Just perfect.