Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Businesses Crime The Almighty Buck

'Crypto Muggings': Thieves in London Target Digital Investors By Taking Phones (theguardian.com) 68

Thieves are targeting digital currency investors on the street in a wave of "crypto muggings," police have warned, with victims reporting that thousands of pounds have been stolen after their mobile phones were seized. From a report: Anonymised crime reports provided to the Guardian by City of London police, as part of a freedom of information request, reveal criminals are combining physical muscle with digital knowhow to part people from their cryptocurrency. One victim reported they had been trying to order an Uber near Londonâ(TM)s Liverpool Street station when muggers forced them to hand over their phone. While the gang eventually gave the phone back, the victim later realised that $6,150-worth of ethereum digital currency was missing from their account with the crypto investing platform Coinbase.

In another case, a man was approached by a group of people offering to sell him cocaine and agreed to go down an alley with them to do the deal. The men offered to type a number into his phone but instead accessed his cryptocurrency account, holding him against a wall and forcing him to unlock a smartphone app with facial verification. They transferred $7,400-worth of ripple, another digital currency, out of his account. A third victim said he had been vomiting under a bridge when a mugger forced him to unlock his phone using a fingerprint, then changed his security settings and stole $35,300, including cryptocurrency.

This discussion has been archived. No new comments can be posted.

'Crypto Muggings': Thieves in London Target Digital Investors By Taking Phones

Comments Filter:
  • I'd be a lot more worried about what the market and leverage with things like Tether is doing to the contents of your crypto wallet than some rando stealing your phone.

  • Phones should have a solution to this, some way to put your phone into a "fake unlocked mode" if you're being mugged or worse yet pulled over by the police. Personally I don't do any banking or crypto on my phone... Might be good to carry around a few thousand bucks or so in fake paper money just in case so they'll leave happy with something.
    • Comment removed based on user account deletion
      • "Dude, what do you want, of course it's on factory default, I just bought the bloody thing, didn't even have it for 10 minutes and already got robbed, dammit!"

      • by eth1 ( 94901 )

        . . . and fifteen seconds after your phone lies to the bad guys, they leave you congealing (or worse yet, not) in an alley somewhere on the South side of Leeds, or Sao Paolo, or [insert locale name here]. And that's if your phone is locked when they take it from you.

        To the best of my knowledge, there is no technical solution to lead pipe cryptography. Firearms, situational awareness, not walking around with the virtual equivalent of twenty dollar bills hanging out of your pockets . . . nominally effective, but the best there is at this point in time. I don't know about you, but I'm givin' up the pin code before they start hitting me. I'm still on target to die of old age, wouldn't want to do anything to ruin that.

        For phones using fingerprints, this should be a relatively simple solution. You register a finger as a "duress" fingerprint - unlock with that finger, and any apps/data/contacts, etc. you've marked are hidden, but the phone otherwise operates as normal, except that it shows no duress mode configured, and no other fingerprints are accepted until unlocked via password.

      • To the best of my knowledge, there is no technical solution to lead pipe cryptography. Firearms, situational awareness...

        Always vomit in well-lit areas with other people around.

      • by AmiMoJo ( 196126 )

        Think about the threat model, and why banks are more trusting of phones than they are of chip & pin cards. There is no limit on how high a contactless payment made with a phone can be, but there is on a contactless card.

        If someone does take your phone, force you to unlock it and uses your banking app to make fraudulent transactions, as long as you report them reasonably quickly they can be reversed. They also have methods of slowing down muggers, e.g. when transferring money to an account for the first

    • I think the 'fake unlocked mode' is coming... In Ukraine, civilians have been reporting Russian troop movements via an app on their phones. When villages and apartment complexes get taken over by Russian / Chechens, they've been confiscating everyone's phones and checking for this app. This has resulted in many murdered Ukrainians.
  • That'll solve it!

    • The same phone has all necessary to robbers avoid 2FA. Email, phone number, SMS, Documents (iCloud, OneDrive). Everything! You would need a secondary phone in your home to manage the main phone.... Default iphone/android phone options makes the phone a 0-Day flaw....
      • ... need a secondary phone ...

        Yes, that's the point of 2FA. If you shove everything, on the one device, then protect it with facial/fingerprint bio-metrics, you are asking to be robbed. I'm certain, these people didn't walk around with thousands of dollars in their pocket before online banking / cryto-wallets become popular. I'm certain these people didn't write their ATM PIN on their card, which is what bio-metric security on an financial applet, is. Putting your entire (financial) life on a device that can be seized or stolen anyt

    • That's a nice idea in theory, too bad most people are stupid enough to have both factors on the same phone, rendering it useless.

  • This only proves there are no unbreakable passwords or biometric locks unless you're willing to die for them.
    • It seems to me that just not caching their password in the phone would have prevented this.

      It's not like they targeted a whale with a huge account and then held them hostage until they would give up the keys. The nabbed the phone, then looked through for anything it let them log into that was valuable, and took what they could. It could have been a PayPal account, could have been a logged-in Amazon account letting them order stuff, whatever.

      The only difference is since it was crypto, there is a reduc

      • On a second reading, it looks like maybe they did make him stand there and open the phone, so that's different.

        I wonder why they gave it back afterwards?

        • by ahodgson ( 74077 )

          So the cops couldn't find them with it.

          • Besides that, the muggers were smart enough to know about crypto, so they were likely smart enough to know a stolen phone could be remotely bricked, especially the more expensive ones. Now if they were way smarter, they could have brought a Faraday cage. That might give them time to deliver the phone to some low-level hardware hacker for proper "fixing".
      • by ezdiy ( 2717051 )

        It could have been a PayPal account

        I think the point is that when it happens with PP or Venmo, it's often possible to reverse transaction given authorities get involved soon, and a bank can act as an escrow pretty effectively, if they really want to.

        But that brings us to the untold part of story, majority of people who get mugged like are either johns or junkies who aren't particularly street wise (ie n00bz). Something only cash or crypto can support.

  • Probably none of these people would carry around this amount of cash.

    • While the password that accesses most of my money is not stored on the phone, I do have a few accounts with stored passwords out of necessity-- I need to access the accounts several times per day and they need long random passwords. What other good, practical solutions exist?

      I would love to have a yubikey that could do it seamlessly as a second factor to reduce first factor complexity, but an alternative password manager doesn't magically improve security.

      • by gweihir ( 88907 )

        At this time? None. The only somewhat secure storage is your memory. Better not get mugged by people that are interested in those accounts...

    • But it's not cash! It's crypto! It's ... encrypted... that means it's secure, or something!

      • by gweihir ( 88907 )

        Indeed. "I trusted this! I feel so betrayed now!" after not understanding what level of trust (here: none) would have been appropriate.

  • Comment removed based on user account deletion
  • Here in Brazil same thing. They stole your phone while is unlocked, so they can rapidly change FaceID or biometrics to robber's face/fingerprint. Then all banking apps using fingerprint or FaceID gets emptied and worst, here banking apps offer fast loans with 1-click action. Iphone users have to take further and advanced steps to be protected or at leat minimize flaws from this kind of attacks. In my opinion somenthing as simple as using faceid or fingerprint to protect Settings manager would help a lot.
  • Lessons learned:
    1) Don't do drugs.
    2) Don't use single-factor biometric authentication.
    3) Don't use applications that save passwords.

    While no one should be the victim of a crime, I have a hard time sympathizing when people set themselves up like some of these characters did.

    • Re:Lessons learned (Score:5, Interesting)

      by Software ( 179033 ) on Tuesday May 10, 2022 @04:19PM (#62520912) Journal
      Applications that save passwords are considered a best practice at my current employer, which is very security-conscious. I'm not sure what the alternative to single-factor biometric authentication is... dual-factor? I don't see how that helps if the attackers have access to the victim. Perhaps you mean hardware key as an additional factor -- that is valid, but then again, the victim is probably carrying the hardware key around, so that doesn't help.

      I would say one takeaway is, "Only use cryptocurrency exchanges which mandate waiting periods for withdrawals to new crypto addresses."
      • "Only use cryptocurrency exchanges which mandate waiting periods for withdrawals to new crypto addresses."

        Because everyone using crypto needs a centralized record of past transactions. Wait..../s

        The correct answer is simple: Quit walking around while staring at your wallet. For one you might see these people coming. Two you might realize that carrying around every penny you have is not, will not, and has never been, a good idea for exactly this reason.

        Though I guess I'm one to talk. Given that on this side of the pond we have cops that do the exact same things as these thugs. So I guess well see stories ab

      • by MobyDisk ( 75490 )

        . I'm not sure what the alternative to single-factor biometric authentication is... dual-factor?

        Sorry for not being direct: I meant 2-factor: biometric + password. The summary led me to believe that the devices could be unlocked just with the person's thumb.

        If there is a password, the victim can refuse to give the password (yes, there is reason not to do that when someone has a knife to your throat). If implemented, the person can give the password that locks the device for a period of time (again, at risk).

        Applications that save passwords are considered a best practice at my current employer, which is very security-conscious.

        Yeah, that is often the case when there is a domain involved. This is one of the reasons I d

    • by AmiMoJo ( 196126 )

      Biometric auth on phones is not single factor.

      Possession of the phone is the first factor.
      Matching biometrics are the second fact.

      The issue is that the system is not designed to protect you from this scenario, where an attacker has both you and the phone and can force you to authenticate.

      One possible solution would be an enforced time delay on any crypto transactions. The user would select a delay, say 2 hours, and any transactions initiated would not complete for at least that long. No mugger is going to r

      • by MobyDisk ( 75490 )

        Biometric auth on phones is not single factor.
        Possession of the phone is the first factor.
        Matching biometrics are the second fact.

        Fair point, the phone is "something you have." I never thought of it that way since my phone is almost soldered onto me at this point. What I am confused about is that nobody seems to list "passwords" as a thing any more. Am I the last person on earth remaining who uses passwords?

  • Some a-hole will just steal the required device also.
  • by SomePoorSchmuck ( 183775 ) on Tuesday May 10, 2022 @04:31PM (#62520946) Homepage

    These sound suspiciously like cases where people in the illegal drug trade exploited other people in the illegal drug trade.

    This has always been a common occurrence. If you buy/sell illegal drugs (or are a pimp, hooker, john; or run an illegal gaming business; etc.) you have identified yourself as an attractive target, because (1) you are much more likely to have larger amounts of cash than the general population, (2) you are much more likely to put yourself in physical locations where you're isolated and public surveillance is limited/blind, (3) you're extremely unlikely to report the crime to the police because they will immediately recognize the circumstances as part of other criminal activity.

    Once you mug someone in a public place you flee, because now the herd knows there's a predator, or the police may be on their way, or you want to take the stolen money/property where it can be stashed/pawned as quickly as possible. Muggers don't just crouch in a dark alley like a bridge troll and assail everyone who happens to walk by. (That's a job for tax collectors.) And they're not going to stand around for 15 minutes examining your clothes and phone for all the ways you might have something of value. It's shock-and-awe snatch-and-run. They look for an opportune situation inhabited by a victim who appears both easy to overcome and is likely to have something worth stealing. Criminals who deal in illegal commerce know exactly what forms of liquidity other criminals use, and so they know whom to target. The situations in TFS sound like pretty deliberate attacks against victims who had been identified as targets specifically likely for crypto.

  • by devslash0 ( 4203435 ) on Tuesday May 10, 2022 @05:50PM (#62521150)

    This is exactly that, just like me, you should have a separate google account for your phone and never, ever, put your investments apps, banking apps or password managers on your phone. If it gets stolen like this, your entire identity goes with it.

    • by AmiMoJo ( 196126 )

      Originally people carried money around with them. It was easy to steal.

      Then people moved on to credit and debit cards. Still easy to steal, but once the theft is reported the card stops working and the victim is usually not liable for any losses due to fraudulent use.

      The problem here is that with crypto currencies there is no way to undo fraudulent transactions.

      • Not really. Crypto is just one of the valuable things that can be stolen with your phone. Your identity cannot be recovered either and has way more significant repercussions.

  • Really, Seems to me that this is an issue that should have been solved 30 years ago, for people forcing pins out of people. Having the system where a person can put in a distress code on their phone and it will alert the police that you are being harmed. And additionally having the wallets report fake amounts and all sorts of other items that could be set by the end user. Honestly just having a "mild distress" code on my phone would be nice. Where the browser history doesn't have questions like "how to synthesize ricin" when my boss asks to borrow my phone because it has a full charge. This is totally workable and having several "distress modes/codes" could thwart rubber hose password hacking. It's no good for thumbprint unlock.. but that's just a damn excuse for criminals to carry hand pruners around.
  • ...they're getting the results they intend by publicizing this.

    Most of the victims sound like cunts that deserved what they got.

  • ... digital know-how ...

    Part of that know-how seems to be which people have the stupidity to connect their cryto-wallet to their phone. Cyber-crime investigators might want follow that lead.

    Crimes like these prove that no-password security, such as bio-metrics, is easily defeated.

    Computer literacy needs to include lessons on password managers: So many people use the one e-mail and one password for all online activities. It's surprising identity-theft is so rare.

  • Maybe somebody who runs a creative writing workshop could start the participants out with just this line: "A third victim said he had been vomiting under a bridge when..."

  • And on the 5th, Slashdot featured this article:

    https://apple.slashdot.org/sto... [slashdot.org]

    "Instead of a long string of characters, this new scheme would have the app or website you're logging in to push a request to your phone for authentication. From there, you'd need to unlock the phone, authenticate with some kind of pin or biometric, and then you're on your way. "

    Just perfect.

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...