My Never-Ending Fight Against Thieves - Part 3 and How Fraudsters Are Stealing Millions In Cryptocurrency

in #security · 8 years ago

If you missed part 1 and part 2, here's the "too long, didn't read" version so you can quickly catch up on the story:

TL;DR of previous chapters

Part 1. I found out someone was calling companies from my phone number, trying to hack various accounts. They had control of my phone by getting into my cellular account, and they also hacked several of my email accounts. They hacked my Facebook, bank, Authy (used for my Purse.io and Coinbase), PayPal, and quite a few other websites. Nothing had been stolen from me yet, and after I added an extra layer of security and made hundreds of password changes, they seemed to have stopped trying.

Part 2. A little more than six months later, the hacker tried to get into my T-Mobile account again. This time they couldn't, because I had added security measures. Instead, they stole my phone number altogether by porting it out to Sprint, because that is now much easier than hacking into my T-Mobile account. They then got into my PayPal and Venmo accounts. The hacker stole a few hundred dollars from my PayPal.

If you read parts 1 and 2, start here:

They stole your what?!?

You've probably heard of many people who have had their phone stolen. It even happened to me once. But, have you ever heard of someone's phone number getting stolen? That's what just happened to me.

Your mobile carrier can take a lot of steps to keep your account secure, but in the US, phone number porting is federally regulated. An employee of T-Mobile's security department told me that the regulations require a carrier to apply the same porting requirements to every customer. Therefore, it's illegal for them to make my phone number more secure against unauthorized porting. Thus, all someone needs to steal my number is my T-Mobile account number and the last four digits of my SSN.

After I found out my number had been ported to Sprint, the T-Mobile rep I spoke to said: "I can see here that someone has been calling us every day, trying to get your account number. After trying enough times, they finally got someone on the phone who didn't follow protocol." That is what allowed them to steal my number.

Results of the hack

  • My carrier ended up recovering my stolen number a couple of days later. But by that time, I had already been assigned a new phone number. Since I had already gone through the trouble of letting everyone know my new number (my friends, family, and companies), I decided to keep the new one.

  • A couple of my backup email accounts got hacked, but that situation was easily rectified.

  • PayPal ended up refunding the stolen funds after I filed a claim.

  • The Venmo employee had never seen a situation like this, where a fraudster stole someone's phone number to get into their account. Probably in the thief's attempt to establish his device as an authorized one, he sent $200 to my girlfriend. Fortunately for me, that was just about all I had in that bank account at the time, so he wasn't able to send additional funds elsewhere. Luckily, no damage was done there.

How to avoid these issues in the future

Step 1. To prevent this from happening to you, secure your email with Google Authenticator. Or, even better, purchase and use a YubiKey.

Step 2. Remove your phone number as a way to verify your identity and reset passwords everywhere. Twitter and Facebook default to this method.

I'm not alone here. Hackers have gone after many in the bitcoin community using this method, including prominent names. Jered Kenna had millions in bitcoin stolen from him when his T-Mobile number was ported. Andrew Lee, CEO of purse.io, had his phone number ported from T-Mobile. Blockchain VC Bo Shen fell victim to the same tactic. Brock Pierce, Adam Draper, and others are victims as well.

Check out this excellent article from Kraken showing you how to secure your accounts.


Wow, this is quite an amazing story and, by the way, thanks for the short version as I had not seen the previous postings. Also, I want to thank you for underlining @kraken's excellent article about securing our accounts. This is a must read for anyone interested in making sure that sort of story would happen to them.

All for one and one for all! Namaste :)

Thanks for stopping by and reading. I hope it brings to light some security flaws that people can patch up.

It might be a way to get hacked, but since portability is strictly regulated, one can also sue their phone company for damages for allowing the phone number to be ported / stolen. It might actually be very lucrative to start going after companies who allowed this to happen.

I'd be curious to know if Jered Kenna or any of the other victims have pursued legal action.

That's scary stuff. People tend to be the weak link in security. Some of my accounts are verified with SMS messages. Sounds like that is not so secure. I'll see if they can be changed to the Google tool or similar.

People tend to be the weak link in security.

I can see someone recently getting hired as a customer service rep at T-Mobile. They are told: do not give out any information regarding any account unless you first verify with this, this, and this. Then that rep gets someone calling them who only needs the account number. They think to themselves: I was told not to do this, but what harm can that do? It will make the customer happy.

Little does the rep know, that information just let someone steal that phone number, bypass 2FA with Authy and SMS, and steal all their bitcoin.

The crooks can be crafty. There was a case a while back where they were able to extract data from Apple and other sources to get control of a Twitter account. Data such as SSN, credit card number, etc. should not be used to confirm identity. We should be using digital signatures by now.

I have a feeling that it won't be long until we see the blockchain revolutionizing security.

Yeah, can't see why you would keep anything on your phone or connected to it; it should be for calls only. People are too lenient on privacy. It's gone to the point where all your contacts are on your phone, all your money is on your phone, soon enough all your life will be on a cloud :D Facebook VR rooms :D

Having gone through this, I'm certainly more wary about it now.

Yeah, what you went through is a bit over the top; somebody actually targeting you is a crime. Mostly hacks are done by public wifi and on unsuspecting victims that have no sense of cyber security or good hygiene habits :) I'm getting to the point where I'm thinking we should all be trained spies :D and have some intelligence trump cards in our pockets in case of a potential attack, 10-20 security services :D or just drop the phones, too many computers, too much time vested in them.

Good information. Thanks.

A bit of "social engineering" to get around the tech. Happens often.

Designing systems to prevent the social engineering would be quite the task. It'd be pretty much impossible to think up every possible way to get around the safeguards.

having your # given away would suck!
upvoted! solid post!

Luckily, I got off easy. Others had it much worse. Thanks for the support.

That's why it is a security risk for companies to require personal information for registration, for situations just like these. The criminals use fake information anyway, so it's only the law-abiding that suffer.

How often do we hear about companies getting hacked and users' data getting stolen? It happens all the time. I probably get an email from some company once a month saying something along the lines of: "Despite us taking the utmost precautions, our customers' information has been leaked..."

Lessons learned from reading this. I already had a bad feeling about connecting my phone to all of my accounts...

Thanks for reading and commenting. I'm glad you got something out of it.

Hello, I am from Bangladesh, and I am new on Steemit.

Hello and welcome!

Freakin crazy man!