Hackers Steal Cellular Accounts to Break 2FA Protected Online Bitcoin Wallets
All of the major cellular service providers have been seeing an increase in attacks on customer accounts. Hackers are stealing cell phone numbers from users of Verizon, AT&T, T-Mobile, and Sprint through social engineering techniques. Once the attackers have control of a phone number, they can use it to reset passwords for services like Google and social media sites. The hackers are able to break two-factor authentication (2FA) for services that send out a 2FA code via SMS text message. Recently, Chinese researchers were able to make calls and send texts from a user’s cellular phone number using an attack known as the Ghost Telephonist.
Even the Chief Technologist for the United States’ Federal Trade Commission fell victim to cellphone hijacking. According to statistics from the Federal Trade Commission, the number of cellular account hijackings reported in January 2016 was more than double the number reported in January 2013. In January 2016, 2,658 cellular account hijackings were reported. Many of the hijackings are used to steal online cryptocurrency wallets, such as those hosted by Coinbase. Once an account has been hijacked, the attacker can drain the account’s entire holdings of cryptocurrencies. One cryptocurrency investor who spoke with the New York Times claimed he had lost cryptocurrency holdings worth over one hundred and fifty thousand US dollars. Another person, Joby Weeks, told the New York Times that he had enabled increased security features for his cellular service accounts after family members had fallen victim to account hijackings, but despite the increased security features his account was hijacked and he lost nearly a million dollars’ worth of cryptocurrencies. “Everybody I know in the cryptocurrency space has gotten their phone number stolen,” Weeks told the New York Times.
Unlike traditional monetary transactions, cryptocurrency transactions are not reversible, making it extremely difficult to recover stolen coins. Cellular account hijackers are targeting people who talk about cryptocurrencies on social media and people who are known to be investors in cryptocurrencies. Cellular account hijackers sometimes also hold e-mails, private personal information, and naked pictures for ransom, threatening to release them if the victim doesn’t pay up. Unless cellular service providers make drastic changes to the way they approach securing accounts, experts believe these account hijackings will continue to increase.
Some cellular service providers have added the option of setting a PIN. Adam Pokornicky, who is a managing partner for a cryptocurrency investment firm, added increased security measures to his Verizon account and changed his PIN after being informed that an attacker had tried over a dozen times to get his phone number transferred. However, on the following day, the attacker successfully convinced a Verizon employee to transfer the number without asking for the PIN. A representative for Verizon denied that phone porting attacks were common and defended the company’s efforts to protect user accounts. While extra security measures are usually added to the customer notes, cellular service provider employees are able to simply ignore, or forget to follow, the additional security measures.
Many who investigate these crimes believe that some of these cellular account hijacking operations are being carried out by groups of hackers. The short amount of time in which multiple accounts are hijacked after the phone number has been ported may be an indication that more than one person is involved in the account hijackings. The cryptocurrency security company BlockSeer claims to have traced cellular account hijackings back to groups of hackers in the Philippines, Turkey, and the United States. Attackers use social engineering skills on cellular service provider employees, often having to make many attempts until they are able to convince an employee to transfer a number to a new mobile device. “These guys will sit and call 600 times before they get through and get an agent on the line that’s an idiot,” Weeks said. Representatives for Coinbase told the press that they were expending more resources on trying to further secure accounts.