Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.
In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers. Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.
Attacks in the Virtual Currency Community
A particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics. Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. And virtual currency transactions are designed to be irreversible.
In a number of cases involving digital money aficionados, the attackers have held email files for ransom — threatening to release naked pictures in one case, and details of a victim’s sexual fetishes in another. The vulnerability of even sophisticated programmers and security experts to these attacks sets an unsettling precedent for when the assailants go after less technologically savvy victims. Security experts worry that these types of attacks will become more widespread if mobile phone operators do not make significant changes to their security procedures.
A spokesman for Coinbase (one of the most widely used Bitcoin wallets) said the company “has invested significant resources to build internal tools to help protect our customers against hackers and account takeovers, including compromise through phone porting.” The irreversibility of Bitcoin transactions has often been lauded as one of the most important qualities of virtual currency because it makes it harder for banks and governments to intervene in transactions. The virtual currency industry needed to alert new users to the added risk that comes with the new features of the technology. “It’s powerful to be able to control your money and move things without any permission,” he said. “But that privilege requires a clear understanding of the downside.”
Mobile Phone Carriers
Mobile phone carriers are taking steps to head off the attacks by making it possible to add more complex personal identification numbers, or PINs, to accounts, among other steps. But these measures have not been enough to stop the spread and success of the culprits. In several recent cases, the hackers have commandeered phone numbers even when the victims knew they were under attack and alerted their cellphone provider. Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone. But just a day later, he said, the attacker persuaded a different Verizon agent to change his number without requiring the new PIN.
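The failure described in this paragraph, where a PIN exists on the account but a second agent simply does not require it, can be made concrete. The following Python model is an added example and not any carrier's actual system: it contrasts a port-out check in which the PIN and account notes are advisory, so a representative can waive them, with one in which the PIN is mandatory, repeated failures freeze further port attempts, and a customer-requested security note is a hard stop that routes the request to out-of-band verification. The threshold, phone number, PIN and note text are constructed sample values.

```python
"""Added example: a constructed model of a carrier's port-out workflow, not any
carrier's real system. It contrasts a policy in which the account PIN and
security notes are advisory (an agent may waive them) with one in which the
PIN is mandatory, repeated failures freeze further port attempts, and a
security note is a hard stop that routes the request to out-of-band checks."""

from dataclasses import dataclass, field
from typing import Callable, List, Optional

LOCK_THRESHOLD = 3  # constructed value: failed PIN attempts before port-outs are frozen


@dataclass
class CarrierAccount:
    number: str
    port_pin: Optional[str] = None           # PIN the subscriber set; None if never set
    security_notes: List[str] = field(default_factory=list)
    failed_attempts: int = 0
    port_locked: bool = False
    audit: List[str] = field(default_factory=list)


@dataclass
class PortRequest:
    account: CarrierAccount
    pin_supplied: Optional[str]
    agent_waived_pin: bool = False           # representative chose to skip the PIN


def port_out_discretionary(req: PortRequest) -> bool:
    """Weak policy: the PIN lives in the account notes and an agent may waive it."""
    acct = req.account
    if req.agent_waived_pin or acct.port_pin is None or req.pin_supplied == acct.port_pin:
        acct.audit.append("ported")
        return True
    acct.audit.append("refused: bad pin")
    return False


def port_out_enforced(req: PortRequest) -> bool:
    """Hardened policy: the waiver flag is ignored, the PIN is checked whenever one
    is set, failures are counted, and the account freezes at LOCK_THRESHOLD."""
    acct = req.account
    if acct.port_locked:
        acct.audit.append("refused: port locked")
        return False
    if acct.port_pin is not None and req.pin_supplied != acct.port_pin:
        acct.failed_attempts += 1
        acct.audit.append(f"refused: bad pin (attempt {acct.failed_attempts})")
        if acct.failed_attempts >= LOCK_THRESHOLD:
            acct.port_locked = True
            acct.audit.append("port locked pending out-of-band verification")
        return False
    if acct.security_notes:
        # A customer-requested hold is enforced by the system, not left for an
        # agent to notice in free-text notes.
        acct.audit.append("refused: security hold, route to out-of-band verification")
        return False
    acct.audit.append("ported")
    return True


def simulate(policy: Callable[[PortRequest], bool], bad_attempts: int) -> CarrierAccount:
    """Replay repeated attempts with wrong PINs (as in the 13-call case above),
    then a final attempt in which a different agent waives the PIN."""
    acct = CarrierAccount(
        number="+1-555-0100",                      # constructed sample number
        port_pin="4821",                           # constructed sample PIN
        security_notes=["customer reported an attack; extra verification requested"],
    )
    for i in range(bad_attempts):
        policy(PortRequest(acct, pin_supplied=f"{i:04d}"))
    policy(PortRequest(acct, pin_supplied=None, agent_waived_pin=True))
    return acct


if __name__ == "__main__":
    for name, policy in (("discretionary", port_out_discretionary), ("enforced", port_out_enforced)):
        result = simulate(policy, 13)
        print(name, "->", result.audit[-1])
```

Under the discretionary policy the thirteen refusals leave no trace that changes the outcome of the fourteenth call; under the enforced policy the account is frozen after the third bad PIN, and the waiver on the final call is simply not a branch the code offers the agent.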
A spokesman for Verizon, Richard Young, said that the company could not comment on specific cases, but that phone porting was not common: “While we work diligently to ensure customer accounts remain secure, on occasion there are instances where automated processes or human performance falls short. We strive to correct these issues quickly and look for additional ways to improve security.”
Most phone companies would write down any additional security requests in the notes of a customer account. But agents can generally act on their own regardless of what is in the notes, he said, and can easily miss them.
The vulnerability of phone numbers is the unintended consequence of a broad push in the security industry to institute a practice, known as two-factor authentication, that is supposed to help make accounts more secure. Many email providers and financial firms require customers to tie their online accounts to phone numbers, to verify their identity. But this system also generally allows someone with the phone number to reset the passwords on these accounts without knowing the original passwords. A hacker just hits “forgot password?” and has a new code sent to the commandeered phone.
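The reset mechanism this paragraph describes can be shown as code. The following Python model is an added example and not any provider's implementation: an SMS code proves possession of a phone number, so a recovery flow that accepts it alone hands the account to whoever the carrier has moved the number to. The hardened variant additionally requires a recovery key that the phone number cannot supply, and holds resets for a window after the number changed; the number-change signal from the carrier, the recovery-key enrollment, the hold window and all sample values are assumptions made for the example.

```python
"""Added example: a constructed model of an online service's password-recovery
flow, not any provider's code. An SMS code proves possession of a phone number,
so a recovery flow that accepts it alone hands the account to whoever the
carrier has moved the number to. The hardened variant also requires a
phone-independent recovery key and holds resets for a window after the number
moved (the number-change signal from the carrier is an assumption here)."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

HOLD_AFTER_NUMBER_CHANGE = 72 * 3600  # constructed: seconds to hold resets after a port


def hash_pw(password: str) -> str:
    # Fixed salt only so the example is deterministic; use a per-user salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000).hex()


@dataclass
class Account:
    email: str
    password_hash: str
    phone: str
    recovery_key: Optional[str] = None     # offline key shown once at enrollment (assumption)
    last_number_change: Optional[int] = None
    pending_code: Optional[str] = None


class SmsGateway:
    """Delivers a code to whichever handset currently holds the number."""
    def __init__(self) -> None:
        self.owner_of: Dict[str, str] = {}          # phone number -> current holder
        self.inbox: Dict[str, List[str]] = {}       # holder -> received codes

    def send(self, phone: str, code: str) -> None:
        self.inbox.setdefault(self.owner_of[phone], []).append(code)


def start_sms_reset(acct: Account, gw: SmsGateway) -> None:
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    gw.send(acct.phone, acct.pending_code)


def finish_reset_sms_only(acct: Account, code: str, new_password: str) -> bool:
    """Weak flow: 'forgot password?' plus the SMS code is enough."""
    if acct.pending_code and hmac.compare_digest(acct.pending_code, code):
        acct.password_hash = hash_pw(new_password)
        acct.pending_code = None
        return True
    return False


def finish_reset_hardened(acct: Account, code: str, recovery_key: Optional[str],
                          new_password: str, now: int) -> bool:
    """Hardened flow: SMS code, plus a factor the phone number cannot supply,
    plus a hold if the number moved recently."""
    if acct.last_number_change is not None and now - acct.last_number_change < HOLD_AFTER_NUMBER_CHANGE:
        return False
    if not (acct.pending_code and hmac.compare_digest(acct.pending_code, code)):
        return False
    if acct.recovery_key is None or not hmac.compare_digest(acct.recovery_key, recovery_key or ""):
        return False
    acct.password_hash = hash_pw(new_password)
    acct.pending_code = None
    return True


def simulate_takeover(hardened: bool) -> bool:
    """Number ported to an attacker's handset, then a reset attempted one hour later."""
    gw = SmsGateway()
    victim = Account("alice@example.com", hash_pw("original"), "+1-555-0100",
                     recovery_key="R-7F2K-9Q1M")                 # constructed values
    gw.owner_of[victim.phone] = "alice"
    gw.owner_of[victim.phone] = "attacker"                     # the port-out
    victim.last_number_change = 1_000
    start_sms_reset(victim, gw)
    code = gw.inbox["attacker"][-1]                            # code lands on the attacker's handset
    if hardened:
        return finish_reset_hardened(victim, code, None, "new-pass", now=1_000 + 3_600)
    return finish_reset_sms_only(victim, code, "new-pass")


def simulate_legitimate_reset() -> bool:
    """Owner still holds the number and has the recovery key: hardened flow succeeds."""
    gw = SmsGateway()
    acct = Account("alice@example.com", hash_pw("original"), "+1-555-0100",
                   recovery_key="R-7F2K-9Q1M")
    gw.owner_of[acct.phone] = "alice"
    start_sms_reset(acct, gw)
    return finish_reset_hardened(acct, gw.inbox["alice"][-1], "R-7F2K-9Q1M", "new-pass", now=5_000)
```

The design point is that the SMS code answers only "who holds the number right now", which is exactly the question the carrier has just answered wrongly; the hardened flow adds a factor the carrier cannot transfer and treats a fresh number change as a reason to slow down rather than proceed.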
The speed with which the attackers move has convinced people who are investigating the hacks that the attacks are generally run by groups of hackers working together.
Danny Yang, the founder of the virtual currency security firm BlockSeer, said he had traced several attacks to internet addresses in the Philippines, though other attacks have been tracked to computers in Turkey and the United States. Investigators of recent hacks said the assailants generally succeeded by delivering sob stories about an emergency that required the phone number to be moved to a new device — and by trying multiple times until a gullible agent was found. “These guys will sit and call 600 times before they get through and get an agent on the line that’s an idiot.”
A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission’s own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.