With the prevalence of two-step authentication systems that use phone numbers to access email and virtual money accounts, phone hijacking is on the rise as a way to siphon funds from online cryptocurrency wallets.
With control of a phone number, a hacker can compromise any two-step identification process that uses SMS and a string of phone hacks against members of the virtual money community has hit in recent months – resulting in millions of dollars in lost Bitcoin and other currencies. The recent attacks, along with a slew of incidents last winter, have targeted high-profile members of the cryptocurrency community, such as venture capitalists, CEOs, and even an unnamed Coinbase executive. Blockchain Capital co-founder Brock Pierce, for example, was hacked while he was being interviewed for the Forbes Blockchain podcast Unchained. Pierce told host Laura Shin “I have been warning people in my public speeches about the importance of 2-factor authentication and that we’re really going to need something like 3-factor authentication or a separate device because it is so easy to steal people’s phone numbers – but my phone number wasn’t in my name so I felt I was pretty secure.”
He wasn’t. Others are hesitant to speak out due to fear of falling victim to similar hacks again, making it difficult to pinpoint the exact number of incidents. While not all who have been targeted have suffered financial losses, others have lost anywhere from thousands to millions of dollars. These transactions are often irreversible, leaving victims without any option to recover their funds. All this poses a major security question for wallet providers like Coinbase and others, given they’re storing hundreds of billions in crypto currencies. While Coinbase states all the digital currency it holds online is insured, coverage explicitly does not extend to user’s individual accounts. It is the account holder’s responsibility, the company says, to “use a strong password and maintain control of their login credentials”.
A recent study undertaken by benevolent hackers at Positive Technologies revealed they were able to access and empty a Coinbase account by leveraging weaknesses in the global telecoms network known as the Signaling System No. 7 (SS7). The SS7 is a network used by telecoms providers to monitor the flow of information such as text messages for accurate billing. Once researchers at Positive Technologies found out the email address linked to a specific wallet, they hacked into the SS7 network and intercepted a one-time SMS authorization code sent by Coinbase, enabling them to change the wallet’s account settings and password.
The ease of phone hijacking demonstrated by Positive Technologies underscores vulnerabilities in the global telecoms network, which is used by all mobile operators. To add to this, hacking is not the only way to gain access to SS7 with cyber criminals known to illegally buy their way onto it via the dark web. Exploiting flaws in SS7 is not the only way hackers have emptied online cryptocurrency accounts. According to a New York Times article published in late August, hackers in the US have assumed an account holder’s identity and contacted mobile service providers to have a number moved to a phone in their control.
With prosecutions few and far between, phone hijacking shows no signs of abating. According to the Federal Trade Commission, reported incidents in the US of identity theft via phone hacking were up 156% in the three years to January 2016. These incidents are not specific to hacking digital wallets, but also include other scams such as illegally gaining access to traditional bank accounts and denying access to vital information in ransom-ware style attacks. Hacks don’t even have to be particularly hi-tech. In fact, any scenario where a customer service rep (CSR) verifies someone’s identity over the phone also presents a potential risk, as it is not uncommon for CSRs to breach security protocols if a caller is convincing enough. So far, these scams have been carried out on all the major mobile phone operators in the US, including Verizon, T-Mobile, Sprint, and AT&T.
Security experts say there are some things cryptocurrency account holders can do to minimize their risk of being hacked, however.
- Take privacy seriously. Openly talking about cryptocurrency on Facebook and Twitter can make users an easy target for hackers.
- Conduct a privacy audit of your online identity and remove addresses (email & physical), phone numbers and birth dates from social media profiles as these are common default security questions for phone companies, credit cards and banks.
- Deploy a Time-based One-time Password Algorithm (TOTP) app for authentication. Although they still use the 2-factor authentication process, TOTPs are more secure than simple SMS for 2-factor codes, as they are tied to a specific physical device, not just a phone number, which can be compromised in a phone porting hack.
- Build in some transaction delay. Coinbase, for example, allows users to leave money in a vault – withdrawals from which can be canceled for up to 48 hours after the transaction.
- Maintain situational awareness and follow up immediately if you receive unexpected confirmations of a password change for any of your accounts.
- Take it offline and consider hardware solutions like Ledger Nano S which requires users to enter a pin before making transactions.
- Familiarize yourself with the process around quickly freezing accounts at any exchanges you transact through.