Cryptocurrency Thefts Blamed on Social Engineering Hacks of Phone Providers

Journalist:
Andrew Quentson @Aquentson
December 7, 2016

A number of digital currency users have been hacked recently and the blame is being squarely placed on carrier providers.

Jack Peterson, Augur developer, told CCN:

It’s what has happened in every single case… Their phones were compromised first and then their emails, etc. and they had recovery phones enabled.

A recovery phone number is a very popular feature for second layer added security to any password breaches. To ensure the rightful owner gains access, service providers send a unique text message, usually with a time lapse period. As each phone number is unique, the reasonable assumption is that only individuals with access to that specific phone can know the code, but what if that assumption is wrong?

The spate of new recent hacks, including the hack of Bo Shen today, Founding Partner of Fenbushi Capital, and, according to Kraken, “at least 10 cases of people publicly involved in the cryptocurrency scene being victimized by mobile phone hijacking,” places that assumption in serious doubt.

A quick google search indicates there are many service providers offering phone spyware, allowing you to effectively see everything someone else is doing. They are mainly sold to parents to keep their children in check, but undoubtedly abused for other uses. Although we cannot verify, there appear to be providers who allow you to intercept text messages without the installation of any software nor any other information whatever, but the phone number.

If the latter is indeed the case, the entire premise of text authentication is deeply flawed which would be incredibly worrying for almost all online service providers, especially bitcoin exchanges, as most rely on two-factor authentication. The only security they may provide, therefore, is the obscurity of your phone number, a very low barrier by most considerations and one ruthlessly abused recently.

Peterson states:

In every case their MO seems to be the same: they use social engineering of cell-phone carriers to get your phone number, then if you have a “recovery phone number” enabled in your email they use your phone to take over your email. Once they have your email they can use password resets etc. to take over everything else.

That is, if they have access to your name, e-mail address, preferably postal address, employment and any other identifying information, they can impersonate legitimate, and for call center operators fairly ordinary, cases where you genuinely forget some information or changes of details, such as an old postal or email address. As, for call center operators, such cases are not rare, the phone number may seem innocuous, but that magic number can then, apparently, open doors.

Although it seems fairly incredible someone can intercept your text messages without installing any software nor being in your vicinity, Peterson states Tony Sakich and Ron Bernstein, both currently or previously involved with Augur, have confirmed with their phone carrier that their phone numbers were compromised, leading to hacks. We tried to speak to Bernstein, but have received no reply to confirm his phone carrier in time for publishing.

Once more, this raises the question of how we can secure our value to the point where a teenager, mother, or very wealthy man can hold any confidence their funds do not just vanish. As it stands, the best we can do is mirror gold. Bank vaults have armed guards, layers and layers, deep bunkers. Fairly wealthy physical value holders have coded steel boxes. The majority rely on lack of incentive.

Perhaps we can do a bit better in this digital age. Perhaps armed guards can be replaced with their digital version. Perhaps reversibility should become a feature for special, saving like, accounts. Perhaps there should be far more emphasis on undoubtedly the number one priority, security, but the problem is not limited to just the digital currency space.

Security has been a problem in all of the computing industry for far too long as its apparent rarity makes costs seem unjustified, but, swan-like events, from huge databases hacked, private pictures publicized, the influencing of USA elections through the Podesta e-mail leaks, as well as the many hacks in this space may, gradually, lead to the realization that security, rather than a luxury, is very much a necessity.

Image from Shutterstock.

Andrew Quentson @Aquentson

Feel free to contact me at andrewquentson@gmail.com with any information you may have.