It's an extremely odd decision by the author to publish this piece. Port attacks on cryptocurrency accounts is nothing new, and outside of publishing the number ($100k!) there is nothing special about this account of events vs the countless other near identical articles that have been published on Medium on the same old attack.
The reason I say it's odd is that he's an engineering manager at BitGo, which is a leading cryptocurrency custody solution! His job is literally to secure and protect institutional cryptocurrency wallets, and to publicly tell the world how careless he was with his own personal account looks extremely poorly on his employer despite the fact that this was an unrelated incident.
Moreover, why wouldn't he be using his own company's "industry-leading comprehensive secure" wallet solution which he recommends in the article, for his $100K worth of Bitcoin?
Honestly - they are a pain in the ass, its not fun having to use them vs the convenience of an exchange, I certainly procrastinated about moving mine for a long time!
It's a reminder that crypto is fundamentally dangerous due to its lack of regulation and compliance requirements, its fundamental irreversibility and lack of authority/censorship. It's a lesson we should all take to heart about what makes for a functional financial system and what doesn't. It's also a lesson about the security of phones.
IMO its great to learn about what goes well but super valuable to learn when people face-plant.
And you would have a chance (actually, be legally entitled) to recover your money as opposed to people on the internet telling you sorry for your loss.
IF someone managed to rob your account entirely through a mistake of the bank, it is the govt pointing the gun at the banks head (figuratively and literally) to give you your monetary assets.
With crypto the government can't get involved so you're screwed
The banks know this, and they don't like losing money, so they have made most of their transactions reversible. There was an article on this a few years ago exploring why bank account credentials are worth little on the black market. Basically, there isn't an easy, safe way to just steal money out of a bank account.
Traditional financial regulation and compliance is a joke and mostly security theatre from the perspective of a security engineer or cryptographers.
- credit cards with secrets printed and shared in plain sight
- hacked banks
- hacked atms
It only works because most involved are somewhat trustworthy and the damages are small enough that it’s still worth to have the system.
But the latter also seems to be true for crypto. It shifts the responsibility further to the user. Some like it because they assume they can provide better opsec than their bank (which was easy in the past). Others don’t like to take responsibility and leave it with some exchange, which in some cases even lack behind banks.
When I was a student 15 years ago my debit card was skimmed (here in the UK) and someone in the middle east completely emptied my bank account. I called my bank, they explained what had happened and what little money I had was back the very next day.
So while the infrastructure may be fundamentally insecure, quite frankly that's not my problem. If it was a crypto wallet I would have had zero legal recourse and of course never would have seen that money again - as we're seeing again and again.
I do hold some ETH but I don't see it replacing my bank anytime soon.
Ouch. Sucks to read that. For anyone who might be interested in a possible alternative to this, I keep two bank accounts with the same bank with only one being connected to my debit card. I keep a tiny balance in the account connected to the debit card so that even if I lose it, the damage is minimal. Whenever my balance is running low, I do a quick transfer via online banking.
No idea how feasible this might be in other countries, but wanted to share in case its helpful. It's really helped me have ease of mind in using my card when I've been abroad.
Doesn't stop me from attempting to dismantle any ATM though whenever I use one :')
How many hours did you spend resolving the issue? That’s your damage.
And while you were reimbursed, the damage to the whole community was still done and just covered by an insurance fee that everyone pays on every transaction.
A bank's lack of opsec isn't my problem, it's theirs. They get hacked, I still get made whole. Only in crypto is the lack of anyones opsec your problem.
> credit cards with secrets printed and shared in plain sight
This is a simplification. For all customer-present transactions cards use the secrets in a secure chip, and the transaction is authorised by the cryptographic processor in those chips signing the transaction data with a secret key. It's classic 2FA - Something you have (a card) and something you know (a PIN).
The type-in-a-number-on-a-website purchases are the weak link, and even they are usually protected by another layer of passwords (3D-secure, Verified by Visa etc).
It's quite a while (in most places outside the US) since the number on the front was the secret.
Correct, and they won't any time soon. This US is a Chip + Signature market, which still incorporates cryptographic elements on the card itself as the secret.
In a Chip + PIN transaction, the second factor is your digital PIN, whereas in the Chip + Signature transaction the second factor is your signature. It's still 2fac, but more importantly, in neither case is the secret on the front of the card.
There are three security elements aspects to the EMV standard: card duplication (your card is the real deal), cardholder verification (you are the real deal), and lending (that you still have available credit).
Having a chip prevents (or at least is intended to prevent) card skimming. EMV payments cannot be re-played, cards cannot be duplicated and neither the card nor the reader can be tampered with. The magstripe of a chip card includes a flag indicating the card has a chip so even if you duplicated the stripe, it still wouldn't work. That is a material improvement over magstripe-only cards, and the private key is embedded within the silicon in a highly tamper-resistant way. This got the US the bulk of the 'win'.
With respect to cardholder verification, the Cardholder Verification Methods range, from least to most secure (from the perspective of a bank): None (i.e. have at it), Signature, PIN and CDCVM (ApplePay, etc). The CVM is negotiated between the card and the reader on insertion (EMV) or presentation (NFC/EMV). Each of these CVMs will impact to some extent things such as how likely a transaction is to be approved vs declined, how much you're charged in interchange to make up for it, and so on.
Yes, PINs are more secure in some ways because they provide a pre-payment second factor and in some ways yield a false sense of security. For instance, if someone sees you key in your PIN, you'll have a harder time claiming fraud, and in Europe it's on you to prove that. In the US, it's on the merchant. The trade-off here is again more time. Merchants are often willing to pay a slightly higher interchange rate to get people through the line faster, and signature is unequivocally faster than Online pin (requiring another network request to decrypt/verify) and still faster than Offline pin (which only works in Europe and is capped through floor limit).
Consider this from the perspective of all the layers of security even an EMV signature payment has. Tamper-proof physical card required that cannot be cloned, tamper-proof terminal, the card yields a signed payment request to your acquirer who can flag it as fraudulent, to the issuing bank who can flag it as fraudulent, and all the way back down to the card which can itself mark your transaction as fraudulent (it's called a reversal). Then you sign. And your photograph / video is likely recorded by the merchant at the point of sale, too. PIN or no-PIN, in a low fraud rate market, the win is small but the cost in added time can be really high.
If this mattered in the US and PIN were truly advantageous, restaurants could configure their terminals to request signatures or no verification while high-ticket size merchants could still capture PINs. They could still make this change at any time, really, all the tech out there more or less supports it. During the EMV transition all this was considered, and the decision was made it wasn't worth it.
tl;dr: Sometimes the 'less secure' method get you the bulk of the security win while yielding more profit for the merchant.
Source: I worked in payments for years including during the EMV switchover :) Hope that helps!
In Europe it's more common to have an EC card, which doesn't have any necessary secrets printed in plain sight (you need a TAN to complete a transaction over 25€ or total 100€ per day).
We also have SEPA Inst which allows me to send people money instantly for no fees (atleast at my bank), faster than Bitcoin ever could.
I'm insured against the bank being hacked. I'm also insured against the ATM's being hacked.
If I'd open my bank account today and found 0€ via hacks, I'd get it all back in 99.9% of cases. If I loose my card I get back everything too.
If I loose my bitcoin wallet, I'm SOL and should be sorry for not making backups and using a multisig wallet with 2FA!
Same-day ACH took a while AFAIK because of fraud risk especially to smaller banks and credit unions, although we've moved into phase 3 of the work last year so that's happening now. I think the push-to-debit functionality pioneered by the likes of Square Cash helped hurry this along but I'm only speculating.
It's not particularly insider information, the reason America was slow to the chip card game was pragmatic. The US is a very low fraud rate market, and re-issuing all 1.43 billion credit cards [1] and 14M payment terminals [2] was going to cost an awful lot of money. Further, major industry players like McDonalds weren't interested in seeing line speeds go down at point of sale as they switch from mag stripe payments which happen real fast to EMV chip transactions which, at the time, were really slow. Think <1s for magstripe to 10s of seconds for EMV. NFC helps mitigate this, but again, dual-interface cards (EMV + NFC + Mastripe) are a few dollars a piece.
tl:dr; it wasn't until a few years ago that the cost of the transition outweighed the cost of the fraud that would be mitigated as a result.
You think of CC cards but an EC card is connected to your bank account, so you require the bank account number on the card plus a valid TAN number or the pin number of the card.
Alternatively you need a SEPA merchant account, but running fraud on that gets you sued to hell and back.
Personal email accounts also tend to leak into having access to employer systems, especially in tech. For example a lot of people use their personal email for Github, so once an attacker has access to your personal email they can move laterally into your employers private code repositories.
BitGo should be treating this as a security incident and verifying the attacker didn’t also target them.
IIRC their system with Bitfinex was a 2-of-3 key setup, with BitGo holding one key and Bitfinex, for some reason, holding two. At least that's what's stuck in my memory from Bitfinex/BitGo communications at the time, since the setup seemed to negate the point of using BotGo in the first place.
Edit: I should've clicked the link there, it says pretty much the same. It doesn't seem to me there was much left to explain - the attacker gained access to Bitfinex's keys and that was enough to withdraw. The idea of using BitGo was that a compromise of Bitfinex couldn't lead to loss of user funds, but Bitfinex holding two keys completely undermined that goal.
I'd like to see more companies introduce "time locks" into various big aspects of accounts.
Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.
Want to change 2 factor information for an account? We can put in the request now and it won't take effect for a week while we reach out to you using every communication method we know how to let you know it's happening and give you ample time to stop it if you discover it wasn't actually you that did it.
It seems like a fairly "low cost" way of upping the security quite a bit.
Also, not to make the OP feel worse, but Coinbase even offers a service like this called the "vault". The idea being that withdraws are time-locked for a specific amount of time, and there are multiple ways to stop it during that time lock, even if you got locked out of your account entirely.
And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.
Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.
Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...
> I'll put your request in now but it will wait for 5 business days before it happens
This to me seems to be a complete misunderstanding of the telcos business and motivations. They sell mobile telephony - voice, sms, and data - and their _prime objective_ is to make it as easy as possible for their customer to spend as much money doing that as possible. Making you wait five days to get reconnected to "your number" when you have, for whatever reason, lost control of it is just not going to happen. They'll move mountains to get you back onto your data/voice plan before you've walked out of the store.
Nobody ever advertised their phone/sms plans as "banking grade secure". Telcos have been telling us for years that they are explicitly _not_ secure for that:
Communications Alliance chief executive John Stanton, representing the interests of mobile providers Telstra, Optus and Vodafone, took the extraordinary step of of declaring the technology insecure in the wake of numerous reports of Australians being defrauded via a phone porting scam first uncovered in Secure Computing magazine.
"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," Stanton told iTnews this week.
Telcos are not interested in securing that, they get _way_ more complaints from people who lost/broke their phone who want their replacement one to work RIGHT NOW, than they do from people who got defrauded with a sim porting attack. And the first group of people are spending _way_ more money collectively than the second, so of course telcos will continue to make it quick and easy to sim port.
Everybody else needs to deal with that. While sms 2FA is marginally better than not having any 2FA at all, it's not the telco's problem if you choose to use it to "secure" your $100k worth of crypto. In my mind, a large part of the blame here goes to COinbase for even offering it. I'm also looking at your PayPal...
Yes, Paypal is bad, they took away their support for the Symantec 2FA codes and forced users in many countries to use SMS instead.
This is pretty easy for the telco to prevent, though. Your existing telco should simply phone you and ask if you wish to leave them before letting the number get ported out.
Note that all telcos will prevent the number being ported out if you owe them any money on the account.
You appear to be discussing porting a number from one provider to another but the attack in the article (and being discussed in the thread up to this point) is based on moving the number to another SIM within the same provider).
> While sms 2FA is marginally better than not having any 2FA at all
I used to believe this too. Until this morning. Then I realized something and now I'm not so sure: if I don't have SMS 2FA at all, then my phone line is less to become an attack target. Meaning I'm less likely to have to deal with the collateral damage of lost accounts, files, etc. So is it really better to have that SMS 2FA? Especially if you weren't ever having problems securing your stuff before it came along?
Good to know! I feel like it stems from the notion that protecting whatever particular account they want you to protect must be the most important priority in your life. Even security folks don't always seem inclined to think in terms of trade-offs... too often they seem to see things as black and white. If something protects your account or computer better then it must be better and you have to do it. They don't care if you might lose your job or if it might burn down your home as a side effect; that's just not part of their threat models...
> Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.
Funny because that's exactly what happens in France when you do so. I must have sounded a bit dumb when I asked when my number would be active when I changed from Tello to Verizon. I couldn't believe it was effective right away.
It's been a while since I ported a number but the last time I did it took days here in the UK too. I just assumed it was typical inefficiency by the mobile operators rather than a security thing, however.
It takes days in the UK because we have a crappy system where instead of having a central register of number -> provider, calls are still routed to a ported number via the "donor" network, i.e. the network the number range belongs. So I just ported from O2 to EE, and my calls and texts will still go through o2, and then sent on to EE. Not very efficient.
> And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.
Yes! Many password managers (at least KeePassXC/KeePass with plugin) can store and create TOTPs. The underlying keys can be manually shown and entered elsewhere if needed, and can be backed up with everything else that's valuable.
> Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...
Off site and offline backups are a good thing to have, especially with fire and water proof lockboxes. (think encrypted external drive lying around at work or at family/friend's house)
>Many password managers (at least KeePassXC/KeePass with plugin) can store and create TOTPs.
Personally I don't really like this feature and urge people to avoid it for "high security accounts".
It's not a "second factor" if it's stored and input using the same device and authentication information as your "first factor" (your username and password).
That's not to say it's useless, at the very least it's another layer that attackers have to figure out. But the true benefits of 2FA come from needing multiple devices to access accounts. If all of the factors are stored in one program on one device, then in the situation where that device/program is cracked, the attackers have everything.
Still, if you are going to choose between no 2FA and "2FA stored in your password manager", choose the password manager! And if you are going to choose between SMS-2FA, and the password manager, choose the password manager! But if you really want better security for not much more work, store your 2FA on a different device!
> That's not to say it's useless, at the very least it's another layer that attackers have to figure out. But the true benefits of 2FA come from needing multiple devices to access accounts. If all of the factors are stored in one program on one device, then in the situation where that device/program is cracked, the attackers have everything.
I feel you're not portraying the trade-off accurately so I'll try to clarify.
It's not merely better because it's just "another layer to figure out". That's what you would get with 2 passwords. It's not what you get with 1 password + 1 OTP.
With OTP you're protected against your password being logged and used later on e.g. an untrusted or breached machine (say, at a library). I'd hazard to guess that dealing with a passive adversary who's time-separated from you is FAR more common/likely than having your actual password database stolen or cracked somehow. Meaning it's still quite a significant benefit to having OTP.
Personally I use Google Authenticator. The lack of a backup is a feature not a con IMO.
Every account I have setup with TOTP I also make sure to print out the recovery codes and put them in a safe, and use them if my device is ever destroyed. When I switch phones (which for me happens maybe once every 2-3 years at most), I go through the shitty process of transferring the TOTP codes over to the new device, but it doesn't really take all that long (it took me an hour to do it for about a dozen accounts last time I did it), and I'd much rather not have any of it uploaded anywhere.
You can print out the QR code or save that somehow during setup and use that to setup TOTP codes on other devices (or the same TOTP on multiple devices), but I tend not to do that as recovery codes work just as well, and they notify you if they are used (unlike a TOTP setup QR code). I did have to store the QR code for one account that doesn't provide recovery codes, but it's overall not that much extra work.
Google Authenticator does not help prevent against a compromised device (as all TOTP secrets and seeds are on device) and is truly a pain when working with multiple phones. Personally I use Yubico Authenticator as all the TOTPs live on my Yubikey. That, in combination with a password then clicking on a totp i want and tapping my yubikey provides me with only that code. When I first seed the yubikey with a new TOTP i also backup a copy of the QR code text and save it into my password manager in the unfortunate event of having to swap out yubikeys.
I use pass for my password manager which links to my yubikey that has my gpg key on it. My yubikey has touch enabled which means that even if someone got access to my machine with my yubikey on it and asked me to tap they would only get that single password. As far as TOTP is concerned it's the same thing. The TOTP section of my yubikey has it's password and also requires a tap
This is good advice. I also have my TOTP set up on at least two devices, my phone, my previous phone, and my iPad. (Both phones because it's fairly common for me to have both my current phone and my iPad with me at the same time. It's spectacularly rare for me to have all three devices with me outside my home.)
I use Authenticator Plus (https://play.google.com/store/apps/details?id=com.mufri.auth...) which has encrypted cloud backup (Google Drive or Dropbox). The encryption is done client-side. When I get a new phone, all I do is set up A+'s cloud sync on the new phone, enter the passphrase I've used previously, and it syncs all my TOTP codes.
As a bonus, the backup is just an encrypted sqlite DB (with dirt-simple schema), so you're not tied to some inscrutable proprietary format, and can easily extract the tokens if you want to use a different app/service.
When setting up a new TOTP for Google Authenticator for my personal accounts, my standard procedure is to take a screenshot of the initialization QR code, and encrypt that screenshot with my gpg key. That is then stored on my external backup disk (which incidentally uses FDE via luks).
You can back up the Key used to set up the TOTP system. This allows you to re-seed the TOTP generator on a new device without needing to go through setup.
Even when you authenticate via SMS in multi device mode, the imported tokens still have to be decrypted via a master password. SMS is just your account identifier on Authy, hijacking it will not allow access to your tokens on its own.
There are also tools to allow you to use those TOTPs without having a phone in general. You can always use those methods instead of using SMS or phones.
2FA has no place over phone networks for account recovery. It's far easier to obtain access to 2FA texts or doing SIM ports like this, than it is to break some gmail account password (even a weak one).
So many people don't seem to understand this - I was trying to use U2F yubikeys on gitlab a while back only to discover they force you to enable 2FA first for account recovery, this completely defeats the purpose of hardware auth, it's not supposed to be for convenience, security is only as strong as the weakest link, 2FA is very weak.
> Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.
+1. I lost a phone and with it my Cloudflare 2FA. For some reason, Cloudflare won't let you contact tech support without logging in. There is no contact info for support on their website, AT ALL, so if you can't log in, you're fucked.
Lots of places do this. Fidelity, for example, blocks withdrawals for a certain amount of time when some specific actions happen on an account. I believe address changes and adding people to your account with a certain level of access trigger the block.
One of those is Microsoft, which requires you to wait a month before changing your email, and there's no way that I can think of to get that expedited.
The „time lock” approach is exactly what Apple is doing if you try to recover your Apple ID (without password and second factor).
Unfortunately, when you search on Twitter, people are going bananas over having to wait a few days to get their Apple account reset... so I definitely get why not more companies are doing this.
In all seriousness folks, as someone who long ago worked for a big wireless carrier, do not use SMS-based two-factor auth for anything. Number porting is a huge and easily performed attack vector, it requires very, very little information, a lot of which can be gathered from publicly available resources... or pretty easily obtained via social engineering. To make matters worse, the information doesn't even need to be entirely accurate.
Once they have your number ported getting it back will take, at least, a few days; during which, they'll have unfettered access to anything that uses your mobile number to authenticate.
Use a dedicated 2FA application on a device you physically control and _write down_ the backup keys somewhere physically safe.
Many services will happily send an SMS account recovery/reset link regardless of how vehemently we refuse to use SMS-based two-factor auth.
An attacker can call support, give them plausibly correct information gleaned from public sources, and nicely claim to have forgotten the answers to your recovery questions ("Oh, it might have been a jumble of letters and numbers... silly me..."). There are enough incorrectly trained support people who will let this through to make the tactic effective on average.
Your point is obviously correct, but everything is so hopelessly broken that it almost doesn't matter in practice.
... which is how it actually works in many countries. In USA "something you know" is enough to impersonate you, elsewhere you'd actually show up with a good quality forgery of passport or gov't ID card, which would cost you more than you might steal from a random person.
Since USA has this "root of trust" problem, it's also unreasonably easy to obtain fake USA IDs since you (again) can impersonate people simply with "something you know" even for the purposes of obtaining legitimate IDs. It's not so easy elsewhere (e.g. if you claim you're me and have lost all ID, they'd just check biometrics before reissuing ID). Proper checks of IDs (+ verification of lost&stolen IDs databases) can ensure that identity theft cases are very rare. The identity theft epidemic isn't general worldwide, it's mostly a regional issue specific to USA and some similar countries.
Many carriers let you set an "account password" or "account pin" - changes can't be made to the account without it (even with personal info like SSN, bday, etc)
Financial institutions offer it to sometimes - my credit union requires the account password, or a visit to a branch to show ID - no amount of personal info will allow you access.
> Any carrier will allow you to change your password or pin using other information .
If by "other information" you mean "come into a store and show a government issued photo ID" you are correct. That's a fairly high bar to clear.
That's the way my carrier does it, and I assume if they violate their own procedures I could evaluate my legal options... though as a practical matter I use a VOIP # which requires a 2FA protected login to port out for vendors that force me to use SMS 2FA.
Not to mention the fact that the carrier can perform these attacks quite easily, as can the governments who have historically found ISPs willing partners. If you have any reason to believe that you might be the subject of a targeted attack, do not use SMS as a second factor!
And U2F tokens, which are even better than TOTP as they are immune to phishing. TOTP codes can be and commonly are phished.
U2F is the current state of the art for 2FA. App/Device-based 2fa (krypton, Google App’s “approve on other device”, authy’s “approve on other device”, keybase, et c) are second.
TOTP is in a lot of ways more trouble than it is worth.
I was attacked in the same manner this weekend. I'll dump what I know below in the hopes it helps someone.
I lost money when MTGox went under and made some online posts (on reddit, I think) several years ago. Maybe this is what caused me to be targeted?
This weekend a malicious actor posing as the account holder on my account was able to get my number transferred to his phone. At&t fraud says this happened at a store, and the user had the last 4 of one of my family member's social security number, as well as a fake id. I'm not sure I believe this, but will request more info in writing.
I regained access to my account. The attacker came from IP 216.162.42.85 (santa clara california)
They entered my email and according to google activity logs immediately went after my coinbase account. They got in (joke's on them I didn't have anything). Then they searched my email for 'btc', and also made a visit to my bank website. They weren't able to get access.
As far as I can tell, they were in and out within 10 minutes. I wonder if this was related to the author's experience?
This is the reason I have disabled SMS as a recovery option in my gmail/google account. My 2FA for gmail is now my iphone and ipad. THey have to know my password and get one of my devices to hack my account. I also use protonmail and for SMS based 2FA, I plan to use a google voice number from a totally different google account w/c forwards the text to my protonmail account. Google voice numbers cannot be ported out. Hence, avoiding the sim hack. They can port out if they hack my "shadow" google account. The trick is to never use the shadow account for anything. Hence, the attackers have no way to get to your google voice.
Unfortunately many places are actively refusing to work with Google Voice. I got a message from Bank of America saying specifically that they're removing Google Voice support:
> You can't enroll in Zelle with a landline, Google Voice or VOIP (voice over internet protocol) phone number. (Section 3.C.3 Enrolling in the Service)
This follows with some other unnamed (because I don't remember them) services which also refuse to work with Google Voice.
That's really unfortunate because I've been using Google Voice for nearly 10 years without issue until recently (when companies specifically remove support...)
I don't imagine they would know unless they check their service logs. I imagine that interconnectivity with (in my case: Bank of America) would cease. And I'm pretty cynical with tech so I suspect it would quietly cease.
Stuff like this freaks me out and I'm sure I'm not the only one. Thanks for the wake-up call. It's a terrible amount of money to lose. I hope things get better for this guy in the future (and I don't think anyone would say they're to blame for this.)
Security is becoming so difficult to balance with an every day life... I don't know how anyone can remember everything that they're "suppose" to know about security.
This is frightfully common in South Africa except aimed at banks - they use SMS as their 2FA. ("SIM swap")
Another common tactic to watch out for: Repeated calling of your phone to annoy you enough so that you switch it off/silent it. That can give the attacker enough time where you don't notice the swap.
This is frightening. If you're using texts for 2-factor auth you're at the mercy of your phone service provider's customer service. And they're trying to balance being helpful with security, which can be in opposition. Losing $100,000 with no hope of recovery is the kind of thing that could sink many people's finances.
His summary of how to avoid having this happen to you:
* Use a hardware wallet to secure your crypto
* SMS-based 2FA is not enough
* Reduce your online footprint
* Use Google Voice for 2FA
* Create a secondary email address
* Use an offline password manager
I like this idea, insofar as the Voice number is not vulnerable to the SIM port attack.
But then I worry that it's yet-another-thing I'm to my Google account, which Google could always shut down at a moment's notice, with no explanation, and no recourse.
I would consider that an alarming sign that I need to change investment companies asap (probably after loudly complaining and trying to change it, since Vanguard is somewhat unique).
How can a mobile carrier operate like this?? No authentication that the request isn't fraudulent?
In Sweden I switched to another carrier, still keeping the number in the same name. To do that I got a text message with a code I had to input to initiate the process.
When I ported my phone number from my father to me within the same carrier when I turned 18 that required the same confirmation to initiate the process and signed request/approval both from me and my father posted to the company, with associated emails about the process.
This isn't even hard? This is just basic steps to prevent identity theft....
This is not about porting the number to a different carrier or even a different owner though. It's more analogous to getting a replacement SIM card.
The last time I had a phone stolen, I went to the carrier's store, they checked my ID, and gave me a replacement SIM. And the things is, if the customer service representative is empowered to do that, they could also be bribed by the attacker.
It's worse than this though. My colleague had his sim replaced by an attacker in October of last year even though his account had a note on it specifically to prevent this without the account holder being present and showing photo id. Not only can the customer service rep at your carriers store do this but so can the phone reps at all the other stores that sell phones for your carrier such as best buy. The bottom line is that SMS/phone numbers shouldn't be an identifying factor for security purposes.
I checked, to get a replacement sim my carrier sends out inactive cards that needs to be activated through their web service using the printed number on the card.
If you don't have an account you need to contact customer service, and to get through there they most likely authenticate you based on your SSN and an already active app on your phone (BankID) where you input your personal password.
This has actually created problems when people get their stuff stolen abroad. The ID application is authenticated using your bank and a device using your physical bank card, a generated number from the webpage and your pin and then the generated number is put into the webpage. So if you get both phone and card stolen it's essentially impossible to get into your accounts until you can get a new one posted to you. Especially fun if your bills end up in a digital mailbox requiring that login....
Using that app is how essentially all identification is done in Sweden since it's based on an already approved physical device and a personal password. With your bank as insurance that the information is correct based on your physical bank card and the account associated to it.
And reading the article everyone was already at the time working on preventing it, because any unauthorized change is illegal.
The prevention seems to be either through BankID authentication or actually calling/texting the number being forwarded to make sure the request is legitimate.
How? I still get a text to my physical phone with the active number being ported and use the code supplied to initiate the process.
Somehow making them change my contact details would just end up with the bills being sent to the wrong place, if you still have paper bills and don't have it automatically paid or goes to a digital mailbox.
Large tech companies like Google push 2-factor auth to "increase" security, but this article shows that 2-factor auth with SMS verification opens up a huge security hole since the attacker can access your email if they can get your provider to port your SIM over to their device. Am I missing something and if not how did companies like Google not foresee this huge security hole?
Google offers many different 2 factor methods including Google Prompt, TOTP, and security key - all of which are better choices than SMS. The author is right to say that SMS is not enough but he didn't go far enough: only use SMS-based 2FA if it's your only 2FA choice for your critical accounts, and consider alternative services if it's your only choice.
I don't know if that's possible in gmail, but in protonmail you can just disable password recovery altogether, which makes your email account secure against these kinds of attacks.
Sucks to be the OP but storing any crypto in an exchange is idiotic and literally the first thing on any list of "how to secure your crypto" is to not do it. This shows the OP is just being willfully ignorant.
If you have any kind of serious crypto holdings, you should either be using hardware wallets or a PC that you only use for crypto. Nothing else.
* Buy crypto, transfer to your PC, turn off PC.
This is why you do long term holding in BTC or any coin that may take longer to confirm on the chain and the money you are playing/trading with should be in an asset like XLM which transfers in seconds.
Now if the whole thing is tanking and you want to transfer your entire savings to try and ride the wave you are already too late if your money is not already on an exchange and you shouldn't be 100% swing trading anyway.
That’s not really a security issue. It sounds like a speculation issue. Treat custodial services like a porta-potty at a shitty music festival: do your business then GTFO
For Bitcoin you should always aim to use the lowest fee possible, and use replace-by-fee (RBF) if a transaction is taking too long.
This person's Google account is likely still vulnerable to the attacker and if they used chrome password sync all of their other accounts are also likely owned. You can recover a google account if you know some basic details such as a previously used password or the creation date of an account. After having a google account owned enrollment in the advanced protection program and ensuring only the strongest recovery methods are enabled are best next steps.
> Do not leave funds idle on exchanges or fiat on-ramps.
This warning has been publicly repeated hundreds of times since 2010, yet people still insist on ignoring it.
The author didn't lose anything. He gave Coinbase his bitcoin in exchange for a promise to pay it back. That deal backfired.
> I knew the risks better than most, but never thought something like this could happen to me.
There's knowing the risk, and then there's knowing the risk. I'd suggest that the author didn't really know the risk, or he would never have considered leaving such a valuable asset in the care of an organization so ill-equipped to safeguard it.
And yet if he'd kept it on his own machine there's myriad other vectors from compromised wallets to typos that would separate even the veteran "investor" from their crypto. And we'd be blaming him again, just as you are now, because in the land of Crypto anything bad that happens is your fault, not the insanely problematic technology. This is the fundamental problem with crypto, it's irreversible and decentralized. These aren't features, they're bugs.
If this were real money or real assets, he'd be able to call his bank and be made whole by the close of business, I wager. Instead he's out a down-payment, SFYL.
I can't believe these shenanigans are allowed to play out as though we're all okay with this being the future of currency.
>because in the land of Crypto anything bad that happens is your fault, not the insanely problematic technology
Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"? The problem here is that people are not aware of the risks associated with cryptocurrencies and so are not taking the required precautions. After all, you can be pretty reckless with your credit card numbers or bank login and still be fine, because the finance system has an undo button for everything.
>This is the fundamental problem with crypto, it's irreversible and decentralized. These aren't features, they're bugs.
I wouldn't call them "bugs", just design decisions or trade offs. Bug implies it's somehow fixable, but if it's not. What if you want to make an irreversible payment, or want to be able to send money to whomever you want without the government stepping in the way, all while being trustless? Is there a way to achieve that, and still being able to hit undo when you make a mistake?
> Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"?
Possibly: see the numerous self-driving efforts underway.
> Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"?
More aptly though, I would declare it problematic if I couldn't drive 10 feet without someone carjacking me in my ostensibly armored car, or if pressing the button on my radio caused the car to explode. I'd call that 'problematic' because if it were my fault, I'd be in jail, and if not, the automaker would be on the wrong end of a huge lawsuit.
You know who we have to thank for their current level of safety? The DOT, NHTSA and legal system.
> The problem here is that people are not aware of the risks associated with cryptocurrencies and so are not taking the required precautions.
He had his coins on probably the only legitimate exchange in all of crypto. He had 2fac. He had 2fac on his gmail. If this isn't sufficient to keep your money protected, we need to stop blaming the victim. He's probably one of the most competent technical individuals owning crypto. If he can't keep it safe how on earth would your grandmother?
> After all, you can be pretty reckless with your credit card numbers or bank login and still be fine, because the finance system has an undo button for everything.
Isn't that awesome? We've recognized people make mistakes and created for them a path to remedy said mistakes. Pretending they don't happen and that it's the victims fault if they do isn't a replacement.
> What if you want to make an irreversible payment.
Wire transfer. You can opt in to irreversibility, it's not the default, and that's completely reasonable IMO.
> ...or want to be able to send money to whomever you want without the government stepping in the way.
AKA breaking the law. Yes, you shouldn't be able to send money to people on the OFAC list, to terrorists, or to sanctioned countries. That's fine with me, and all your fellow citizens. That's why we have those laws. Let's not mince words, "sending money to people the government doesn't want" is financing international terrorism, narcotics trafficking, human trafficking and so on. No, you shouldn't be able to do that.
> ...all while being trustless?
Again, why do you need this without the illegal use cases? Either way PoW cryptos aren't trustless, Beijing has over 80% of the hash power one strongly worded memo away. Decentralized and trustless are not a feature of Bitcoin or most other cryptocurrencies. They are centralized in the PRC. You would give up sovereign control of your money system to the PRC?
> Is there a way to achieve that, and still being able to hit undo when you make a mistake?
No, you shouldn't be able to break the law. An open challenge to all crypto advocates: Provide me one legal use case better suited to cryptocurrency than the US dollar.
> Surprisingly not everyone overseas is linked with international terrorism as you imply.
Unless you're trying to send money to North Korea that wasn't my implication at all, I have family overseas to whom I manage to send money without crypto or getting overcharged.
There are tons of international remittance services already including Andreesen-backed TransferWise which charges ~0.85% or less to move money internationally. Much less than the sum total of the cost of buying coins on an exchange in one country, paying an on-network transaction fee, risk of huge swings in the asset value and fraud along the way and one more exchange transaction fee in the destination country.
Generally even WU is quite competitive. In markets where they appear pricey the cost is usually to de-risk things like political issues which are all borne by crypto too but opaquely.
For instance, the USD-INR corridor is almost fee-free on all services.
If you've got a ton of money to move, you may be best off opening an Interactive Brokers account and performing the exchange there. They take a commission minimum of $2, or 0.002% ($2000 per million) for the trade. [1] It's a $5.1T per day (legitimate) market after all.
This is not a particularly good example, it's a solved problem.
Uh sorry, Interactive Brokers is so cheap my math was off. They charge 0.2 basis points which is 0.2/100 of 1% (0.002%, minimum $2). So a $100,000 exchange would cost $2.00 and a $1,000,000 would cost $20.00
That line of thinking is part of the problem. It's terrible that the author lost his money, but misconceptions only ensure this will happen over and over.
Coinbase != bank.
The banking system has a safety net for recovery of stolen funds. Coinbase has pretty much jack squat in that sense.
True, Coinbase is insured against loss from its hot wallet. But if Coinbase were to suffer a loss from its cold wallet, you'd be left with zilch.
Likewise, Coinbase's terms of service put all of the responsibility for security on you, the user.
Your bank is a different story. It's FDIC insured. It has in place numerous security measure that enable it to claw back any digital theft and make you whole.
Coinbase is not regulated like a bank. Just to pick a relevant point, if someone makes an unauthorized withdrawal from your bank account, that is fraud and your liability is limited. The bank has responsibility for making sure they identify you. https://budgeting.thenest.com/banks-liability-there-identity...
This is the first analogy that sprang to my mind as well but as they noted Coinbase gets all the upside and you get little in return. When you put your money in a bank typically you earn interest in exchange for the bank having your money.
Someone please correct me if I'm wrong, but at least in the US banks take on all risk of fraud. If someone starts writing bad checks in your name, that's ultimately the bank's problem rather than yours.
SMS should not be used for anything even remotely related to security. If you still need to be convinced, the Reply All episode about it[0] is eye opening while being entertaining.
I wonder how nobody sees the elephant in the room.
2FA by SMS is terribly insecure. Numerous security researchers recommended never using it. Using phone numbers as primary authentication mechanism is insecure and never should be used. Phone numbers can be spoofed, SMS messages can be intercepted, SIM port attacks can and will happen. If your email or banking accounts depend on 2FA by SMS, especially when SMS can be used to reset the password — disable it now. Avoid it like plague.
More than that — if your account has significant value that you absolutely can’t afford to lose, you shouldn’t use _any_ 2FA services linked to your phone, at all, including Google Auth. Your phone can be lost or stolen anytime. Use a dedicated device which you don’t take with you all the time.
Alliant Credit Union, for example, only just rolled out SMS-based 2FA in the past ~year. No TOTP/U2F/FIDO* options at all (in fact, according to https://dongleauth.info/, exactly zero major banks/CUs in North America support anything better than SMS or TOTP).
When I can lock my GitHub account more securely than my _money_, it's a bit (read: lot) depressing.
This is the kind of stuff that convinces me we'll never see mass adoption of cryptocurrency -- or that if we do, it will be only by replicating the existing financial system and slapping a cryptocurrency label on it.
If security engineers at cryptocurrency firms are getting hacked, what hope do mom & pop user have? And once your money is stolen, you have basically zero recourse and no way to reverse the transaction. I know many proponents consider that a feature, but I'm telling you for the average user, it is absolutely a bug.
I have a question related to this that someone expert in Bitcoin could answer.
Could the victim monitor where the bitcoin (we assume) went to using the public blockchain record? Then, trace it every step of the way (and in whatever chunks it divides into) until it reaches the account of a publicly identifiable entity? At that point, there might be legal recourse in recouping stolen goods (at least, this is how it works in the UK with stolen physical goods.. even if someone "legitimately" buys them, they can be reclaimed).
Kinda but it's hard and there are measures to counter this. There is one thing called coinjoin which attempts to tumble coins.
Imagine you stole 10 btc and you split it to 10 outputs of 1 btc each. Then you use 2 of them to perform a coinjoin with several other people where in a single transaction 10 inputs of 1 btc (2 of them yours) produce 10 outputs of 1 btc (again 2 of them yours). There is no way to tell which coin is which anymore. Of course this requires some degree of interaction with other people but in other coins such as grin that use the mimblewimble protocol this happens automatically for every block.
Another thing you can do is try to do an atomic swap with someone on another blockchain i.e Litecoin. In this case you send your coins to a specific script address, the other person sends his LTC to another script address and you effectively swap BTC with LTC.
Truly big heists like the Mt. Gox collapse have received research attention, yes. There are some firms which will follow the transactions and try to find patterns. However, for a relatively small amount like this it's probably futile. It's trivial (though costly) to run the funds through a public mixer several times, or to trade it for Monero, which has a ledger that's much more difficult to analyze.
That and Bitcoin is specifically designed to not give you a recourse in case of an attack.
Cryptocurrency designers seem to think that banking was designed as a mistake without anyone thinking. That laws people wanted were just unfortunate side effects.
Bitcoin isn't the problem here. Coinbase is regulated as a "money transmitter". You can get into the same situation if you send money via Western Union, which is also regulated as a money transmitter, and tell them to "waive identification" at the receiving end.[1] That's used as a payment method by some scams.
Coinbase will pay out via PayPal, so someone with access to an account's credentials could pull of this scam without involving cryptocurrency at all.
Now if Coinbase was regulated by the SEC as a "broker/dealer", which is what they really are, they'd be subject to SEC regulations on fraud, and would have SIPC insurance to protect the customer up to $250K.[2]
Coinbase does, in fact, have a New York State "BitLicense", which makes them subject to various New York State regulations.
Among other things, transactions larger than US$10,000 have to be reported to the New York State Department of Financial Services within 24 hours, and Coinbase is subject to rules about cybersecurity, fraud, and its activity as a custodian of the funds of others. You can complain to the New York State Department of Financial Services.
DFS pulled Bittrx's license last month and gave them one day to get out of New York State.
That's interesting, I did not know it was possible to have a coinbase acct without working google authenticator.
I found out the hard way it takes over a week of time and multiple verifications and contacts to reset my authenticator when my old phone was broken; as it should be.
I still don't get one thing: how could the attacker port OP's number without proving he owns the sim? Where I live (in EU) it's mandatory, isn't it the same in the US?
They might have an accomplice within carriers' or dealers' employees. Imagine how many shops are there across the country and how many employees have access to reissuing SIM cards. As an excuse such an employee can always say that they didn't notice that the documents were fake.
at least in germany ordering new sim cards to new addresses your provider never heard of before was a thing some years ago. I think porting a number is a lot easier if you know the detailed process though.
Here in Italy you must provide your ID card and wait a couple days for the carrier to check the data. Goverment websites even use 2fa as a proof of your physical identity
Why is it so common for some people to use "EU"/"Europe" when talking about a quirk about their country? Americans do it too, though the states are far less unique than countries.
If only there was a way to trace the transactions and reverse them. Sadly, the "future of banking" is all immutable ledgers with zero recourse so the money is gone. If this were a real bank he'd have his money back right quick.
>Do not leave funds idle on exchanges or fiat on-ramps. I treated Coinbase like a bank account and you have absolutely zero recourse in the case of an attack. I knew the risks better than most, but never thought something like this could happen to me
I wonder why he'd think that. Disregarding the risk of you getting phished/hacked (which you can prevent), there's nothing you can do about coinbase getting hacked (eg. mt gox), running away with the funds, losing their funds because of incompetence (eg. quadrigacx), or locking your account and taking months to unlock.
Is Google's password reset system a massive security risk? I set up a couple of recovery phone numbers without thinking about it too much, but after reading this it seems like I'm just a little bit of social engineering away from having my Gmail account taken over, along with anyone else who set up a recovery number. If someone took over my SIM and reset my password overnight, they would have 8 hours to do whatever they want with my Gmail account before I saw that my password had been reset.
Yes, my google account was simjacked last year. I lost access to my email, photos, and ability to login via Google. They were after my Coinbase account (luckily the only account I used real 2FA on). They could have initiated bank transfers too but didn’t try.
Customer support for personal gmail accounts is almost nonexistent. Fortunately I had a friend who worked at Google and had them put a word in on my reset request otherwise I would have been SOL.
Disable phone number resets and switch to Google Authenticator w/ backup codes ASAP.
Go through the password reset process with google and it's worse than most people think. The first thing it asks you is:
> Enter the last password you remember using with this Google Account
Which of course the attacker knows because they changed your password. If they don't know that you can click try again and go through the various two factor methods set up (hardware token, totp code, sms) and then the very last and also terrible option is putting in the date the account was created. If your account has been owned the attacker likely knows this too. Advanced account protection is pretty much the only option if you've had your account breached at any time.
>> Enter the last password you remember using with this Google Account
> Which of course the attacker knows because they changed your password.
The site asks for the last password you remember using, not the last password that was used (presumably by the attacker). I don't think this is as bad as you think; the attacker doesn't likely know the previous password, or else they would not have needed to hijack your phone number.
The major US provides are looking to get you to replace all your logins with direct cell-provider authenticated logins, so they can skip the email recovery part:
I would think that an online-only MVNO like Ting.com would be harder to fool - even if their call agent fell for the trick, they'd still have to mail a new sim out. But you'd have to log in yourself to swap the sim using the Ting website. As I understand it, attacker would have to fool you and coax you to swap the sim.
This type of attack has been happening for a long time in Russia where criminals often have accomplices among employees of a cellular carrier or its dealer. There is often no serious responsibility for this and such employees often get away with a fine or just being fired.
The most notable example is when a certain person's SIM card was reissued 4 times within 2 days in different cities by criminals while the owner was trying to restore access to her phone.
To prevent it, some Russian banks have agreements with carriers that allow them to check SIM card's identifier and detect whether it was reissued. If such situation is detected, the bank doesn't allow to use new SIM card to confirm operations.
Some carriers block new SIM cards from receiving SMS for 24 hours and send a SMS with notification to an old SMS card so that the owner can restore access. Also, one can restrict a list of locations where your SIM card can be reissued.
Seems like 2FA in this case is significantly weaker than 1FA if you have a long password. I suppose it depends on if it is easier to answer the security questions or to convince a customer support rep, but my security questions are pretty obscure and I have a security question salt that I always append to the answer.
2FA is not in itself weaker (for the same password). It's account recovery that's that downfall here - the password is forgotten and not one of the factors, so the system allows to to recover your password with _only_ the second factor (mobile phone number).
This same thing happened to me last month (SIM Swap). I also made a post recapping the event, plus the security steps you need to take to help mitigate this attack vector, here:
This inspired me to disable SMS verification on my Google account. Now, the attacker may be able to port my phone number, but without my logged in Android phone, or one of my printed pass codes, they would not be able to subvert my email address.
I was wondering how the attacker found out this guy's phone number, so I searched my own online. Disconcertingly, it was visible on truepeoplesearch.com. So I also submitted a record removal request there.
I mean, I think the best option is to not own any assets that can be fraudulently, irreversibly transferred away. That's what I do. But a little extra security won't hurt.
Phone-based 2FA is security theatre that just adds a new and easy attack vector in the process, pushed by service providers obviously to attain your phone number instead of just an email address.
For anything important I use air-gapped hardware tokens for 2FA. If a brokerage or bank doesn't support hardware token 2FA they don't get my business, full stop.
At the last startup I worked for, which was rather security sensitive, the leadership actually insisted on employees setting up gmail w/SMS 2FA on their smartphones. I kept using backup codes and never set it up.
Part of the problem here is the lack of fraud insurance from CoinBase/exchanges. If the attacker would have instead stolen from his bank (several US and Canadian banks I know happily allow logins with only a password or are only starting to introduce SMS-only 2fa), it is likely that the bank would have returned the money, whether they could revert the transaction or not, and then pursued the hackers themselves.
Fraudulent transactions made with a regular bank account are pretty irreversible too. There's a whole extra layer of infrastructure on top of the 'core' banking services that allows them (banks) to 'reverse' a fraudulent transaction. But I'd be very very surprised if fraudulent charges are 'reversible' in any other way than the bank reimbursing the account holder.
In other words, crypto-currency exchanges could do the same thing (but then they'd almost certainly have/want to charge for that).
Double-entry bookkeeping is also, ideally, irreversible.
Real banks have been hacked (e.g. full mainframe root access), and the hackers have made international transfers which were reversed.
Sure. When bank accounts get hacked sometimes the bank just eats the cost, but if $100k goes to another bank they'll contact that bank to have the money be clawed back.
Now I say "reversed", but the end goal I mean is "the money was transferred back" because it's traceable and doesn't require the cooperation of the receiving account holder. Not that it gets "undone" in double-entry bookkeeping.
Indeed bank hacks have lost some money when the "reversal" incurred currency fluctuation effects. (which could have gone the other way, too).
Also no, regular bank transfers are very reversible because courts can order it so. The justice system can order accounts frozen. With cryptocurrency the illusion is "math is the ultimate arbiter", but of course "math" can't solve "so what happens if one party broke the law", but is forced to answer "well... I guess they win, then".
Also compare smart contracts. You can make an illegal contract. Say the equivalent of selling yourself into slavery. Smart contracts want there to be no court that says "actually, that's slavery, and this contract is void, also the money must be returned". To think that "math" can provide justice better than a justice system is not just holding low esteem for justice systems in general. It's anarchy, and tyranny by exploitation.
"People" are not lawyers, which is why some things are not allowed in contracts. "People" are not coders, which is why smart contracts are also not a thing that will happen (on a scale cryptocurrency people dream of).
They are generally reversible until they cross borders, then it gets way more complicated. Most of these scammers are outside the US, they immediately make an international wire transfer of the money, then split it apart to a bunch of separate accounts, in order to make reverting impossible
> In these cases, you might be better off creating a Google Voice phone number (which cannot be SIM ported) and using that has your 2-Factor Auth recovery number.
I hoped this too but someone commented to me recently that GV is not immune to porting attacks:
Here in India pretty much every online banking transaction requires an SMS OTP. To get a SIM card changed, you need to provide govt ID + you don't get any text messages for 24 hours. IIRC, if you go into a store asking for a SIM swap they also send you an OTP, and ask you to text the new SIM's serial number to a special number to activate it.
Seems like a "better than nothing" mitigation for sites that insist on SMS 2FA is using a Google Voice number so the recovery # is 2FA protected.
Out of curiosity are there any decent free/cheap voip services that support 2FA aside from Google Voice? Using the same provider for email + recovery codes makes me a little nervous.
Email services like Gmail should not treat all emails as identical. Some emails like change in the security settings eg. password reset, change in 2FA, suspicious activity notifications from Google as well as 3rd party, etc. are more important than usual emails. Such critical emails should not be allowed to be deleted by the user for a certain period of time say 1 week. While it might be annoying to see those emails lying around in your inbox. I would prefer that over an attacker being able to clear their traces after taking control of my account.
The standard person today isn't capable of managing multiple secure tokens, and actually keeping them separate.
One smashed phone, and truly secure accounts would be lost forever, or require significant resources on the part of the provider to re-verify people's identities.
> I knew the risks better than most, but never thought something like this could happen to me
This also explains why this article is useless as a warning. Someone who will be hacked like this in the future is reading now this article and saying "hmm, I should be securing my holdings against this, but I don't have time now, and this won't happen to me right away, I'll look into it next week"
It's like the countless articles which appear after backup failures. "I knew I was supposed to test restoring from backup, but...."
Although very sad for this person, his warnings aren't correct. SIM porting is one avenue of attack, but TOTP can also be phished through a http reverse proxy. Push based 2fa is better, U2F based hardware keys are the gold standard today.
I really loved him until he proved himself not worthy, i had to contact
an hacker to help me get access to his whatsApp messages and track his
phone. I didn't get what was expected as i got a lot worse for loving a
man,i was depressed but it is okay now. Am really glad i listened to my
sister and spied on him before it becomes too late. If you need help in
your relationship, you can contact my hacker waynecyberghost @gmail.com
There are so many fake hackers and perverts online who extorts people off their hard earned money from
the basement of their mother. it took me several months to find a genuine hacker who is trustworthy.
Thanks, wayne you are simply the best, no doubt, hey guys if you ever need to track down your cheating
boyfriend or girlfriend or improve your credit score, school grade, or clear criminal records. The man is
genius and gifted hacker. he can hack into all social networking site Facebook, twitter, Instagram, snap chat,
hot mail, yahoo mail, AOL, etc. he also does credit score, credit and debit card top ups as well. he's a top class
hack tool,highly secretive and discreet. Dudes kinda picky so make mention of the reference and you will thank me later.
you can contact him via his mail -waynecyberghost@gmail.com
Tell him stephanie refer you
A non-federally controlled pseudo-anonymous currency similar to cash has the positive upside of enabling digital privacy in spite of the blockchain. That's why. There are still trustworthy tumbler services to obfuscate and hold your bitcoins similar to a bank. And with what some claim, inarguably so, of government overreach and corporate over-sharing of your personal data, it's something I can sympathize with.
Because it covers the use cases of cash but for online. Sometimes you're willing to have no safety guarantees but also not have to deal with paypal etc. Send a small tip to a content creator, pay content creators in small amounts in a patreon-like setting without having to deal with rules against content payment processors don't like (I saw recently this was being launched but I forget the name), lots of use cases.
I really need to call out crypto shill when I see it. As it stands, bitcoin is utterly unusable for micropayments, the transaction fees are way too high for that. There has been attempts at creating micropayment services on top, these all have failed to gain traction.
I still maintain as I did several times here in the past: bitcoin (and in general, crypto"currencies" because they are not currencies) are a scam, a new kind of scam for sure but a scam nonetheless. There are simply no (legit) use cases.
It's an extremely odd decision by the author to publish this piece. Port attacks on cryptocurrency accounts is nothing new, and outside of publishing the number ($100k!) there is nothing special about this account of events vs the countless other near identical articles that have been published on Medium on the same old attack.
The reason I say it's odd is that he's an engineering manager at BitGo, which is a leading cryptocurrency custody solution! His job is literally to secure and protect institutional cryptocurrency wallets, and to publicly tell the world how careless he was with his own personal account looks extremely poorly on his employer despite the fact that this was an unrelated incident.
Moreover, why wouldn't he be using his own company's "industry-leading comprehensive secure" wallet solution which he recommends in the article, for his $100K worth of Bitcoin?
Honestly - they are a pain in the ass, its not fun having to use them vs the convenience of an exchange, I certainly procrastinated about moving mine for a long time!
It's a reminder that crypto is fundamentally dangerous due to its lack of regulation and compliance requirements, its fundamental irreversibility and lack of authority/censorship. It's a lesson we should all take to heart about what makes for a functional financial system and what doesn't. It's also a lesson about the security of phones.
IMO its great to learn about what goes well but super valuable to learn when people face-plant.
If a bank uses SMS to confirm operations and doesn't check that card was recently reissued then this attack would work against traditional bank too.
And you would have a chance (actually, be legally entitled) to recover your money as opposed to people on the internet telling you sorry for your loss.
No, you are not liable when someone robs the bank you use.
IF someone managed to rob your account entirely through a mistake of the bank, it is the govt pointing the gun at the banks head (figuratively and literally) to give you your monetary assets.
With crypto the government can't get involved so you're screwed
The banks know this, and they don't like losing money, so they have made most of their transactions reversible. There was an article on this a few years ago exploring why bank account credentials are worth little on the black market. Basically, there isn't an easy, safe way to just steal money out of a bank account.
Also caps.
My debit card is capped at $400? Cash a day. So cool you get $400 if you steal it. Very different from 100k
There are ways to withdraw money from the card indirectly, for example: ordering expensive goods or betting on sport events.
Sure. Both of those would likely raise a fraud check, and my bank would call me before releasing money.
Spending 100 crypto coins? Not so much.
Traditional financial regulation and compliance is a joke and mostly security theatre from the perspective of a security engineer or cryptographers.
- credit cards with secrets printed and shared in plain sight
- hacked banks
- hacked atms
It only works because most involved are somewhat trustworthy and the damages are small enough that it’s still worth to have the system.
But the latter also seems to be true for crypto. It shifts the responsibility further to the user. Some like it because they assume they can provide better opsec than their bank (which was easy in the past). Others don’t like to take responsibility and leave it with some exchange, which in some cases even lack behind banks.
When I was a student 15 years ago my debit card was skimmed (here in the UK) and someone in the middle east completely emptied my bank account. I called my bank, they explained what had happened and what little money I had was back the very next day.
So while the infrastructure may be fundamentally insecure, quite frankly that's not my problem. If it was a crypto wallet I would have had zero legal recourse and of course never would have seen that money again - as we're seeing again and again.
I do hold some ETH but I don't see it replacing my bank anytime soon.
Ouch. Sucks to read that. For anyone who might be interested in a possible alternative to this, I keep two bank accounts with the same bank with only one being connected to my debit card. I keep a tiny balance in the account connected to the debit card so that even if I lose it, the damage is minimal. Whenever my balance is running low, I do a quick transfer via online banking.
No idea how feasible this might be in other countries, but wanted to share in case its helpful. It's really helped me have ease of mind in using my card when I've been abroad.
Doesn't stop me from attempting to dismantle any ATM though whenever I use one :')
How many hours did you spend resolving the issue? That’s your damage.
And while you were reimbursed, the damage to the whole community was still done and just covered by an insurance fee that everyone pays on every transaction.
A bank's lack of opsec isn't my problem, it's theirs. They get hacked, I still get made whole. Only in crypto is the lack of anyones opsec your problem.
> credit cards with secrets printed and shared in plain sight
This is a simplification. For all customer-present transactions cards use the secrets in a secure chip, and the transaction is authorised by the cryptographic processor in those chips signing the transaction data with a secret key. It's classic 2FA - Something you have (a card) and something you know (a PIN).
The type-in-a-number-on-a-website purchases are the weak link, and even they are usually protected by another layer of passwords (3D-secure, Verified by Visa etc).
It's quite a while (in most places outside the US) since the number on the front was the secret.
Most chip credit transactions in the US dont use a pin yet.
Correct, and they won't any time soon. This US is a Chip + Signature market, which still incorporates cryptographic elements on the card itself as the secret.
In a Chip + PIN transaction, the second factor is your digital PIN, whereas in the Chip + Signature transaction the second factor is your signature. It's still 2fac, but more importantly, in neither case is the secret on the front of the card.
a signature doesnt stop the transaction from going through. if i dispute a transaction, I can go "thats not my signature."
do most people sign their name on those digital pads, or do they scribble random patterns?
a signature is not a pre-authentication factor, a PIN is.
There are three security elements aspects to the EMV standard: card duplication (your card is the real deal), cardholder verification (you are the real deal), and lending (that you still have available credit).
Having a chip prevents (or at least is intended to prevent) card skimming. EMV payments cannot be re-played, cards cannot be duplicated and neither the card nor the reader can be tampered with. The magstripe of a chip card includes a flag indicating the card has a chip so even if you duplicated the stripe, it still wouldn't work. That is a material improvement over magstripe-only cards, and the private key is embedded within the silicon in a highly tamper-resistant way. This got the US the bulk of the 'win'.
With respect to cardholder verification, the Cardholder Verification Methods range, from least to most secure (from the perspective of a bank): None (i.e. have at it), Signature, PIN and CDCVM (ApplePay, etc). The CVM is negotiated between the card and the reader on insertion (EMV) or presentation (NFC/EMV). Each of these CVMs will impact to some extent things such as how likely a transaction is to be approved vs declined, how much you're charged in interchange to make up for it, and so on.
Yes, PINs are more secure in some ways because they provide a pre-payment second factor and in some ways yield a false sense of security. For instance, if someone sees you key in your PIN, you'll have a harder time claiming fraud, and in Europe it's on you to prove that. In the US, it's on the merchant. The trade-off here is again more time. Merchants are often willing to pay a slightly higher interchange rate to get people through the line faster, and signature is unequivocally faster than Online pin (requiring another network request to decrypt/verify) and still faster than Offline pin (which only works in Europe and is capped through floor limit).
Consider this from the perspective of all the layers of security even an EMV signature payment has. Tamper-proof physical card required that cannot be cloned, tamper-proof terminal, the card yields a signed payment request to your acquirer who can flag it as fraudulent, to the issuing bank who can flag it as fraudulent, and all the way back down to the card which can itself mark your transaction as fraudulent (it's called a reversal). Then you sign. And your photograph / video is likely recorded by the merchant at the point of sale, too. PIN or no-PIN, in a low fraud rate market, the win is small but the cost in added time can be really high.
If this mattered in the US and PIN were truly advantageous, restaurants could configure their terminals to request signatures or no verification while high-ticket size merchants could still capture PINs. They could still make this change at any time, really, all the tech out there more or less supports it. During the EMV transition all this was considered, and the decision was made it wasn't worth it.
tl;dr: Sometimes the 'less secure' method get you the bulk of the security win while yielding more profit for the merchant.
Source: I worked in payments for years including during the EMV switchover :) Hope that helps!
I was under the the understanding that
1) readers can be tampered with - https://www.creditcards.com/credit-card-news/new-card-skimmi...
and
2) there was some ability to clone the cards https://www.kaspersky.com/blog/chip-n-pin-cloning/21502/
In Europe it's more common to have an EC card, which doesn't have any necessary secrets printed in plain sight (you need a TAN to complete a transaction over 25€ or total 100€ per day).
We also have SEPA Inst which allows me to send people money instantly for no fees (atleast at my bank), faster than Bitcoin ever could.
I'm insured against the bank being hacked. I'm also insured against the ATM's being hacked.
If I'd open my bank account today and found 0€ via hacks, I'd get it all back in 99.9% of cases. If I loose my card I get back everything too.
If I loose my bitcoin wallet, I'm SOL and should be sorry for not making backups and using a multisig wallet with 2FA!
I’ve read somewhere that regarding the way the cards, checks and transfers work the U.S. is not only behind Europe but even the African countries.
And that the chip cards were invented and used in Europe decades before they started to be spread in the UK and the U.S.
I don’t know why but somebody with more insider information can maybe explain?
Same-day ACH took a while AFAIK because of fraud risk especially to smaller banks and credit unions, although we've moved into phase 3 of the work last year so that's happening now. I think the push-to-debit functionality pioneered by the likes of Square Cash helped hurry this along but I'm only speculating.
It's not particularly insider information, the reason America was slow to the chip card game was pragmatic. The US is a very low fraud rate market, and re-issuing all 1.43 billion credit cards [1] and 14M payment terminals [2] was going to cost an awful lot of money. Further, major industry players like McDonalds weren't interested in seeing line speeds go down at point of sale as they switch from mag stripe payments which happen real fast to EMV chip transactions which, at the time, were really slow. Think <1s for magstripe to 10s of seconds for EMV. NFC helps mitigate this, but again, dual-interface cards (EMV + NFC + Mastripe) are a few dollars a piece.
tl:dr; it wasn't until a few years ago that the cost of the transition outweighed the cost of the fraud that would be mitigated as a result.
[1] https://wallethub.com/edu/cc/number-of-credit-cards/25532/
[2] https://gomedici.com/steady-growth-in-nfc-pos-terminals-in-t...
> In Europe it's more common to have an EC card, which doesn't have any necessary secrets printed in plain sight
This is not true. All you need to do online transactions is the number, expiration and CCV, all of which is printed on EC cards.
You think of CC cards but an EC card is connected to your bank account, so you require the bank account number on the card plus a valid TAN number or the pin number of the card.
Alternatively you need a SEPA merchant account, but running fraud on that gets you sued to hell and back.
EC cards do not have a CCV number.
>It's an extremely odd decision by the author to publish this piece. Port attacks on cryptocurrency accounts is nothing new
I remember first hearing about them in 2016:
https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-m...
I recall case in Russia back in 2005, it was used to gain access to regular bank account.
Very cool, if you have a source that would be very interesting to read about.
Personal email accounts also tend to leak into having access to employer systems, especially in tech. For example a lot of people use their personal email for Github, so once an attacker has access to your personal email they can move laterally into your employers private code repositories.
BitGo should be treating this as a security incident and verifying the attacker didn’t also target them.
BitGo also secured the wallets for Bitfinex leading to a hack in 2015, never fully explaining the circumstances. https://en.m.wikipedia.org/wiki/BitGo#Bitfinex_hack
IIRC their system with Bitfinex was a 2-of-3 key setup, with BitGo holding one key and Bitfinex, for some reason, holding two. At least that's what's stuck in my memory from Bitfinex/BitGo communications at the time, since the setup seemed to negate the point of using BotGo in the first place.
Edit: I should've clicked the link there, it says pretty much the same. It doesn't seem to me there was much left to explain - the attacker gained access to Bitfinex's keys and that was enough to withdraw. The idea of using BitGo was that a compromise of Bitfinex couldn't lead to loss of user funds, but Bitfinex holding two keys completely undermined that goal.
BitGo users always have two of the three keys. Only one of them is supposed to be online, the other one is a backup key.
He just proved how secure most of crypto solutions really are.
I think this is related to the "normalization of deviance" which permeates all domains.
I'd like to see more companies introduce "time locks" into various big aspects of accounts.
Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.
Want to change 2 factor information for an account? We can put in the request now and it won't take effect for a week while we reach out to you using every communication method we know how to let you know it's happening and give you ample time to stop it if you discover it wasn't actually you that did it.
It seems like a fairly "low cost" way of upping the security quite a bit.
Also, not to make the OP feel worse, but Coinbase even offers a service like this called the "vault". The idea being that withdraws are time-locked for a specific amount of time, and there are multiple ways to stop it during that time lock, even if you got locked out of your account entirely.
And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.
Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.
Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...
> I'll put your request in now but it will wait for 5 business days before it happens
This to me seems to be a complete misunderstanding of the telcos business and motivations. They sell mobile telephony - voice, sms, and data - and their _prime objective_ is to make it as easy as possible for their customer to spend as much money doing that as possible. Making you wait five days to get reconnected to "your number" when you have, for whatever reason, lost control of it is just not going to happen. They'll move mountains to get you back onto your data/voice plan before you've walked out of the store.
Nobody ever advertised their phone/sms plans as "banking grade secure". Telcos have been telling us for years that they are explicitly _not_ secure for that:
https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for...
Communications Alliance chief executive John Stanton, representing the interests of mobile providers Telstra, Optus and Vodafone, took the extraordinary step of of declaring the technology insecure in the wake of numerous reports of Australians being defrauded via a phone porting scam first uncovered in Secure Computing magazine.
"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," Stanton told iTnews this week.
Telcos are not interested in securing that, they get _way_ more complaints from people who lost/broke their phone who want their replacement one to work RIGHT NOW, than they do from people who got defrauded with a sim porting attack. And the first group of people are spending _way_ more money collectively than the second, so of course telcos will continue to make it quick and easy to sim port.
Everybody else needs to deal with that. While sms 2FA is marginally better than not having any 2FA at all, it's not the telco's problem if you choose to use it to "secure" your $100k worth of crypto. In my mind, a large part of the blame here goes to COinbase for even offering it. I'm also looking at your PayPal...
Yes, Paypal is bad, they took away their support for the Symantec 2FA codes and forced users in many countries to use SMS instead.
This is pretty easy for the telco to prevent, though. Your existing telco should simply phone you and ask if you wish to leave them before letting the number get ported out.
Note that all telcos will prevent the number being ported out if you owe them any money on the account.
> Note that all telcos will prevent the number being ported out if you owe them any money on the account.
Wait really? Is there a way to force yourself to perpetually owe them a small amount of money then? Could be really worth the money.
This wouldn't prevent a SIM port attack (which is what occurred in the article). You don't leave your provider so account status isn't a factor.
The comment you replied to appears to be discussing porting a number to a different provider which is very different and doesn't happen same-day.
An attacker could just pay the balance.
Seems like a decent hurdle to make an attacker jump through? Given they'd want the payment to be untraceable etc.
You appear to be discussing porting a number from one provider to another but the attack in the article (and being discussed in the thread up to this point) is based on moving the number to another SIM within the same provider).
> While sms 2FA is marginally better than not having any 2FA at all
I used to believe this too. Until this morning. Then I realized something and now I'm not so sure: if I don't have SMS 2FA at all, then my phone line is less to become an attack target. Meaning I'm less likely to have to deal with the collateral damage of lost accounts, files, etc. So is it really better to have that SMS 2FA? Especially if you weren't ever having problems securing your stuff before it came along?
Thank you. I've been waiting years now for someone else to notice this as well.
Good to know! I feel like it stems from the notion that protecting whatever particular account they want you to protect must be the most important priority in your life. Even security folks don't always seem inclined to think in terms of trade-offs... too often they seem to see things as black and white. If something protects your account or computer better then it must be better and you have to do it. They don't care if you might lose your job or if it might burn down your home as a side effect; that's just not part of their threat models...
> Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.
Funny because that's exactly what happens in France when you do so. I must have sounded a bit dumb when I asked when my number would be active when I changed from Tello to Verizon. I couldn't believe it was effective right away.
It's been a while since I ported a number but the last time I did it took days here in the UK too. I just assumed it was typical inefficiency by the mobile operators rather than a security thing, however.
It takes days in the UK because we have a crappy system where instead of having a central register of number -> provider, calls are still routed to a ported number via the "donor" network, i.e. the network the number range belongs. So I just ported from O2 to EE, and my calls and texts will still go through o2, and then sent on to EE. Not very efficient.
> And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.
Yes! Many password managers (at least KeePassXC/KeePass with plugin) can store and create TOTPs. The underlying keys can be manually shown and entered elsewhere if needed, and can be backed up with everything else that's valuable.
> Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...
Off site and offline backups are a good thing to have, especially with fire and water proof lockboxes. (think encrypted external drive lying around at work or at family/friend's house)
>Many password managers (at least KeePassXC/KeePass with plugin) can store and create TOTPs.
Personally I don't really like this feature and urge people to avoid it for "high security accounts".
It's not a "second factor" if it's stored and input using the same device and authentication information as your "first factor" (your username and password).
That's not to say it's useless, at the very least it's another layer that attackers have to figure out. But the true benefits of 2FA come from needing multiple devices to access accounts. If all of the factors are stored in one program on one device, then in the situation where that device/program is cracked, the attackers have everything.
Still, if you are going to choose between no 2FA and "2FA stored in your password manager", choose the password manager! And if you are going to choose between SMS-2FA, and the password manager, choose the password manager! But if you really want better security for not much more work, store your 2FA on a different device!
> That's not to say it's useless, at the very least it's another layer that attackers have to figure out. But the true benefits of 2FA come from needing multiple devices to access accounts. If all of the factors are stored in one program on one device, then in the situation where that device/program is cracked, the attackers have everything.
I feel you're not portraying the trade-off accurately so I'll try to clarify.
It's not merely better because it's just "another layer to figure out". That's what you would get with 2 passwords. It's not what you get with 1 password + 1 OTP.
With OTP you're protected against your password being logged and used later on e.g. an untrusted or breached machine (say, at a library). I'd hazard to guess that dealing with a passive adversary who's time-separated from you is FAR more common/likely than having your actual password database stolen or cracked somehow. Meaning it's still quite a significant benefit to having OTP.
What's a good secondary service to store the TOTP codes separate from passcodes?
Authy, from what I understand, requires a phone number as backup, meaning it could be compromised by the same method
Google authenticator can't be backedup, which is royally annoying when you change/lose devices
Lastpass has some security issues, and one well known comment here has recommended no one use it.
I heard someone say they use Duo security: does that let you store codes? When I looked it just seemed to lock various services
Personally I use Google Authenticator. The lack of a backup is a feature not a con IMO.
Every account I have setup with TOTP I also make sure to print out the recovery codes and put them in a safe, and use them if my device is ever destroyed. When I switch phones (which for me happens maybe once every 2-3 years at most), I go through the shitty process of transferring the TOTP codes over to the new device, but it doesn't really take all that long (it took me an hour to do it for about a dozen accounts last time I did it), and I'd much rather not have any of it uploaded anywhere.
You can print out the QR code or save that somehow during setup and use that to setup TOTP codes on other devices (or the same TOTP on multiple devices), but I tend not to do that as recovery codes work just as well, and they notify you if they are used (unlike a TOTP setup QR code). I did have to store the QR code for one account that doesn't provide recovery codes, but it's overall not that much extra work.
Google Authenticator does not help prevent against a compromised device (as all TOTP secrets and seeds are on device) and is truly a pain when working with multiple phones. Personally I use Yubico Authenticator as all the TOTPs live on my Yubikey. That, in combination with a password then clicking on a totp i want and tapping my yubikey provides me with only that code. When I first seed the yubikey with a new TOTP i also backup a copy of the QR code text and save it into my password manager in the unfortunate event of having to swap out yubikeys.
Doesn't this mean your password manager is still single factor? Access that, access everything. That's the problem I was trying to avoid.
I use pass for my password manager which links to my yubikey that has my gpg key on it. My yubikey has touch enabled which means that even if someone got access to my machine with my yubikey on it and asked me to tap they would only get that single password. As far as TOTP is concerned it's the same thing. The TOTP section of my yubikey has it's password and also requires a tap
This is good advice. I also have my TOTP set up on at least two devices, my phone, my previous phone, and my iPad. (Both phones because it's fairly common for me to have both my current phone and my iPad with me at the same time. It's spectacularly rare for me to have all three devices with me outside my home.)
You can use Authenticator Plus, which cloud syncs your 2FA DB on every add/delete/update you make to any of your 2FA accounts.
I use Authenticator Plus (https://play.google.com/store/apps/details?id=com.mufri.auth...) which has encrypted cloud backup (Google Drive or Dropbox). The encryption is done client-side. When I get a new phone, all I do is set up A+'s cloud sync on the new phone, enter the passphrase I've used previously, and it syncs all my TOTP codes.
As a bonus, the backup is just an encrypted sqlite DB (with dirt-simple schema), so you're not tied to some inscrutable proprietary format, and can easily extract the tokens if you want to use a different app/service.
Authy let you password encrypt your data with then, so even if someone ports your sim it won't give them access.
When setting up a new TOTP for Google Authenticator for my personal accounts, my standard procedure is to take a screenshot of the initialization QR code, and encrypt that screenshot with my gpg key. That is then stored on my external backup disk (which incidentally uses FDE via luks).
I use a Yubikey + my phone for storing copies of TOTP codes
Means I don't have to worry about phone upgrades and such, and if the Yubikey were to stop working I still have it on my phone
You can back up the Key used to set up the TOTP system. This allows you to re-seed the TOTP generator on a new device without needing to go through setup.
You can disable "multi device" mode in Authy, this prevents adding new devices via SMS auth.
Even when you authenticate via SMS in multi device mode, the imported tokens still have to be decrypted via a master password. SMS is just your account identifier on Authy, hijacking it will not allow access to your tokens on its own.
Simple solution, have a secondary db for totp.
I have this in case my yubikey ever dies and takes my totp codes with it.
There are also tools to allow you to use those TOTPs without having a phone in general. You can always use those methods instead of using SMS or phones.
2FA has no place over phone networks for account recovery. It's far easier to obtain access to 2FA texts or doing SIM ports like this, than it is to break some gmail account password (even a weak one).
So many people don't seem to understand this - I was trying to use U2F yubikeys on gitlab a while back only to discover they force you to enable 2FA first for account recovery, this completely defeats the purpose of hardware auth, it's not supposed to be for convenience, security is only as strong as the weakest link, 2FA is very weak.
> Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.
+1. I lost a phone and with it my Cloudflare 2FA. For some reason, Cloudflare won't let you contact tech support without logging in. There is no contact info for support on their website, AT ALL, so if you can't log in, you're fucked.
Lots of places do this. Fidelity, for example, blocks withdrawals for a certain amount of time when some specific actions happen on an account. I believe address changes and adding people to your account with a certain level of access trigger the block.
One of those is Microsoft, which requires you to wait a month before changing your email, and there's no way that I can think of to get that expedited.
The „time lock” approach is exactly what Apple is doing if you try to recover your Apple ID (without password and second factor).
Unfortunately, when you search on Twitter, people are going bananas over having to wait a few days to get their Apple account reset... so I definitely get why not more companies are doing this.
In all seriousness folks, as someone who long ago worked for a big wireless carrier, do not use SMS-based two-factor auth for anything. Number porting is a huge and easily performed attack vector, it requires very, very little information, a lot of which can be gathered from publicly available resources... or pretty easily obtained via social engineering. To make matters worse, the information doesn't even need to be entirely accurate.
Once they have your number ported getting it back will take, at least, a few days; during which, they'll have unfettered access to anything that uses your mobile number to authenticate.
Use a dedicated 2FA application on a device you physically control and _write down_ the backup keys somewhere physically safe.
Many services will happily send an SMS account recovery/reset link regardless of how vehemently we refuse to use SMS-based two-factor auth.
An attacker can call support, give them plausibly correct information gleaned from public sources, and nicely claim to have forgotten the answers to your recovery questions ("Oh, it might have been a jumble of letters and numbers... silly me..."). There are enough incorrectly trained support people who will let this through to make the tactic effective on average.
Your point is obviously correct, but everything is so hopelessly broken that it almost doesn't matter in practice.
>Number porting is a huge and easily performed attack vector, it requires very, very little information
Does it need to be? Seems most of it could be avoided if the cellular service required a visit at the store with an ID card to clone a SIM card.
... which is how it actually works in many countries. In USA "something you know" is enough to impersonate you, elsewhere you'd actually show up with a good quality forgery of passport or gov't ID card, which would cost you more than you might steal from a random person.
Since USA has this "root of trust" problem, it's also unreasonably easy to obtain fake USA IDs since you (again) can impersonate people simply with "something you know" even for the purposes of obtaining legitimate IDs. It's not so easy elsewhere (e.g. if you claim you're me and have lost all ID, they'd just check biometrics before reissuing ID). Proper checks of IDs (+ verification of lost&stolen IDs databases) can ensure that identity theft cases are very rare. The identity theft epidemic isn't general worldwide, it's mostly a regional issue specific to USA and some similar countries.
So what’s the alternative? Especially financial institutions insist on using SMS in addition to even hardware keys. It’s crazy.
Many carriers let you set an "account password" or "account pin" - changes can't be made to the account without it (even with personal info like SSN, bday, etc)
Financial institutions offer it to sometimes - my credit union requires the account password, or a visit to a branch to show ID - no amount of personal info will allow you access.
Any carrier will allow you to change your password or pin using other information .
Otherwise, what would happen in the frequent case where users forget their pin?
> Any carrier will allow you to change your password or pin using other information .
If by "other information" you mean "come into a store and show a government issued photo ID" you are correct. That's a fairly high bar to clear.
That's the way my carrier does it, and I assume if they violate their own procedures I could evaluate my legal options... though as a practical matter I use a VOIP # which requires a 2FA protected login to port out for vendors that force me to use SMS 2FA.
Which carrier is that?
Or allowing one to "confirm" their accoubt via SMS if they've lost the TOTP code generating device.
(Because no one would lie about that)
Use a different financial institution
Not to mention the fact that the carrier can perform these attacks quite easily, as can the governments who have historically found ISPs willing partners. If you have any reason to believe that you might be the subject of a targeted attack, do not use SMS as a second factor!
Oy, does that mean Authy is vulnerable to this?
https://authy.com/phones/reset/?proceed=true
Authy backups are encrypted with a password (at least, if you set them to), so you can't gain access with just the phone number.
However I believe their "OneTouch" system (e.g. Twitch & Namecheap) is linked to phone numbers only, so that could be breached via SMS.
I'd recommend using a standalone 2FA app which can be backed up to your own cloud storage. (e.g. Google Drive/Dropbox)
I wish Google, Twitter et al would listen to this, but alas...
At least Google allows you to turn off SMS as a "2FA" source.
You can set up Google Authenticator (or Authy) and a Yubikey as 2FA sources, then remove your phone number.
Much to my surprise, I was able to do this with PayPal where I set up two Symantec VIP Access IDs and was able to remove the phone number.
I wish I could do this with other accounts.
Google offers 2FA using TOTP, and has for several years.
And U2F tokens, which are even better than TOTP as they are immune to phishing. TOTP codes can be and commonly are phished.
U2F is the current state of the art for 2FA. App/Device-based 2fa (krypton, Google App’s “approve on other device”, authy’s “approve on other device”, keybase, et c) are second.
TOTP is in a lot of ways more trouble than it is worth.
Also physical tokens can be easier to use if the support for them is built into OS and doesn't require installing or configuring additional software.
I was attacked in the same manner this weekend. I'll dump what I know below in the hopes it helps someone.
I lost money when MTGox went under and made some online posts (on reddit, I think) several years ago. Maybe this is what caused me to be targeted?
This weekend a malicious actor posing as the account holder on my account was able to get my number transferred to his phone. At&t fraud says this happened at a store, and the user had the last 4 of one of my family member's social security number, as well as a fake id. I'm not sure I believe this, but will request more info in writing.
I regained access to my account. The attacker came from IP 216.162.42.85 (santa clara california)
They entered my email and according to google activity logs immediately went after my coinbase account. They got in (joke's on them I didn't have anything). Then they searched my email for 'btc', and also made a visit to my bank website. They weren't able to get access.
As far as I can tell, they were in and out within 10 minutes. I wonder if this was related to the author's experience?
This is the reason I have disabled SMS as a recovery option in my gmail/google account. My 2FA for gmail is now my iphone and ipad. THey have to know my password and get one of my devices to hack my account. I also use protonmail and for SMS based 2FA, I plan to use a google voice number from a totally different google account w/c forwards the text to my protonmail account. Google voice numbers cannot be ported out. Hence, avoiding the sim hack. They can port out if they hack my "shadow" google account. The trick is to never use the shadow account for anything. Hence, the attackers have no way to get to your google voice.
I'm fairly certain that any phone number in the US has to be portable by law.
You can port out a voice number - it's $3 if it was originally a voice number:
https://support.google.com/voice/answer/1065667?hl=en
Weirdly, you can't port a Gsuite google voice # to a gmail account. (I looked into it when considering canceling my Gsuite account)
Porting out GVoice numbers is harder, but it can absolutely be done, I've moved a purely Google Voice number to T-Mobile before.
> Google voice numbers cannot be ported out.
I hoped so too but someone replied to me that they can:
https://news.ycombinator.com/item?id=19886705
I've ported out my google voice numbers several times.
> My 2FA for gmail is now my iphone and ipad
sorry - how does that work? what's the platform / messaging service?
Authenticator app that generates one-time codes; no messaging (or even being online) required after the initial sync.
This is awesome. Thank you for sharing.
I wish more people knew that their entire identity hinges on a store clerk at AT&T.
> Google Voice 2FA
Unfortunately many places are actively refusing to work with Google Voice. I got a message from Bank of America saying specifically that they're removing Google Voice support:
> You can't enroll in Zelle with a landline, Google Voice or VOIP (voice over internet protocol) phone number. (Section 3.C.3 Enrolling in the Service)
This follows with some other unnamed (because I don't remember them) services which also refuse to work with Google Voice.
That's really unfortunate because I've been using Google Voice for nearly 10 years without issue until recently (when companies specifically remove support...)
If you ported a previous phone number to google voice, how would they know?
It's easy to find out the company hosting a phone number: http://twilio.com/lookup
I don't imagine they would know unless they check their service logs. I imagine that interconnectivity with (in my case: Bank of America) would cease. And I'm pretty cynical with tech so I suspect it would quietly cease.
Same with my bank, and I ported my Voice number to my carrier.
Stuff like this freaks me out and I'm sure I'm not the only one. Thanks for the wake-up call. It's a terrible amount of money to lose. I hope things get better for this guy in the future (and I don't think anyone would say they're to blame for this.)
Security is becoming so difficult to balance with an every day life... I don't know how anyone can remember everything that they're "suppose" to know about security.
This is frightfully common in South Africa except aimed at banks - they use SMS as their 2FA. ("SIM swap")
Another common tactic to watch out for: Repeated calling of your phone to annoy you enough so that you switch it off/silent it. That can give the attacker enough time where you don't notice the swap.
This is frightening. If you're using texts for 2-factor auth you're at the mercy of your phone service provider's customer service. And they're trying to balance being helpful with security, which can be in opposition. Losing $100,000 with no hope of recovery is the kind of thing that could sink many people's finances.
His summary of how to avoid having this happen to you:
> * Use Google Voice for 2FA
I like this idea, insofar as the Voice number is not vulnerable to the SIM port attack.
But then I worry that it's yet-another-thing I'm to my Google account, which Google could always shut down at a moment's notice, with no explanation, and no recourse.
Using Google voice may not do all you had hoped:
https://news.ycombinator.com/item?id=19886705
There may not be a choice. Vanguard refused to log me in until I configured 2-factor SMS.
Vanguard also offers 2FA with voice-automated calls. I wonder, would getting a landline and using that with a Yubikey be any more secure?
https://investor.vanguard.com/security/security-keys
Vanguard can work with Yubikeys now.
I would consider that an alarming sign that I need to change investment companies asap (probably after loudly complaining and trying to change it, since Vanguard is somewhat unique).
Fidelity also only uses SMS-based 2FA :-/
Good list, and I would add using multisig for serious amounts.
Everybody involved in something like this should be suing the phone company that gave away their phone number in violation of policy.
https://www.silvermillerlaw.com/current-investigations/crypt... comes up on a search and says they'll do contingency in cases like this. Got nothing to lose.
How can a mobile carrier operate like this?? No authentication that the request isn't fraudulent?
In Sweden I switched to another carrier, still keeping the number in the same name. To do that I got a text message with a code I had to input to initiate the process.
When I ported my phone number from my father to me within the same carrier when I turned 18 that required the same confirmation to initiate the process and signed request/approval both from me and my father posted to the company, with associated emails about the process.
This isn't even hard? This is just basic steps to prevent identity theft....
This is not about porting the number to a different carrier or even a different owner though. It's more analogous to getting a replacement SIM card.
The last time I had a phone stolen, I went to the carrier's store, they checked my ID, and gave me a replacement SIM. And the things is, if the customer service representative is empowered to do that, they could also be bribed by the attacker.
It's worse than this though. My colleague had his sim replaced by an attacker in October of last year even though his account had a note on it specifically to prevent this without the account holder being present and showing photo id. Not only can the customer service rep at your carriers store do this but so can the phone reps at all the other stores that sell phones for your carrier such as best buy. The bottom line is that SMS/phone numbers shouldn't be an identifying factor for security purposes.
I checked, to get a replacement sim my carrier sends out inactive cards that needs to be activated through their web service using the printed number on the card.
If you don't have an account you need to contact customer service, and to get through there they most likely authenticate you based on your SSN and an already active app on your phone (BankID) where you input your personal password.
This has actually created problems when people get their stuff stolen abroad. The ID application is authenticated using your bank and a device using your physical bank card, a generated number from the webpage and your pin and then the generated number is put into the webpage. So if you get both phone and card stolen it's essentially impossible to get into your accounts until you can get a new one posted to you. Especially fun if your bills end up in a digital mailbox requiring that login....
Using that app is how essentially all identification is done in Sweden since it's based on an already approved physical device and a personal password. With your bank as insurance that the information is correct based on your physical bank card and the account associated to it.
See recent Tele2 attacks. This is a problem in Sweden too.
Maybe the Tele2 attacks made them finally sort things out.
Googled. Is it regarding using social engineering to enable call forwarding last autumn? Can't find anything else.
Yeah. Which is how this guy got hacked, too. Whether it's by forwarding or new sim card is a detail. It's the same social engineering vulnerability.
And reading the article everyone was already at the time working on preventing it, because any unauthorized change is illegal.
The prevention seems to be either through BankID authentication or actually calling/texting the number being forwarded to make sure the request is legitimate.
What Tele2 attacks?
https://computersweden.idg.se/2.2683/1.710395/google-konto-h...
In your case, a dedicated attacker could socially engineer the carrier into changing you and your father's contact details and then port the number.
$100k is a lifetime's worth of money in some countries, and it can justify a few months worth of recon.
How? I still get a text to my physical phone with the active number being ported and use the code supplied to initiate the process.
Somehow making them change my contact details would just end up with the bills being sent to the wrong place, if you still have paper bills and don't have it automatically paid or goes to a digital mailbox.
Large tech companies like Google push 2-factor auth to "increase" security, but this article shows that 2-factor auth with SMS verification opens up a huge security hole since the attacker can access your email if they can get your provider to port your SIM over to their device. Am I missing something and if not how did companies like Google not foresee this huge security hole?
Google offers many different 2 factor methods including Google Prompt, TOTP, and security key - all of which are better choices than SMS. The author is right to say that SMS is not enough but he didn't go far enough: only use SMS-based 2FA if it's your only 2FA choice for your critical accounts, and consider alternative services if it's your only choice.
The issue is that the forgot/lost device flow allows you to remove your more secure 2FA with only SMS verification.
You can turn off SMS/phone auth fallback, at least in gsuite.
If you use one of those secure options, click the lost your device option, and then you can describe to everyone how secure the recovery process is.
I don't know if that's possible in gmail, but in protonmail you can just disable password recovery altogether, which makes your email account secure against these kinds of attacks.
Sucks to be the OP but storing any crypto in an exchange is idiotic and literally the first thing on any list of "how to secure your crypto" is to not do it. This shows the OP is just being willfully ignorant.
Exchanges get hacked or are victims of internal fraud at a level that is far beyond any acceptable risk. https://coinsutra.com/biggest-bitcoin-hacks/
If you have any kind of serious crypto holdings, you should either be using hardware wallets or a PC that you only use for crypto. Nothing else. * Buy crypto, transfer to your PC, turn off PC.
For any significant crypto holdings you should be using a hardware wallet, and for serious holdings you should also use a multisig setup.
Right but what if the blocks fill up and transactions are taking forever right when you (and others) have the most interest in selling?
This is why you do long term holding in BTC or any coin that may take longer to confirm on the chain and the money you are playing/trading with should be in an asset like XLM which transfers in seconds.
Now if the whole thing is tanking and you want to transfer your entire savings to try and ride the wave you are already too late if your money is not already on an exchange and you shouldn't be 100% swing trading anyway.
Just my opinion on how I handle it.
That’s not really a security issue. It sounds like a speculation issue. Treat custodial services like a porta-potty at a shitty music festival: do your business then GTFO
For Bitcoin you should always aim to use the lowest fee possible, and use replace-by-fee (RBF) if a transaction is taking too long.
This person's Google account is likely still vulnerable to the attacker and if they used chrome password sync all of their other accounts are also likely owned. You can recover a google account if you know some basic details such as a previously used password or the creation date of an account. After having a google account owned enrollment in the advanced protection program and ensuring only the strongest recovery methods are enabled are best next steps.
https://landing.google.com/advancedprotection/
> Do not leave funds idle on exchanges or fiat on-ramps.
This warning has been publicly repeated hundreds of times since 2010, yet people still insist on ignoring it.
The author didn't lose anything. He gave Coinbase his bitcoin in exchange for a promise to pay it back. That deal backfired.
> I knew the risks better than most, but never thought something like this could happen to me.
There's knowing the risk, and then there's knowing the risk. I'd suggest that the author didn't really know the risk, or he would never have considered leaving such a valuable asset in the care of an organization so ill-equipped to safeguard it.
And yet if he'd kept it on his own machine there's myriad other vectors from compromised wallets to typos that would separate even the veteran "investor" from their crypto. And we'd be blaming him again, just as you are now, because in the land of Crypto anything bad that happens is your fault, not the insanely problematic technology. This is the fundamental problem with crypto, it's irreversible and decentralized. These aren't features, they're bugs.
If this were real money or real assets, he'd be able to call his bank and be made whole by the close of business, I wager. Instead he's out a down-payment, SFYL.
I can't believe these shenanigans are allowed to play out as though we're all okay with this being the future of currency.
>because in the land of Crypto anything bad that happens is your fault, not the insanely problematic technology
Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"? The problem here is that people are not aware of the risks associated with cryptocurrencies and so are not taking the required precautions. After all, you can be pretty reckless with your credit card numbers or bank login and still be fine, because the finance system has an undo button for everything.
>This is the fundamental problem with crypto, it's irreversible and decentralized. These aren't features, they're bugs.
I wouldn't call them "bugs", just design decisions or trade offs. Bug implies it's somehow fixable, but if it's not. What if you want to make an irreversible payment, or want to be able to send money to whomever you want without the government stepping in the way, all while being trustless? Is there a way to achieve that, and still being able to hit undo when you make a mistake?
> Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"?
Possibly: see the numerous self-driving efforts underway.
> Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"?
More aptly though, I would declare it problematic if I couldn't drive 10 feet without someone carjacking me in my ostensibly armored car, or if pressing the button on my radio caused the car to explode. I'd call that 'problematic' because if it were my fault, I'd be in jail, and if not, the automaker would be on the wrong end of a huge lawsuit.
You know who we have to thank for their current level of safety? The DOT, NHTSA and legal system.
> The problem here is that people are not aware of the risks associated with cryptocurrencies and so are not taking the required precautions.
He had his coins on probably the only legitimate exchange in all of crypto. He had 2fac. He had 2fac on his gmail. If this isn't sufficient to keep your money protected, we need to stop blaming the victim. He's probably one of the most competent technical individuals owning crypto. If he can't keep it safe how on earth would your grandmother?
> After all, you can be pretty reckless with your credit card numbers or bank login and still be fine, because the finance system has an undo button for everything.
Isn't that awesome? We've recognized people make mistakes and created for them a path to remedy said mistakes. Pretending they don't happen and that it's the victims fault if they do isn't a replacement.
> What if you want to make an irreversible payment.
Wire transfer. You can opt in to irreversibility, it's not the default, and that's completely reasonable IMO.
> ...or want to be able to send money to whomever you want without the government stepping in the way.
AKA breaking the law. Yes, you shouldn't be able to send money to people on the OFAC list, to terrorists, or to sanctioned countries. That's fine with me, and all your fellow citizens. That's why we have those laws. Let's not mince words, "sending money to people the government doesn't want" is financing international terrorism, narcotics trafficking, human trafficking and so on. No, you shouldn't be able to do that.
> ...all while being trustless?
Again, why do you need this without the illegal use cases? Either way PoW cryptos aren't trustless, Beijing has over 80% of the hash power one strongly worded memo away. Decentralized and trustless are not a feature of Bitcoin or most other cryptocurrencies. They are centralized in the PRC. You would give up sovereign control of your money system to the PRC?
> Is there a way to achieve that, and still being able to hit undo when you make a mistake?
No, you shouldn't be able to break the law. An open challenge to all crypto advocates: Provide me one legal use case better suited to cryptocurrency than the US dollar.
> Provide me one legal use case better suited to cryptocurrency than the US dollar.
Sending money to people overseas without extortionate fees. Surprisingly not everyone overseas is linked with international terrorism as you imply.
> Surprisingly not everyone overseas is linked with international terrorism as you imply.
Unless you're trying to send money to North Korea that wasn't my implication at all, I have family overseas to whom I manage to send money without crypto or getting overcharged.
There are tons of international remittance services already including Andreesen-backed TransferWise which charges ~0.85% or less to move money internationally. Much less than the sum total of the cost of buying coins on an exchange in one country, paying an on-network transaction fee, risk of huge swings in the asset value and fraud along the way and one more exchange transaction fee in the destination country.
Generally even WU is quite competitive. In markets where they appear pricey the cost is usually to de-risk things like political issues which are all borne by crypto too but opaquely.
For instance, the USD-INR corridor is almost fee-free on all services.
If you've got a ton of money to move, you may be best off opening an Interactive Brokers account and performing the exchange there. They take a commission minimum of $2, or 0.002% ($2000 per million) for the trade. [1] It's a $5.1T per day (legitimate) market after all.
This is not a particularly good example, it's a solved problem.
[1] https://www.interactivebrokers.com/en/index.php?f=1590&p=fx
Uh sorry, Interactive Brokers is so cheap my math was off. They charge 0.2 basis points which is 0.2/100 of 1% (0.002%, minimum $2). So a $100,000 exchange would cost $2.00 and a $1,000,000 would cost $20.00
Stellar and IBM's WorldWire are hoping to tackle the remittances issue! Check it out if you haven't.
Neither of those solutions need or benefit from BlockChain.
Your comment couldn't be more asinine.
Did you even bother to google search them? Here I'll help.
https://www.stellar.org/
https://www.ibm.com/blockchain/solutions/world-wire
Personal attacks will get you banned here. Would you please read https://news.ycombinator.com/newsguidelines.html and follow the rules?
I apologize. I did not read the rules. I have now and will refrain from any personal attacks going forward.
> No, you shouldn't be able to break the la
Check your privilege, as some might say
Replace by Fee, but its a pretty small window of opportunity.
Honestly, put it into Coinbase's vault (locked for 48 hours).
People want the convenience of being able to trade while also wanting security. Eat the cost of transferring from a hardware wallet.
Do you also keep your cash under your mattress, instead of into a bank account?
That line of thinking is part of the problem. It's terrible that the author lost his money, but misconceptions only ensure this will happen over and over.
Coinbase != bank.
The banking system has a safety net for recovery of stolen funds. Coinbase has pretty much jack squat in that sense.
True, Coinbase is insured against loss from its hot wallet. But if Coinbase were to suffer a loss from its cold wallet, you'd be left with zilch.
Likewise, Coinbase's terms of service put all of the responsibility for security on you, the user.
Your bank is a different story. It's FDIC insured. It has in place numerous security measure that enable it to claw back any digital theft and make you whole.
Coinbase is not regulated like a bank. Just to pick a relevant point, if someone makes an unauthorized withdrawal from your bank account, that is fraud and your liability is limited. The bank has responsibility for making sure they identify you. https://budgeting.thenest.com/banks-liability-there-identity...
This is the first analogy that sprang to my mind as well but as they noted Coinbase gets all the upside and you get little in return. When you put your money in a bank typically you earn interest in exchange for the bank having your money.
Someone please correct me if I'm wrong, but at least in the US banks take on all risk of fraud. If someone starts writing bad checks in your name, that's ultimately the bank's problem rather than yours.
Coinbase is not a bank. It acts like one. It spies on its customers on behalf of federal regulators like one. But it most definitely is not a bank.
The author has to eat the loss, as per the user agreement.
SMS should not be used for anything even remotely related to security. If you still need to be convinced, the Reply All episode about it[0] is eye opening while being entertaining.
[0] https://gimletmedia.com/shows/reply-all/v4he6k/130-the-snapc...
I wonder how nobody sees the elephant in the room.
2FA by SMS is terribly insecure. Numerous security researchers recommended never using it. Using phone numbers as primary authentication mechanism is insecure and never should be used. Phone numbers can be spoofed, SMS messages can be intercepted, SIM port attacks can and will happen. If your email or banking accounts depend on 2FA by SMS, especially when SMS can be used to reset the password — disable it now. Avoid it like plague.
More than that — if your account has significant value that you absolutely can’t afford to lose, you shouldn’t use _any_ 2FA services linked to your phone, at all, including Google Auth. Your phone can be lost or stolen anytime. Use a dedicated device which you don’t take with you all the time.
I know SO many real banks which still use 2FA by SMS.
And it was a hell of a fight to even get _those_.
Alliant Credit Union, for example, only just rolled out SMS-based 2FA in the past ~year. No TOTP/U2F/FIDO* options at all (in fact, according to https://dongleauth.info/, exactly zero major banks/CUs in North America support anything better than SMS or TOTP).
When I can lock my GitHub account more securely than my _money_, it's a bit (read: lot) depressing.
This is the kind of stuff that convinces me we'll never see mass adoption of cryptocurrency -- or that if we do, it will be only by replicating the existing financial system and slapping a cryptocurrency label on it.
If security engineers at cryptocurrency firms are getting hacked, what hope do mom & pop user have? And once your money is stolen, you have basically zero recourse and no way to reverse the transaction. I know many proponents consider that a feature, but I'm telling you for the average user, it is absolutely a bug.
I have a question related to this that someone expert in Bitcoin could answer.
Could the victim monitor where the bitcoin (we assume) went to using the public blockchain record? Then, trace it every step of the way (and in whatever chunks it divides into) until it reaches the account of a publicly identifiable entity? At that point, there might be legal recourse in recouping stolen goods (at least, this is how it works in the UK with stolen physical goods.. even if someone "legitimately" buys them, they can be reclaimed).
Kinda but it's hard and there are measures to counter this. There is one thing called coinjoin which attempts to tumble coins.
Imagine you stole 10 btc and you split it to 10 outputs of 1 btc each. Then you use 2 of them to perform a coinjoin with several other people where in a single transaction 10 inputs of 1 btc (2 of them yours) produce 10 outputs of 1 btc (again 2 of them yours). There is no way to tell which coin is which anymore. Of course this requires some degree of interaction with other people but in other coins such as grin that use the mimblewimble protocol this happens automatically for every block.
Another thing you can do is try to do an atomic swap with someone on another blockchain i.e Litecoin. In this case you send your coins to a specific script address, the other person sends his LTC to another script address and you effectively swap BTC with LTC.
Truly big heists like the Mt. Gox collapse have received research attention, yes. There are some firms which will follow the transactions and try to find patterns. However, for a relatively small amount like this it's probably futile. It's trivial (though costly) to run the funds through a public mixer several times, or to trade it for Monero, which has a ledger that's much more difficult to analyze.
"I treated Coinbase like a bank account and you have absolutely zero recourse in the case of an attack."
Now that's the real problem. Coinbase acts like a bank or a broker/dealer, but isn't regulated like one.
That and Bitcoin is specifically designed to not give you a recourse in case of an attack.
Cryptocurrency designers seem to think that banking was designed as a mistake without anyone thinking. That laws people wanted were just unfortunate side effects.
Bitcoin isn't the problem here. Coinbase is regulated as a "money transmitter". You can get into the same situation if you send money via Western Union, which is also regulated as a money transmitter, and tell them to "waive identification" at the receiving end.[1] That's used as a payment method by some scams.
Coinbase will pay out via PayPal, so someone with access to an account's credentials could pull of this scam without involving cryptocurrency at all.
Now if Coinbase was regulated by the SEC as a "broker/dealer", which is what they really are, they'd be subject to SEC regulations on fraud, and would have SIPC insurance to protect the customer up to $250K.[2]
Coinbase does, in fact, have a New York State "BitLicense", which makes them subject to various New York State regulations. Among other things, transactions larger than US$10,000 have to be reported to the New York State Department of Financial Services within 24 hours, and Coinbase is subject to rules about cybersecurity, fraud, and its activity as a custodian of the funds of others. You can complain to the New York State Department of Financial Services.
DFS pulled Bittrx's license last month and gave them one day to get out of New York State.
[1] https://www.westernunion.com/us/en/fraudawareness/fraud-ques...
[2] https://www.sipc.org/for-investors/what-sipc-protects
That's interesting, I did not know it was possible to have a coinbase acct without working google authenticator.
I found out the hard way it takes over a week of time and multiple verifications and contacts to reset my authenticator when my old phone was broken; as it should be.
I'd like to point out that preventing things like this is literally this guy's day job. (Look him up)
And he didn't know about SIM attacks.
And he kept $100k of irreversibly transactible "money" on an exchange, despite their history of being hacked.
This is what happens when you get involved with organized crime (which I consider Bitcoin to be): you become a victim.
His lessons learned is of course not that reversible transactions is something good, not a "mistake" in the fiat banking system.
Additional discussion yesterday. Perhaps the mods can merge these submissions:
https://news.ycombinator.com/item?id=19964089
I still don't get one thing: how could the attacker port OP's number without proving he owns the sim? Where I live (in EU) it's mandatory, isn't it the same in the US?
They might have an accomplice within carriers' or dealers' employees. Imagine how many shops are there across the country and how many employees have access to reissuing SIM cards. As an excuse such an employee can always say that they didn't notice that the documents were fake.
at least in germany ordering new sim cards to new addresses your provider never heard of before was a thing some years ago. I think porting a number is a lot easier if you know the detailed process though.
Oh, my bad, I thought US was the exception
Here in Italy you must provide your ID card and wait a couple days for the carrier to check the data. Goverment websites even use 2fa as a proof of your physical identity
Why is it so common for some people to use "EU"/"Europe" when talking about a quirk about their country? Americans do it too, though the states are far less unique than countries.
Because many of the rules are made on the EU level, not by the individual country.
If only there was a way to trace the transactions and reverse them. Sadly, the "future of banking" is all immutable ledgers with zero recourse so the money is gone. If this were a real bank he'd have his money back right quick.
>Do not leave funds idle on exchanges or fiat on-ramps. I treated Coinbase like a bank account and you have absolutely zero recourse in the case of an attack. I knew the risks better than most, but never thought something like this could happen to me
I wonder why he'd think that. Disregarding the risk of you getting phished/hacked (which you can prevent), there's nothing you can do about coinbase getting hacked (eg. mt gox), running away with the funds, losing their funds because of incompetence (eg. quadrigacx), or locking your account and taking months to unlock.
I am a bit surprised at the lack of opsec considering the author’s employment and experience.
Definitely sucks to have $100k stolen.
Is Google's password reset system a massive security risk? I set up a couple of recovery phone numbers without thinking about it too much, but after reading this it seems like I'm just a little bit of social engineering away from having my Gmail account taken over, along with anyone else who set up a recovery number. If someone took over my SIM and reset my password overnight, they would have 8 hours to do whatever they want with my Gmail account before I saw that my password had been reset.
Yes, my google account was simjacked last year. I lost access to my email, photos, and ability to login via Google. They were after my Coinbase account (luckily the only account I used real 2FA on). They could have initiated bank transfers too but didn’t try.
Customer support for personal gmail accounts is almost nonexistent. Fortunately I had a friend who worked at Google and had them put a word in on my reset request otherwise I would have been SOL.
Disable phone number resets and switch to Google Authenticator w/ backup codes ASAP.
Go through the password reset process with google and it's worse than most people think. The first thing it asks you is:
> Enter the last password you remember using with this Google Account
Which of course the attacker knows because they changed your password. If they don't know that you can click try again and go through the various two factor methods set up (hardware token, totp code, sms) and then the very last and also terrible option is putting in the date the account was created. If your account has been owned the attacker likely knows this too. Advanced account protection is pretty much the only option if you've had your account breached at any time.
>> Enter the last password you remember using with this Google Account
> Which of course the attacker knows because they changed your password.
The site asks for the last password you remember using, not the last password that was used (presumably by the attacker). I don't think this is as bad as you think; the attacker doesn't likely know the previous password, or else they would not have needed to hijack your phone number.
The major US provides are looking to get you to replace all your logins with direct cell-provider authenticated logins, so they can skip the email recovery part:
https://www.fiercewireless.com/tech/project-verify-will-brin...
With this the attackers get direct access to all your services once they socially engineer or identity theft attack your cell account once.
Is there a mobile carrier focusing on security?
something like what CF (and others) are doing with domains
I would think that an online-only MVNO like Ting.com would be harder to fool - even if their call agent fell for the trick, they'd still have to mail a new sim out. But you'd have to log in yourself to swap the sim using the Ting website. As I understand it, attacker would have to fool you and coax you to swap the sim.
This type of attack has been happening for a long time in Russia where criminals often have accomplices among employees of a cellular carrier or its dealer. There is often no serious responsibility for this and such employees often get away with a fine or just being fired.
The most notable example is when a certain person's SIM card was reissued 4 times within 2 days in different cities by criminals while the owner was trying to restore access to her phone.
To prevent it, some Russian banks have agreements with carriers that allow them to check SIM card's identifier and detect whether it was reissued. If such situation is detected, the bank doesn't allow to use new SIM card to confirm operations.
Some carriers block new SIM cards from receiving SMS for 24 hours and send a SMS with notification to an old SMS card so that the owner can restore access. Also, one can restrict a list of locations where your SIM card can be reissued.
Seems like 2FA in this case is significantly weaker than 1FA if you have a long password. I suppose it depends on if it is easier to answer the security questions or to convince a customer support rep, but my security questions are pretty obscure and I have a security question salt that I always append to the answer.
2FA is not in itself weaker (for the same password). It's account recovery that's that downfall here - the password is forgotten and not one of the factors, so the system allows to to recover your password with _only_ the second factor (mobile phone number).
This same thing happened to me last month (SIM Swap). I also made a post recapping the event, plus the security steps you need to take to help mitigate this attack vector, here:
https://www.youtube.com/watch?v=Uww4Bu6Uzxk
This inspired me to disable SMS verification on my Google account. Now, the attacker may be able to port my phone number, but without my logged in Android phone, or one of my printed pass codes, they would not be able to subvert my email address.
I was wondering how the attacker found out this guy's phone number, so I searched my own online. Disconcertingly, it was visible on truepeoplesearch.com. So I also submitted a record removal request there.
I mean, I think the best option is to not own any assets that can be fraudulently, irreversibly transferred away. That's what I do. But a little extra security won't hurt.
Phone-based 2FA is security theatre that just adds a new and easy attack vector in the process, pushed by service providers obviously to attain your phone number instead of just an email address.
For anything important I use air-gapped hardware tokens for 2FA. If a brokerage or bank doesn't support hardware token 2FA they don't get my business, full stop.
At the last startup I worked for, which was rather security sensitive, the leadership actually insisted on employees setting up gmail w/SMS 2FA on their smartphones. I kept using backup codes and never set it up.
Slightly off topic, but I briefly addressed SIM swap in my prequel blog post to "SSH 2 Factor...", "SSH 2-Factor's First Factor".
The goal was to help beginners in security and technology as a whole understand why SMS based two-factor is insecure and should be avoided.
It's just a couple of paragraphs in a larger post on securing your SSH sessions but hopefully it's of interest.
https://2byt.es/post/totp2
Coinbase should not allow your phone number to be used for 2FA.
I don’t think they’ll change it either because doing so would be admitting responsibility.
Part of the problem here is the lack of fraud insurance from CoinBase/exchanges. If the attacker would have instead stolen from his bank (several US and Canadian banks I know happily allow logins with only a password or are only starting to introduce SMS-only 2fa), it is likely that the bank would have returned the money, whether they could revert the transaction or not, and then pursued the hackers themselves.
because they can (usually) revert it.
Because reversibility is a good thing.
Fraudulent transactions made with a regular bank account are pretty irreversible too. There's a whole extra layer of infrastructure on top of the 'core' banking services that allows them (banks) to 'reverse' a fraudulent transaction. But I'd be very very surprised if fraudulent charges are 'reversible' in any other way than the bank reimbursing the account holder.
In other words, crypto-currency exchanges could do the same thing (but then they'd almost certainly have/want to charge for that).
Double-entry bookkeeping is also, ideally, irreversible.
Real banks have been hacked (e.g. full mainframe root access), and the hackers have made international transfers which were reversed.
Sure. When bank accounts get hacked sometimes the bank just eats the cost, but if $100k goes to another bank they'll contact that bank to have the money be clawed back.
Now I say "reversed", but the end goal I mean is "the money was transferred back" because it's traceable and doesn't require the cooperation of the receiving account holder. Not that it gets "undone" in double-entry bookkeeping.
Indeed bank hacks have lost some money when the "reversal" incurred currency fluctuation effects. (which could have gone the other way, too).
Also no, regular bank transfers are very reversible because courts can order it so. The justice system can order accounts frozen. With cryptocurrency the illusion is "math is the ultimate arbiter", but of course "math" can't solve "so what happens if one party broke the law", but is forced to answer "well... I guess they win, then".
Also compare smart contracts. You can make an illegal contract. Say the equivalent of selling yourself into slavery. Smart contracts want there to be no court that says "actually, that's slavery, and this contract is void, also the money must be returned". To think that "math" can provide justice better than a justice system is not just holding low esteem for justice systems in general. It's anarchy, and tyranny by exploitation.
"People" are not lawyers, which is why some things are not allowed in contracts. "People" are not coders, which is why smart contracts are also not a thing that will happen (on a scale cryptocurrency people dream of).
They are generally reversible until they cross borders, then it gets way more complicated. Most of these scammers are outside the US, they immediately make an international wire transfer of the money, then split it apart to a bunch of separate accounts, in order to make reverting impossible
> In these cases, you might be better off creating a Google Voice phone number (which cannot be SIM ported) and using that has your 2-Factor Auth recovery number.
I hoped this too but someone commented to me recently that GV is not immune to porting attacks:
https://news.ycombinator.com/item?id=19886705
Coinbase's password reset delay is a great idea, but not as useful without Coinbase indicating it in the UI for the current session.
Here in India pretty much every online banking transaction requires an SMS OTP. To get a SIM card changed, you need to provide govt ID + you don't get any text messages for 24 hours. IIRC, if you go into a store asking for a SIM swap they also send you an OTP, and ask you to text the new SIM's serial number to a special number to activate it.
Seems like a "better than nothing" mitigation for sites that insist on SMS 2FA is using a Google Voice number so the recovery # is 2FA protected.
Out of curiosity are there any decent free/cheap voip services that support 2FA aside from Google Voice? Using the same provider for email + recovery codes makes me a little nervous.
I'm curious how difficult it would be to do this hack in Australia. Anyone have any idea?
I have access to all of this data for other people because they sign up for services with the wrong email address (mine).
Tying all security to only an email is dumb for important services.
Email services like Gmail should not treat all emails as identical. Some emails like change in the security settings eg. password reset, change in 2FA, suspicious activity notifications from Google as well as 3rd party, etc. are more important than usual emails. Such critical emails should not be allowed to be deleted by the user for a certain period of time say 1 week. While it might be annoying to see those emails lying around in your inbox. I would prefer that over an attacker being able to clear their traces after taking control of my account.
Do not ever activate password recovery over SMS
Yeah this is why I don't have mobile numbers on any of my accounts as a recovery method.
Put your number in Google Voice and use two factor authentication. Unlike the phone companies, Google actually has decent security.
It's why most of 2FA implementations is BS. It's truly only whoever has access to your number or email can do whatever.
I wouldn't say it's BS. It's just not perfect.
The standard person today isn't capable of managing multiple secure tokens, and actually keeping them separate.
One smashed phone, and truly secure accounts would be lost forever, or require significant resources on the part of the provider to re-verify people's identities.
This kind of sums up the whole article:
> I knew the risks better than most, but never thought something like this could happen to me
This also explains why this article is useless as a warning. Someone who will be hacked like this in the future is reading now this article and saying "hmm, I should be securing my holdings against this, but I don't have time now, and this won't happen to me right away, I'll look into it next week"
It's like the countless articles which appear after backup failures. "I knew I was supposed to test restoring from backup, but...."
Although very sad for this person, his warnings aren't correct. SIM porting is one avenue of attack, but TOTP can also be phished through a http reverse proxy. Push based 2fa is better, U2F based hardware keys are the gold standard today.
folks still willingly use SMS 2FA?
I really loved him until he proved himself not worthy, i had to contact an hacker to help me get access to his whatsApp messages and track his phone. I didn't get what was expected as i got a lot worse for loving a man,i was depressed but it is okay now. Am really glad i listened to my sister and spied on him before it becomes too late. If you need help in your relationship, you can contact my hacker waynecyberghost @gmail.com
There are so many fake hackers and perverts online who extorts people off their hard earned money from the basement of their mother. it took me several months to find a genuine hacker who is trustworthy. Thanks, wayne you are simply the best, no doubt, hey guys if you ever need to track down your cheating boyfriend or girlfriend or improve your credit score, school grade, or clear criminal records. The man is genius and gifted hacker. he can hack into all social networking site Facebook, twitter, Instagram, snap chat, hot mail, yahoo mail, AOL, etc. he also does credit score, credit and debit card top ups as well. he's a top class hack tool,highly secretive and discreet. Dudes kinda picky so make mention of the reference and you will thank me later. you can contact him via his mail -waynecyberghost@gmail.com Tell him stephanie refer you
Federal laws and the protections/insurances a US bank provides would have you without losses right now. Why do we want a decentralized currency again?
A non-federally controlled pseudo-anonymous currency similar to cash has the positive upside of enabling digital privacy in spite of the blockchain. That's why. There are still trustworthy tumbler services to obfuscate and hold your bitcoins similar to a bank. And with what some claim, inarguably so, of government overreach and corporate over-sharing of your personal data, it's something I can sympathize with.
Similar to a bank as in a guaranteed insurance of my funds, like the FDIC in the US?
FDIC is the government overreach the parent was talking about.
It's also a relatively new thing.
People who cry about government overreach seem to rarely ponder why it is there in the first place. Well, TFA shows why.
TFA?
The eFfing Article (as in RTFA, "read the effing article"). I.e. the thing we're all discussing here.
Thanks.
Because it covers the use cases of cash but for online. Sometimes you're willing to have no safety guarantees but also not have to deal with paypal etc. Send a small tip to a content creator, pay content creators in small amounts in a patreon-like setting without having to deal with rules against content payment processors don't like (I saw recently this was being launched but I forget the name), lots of use cases.
I really need to call out crypto shill when I see it. As it stands, bitcoin is utterly unusable for micropayments, the transaction fees are way too high for that. There has been attempts at creating micropayment services on top, these all have failed to gain traction.
I still maintain as I did several times here in the past: bitcoin (and in general, crypto"currencies" because they are not currencies) are a scam, a new kind of scam for sure but a scam nonetheless. There are simply no (legit) use cases.
> There has been attempts at creating micropayment services on top, these all have failed to gain traction.
I'd argue that Bitcoin's lightning network is gaining traction, and it accomplishes a lot of what you are asking for.
Bitcoin isn't the only crypto. Dogecoin is great for microtransactions.
I pay all my dogs in Doge
Who doesn't want to learn the lessons of the last millennia of finance all over again?