Scary Security Stuff

[Jud]

https://apple.news/A07YTbJ9QS5mfGjStr5KpGg

[cjf]

10 minutes ago, Jud said:

https://apple.news/A07YTbJ9QS5mfGjStr5KpGg

Article appears to only be viewable to subscribers

[pkane2001]

21 minutes ago, cjf said:

Article appears to only be viewable to subscribers

 

Not a new security threat, but still scary how easily this is accomplished, even today:

 

https://www.consumer.ftc.gov/blog/2019/10/sim-swap-scams-how-protect-yourself

https://www.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin

https://www.vice.com/en_us/article/gyaqnb/hacker-joel-ortiz-sim-swapping-10-years-in-prison

https://krebsonsecurity.com/2019/05/nine-charged-in-alleged-sim-swapping-ring/

https://krebsonsecurity.com/2019/01/stole-24-million-but-still-cant-keep-a-friend/

 

[Jud]

38 minutes ago, cjf said:

Article appears to only be viewable to subscribers

 

Sorry about that. For those with iPhones, it's a Wall Street Journal article available on Apple News+. It's about a method of hacking through the security of a phone known as "sim-swapping," which doesn't actually involve stealing the SIM in your phone, but rather gaining enough information to hack an email account (surprisingly easy with "lost password" procedures) and thereby stealing your identity (could be a matter of minutes). From there they get into financial accounts - the fellow in the article had $24 million worth of cryptocurrency stolen.

 

Edit: Paul's last link appears to be about this case. Good idea to read up (Krebs has a good site) and find out how to make this more difficult. Two-factor authentication isn't necessarily great, depending on what the second factor is.

[AnotherSpin]

3 hours ago, Jud said:

 

Sorry about that. For those with iPhones, it's a Wall Street Journal article available on Apple News+. It's about a method of hacking through the security of a phone known as "sim-swapping," which doesn't actually involve stealing the SIM in your phone, but rather gaining enough information to hack an email account (surprisingly easy with "lost password" procedures) and thereby stealing your identity (could be a matter of minutes). From there they get into financial accounts - the fellow in the article had $24 million worth of cryptocurrency stolen.

 

Edit: Paul's last link appears to be about this case. Good idea to read up (Krebs has a good site) and find out how to make this more difficult. Two-factor authentication isn't necessarily great, depending on what the second factor is.

"...When you ain't got nothing, you got nothing to lose"

[lucretius]

4 hours ago, Jud said:

From there they get into financial accounts - the fellow in the article had $24 million worth of cryptocurrency stolen.

 

I take it that this gentleman had held his crypto on an exchange and also did not have 2FA set.  In any case, someone with that much crypto should have known better and should have (a) kept the bulk of it in cold storage, and (b) used 2FA for the amounts held on the exchange.

 

If one really must keep really large amounts on an exchange (to facilitate large trades), then at least spread it around various exchanges.  Crypto exchanges have a reputation for going bust and making your crypto and fiat deposits disappear.

[mansr]

9 hours ago, cjf said:

Article appears to only be viewable to subscribers

https://www.fullwsj.com/articles/he-thought-his-phone-was-secure-then-he-lost-24-million-to-hackers-11573221600

[lucretius]

6 hours ago, lucretius said:

 

I take it that this gentleman had held his crypto on an exchange and also did not have 2FA set.  In any case, someone with that much crypto should have known better and should have (a) kept the bulk of it in cold storage, and (b) used 2FA for the amounts held on the exchange.

 

If one really must keep really large amounts on an exchange (to facilitate large trades), then at least spread it around various exchanges.  Crypto exchanges have a reputation for going bust and making your crypto and fiat deposits disappear.

 

I should have noted that crypto exchanges use a 2FA that doesn't rely on calling you up on the phone or sending you an email etc.  They use Google Authenticator or equivalent.  Getting back into a "locked-out" account takes a lot more verification than merely sending an email (and/or providing one's phone number).

[Jud]

20 minutes ago, lucretius said:

 

I should have noted that crypto exchanges use a 2FA that doesn't rely on calling you up on the phone or sending you an email etc.  They use Google Authenticator or equivalent.  Getting back into a "locked-out" account takes a lot more verification than merely sending an email (and/or providing one's phone number).

In fact he did have 2FA set, but the 2FA for his Gmail was text messaging to his phone. So once they got enough info to pretend their phone was his, *they* got the text message, got into his Gmail, and bootstrapped enough info to get through the 2FA in his crypto account.

[pkane2001]

6 hours ago, lucretius said:

 

I take it that this gentleman had held his crypto on an exchange and also did not have 2FA set.  In any case, someone with that much crypto should have known better and should have (a) kept the bulk of it in cold storage, and (b) used 2FA for the amounts held on the exchange.

 

If one really must keep really large amounts on an exchange (to facilitate large trades), then at least spread it around various exchanges.  Crypto exchanges have a reputation for going bust and making your crypto and fiat deposits disappear.

 

The problem is not the lack of 2FA but that the second factor is a phone that is easily spoofable by a bad actor. This is true for many, many websites, banks, email providers, social media, etc.

 

What’s worse is that often the phone is all that’s required to reset a password to many accounts. So anyone able to redirect SMS or voice calls to a phone that doesn’t belong to the account owner can gain access to a lot of information and assets, not just cryptocurrency.

 

Social engineering remains the single easiest path to taking over someone’s identity and access.  The problem in this case is that the owner of the phone can be very savvy and cautious, and yet it takes just a single underpaid, overworked and unaware store clerk or phone rep to give away the customer’s crown jewels. 

[lucretius]

2 minutes ago, Jud said:

In fact he did have 2FA set, but the 2FA for his Gmail was text messaging to his phone. So once they got enough info to pretend their phone was his, *they* got the text message, got into his Gmail, and bootstrapped enough info to get through the 2FA in his crypto account.

 

What crypto exchange relies upon text messaging your phone for 2FA -- that's is rather uncommon.

[lucretius]

4 minutes ago, pkane2001 said:

he problem is not the lack of 2FA but that the second factor is a phone that is easily spoofable by a bad actor. This is true for many, many websites, banks, email providers, social media, etc.

 

Yes, but it's not true for any crypto exchange that I know -- Google Authenticator is widely used for 2FA (if the account holder bothers to turn it on) in the industry.

 

And when resetting your access to a bank account, normally 2FA isn't all that is used; they make you answer the security questions.

[pkane2001]

3 minutes ago, lucretius said:

 

Yes, but it's not true for any crypto exchange that I know -- Google Authenticator is widely used for 2FA (if the account holder bothers to turn it on) in the industry.

 

And when resetting your access to a bank account, normally 2FA isn't all that is used; they make you answer the security questions.

 

Having worked for a large financial before, running all their customer facing operations and call centers, I can tell you that’s not even remotely true. Customer reps are easily fooled by good social engineering, no matter how much training or instruction they are provided by their employer. Oh, and secret questions are also one of the worst second factors one can imagine since they are easy to steal, discover or even guess.

[lucretius]

17 minutes ago, pkane2001 said:

 

Having worked for a large financial before, running all their customer facing operations and call centers, I can tell you that’s not even remotely true. Customer reps are easily fooled by good social engineering, no matter how much training or instruction they are provided by their employer. Oh, and secret questions are also one of the worst second factors one can imagine since they are easy to steal, discover or even guess.

 

I don't disagree that customer reps are easily fooled or that secret questions are bad second factors -- but you must know a little something about the account holder other than an email or telephone number to fool them.

 

Here are some of the security procedures at Kraken (coin exchange);

• 2FA (Google Authenticator and Yubikey) to keep your account secure*
• No Phone/SMS account recovery, your account stays in your hands
• Email confirmations for withdrawals with self-serve account lock
• Configurable account timeout for another layer of protection
• Customizable, granular API key permissions with range boundaries
• Global settings time lock for extreme security when you're away
• PGP signed and encrypted email for secure communication
• SSL encryption to protect you when browsing Kraken 
• Constant, real-time monitoring for suspicious activity
• Sensitive data is fully encrypted at rest and in transit

 

*unfortunately, enabling this is optional.

[Jud]

27 minutes ago, lucretius said:

 

What crypto exchange relies upon text messaging your phone for 2FA -- that's is rather uncommon.

You’re missing a step. The text messaging gets you into email, perhaps some other accounts. There you glean enough information to get you through to the crypto account - for example you use an authenticator on the spoofed phone or answer security questions. 

[lucretius]

10 minutes ago, Jud said:

You’re missing a step. The text messaging gets you into email, perhaps some other accounts. There you glean enough information to get you through to the crypto account - for example you use an authenticator on the spoofed phone or answer security questions. 

 

I get that.  But you won't find the secret keys to use in Google Authenticator in the email. And the phone hardware isn't spoofed/cloned, only the phone number is spoofed. And normally (I say normally because coin exchanges are mostly unregulated) the information you must provide to reset your account isn't something that you would find in an email.

 

 

[pkane2001]

39 minutes ago, lucretius said:

 

I get that.  But you won't find the secret keys to use in Google Authenticator in the email. And the phone hardware isn't spoofed/cloned, only the phone number is spoofed. And normally (I say normally because coin exchanges are mostly unregulated) the information you must provide to reset your account isn't something that you would find in an email.

 

 

 

The problem is still a human being on the other side. They are gullible and given half a chance will accommodate the request coming from a perceived distressed or angry customer. I’ve seen this way too many times, no matter what the policy says.

 

As long as the technology/software is available to override your chosen security options and another human has access to it, someone will find a way to exploit this.

[Jud]

42 minutes ago, lucretius said:

 

I get that.  But you won't find the secret keys to use in Google Authenticator in the email. And the phone hardware isn't spoofed/cloned, only the phone number is spoofed. And normally (I say normally because coin exchanges are mostly unregulated) the information you must provide to reset your account isn't something that you would find in an email.

 

 

By all indications, I am the owner of the Gmail account - after all, I have passed 2FA. So now “my” Google Authenticator works to open “my” accounts, and if you want answers to security questions I may know those or be able to reset them as well. It’s all bootstrapping from the original identity theft. You don’t go directly from spoofing the phone to being able to use an authenticator, there are steps in between that pwning the email account allow you to do.

 

Please do read some of the linked articles.

[mansr]

3 minutes ago, Jud said:

By all indications, I am the owner of the Gmail account - after all, I have passed 2FA. So now “my” Google Authenticator works to open “my” accounts, and if you want answers to security questions I may know those or be able to reset them as well. It’s all bootstrapping from the original identity theft. You don’t go directly from spoofing the phone to being able to use an authenticator, there are steps in between that pwning the email account allow you to do.

Google Authenticator is tied to the physical phone hardware. To use it, an attacker would have to steal your phone. Gaining access to your phone number, your Gmail account, your primary school teacher's mother's first pet's maiden name, or anything else besides the actual, physical phone will be of no use.

[pkane2001]

3 minutes ago, mansr said:

Google Authenticator is tied to the physical phone hardware. To use it, an attacker would have to steal your phone. Gaining access to your phone number, your Gmail account, your primary school teacher's mother's first pet's maiden name, or anything else besides the actual, physical phone will be of no use.

 

Why go through a locked door when a back door is wide open? Google Authenticator protects the front door. It’s not used for backdoor (employee) access in 99% of the cases. The weak link is the human with administrative access to change your password, remove or change your 2FA settings, or reset your secret questions. 

[lucretius]

22 minutes ago, pkane2001 said:

 

Why go through a locked door when a back door is wide open? Google Authenticator protects the front door. It’s not used for backdoor (employee) access in 99% of the cases. The weak link is the human with administrative access to change your password, remove or change your 2FA settings, or reset your secret questions. 

 

Agreed, employees are the week link and the risk here will never be completely eliminated but the risk can be somewhat reduced through continued and vigilant training, rules (and sanctions), appropriate tracking, proper segregation (e.g. why not send all requests to reset an account to the compliance team?), and frequent compliance reviews.

[Jud]

1 hour ago, mansr said:

Google Authenticator is tied to the physical phone hardware. To use it, an attacker would have to steal your phone. Gaining access to your phone number, your Gmail account, your primary school teacher's mother's first pet's maiden name, or anything else besides the actual, physical phone will be of no use.

The idea is to get it tied to other hardware through employees you either suborn or convince of your bona fides.

[lucretius]

4 minutes ago, Jud said:

The idea is to get it tied to other hardware through employees you either suborn or convince of your bona fides.

 

Is this any different than the "back door" that pkane2001 that speaks of?  As stated above, the employee risk can be signicficantly reduced (but never eliminated).

[mansr]

36 minutes ago, lucretius said:

Agreed, employees are the week link and the risk here will never be completely eliminated but the risk can be somewhat reduced through continued and vigilant training, rules (and sanctions), appropriate tracking, proper segregation (e.g. why not send all requests to reset an account to the compliance team?), and frequent compliance reviews.

They could also simply refuse to reset login credentials over the phone. If it required a personal visit with photo ID and perhaps some other documentation, it would make a fraudulent request much harder to pull off. Also, anyone wealthy enough to be worth that trouble to impersonate is probably known by the bank manager, so a fake ID might not be enough.

[tmtomh]

18 hours ago, cjf said:

Article appears to only be viewable to subscribers

 

An additional way to read this (and paywall-blocked articles at many, but not all, other sites): If you're on a Mac, visit the link in Safari and then click on the Reader View - it will bypass the paywall and show you the full article.