
Scary Security Stuff


Jud


6 hours ago, lucretius said:

I take it that this gentleman had held his crypto on an exchange and also did not have 2FA set. In any case, someone with that much crypto should have known better and should have (a) kept the bulk of it in cold storage, and (b) used 2FA for the amounts held on the exchange.

If one really must keep really large amounts on an exchange (to facilitate large trades), then at least spread it around various exchanges. Crypto exchanges have a reputation for going bust and making your crypto and fiat deposits disappear.

The problem is not the lack of 2FA but that the second factor is a phone that is easily spoofable by a bad actor. This is true for many, many websites, banks, email providers, social media, etc.

What's worse is that often the phone is all that's required to reset a password to many accounts. So anyone able to redirect SMS or voice calls to a phone that doesn't belong to the account owner can gain access to a lot of information and assets, not just cryptocurrency.

Social engineering remains the single easiest path to taking over someone's identity and access. The problem in this case is that the owner of the phone can be very savvy and cautious, and yet it takes just a single underpaid, overworked and unaware store clerk or phone rep to give away the customer's crown jewels.

3 minutes ago, lucretius said:

Yes, but it's not true for any crypto exchange that I know -- Google Authenticator is widely used for 2FA (if the account holder bothers to turn it on) in the industry.

And when resetting your access to a bank account, normally 2FA isn't all that is used; they make you answer the security questions.

Having worked for a large financial before, running all their customer-facing operations and call centers, I can tell you that's not even remotely true. Customer reps are easily fooled by good social engineering, no matter how much training or instruction they are provided by their employer. Oh, and secret questions are also one of the worst second factors one can imagine, since they are easy to steal, discover or even guess.

39 minutes ago, lucretius said:

I get that. But you won't find the secret keys to use in Google Authenticator in the email. And the phone hardware isn't spoofed/cloned, only the phone number is spoofed. And normally (I say normally because coin exchanges are mostly unregulated) the information you must provide to reset your account isn't something that you would find in an email.

The problem is still a human being on the other side. They are gullible and, given half a chance, will accommodate the request coming from a perceived distressed or angry customer. I've seen this way too many times, no matter what the policy says.

As long as the technology/software is available to override your chosen security options and another human has access to it, someone will find a way to exploit this.

3 minutes ago, mansr said:

Google Authenticator is tied to the physical phone hardware. To use it, an attacker would have to steal your phone. Gaining access to your phone number, your Gmail account, your primary school teacher's mother's first pet's maiden name, or anything else besides the actual, physical phone will be of no use.

Why go through a locked door when a back door is wide open? Google Authenticator protects the front door. It's not used for backdoor (employee) access in 99% of the cases. The weak link is the human with administrative access to change your password, remove or change your 2FA settings, or reset your secret questions.

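The mechanism the last two posts are arguing about, as an added example that is not code from the thread or from Google Authenticator: the app implements TOTP (RFC 6238, built on RFC 4226 HOTP). A secret is handed to the app once at enrollment through an otpauth:// URI (the QR code), and every code is an HMAC-SHA1 of that secret and the current 30-second counter. Nothing in this path involves the phone number, so redirecting SMS or voice calls produces no code; what the server-side verifier below cannot do is stop an operator with administrative access from switching the 2FA requirement off, which is the back door Jud describes. The secret is the published RFC 4226/6238 test secret, the clock values are the RFC test vectors, and the account and issuer names are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Constructed inputs: the 20-byte ASCII test secret from RFC 4226 / RFC 6238
# Appendix B; account and issuer below are placeholders, not a real service.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock, not from any message."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI (the QR code content) scanned once at enrollment. This is the
    only moment the secret is transferred; afterwards it lives in the app's storage
    and on the server, never in SMS, e-mail or anything tied to the phone number."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": STEP_SECONDS}
    )
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side check: constant-time compare, +-window steps of clock skew, and
    each time step accepted at most once so an observed code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # this step (or an older one) was already consumed
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_accepted_step = step
                return True
        return False


def enrol_and_login_demo() -> dict:
    """Enrollment, a valid login, a replay of the same code, a blind guess, next step."""
    verifier = TotpVerifier(RFC_TEST_SECRET)
    uri = provisioning_uri(RFC_TEST_SECRET, "alice@example.invalid", "ExampleExchange")
    now = 59  # constructed clock value taken from the RFC 6238 vectors (time step 1)
    code_from_app = totp(RFC_TEST_SECRET, now)
    return {
        "uri": uri,
        "first_use": verifier.verify(code_from_app, now),
        "replay": verifier.verify(code_from_app, now + 5),
        "guess_without_secret": verifier.verify("000000", now + 5),
        "next_step": verifier.verify(totp(RFC_TEST_SECRET, now + 30), now + 30),
    }


if __name__ == "__main__":
    for key, value in enrol_and_login_demo().items():
        print(f"{key}: {value}")
```

The verifier accepts one step either side of the server clock to absorb phone clock drift, compares in constant time, and records the highest accepted step so a code that was shoulder-surfed or phished cannot be presented a second time. An attacker who controls only the phone number is left guessing against a 1-in-1,000,000 code per attempt, which is why the rate limit on this endpoint matters as much as the HMAC; none of it matters once a support tool lets someone clear `last_accepted_step` and the secret altogether.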