Jud

Scary Security Stuff


38 minutes ago, cjf said:

Article appears to only be viewable to subscribers

 

Sorry about that. For those with iPhones, it's a Wall Street Journal article available on Apple News+. It's about a method of hacking through the security of a phone known as "sim-swapping," which doesn't actually involve stealing the SIM in your phone, but rather gaining enough information to hack an email account (surprisingly easy with "lost password" procedures) and thereby stealing your identity (could be a matter of minutes). From there they get into financial accounts - the fellow in the article had $24 million worth of cryptocurrency stolen.

 

Edit: Paul's last link appears to be about this case. Good idea to read up (Krebs has a good site) and find out how to make this more difficult. Two-factor authentication isn't necessarily great, depending on what the second factor is.


One never knows, do one? - Fats Waller

The fairest thing we can experience is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. - Einstein

Computer, Audirvana -> eero Pro router -> EtherREGEN -> microRendu -> USPCB -> ISO Regen (powered by LPS-1) -> Ghent JSSG360 USB cable -> Pro-Ject Pre Box S2 DAC -> Spectral DMC-12 & DMA-150 -> Vandersteen 3A Signature.

4 hours ago, Jud said:

From there they get into financial accounts - the fellow in the article had $24 million worth of cryptocurrency stolen.

 

I take it that this gentleman had held his crypto on an exchange and also did not have 2FA set.  In any case, someone with that much crypto should have known better and should have (a) kept the bulk of it in cold storage, and (b) used 2FA for the amounts held on the exchange.

 

If one really must keep really large amounts on an exchange (to facilitate large trades), then at least spread it around various exchanges.  Crypto exchanges have a reputation for going bust and making your crypto and fiat deposits disappear.

6 hours ago, lucretius said:

 

I take it that this gentleman had held his crypto on an exchange and also did not have 2FA set.  In any case, someone with that much crypto should have known better and should have (a) kept the bulk of it in cold storage, and (b) used 2FA for the amounts held on the exchange.

 

If one really must keep really large amounts on an exchange (to facilitate large trades), then at least spread it around various exchanges.  Crypto exchanges have a reputation for going bust and making your crypto and fiat deposits disappear.

 

I should have noted that crypto exchanges use a 2FA that doesn't rely on calling you up on the phone or sending you an email etc.  They use Google Authenticator or equivalent.  Getting back into a "locked-out" account takes a lot more verification than merely sending an email (and/or providing one's phone number).

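As an added illustration of the mechanism lucretius describes (this is example code written for this page, not code from the thread, from Google, or from any exchange): a minimal RFC 6238 TOTP implementation of the kind Google Authenticator uses, with the server-side checks a practitioner would want. The secret is the RFC 4226 test key, constructed for the demo; `enrol_new_device` is a hypothetical helper showing that re-binding the factor to other hardware is a fresh enrolment, not something derived from SMS or email.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

# Constructed demo secret (the RFC 4226 test key), NOT a real credential.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as an authenticator app computes it: HOTP over floor(time / step).
    Only the enrolled secret and the clock are needed; no network message carries the code."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_step: Optional[int] = None,
                window: int = 1, step: int = 30) -> Tuple[bool, Optional[int]]:
    """Server-side check. Accepts +/- `window` steps of clock drift, compares in
    constant time, and refuses any step <= the last accepted one so a code seen
    once (e.g. shoulder-surfed or phished) cannot be replayed. Returns (ok, step)."""
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if last_step is not None and candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, len(code)), code):
            return True, candidate
    return False, None


def enrol_new_device() -> str:
    """Hypothetical enrolment helper: a new device gets a fresh random secret.
    Moving the factor to other hardware is exactly this event, so it is the
    step a provider must gate (strong identity proof) and log, not the code check."""
    return base64.b32encode(secrets.token_bytes(20)).decode()
```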
20 minutes ago, lucretius said:

 

I should have noted that crypto exchanges use a 2FA that doesn't rely on calling you up on the phone or sending you an email etc.  They use Google Authenticator or equivalent.  Getting back into a "locked-out" account takes a lot more verification than merely sending an email (and/or providing one's phone number).


In fact he did have 2FA set, but the 2FA for his Gmail was text messaging to his phone. So once they got enough info to pretend their phone was his, *they* got the text message, got into his Gmail, and bootstrapped enough info to get through the 2FA in his crypto account.



6 hours ago, lucretius said:

 

I take it that this gentleman had held his crypto on an exchange and also did not have 2FA set.  In any case, someone with that much crypto should have known better and should have (a) kept the bulk of it in cold storage, and (b) used 2FA for the amounts held on the exchange.

 

If one really must keep really large amounts on an exchange (to facilitate large trades), then at least spread it around various exchanges.  Crypto exchanges have a reputation for going bust and making your crypto and fiat deposits disappear.

 

The problem is not the lack of 2FA but that the second factor is a phone that is easily spoofable by a bad actor. This is true for many, many websites, banks, email providers, social media, etc.

 

What’s worse is that often the phone is all that’s required to reset a password to many accounts. So anyone able to redirect SMS or voice calls to a phone that doesn’t belong to the account owner can gain access to a lot of information and assets, not just cryptocurrency.

 

Social engineering remains the single easiest path to taking over someone’s identity and access.  The problem in this case is that the owner of the phone can be very savvy and cautious, and yet it takes just a single underpaid, overworked and unaware store clerk or phone rep to give away the customer’s crown jewels. 

2 minutes ago, Jud said:


In fact he did have 2FA set, but the 2FA for his Gmail was text messaging to his phone. So once they got enough info to pretend their phone was his, *they* got the text message, got into his Gmail, and bootstrapped enough info to get through the 2FA in his crypto account.

 

What crypto exchange relies upon text messaging your phone for 2FA -- that is rather uncommon.

4 minutes ago, pkane2001 said:

The problem is not the lack of 2FA but that the second factor is a phone that is easily spoofable by a bad actor. This is true for many, many websites, banks, email providers, social media, etc.

 

Yes, but it's not true for any crypto exchange that I know -- Google Authenticator is widely used for 2FA (if the account holder bothers to turn it on) in the industry.

 

And when resetting your access to a bank account, normally 2FA isn't all that is used; they make you answer the security questions.

3 minutes ago, lucretius said:

 

Yes, but it's not true for any crypto exchange that I know -- Google Authenticator is widely used for 2FA (if the account holder bothers to turn it on) in the industry.

 

And when resetting your access to a bank account, normally 2FA isn't all that is used; they make you answer the security questions.

 

Having worked for a large financial before, running all their customer facing operations and call centers, I can tell you that’s not even remotely true. Customer reps are easily fooled by good social engineering, no matter how much training or instruction they are provided by their employer. Oh, and secret questions are also one of the worst second factors one can imagine since they are easy to steal, discover or even guess.

17 minutes ago, pkane2001 said:

 

Having worked for a large financial before, running all their customer facing operations and call centers, I can tell you that’s not even remotely true. Customer reps are easily fooled by good social engineering, no matter how much training or instruction they are provided by their employer. Oh, and secret questions are also one of the worst second factors one can imagine since they are easy to steal, discover or even guess.

 

I don't disagree that customer reps are easily fooled or that secret questions are bad second factors -- but you must know a little something about the account holder other than an email or telephone number to fool them.

 

Here are some of the security procedures at Kraken (coin exchange):

  • 2FA (Google Authenticator and Yubikey) to keep your account secure*
  • No Phone/SMS account recovery, your account stays in your hands
  • Email confirmations for withdrawals with self-serve account lock
  • Configurable account timeout for another layer of protection
  • Customizable, granular API key permissions with range boundaries
  • Global settings time lock for extreme security when you're away
  • PGP signed and encrypted email for secure communication
  • SSL encryption to protect you when browsing Kraken 
  • Constant, real-time monitoring for suspicious activity
  • Sensitive data is fully encrypted at rest and in transit

 

*unfortunately, enabling this is optional.

27 minutes ago, lucretius said:

 

What crypto exchange relies upon text messaging your phone for 2FA -- that is rather uncommon.


You’re missing a step. The text messaging gets you into email, perhaps some other accounts. There you glean enough information to get you through to the crypto account - for example you use an authenticator on the spoofed phone or answer security questions. 



10 minutes ago, Jud said:


You’re missing a step. The text messaging gets you into email, perhaps some other accounts. There you glean enough information to get you through to the crypto account - for example you use an authenticator on the spoofed phone or answer security questions. 

 

I get that.  But you won't find the secret keys to use in Google Authenticator in the email. And the phone hardware isn't spoofed/cloned, only the phone number is spoofed. And normally (I say normally because coin exchanges are mostly unregulated) the information you must provide to reset your account isn't something that you would find in an email.

 

 

39 minutes ago, lucretius said:

 

I get that.  But you won't find the secret keys to use in Google Authenticator in the email. And the phone hardware isn't spoofed/cloned, only the phone number is spoofed. And normally (I say normally because coin exchanges are mostly unregulated) the information you must provide to reset your account isn't something that you would find in an email.

 

 

 

The problem is still a human being on the other side. They are gullible and given half a chance will accommodate the request coming from a perceived distressed or angry customer. I’ve seen this way too many times, no matter what the policy says.

 

As long as the technology/software is available to override your chosen security options and another human has access to it, someone will find a way to exploit this.

42 minutes ago, lucretius said:

 

I get that.  But you won't find the secret keys to use in Google Authenticator in the email. And the phone hardware isn't spoofed/cloned, only the phone number is spoofed. And normally (I say normally because coin exchanges are mostly unregulated) the information you must provide to reset your account isn't something that you would find in an email.

 

 


By all indications, I am the owner of the Gmail account - after all, I have passed 2FA. So now “my” Google Authenticator works to open “my” accounts, and if you want answers to security questions I may know those or be able to reset them as well. It’s all bootstrapping from the original identity theft. You don’t go directly from spoofing the phone to being able to use an authenticator, there are steps in between that pwning the email account allow you to do.

 

Please do read some of the linked articles.



3 minutes ago, mansr said:

Google Authenticator is tied to the physical phone hardware. To use it, an attacker would have to steal your phone. Gaining access to your phone number, your Gmail account, your primary school teacher's mother's first pet's maiden name, or anything else besides the actual, physical phone will be of no use.

 

Why go through a locked door when a back door is wide open? Google Authenticator protects the front door. It’s not used for backdoor (employee) access in 99% of the cases. The weak link is the human with administrative access to change your password, remove or change your 2FA settings, or reset your secret questions. 

22 minutes ago, pkane2001 said:

 

Why go through a locked door when a back door is wide open? Google Authenticator protects the front door. It’s not used for backdoor (employee) access in 99% of the cases. The weak link is the human with administrative access to change your password, remove or change your 2FA settings, or reset your secret questions. 

 

Agreed, employees are the weak link and the risk here will never be completely eliminated, but the risk can be somewhat reduced through continued and vigilant training, rules (and sanctions), appropriate tracking, proper segregation (e.g. why not send all requests to reset an account to the compliance team?), and frequent compliance reviews.

1 hour ago, mansr said:

Google Authenticator is tied to the physical phone hardware. To use it, an attacker would have to steal your phone. Gaining access to your phone number, your Gmail account, your primary school teacher's mother's first pet's maiden name, or anything else besides the actual, physical phone will be of no use.


The idea is to get it tied to other hardware through employees you either suborn or convince of your bona fides.



4 minutes ago, Jud said:


The idea is to get it tied to other hardware through employees you either suborn or convince of your bona fides.

 

Is this any different than the "back door" that pkane2001 speaks of?  As stated above, the employee risk can be significantly reduced (but never eliminated).

36 minutes ago, lucretius said:

Agreed, employees are the weak link and the risk here will never be completely eliminated, but the risk can be somewhat reduced through continued and vigilant training, rules (and sanctions), appropriate tracking, proper segregation (e.g. why not send all requests to reset an account to the compliance team?), and frequent compliance reviews.

They could also simply refuse to reset login credentials over the phone. If it required a personal visit with photo ID and perhaps some other documentation, it would make a fraudulent request much harder to pull off. Also, anyone wealthy enough to be worth that trouble to impersonate is probably known by the bank manager, so a fake ID might not be enough.

18 hours ago, cjf said:

Article appears to only be viewable to subscribers

 

An additional way to read this (and paywall-blocked articles at many, but not all, other sites): If you're on a Mac, visit the link in Safari and then click on the Reader View - it will bypass the paywall and show you the full article.
