Phone Security for Crypto Assets

Admittedly, cryptocurrency ownership has some enervating aspects.  Depending on how much you like rollercoasters, one of those aspects might be the volatility. However, the irreversibility and the overall Code Is Law ethic of blockchain should inspire caution and respect.

This is especially true if you’ve gotten complacent about centralized commercial services like credit cards giving almost painless mulligans on fraudulent transactions.  Not only is there no such process for “fraudulent” crypto transactions, but even the FDIC insurance on exchanges protects you only against solvency events at the exchanges, not against your account being hacked or even against a fat-finger transaction.  Between this and the swelling value of the crypto space, interest from hackers has surged, but the dry irony here is that the essential technology some hackers use to crack your two-factor-authenticated crypto-wallet is their vocal cords.

While the popular image of a hacker is someone whose absent social skills are compensated for by the ability to seduce computer networks, the majority of hacks actually occur through what’s called “social engineering.”  A dramatic example of social engineering would be someone dressing up as an employee of a company they don’t work for and fast-talking their way into a secure area to get direct physical access to computing equipment or records.  More prosaically, phishing is a social engineering attack, since the victim is tricked into simply offering their sensitive private information under false pretenses.

Here are a couple of narratives from people who have recently been crypto-hacked through the social engineering of their phone service providers.  They are brief reads and highly worthwhile because many online financial products share the same vulnerability.

How to lose 8k worth of Bitcoin in 15 minutes with Verizon and
Hackers have stolen millions of dollars in Bitcoin using only phone numbers

The bad news here is that your financial security could suddenly be thrust into the hands of a minimum-wage employee at a T-Mobile storefront in a strip mall.  The good news is that we can see a pattern in the attacks and we can distill some best practices from these stories.

As the increasingly anachronistic saying goes, it’s unlucky to light three cigarettes on one match.  Supposedly, this originated in the trenches of the First World War.  The rationale is that the first glow of light would alert the sharpshooter to your presence.  The second flare of light would let him get the range, and with the third, he would get the windage and fire.  Likewise, a social engineer operates this scheme by first becoming aware that you own crypto holdings that are worth hacking.  Next, they scrape your two-factor info (e.g. phone number) from the same place, or maybe from a personal webpage or Facebook.  Finally, your email address and – bang – they’re ready to hijack your life.  To see just how innocuous the information that a good social engineer could use to roll a bad Verizon employee can seem, we present a vignette of bad security practices in the following seemingly unrelated fake tweets.  (Note: no political subtext here, it’s just fun to use.)

For a normal private citizen, this might seem like fairly sloppy, but not really outrageous, husbandry of information – after all, Facebook’s default settings let “friends” see the phone number they constantly beg you to link to your account.  However, this is absolutely enough information for a social engineer to go to work trying to find and transfer control of the phone number, reset the email password and get access to anything linked to that email.   Even worse, if one of your contacts’ phones or emails is compromised by a crypto-savvy hacker, they could get all the requisite information for a social engineering attack through a single message you sent that contact, bragging about how much your crypto-portfolio went up that week.  This bears repeating: not only do you need to trust anyone who has the contact info linked to your financial accounts not to try to hack you, but you also have to trust them not to get hacked themselves.

What can we take from this?   Well, maybe the first rule of crypto-club is don’t talk about crypto-club.  Admittedly, that statement is an absolute, and part of the joy of the space, and part of the ability to succeed in it, is sharing information.  So we can put some shades of grey on this slogan and say that you shouldn’t advertise on open public forums like Twitter that you have a big stake in crypto.  This is not a new security maxim: flaunting wealth always increases attention and risk.  The only difference here is that you can get “mugged” remotely.

Next, protect the contact information that you have associated with your crypto-currency holdings.  If you are a public-facing person, separate the email addresses associated with your financial life from the ones you distribute widely.  Think about using VoIP or a business line to protect your personal number.  Most importantly, if your banks and exchanges allow it, you should use a 2FA service (like Google Authenticator, Duo, or Authy) that is not SMS through a large cell service provider.  As always, if you are not actively trading, use cold storage and hardware wallets.

What could financial service providers (from Coinbase to Wells Fargo) do to help?  Non-SMS 2FA is stronger and users should push for the option where it doesn’t exist.  Exchanges could allow users to opt for transaction freezes for some amount of time after their password is reset, at least giving them some time to regain control of their identity before hackers can move funds.  Needless to say, for this particular attack, the cell providers are the weak link and should make and carefully enforce rules like no replacement SIM cards without government photo ID.
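The post-reset transaction freeze suggested above can be expressed as a small policy check.  The following is an added example, not code from the original post or from any exchange: it records security-sensitive account changes (password reset, 2FA method change, phone number change) and refuses withdrawals until a cooling-off period after the most recent one has elapsed, so that an attacker who has just hijacked a number and reset a password cannot move funds in the same fifteen minutes.  The event names and the 24-hour / 72-hour hold lengths are hypothetical values chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical policy: how long withdrawals stay frozen after each kind of change.
# A change to the second factor gets the longer hold because it is the hijacker's
# usual first move; the numbers are illustrative, not a recommendation.
HOLD_RULES: Dict[str, timedelta] = {
    "password_reset": timedelta(hours=24),
    "2fa_changed": timedelta(hours=72),
    "phone_changed": timedelta(hours=72),
}


@dataclass
class AccountEvent:
    kind: str        # one of the keys in HOLD_RULES, or any other audit event
    at: datetime     # timezone-aware UTC timestamp


@dataclass
class Account:
    events: List[AccountEvent] = field(default_factory=list)

    def record(self, kind: str, at: datetime) -> None:
        self.events.append(AccountEvent(kind, at))


def withdrawal_hold_until(account: Account) -> Optional[datetime]:
    """Latest moment at which some recent security-sensitive change still freezes withdrawals.
    Holds do not stack; the longest-running one wins."""
    latest: Optional[datetime] = None
    for ev in account.events:
        hold = HOLD_RULES.get(ev.kind)
        if hold is None:
            continue                     # ordinary events (logins, trades) carry no hold
        until = ev.at + hold
        if latest is None or until > latest:
            latest = until
    return latest


def withdrawal_decision(account: Account, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Denials name the expiry so support staff can explain them."""
    until = withdrawal_hold_until(account)
    if until is not None and now < until:
        return False, f"withdrawals held until {until.isoformat()} after a recent credential change"
    return True, "ok"


def constructed_sim_swap_timeline() -> Account:
    """Constructed sample: number ported, then password reset ten minutes later."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    acct = Account()
    acct.record("login", t0 - timedelta(days=3))          # normal activity, no hold
    acct.record("phone_changed", t0)                       # carrier moved the number
    acct.record("password_reset", t0 + timedelta(minutes=10))
    return acct


if __name__ == "__main__":
    acct = constructed_sim_swap_timeline()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for label, when in [("attacker, +15 min", t0 + timedelta(minutes=15)),
                        ("owner, +2 days", t0 + timedelta(days=2)),
                        ("owner, +4 days", t0 + timedelta(days=4))]:
        print(label, withdrawal_decision(acct, when))
```

In the constructed timeline the withdrawal at fifteen minutes is refused, and because the phone change carries the longer hold, the freeze runs until 72 hours after the port rather than 24 hours after the password reset.  The hold is only useful if the exchange also notifies the account's previous contact channels when it starts, which is the part of the design that gives the real owner time to react.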

It’s unclear how common the scam is, but it’s absolutely a growth industry.  We noticed that our corporate Twitter page was almost instantly followed by what seemed to be sock-puppet accounts, a few of which were shut down within a day.  They were probably just garden-variety spammers, but more insidiously, they could have been scraping the feed for any of the bits of contact information.  …Bad hombres?  Scary!