Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.
In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.
Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest. “My iPad restarted, my phone restarted and my computer restarted, and that’s when I got the cold sweat and was like, ‘O.K., this is really serious,’” said Chris Burniske, a virtual currency investor who lost control of his phone number late last year.
A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission’s own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.
But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr. Burniske. Within minutes of getting control of Mr. Burniske’s phone, his attackers had changed the password on his virtual currency wallet and drained the contents — some $150,000 at today’s values.
Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur. Mr. Weeks lost his phone number and about a million dollars’ worth of virtual currency late last year, despite having asked his mobile phone provider for additional security after his wife and parents lost control of their phone numbers.
The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. And virtual currency transactions are designed to be irreversible. Accounts with banks and brokerage firms and the like are not as vulnerable to these attacks because these institutions can usually reverse unintended or malicious transactions if they are caught within a few days.
But the attacks are exposing a vulnerability that could be exploited against almost anyone with valuable emails or other digital files — including politicians, activists and journalists. Last year, hackers took over the Twitter account of DeRay Mckesson, a leader of the Black Lives Matters movement, by first getting his phone number.
In a number of cases involving digital money aficionados, the attackers have held email files for ransom — threatening to release naked pictures in one case, and details of a victim’s sexual fetishes in another. The vulnerability of even sophisticated programmers and security experts to these attacks sets an unsettling precedent for when the assailants go after less technologically savvy victims. Security experts worry that these types of attacks will become more widespread if mobile phone operators do not make significant changes to their security procedures.
“It’s really highlighting the insecurity of using any kind of telephone-based security,” said Michael Perklin, the chief information security officer at the virtual currency exchange ShapeShift, which has seen many of its employees and customers attacked. Mobile phone carriers have said they are taking steps to head off the attacks by making it possible to add more complex personal identification numbers, or PINs, to accounts, among other steps.
But these measures have not been enough to stop the spread and success of the culprits. After a first wave of phone porting attacks on the virtual currency community last winter, which was reported, their frequency appears to have ticked up, Mr. Perklin and other security experts said. In several recent cases, the hackers have commandeered phone numbers even when the victims knew they were under attack and alerted their cellphone provider.
Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone. But just a day later, he said, the attacker persuaded a different Verizon agent to change Mr. Pokornicky’s number without requiring the new PIN. A spokesman for Verizon, Richard Young, said that the company could not comment on specific cases, but that phone porting was not common.
“While we work diligently to ensure customer accounts remain secure, on occasion there are instances where automated processes or human performance falls short,” he said. “We strive to correct these issues quickly and look for additional ways to improve security.” Mr. Perklin, who worked at a Canadian mobile phone operator before joining ShapeShift, said most phone companies would write down any additional security requests in the notes of a customer account.
But agents can generally act on their own, he said, regardless of what is in the notes, and can easily miss what is in the notes. The vulnerability of phone numbers is the unintended consequence of a broad push in the security industry to institute a practice, known as two-factor authentication, that is supposed to help make accounts more secure.
Many email providers and financial firms require customers to tie their online accounts to phone numbers, to verify their identity. But this system also generally allows someone with the phone number to reset the passwords on these accounts without knowing the original passwords. A hacker just hits “forgot password?” and has a new code sent to the commandeered phone.
Mr. Pokornicky was online at the time his phone number was taken, and he watched as his assailants seized all his major online accounts within a few minutes. “It felt like they were one step ahead of me the whole time,” he said. The speed with which the attackers move has convinced people who are investigating the hacks that the attacks are generally run by groups of hackers working together.
Danny Yang, the founder of the virtual currency security firm BlockSeer, said he had traced several attacks to internet addresses in the Philippines, though other attacks have been tracked to computers in Turkey and the United States. Mr. Perklin and other people who have investigated recent hacks said the assailants generally succeeded by delivering sob stories about an emergency that required the phone number to be moved to a new device — and by trying multiple times until a gullible agent was found.
“These guys will sit and call 600 times before they get through and get an agent on the line that’s an idiot,” Mr. Weeks said. Coinbase, one of the most widely used Bitcoin wallets, has encouraged customers to disconnect their mobile phones from their Coinbase accounts. But some customers who have lost money have said the companies need to take more steps by doing things like delaying transfers from accounts on which the password was recently changed.
“Coinbase looks like a bank, stores millions of dollars like a bank, but you don’t realize how weak its default protections are until you are robbed of thousands of dollars in minutes,” said Cody Brown, a virtual reality developer who was hacked in May.
Mr. Brown wrote a widely circulated post about his experience, in which he lost around $8,000 worth of virtual currency from his Coinbase account, all as he sat online and watched, getting no response from the customer service at either Coinbase or Verizon. A spokesman for Coinbase said the company “has invested significant resources to build internal tools to help protect our customers against hackers and account takeovers, including compromise through phone porting.”
The irreversibility of Bitcoin transactions has often been lauded as one of the most important qualities of virtual currency because it makes it harder for banks and governments to intervene in transactions. But Mr. Pokornicky said the virtual currency industry needed to alert new users to the added risk that comes with the new features of the technology. “It’s powerful to be able to control your money and move things without any permission,” he said. “But that privilege requires a clear understanding of the downside.”
Download SafeUM — communicate privately, without advertising and spam.