How to upgrade your arsenal to protect against cyber warfare

CleanShot 2019-02-03 at 21.14.07.png

Originally posted on medium.com.

TL;DR

  • I was recently the victim of identity theft, crypto ransomware, and a cybercrime. Hackers were able to break havoc onto my digital/personal life by stealing my mobile phone number through illegal SIM porting. Account security/internet privacy is dead.

  • I was not the first victim, and unfortunately, I will certainly not be the last. EXTRA PRECAUTION, replacing two-factor authentication (2FA) via SMS with 2FA via 3rd party app (Google Authenticator or Duo) + hardware security tokens (Google Titan or Yubico), and pressuring companies to invest in advancing cryptography are the best ways to minimize the risk of getting hacked.

  • Sign the change.org petition I drafted to the World Wide Web Consortium, the FTC, and the FBI, requesting the implementation of 2-factor authentication via hardware security tokens as a top priority for all web companies.


How many bitcoins is your digital identity worth? Read the full post to make sure you don’t have to find out.

ef28f-1jjqp9xlww9x62bc8by-r6a.png
5bede-1g6aripqi9gbghdoyozbwza.png

Internet-facilitated criminal activity is increasing. Our arsenal of tools for protection is inadequate.

First, let’s look at the data. According to the FBI’s Internet Crime Complaint Center (IC3), there have been a total of 1.4 million complaints, and total reported losses of $5.52 billion from 2013 through 2017. Internet-facilitated criminal activity and losses are on the rise.

Let’s double-click on 2017 data. In 19,986 cases, social media was used to facilitate the crime, resulting in $57M in losses. In 4,139 cases, virtual currency was used to facilitate the crime, resulting in $59 million in losses. In 2017, there were 17,636 self-identified victims of identity theft, resulting in $69 million in losses.

We live in an increasingly digital and hyperconnected world. Hackers understand vulnerabilities in the imperfect systems we have built and over-rely on. We are two steps behind and under attack. There are multiple attack vectors, and the system is only as strong as the weakest link. By publicizing some details around the hack process below, future hackers can strategize. They will no doubt become more sophisticated.

The 2018 report has yet to be released but the number of victims, complaints, and losses will undoubtedly be higher.

Note, this dataset does not break out the number of SIM porting victims. I have to assume these types of attacks will happen more regularly.

The latest figures I found were from a 2016 blog post from the Federal Trade Commission Chief Technologist Lorrie Cranor, who was also a victim.

In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2% of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3% of all identity thefts reported to the FTC that month. Such thefts involved all four of the major mobile carriers.

Empirically, hackers have focused their efforts on Instagram celebrities and anyone who talks on social media about virtual currency. While cryptocurrency can be used as a tool for ransomware, hackers can also easily request victims to transfer fiat to an offshore bank account. Crimes involving virtual currencies are newer, and while the flow of funds is often traceable (accounts are pseudonymous for many cryptocurrencies), there are few precedents and safeguards for individuals and institutions to follow. The latter type of crime has many cases for precedent in court, while banks have additional security measures in place to track the flow of funds.

The attacks expose a vulnerability that can be used to exploit anyone including politicians, journalists, businesses, and key individuals.


How to get hacked? Centralized point of failure: cell phone carriers

In a SIM porting attack, a hacker uses your mobile number and your name to take over your mobile account. How does this work?

Porting allows customers to take their phone number when they change phone carriers. The law requires carriers to comply with a request to port a number if the person making the request provides accurate information. Typically, this involves PII (Personally Identifiable Information) such as the last 4 digits of your social security number, your address, date of birth etc. Given the rise of company hacks over the years, this information is likely findable online. Check to see if your accounts are included in major company hacks: https://haveibeenpwned.com/

Even if your account information was not hacked in the past, think about how much data you share on social media. Other ways to acquire information include via phishing. It doesn’t take a rocket scientist to put all the pieces together.

How this plays out:

  • A hacker goes into a phone store and pretends to be you with a fake ID and your personal information. They want to switch carriers and walk away with control of your phone number.

  • A hacker uses social engineering to convince a phone carrier’s customer service representative to skip security steps with a made up story to register a new SIM card. The hacker may not be able to provide your account password but mentions the last 4 digits of your social security number or other PII to convince the agent. The hacker keeps trying over and over until they find a representative that falls for it.

  • Most scary scenario, a hacker breaks into the carrier network or works with an insider to register a new SIM card, circumventing account security. In a lawsuit filed by Los Angeles litigation firm Greenberg Glusker on August 15, 2018, cryptocurrency investor and entrepreneur Michael Terpin claimed that AT&T’s employees have been complicit in a SIM swap fraud. Michael Terpin is suing AT&T, claiming the company’s failure to protect his cellphone data led to hackers stealing $24 million in cryptocurrencies. Terpin is seeking $23.8 million in compensatory damages and a further $200 million in punitive damages. Excerpts from the lawsuit:

Most troubling, AT&T does not improve its protections even though it knows from numerous incidents that some of its employees actively cooperate with hackers in SIM swap frauds by giving hackers direct access to customer information and by overriding AT&T’s security procedures. In recent incidents, law enforcement has even confirmed that AT&T employees profited from working directly with cyber terrorists and thieves in SIM swap frauds.

AT&T’s subscriber privacy protection system is thus a veritable modern-day Maginot Line: a lot of reassuring words that promote a false sense of security…

The porosity of AT&T’s privacy program is dramatically evident in this case, which follows a pattern well known to AT&T. An experienced, high profile cryptocurrency investor, Plaintiff Michael Terpin was a longtime AT&T subscriber who entrusted his sensitive private information to AT&T and relied on AT&T’s assurances and its compliance with applicable laws. Given all the carrier’s hype about protecting customer security, Plaintiff believed that it would keep its promises about absolutely safeguarding him from a data breach that could lead to the theft of tens of millions of dollars of crypto currency.

Even after AT&T had placed vaunted additional protection on his account after an earlier incident, an imposter posing as Mr. Terpin was able to easily obtain Mr. Terpin’s telephone number from an insider cooperating with the hacker without the AT&T store employee requiring him to present valid identification or to give Mr. Terpin’s required password.

The purloined telephone number was accessed to hack Mr. Terpin’s accounts, resulting in the loss of over $24 million of cryptocurrency coins.

It was AT&T’s act of providing hackers with access to Mr. Terpin’s telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur. What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.

AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does nothing to protect its customers from such fraud because it has become too big to care.

I’m waiting for the class action…


Hackers first steal your phone number with a fake SIM card. Now what? Game over. Securing your phone number is the key to protecting your online identity.

Once a new SIM is activated on your account, the phone number is transferred to a device controlled by the hacker. Hackers will then get authentication messages and use them to reset your passwords, bypassing the two-factor authentication via SMS on your accounts. Hackers can now intercept text authentication messages from third parties including Google, iCloud, Facebook, Dropbox, banks, credit card issuers, cryptocurrency exchanges etc. Further, many companies will call or text customers to confirm their identity.

That’s why having control of a phone number is so powerful.

You may not know any of this has happened until you notice your mobile device has lost service. Maybe it’s just an issue with the network coverage?

6f798-0hd4rg4cnn4gplwqk.jpg

Then, you may notice a loss of access or syncing issues to major accounts as the attacker changes passwords, steals your money, and gains access to other pieces of your personal information.

Then you may get an email with instructions to send bitcoin to an unknown wallet address to regain access to the data. It all happens very quickly (<1 hour) and unless you are connected to wifi or already have your email account open during the hack, you will lose complete access.


Prevention Tips — How can you reduce (BUT NOT ELIMINATE) the risks?

  • Add extra security to your phone carrier accounts. Create an additional unique passcode on your account. Mobile carriers are required by the FTC to have internal policies for detecting and preventing identity theft. Many mobile carriers will let you set a password on your account, so anyone who calls to make changes will have to provide the password first. While carriers usually require that unique passcode before any changes can be made, this process can be vulnerable. Customer reps don’t always follow the protocol. See above. From the FTC website:

AT&T offers a feature they refer to as “extra security.” Once activated, any interaction with AT&T, whether online, via phone, or in a retail store will require that you provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to turn on extra security. Note, that when you login online with your passcode, you may be presented with the option to not be asked for it again. Do not accept this option or you will disable extra security.

Sprint asks customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.

T-Mobile allows their customers to establish a customer care password on their accounts. Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.

Verizon allows their customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.

  • Be careful about sharing your phone number. Be selective in what number you share with the companies you do business with and limit how often you share it with others. TIP: Remove your main phone number from any account that could interest hackers. Replace that number with a VoIP number, such as a Google Voice number, which is SIM hijack-proof. In particular, change your trusted phone number on your phone carrier account to your VoIP number to facilitate recovery. Protect this new number using a unique password and two-factor authentication.

  • Use a password manager to generate secure, unique passwords for every account. Pay for a password manager such as 1Password or Lastpass. TIP: enable two-factor authentication on a password manager using a hardware layer of protection (Google Titan or Yubico). If you’re an activist, journalist, or other potential targets (i.e. OWN ANY CRYPTOCURRENCY), Google Advanced Protection is the most secure option around. Write down your recovery codes and store them with your passport.

  • Don’t use and disable SMS two-factor authentication. In 2018, 2FA has become common practice and plays an integral part of account security. Yet, many websites don’t offer any 2FA security. Some websites only offer 2FA via SMS, a security measure which is completely flawed, providing a false sense of security to users. Yes, the easiest way to implement two-factor is with SMS, receiving a text with an access code every time you try to log into a secured account. Only a handful of companies allow 2FA authenticated by hardware, a best in class standard used by enterprise and government.

  • Keep your personal email inbox clean. Delete phone bills, bank statements and other emails that may include personal information. TIP: search your email accounts and cloud drives for keywords related to account information… these are the first terms hackers look for. DELETE ASAP or change keywords.

  • If you own or invest in cryptocurrencies, store your crypto in cold wallets (Trezor, Ledger, paper wallet, hardware wallet). TIP: Scrub any digital footprint of your private keys. Every website can get hacked. It is a matter of time.

  • Try to hack yourself. Understand vulnerabilities and fix them.


Lessons Learned

  • Hackers took my identity, AT&T and Google took my sanity… customer service and fraud departments are completely siloed and unreachable in the event of a disaster… We trust the services we use on a daily basis. Once you get hacked, you are alone.

  • There is a clear yet unfortunate tradeoff between convenience and security. Many websites only support 2FA via SMS, a security system with flaws. We need to pressure companies to upgrade their security systems. Are these service providers guilty of gross negligence, violation of statutory duties, and failure to adhere to their commitments in their Privacy Policy? I think so.Don’t expect them to change. Take matters into your own hands before it is too late. Spend a few hours upgrading your security. Don’t be lazy. You’ll regret it after it’s too late. Sign the change.org petition I drafted to the World Wide Web Consortium, the FTC, and the FBI, requesting the implementation of 2-factor authentication via hardware security tokens as a top priority for all web companies.

ea8b3-1ssymckppxjdq5oaid82gga.png
  • Being active on social media is a double-edged sword. If you want to be a thought leader on the web, pay for extra security. But beware, our institutions and companies do not know how to deal with evolving 21st-century threats. I have little faith in our collective ability to deal with a more sophisticated state-sponsored cyber attack.

  • The FBI does not support paying a ransom to the adversary — paying a ransom does not guarantee individuals will regain access to their data. Further, paying a ransom emboldens hackers to targets others and provides for a lucrative environment for criminals.

  • Why are our social security numbers and phone numbers, which we share loosely, the bases of our identity? Private-public key cryptography could enable third parties to verify our identifies without sharing these valuable data points. Advances in cryptography and widespread adoption of blockchain technology can help in the future. Central points of failure create havoc in interconnected systems. Today, vast amounts of information are controlled and managed by institutions that we trust to act honestly. Blockchain technology enables a shift from centralized repositories of information of today to more decentralized robust fault-tolerant networks. Using blockchain technology it is possible to imagine a future where we do not rely on centralized organizations to manage our data but we, the users, have greater control of our digital lives. Individuals should strive for greater sovereignty over their data.


Are you a victim too? #JeSuisVictim

  • First step, call your carrier, disable the new SIM, and recover access to your number.

  • Call the companies where you know fraud occurred — do your best to recover accounts as fast as possible to contain collateral damage. Place a fraud alert and get your credit reports. Monitor or freeze your credit to help prevent a new account from being opened in your name.

  • The Fair Credit Reporting Act (FCRA) spells out rights for victims of identity theft, as well as responsibilities for businesses. Identity theft victims are entitled to ask businesses for a copy of transaction records — such as applications for credit — relating to the theft of their identity. Complete “Request Letter for Getting Business Records Related to Identity Theft” from your telecom provider, in accordance with section 609(e) of the Fair Credit Reporting Act, 15 U.S.C. § 1681g(e).

  • Report identity theft to the FTC.

  • File a complaint with the FBI Internet Crime Complaint Center (“IC3”).

  • File a report with your local police department.

Stay safe, my friends.

Previous
Previous

Crypto mining as a payment mechanism with Zack Pelka & Connor Swofford, Co-Founders of Mineful

Next
Next

Down the digital asset vortex: a macro review of the state of cryptoassets & blockchain