Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.
In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.
Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.
“My iPad restarted, my phone restarted and my computer restarted, and that’s when I got the cold sweat and was like, ‘O.K., this is truly serious,’” said Chris Burniske, a virtual currency investor who lost control of his phone number late last year.
A broad array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission’s own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.
But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency enthusiasts like Mr. Burniske.
Within minutes of getting control of Mr. Burniske’s phone, his attackers had changed the password on his virtual currency wallet and drained the contents — some $150,000 at today’s values.
Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur.
Mr. Weeks lost his phone number and about a million dollars’ worth of virtual currency late last year, despite having asked his mobile phone provider for extra security after his wife and parents lost control of their phone numbers.
The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. And virtual currency transactions are designed to be irreversible.
Accounts with banks and brokerage firms and the like are not as vulnerable to these attacks because these institutions can usually reverse unintended or malicious transactions if they are caught within a few days.
But the attacks are exposing a vulnerability that could be exploited against almost anyone with valuable emails or other digital files — including politicians, activists and journalists.
Last year, hackers took over the Twitter account of DeRay Mckesson, a leader of the Black Lives Matter movement, by first getting his phone number.
In a number of cases involving digital money aficionados, the attackers have held email files for ransom — threatening to release nude pictures in one case, and details of a victim’s sexual fetishes in another.
The vulnerability of even sophisticated programmers and security experts to these attacks sets an unsettling precedent for when the attackers go after less technologically savvy victims. Security experts worry that these types of attacks will become more widespread if mobile phone operators do not make significant changes to their security procedures.
“It’s truly highlighting the insecurity of using any kind of telephone-based security,” said Michael Perklin, the chief information security officer at the virtual currency exchange ShapeShift, which has seen many of its employees and customers attacked.
Mobile phone carriers have said they are taking steps to head off the attacks by making it possible to add more sophisticated personal identification numbers, or PINs, to accounts, among other steps.
But these measures have not been enough to stop the spread and success of the culprits.
After a first wave of phone porting attacks on the virtual currency community last winter, which was reported by Forbes, their frequency appears to have ticked up, Mr. Perklin and other security experts said.
In several recent cases, the hackers have commandeered phone numbers even when the victims knew they were under attack and alerted their cellphone provider.
Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times attempting to move his number to a new phone.
But just a day later, he said, the attacker persuaded a different Verizon agent to change Mr. Pokornicky’s number without requiring the new PIN.
A spokesman for Verizon, Richard Young, said that the company could not comment on specific cases, but that phone porting was not common.
“While we work diligently to ensure customer accounts remain secure, on occasion there are instances where automated processes or human performance falls short,” he said. “We strive to correct these issues quickly and look for additional ways to improve security.”
Mr. Perklin, who worked at a Canadian mobile phone operator before joining ShapeShift, said most phone companies would write down any extra security requests in the notes of a customer account.
But agents can generally act on their own, he said, regardless of what is in the notes, and can easily miss what is in the notes.
The vulnerability of phone numbers is the unintended consequence of a broad push in the security industry to institute a practice, known as two-factor authentication, that is supposed to help make accounts more secure.
Many email providers and financial firms require customers to tie their online accounts to phone numbers, to verify their identity. But this system also generally permits someone with the phone number to reset the passwords on these accounts without knowing the original passwords. A hacker just hits “forgot password?” and has a new code sent to the commandeered phone.
Mr. Pokornicky was online at the time his phone number was taken, and he watched as his attackers seized all his major online accounts within a few minutes.
“It felt like they were one step ahead of me the entire time,” he said.
The speed with which the attackers move has convinced people who are investigating the hacks that the attacks are generally run by groups of hackers working together.
Danny Yang, the founder of the virtual currency security firm BlockSeer, said he had traced several attacks to internet addresses in the Philippines, though other attacks have been tracked to computers in Turkey and the United States.
Mr. Perklin and other people who have investigated recent hacks said the attackers generally succeeded by delivering sob stories about an emergency that required the phone number to be moved to a new device — and by trying numerous times until a gullible agent was found.
“These guys will sit and call 600 times before they get through and get an agent on the line that’s an idiot,” Mr. Weeks said.
Coinbase, one of the most widely used Bitcoin wallets, has encouraged customers to disconnect their mobile phones from their Coinbase accounts.
But some customers who have lost money have said the companies need to take more steps by doing things like delaying transfers from accounts on which the password was recently changed.
“Coinbase looks like a bank, stores millions of dollars like a bank, but you don’t realize how weak its default protections are until you are robbed of thousands of dollars in minutes,” said Cody Brown, a virtual reality developer who was hacked in May.
Mr. Brown wrote a widely circulated post about his experience, in which he lost around $8,000 worth of virtual currency from his Coinbase account, all as he sat online and watched, getting no response from the customer service at either Coinbase or Verizon.
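The recovery path described earlier (a code texted to the ported number lets the attacker reset the password and empty the wallet within minutes) and the delayed-transfer control proposed here, modelled as a small policy check. This is an added example written for this page, not code from Coinbase, Verizon or any company named in the article; the 72-hour hold, the timestamps and the factor names are assumptions.

```python
"""Constructed model of the takeover path described above (number ported,
'forgot password?', SMS code, wallet drained within minutes) and of the
mitigation victims ask for: holding transfers after a recent password change.
Example code written for this page, not code from Coinbase, Verizon or any
other company named here; the 72-hour hold and the timestamps are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SMS_RESET_HOLD = timedelta(hours=72)  # assumed cooling-off window after an SMS-only reset
NO_HOLD = timedelta(0)                # the weak policy: transfers go out immediately
T0 = datetime(2017, 1, 1, 12, 0)      # constructed timestamp of the password reset


@dataclass
class Account:
    password_reset_at: Optional[datetime] = None
    reset_factor: Optional[str] = None  # "sms" or "hardware_key"


def reset_password(acct: Account, factor: str, now: datetime) -> None:
    """Record when the password was reset and which factor authorised it."""
    acct.password_reset_at = now
    acct.reset_factor = factor


def transfer(acct: Account, amount: float, now: datetime,
             hold: timedelta = SMS_RESET_HOLD) -> str:
    """Return 'sent' or 'held'. A transfer soon after a reset that was authorised
    only by a code texted to the phone number is held for review, because a
    hijacked number is exactly what lets an attacker perform that reset."""
    if acct.reset_factor == "sms" and acct.password_reset_at is not None:
        if now - acct.password_reset_at < hold:
            return "held"
    return "sent"  # the actual payout is out of scope here


def reset_then_drain(factor: str, minutes_later: int,
                     hold: timedelta = SMS_RESET_HOLD) -> str:
    """Reset the password with `factor`, then attempt a full withdrawal
    `minutes_later` minutes afterwards; returns the transfer decision."""
    acct = Account()
    reset_password(acct, factor, now=T0)
    when = T0 + timedelta(minutes=minutes_later)
    return transfer(acct, 150_000.0, now=when, hold=hold)  # $150,000: the article's figure


if __name__ == "__main__":
    print("SMS reset, no hold, 5 min later  :", reset_then_drain("sms", 5, NO_HOLD))  # sent
    print("SMS reset, 72h hold, 5 min later :", reset_then_drain("sms", 5))           # held
    print("hardware-key reset, 5 min later  :", reset_then_drain("hardware_key", 5))  # sent
    print("SMS reset, 72h hold, 3 days later:", reset_then_drain("sms", 3 * 24 * 60))  # sent
```

The hold only bites when the reset was authorised by the phone number alone; a reset confirmed with a factor the attacker cannot obtain by porting a number is not delayed.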
A spokesman for Coinbase said the company “has invested significant resources to build internal devices to help protect our customers against hackers and account takeovers, including compromise through phone porting.”
The irreversibility of Bitcoin transactions has often been lauded as one of the most significant qualities of virtual currency because it makes it harder for banks and governments to intervene in transactions.
But Mr. Pokornicky said the virtual currency industry needed to alert new users to the added risk that comes with the new features of the technology.
“It’s powerful to be able to control your money and move things without any permission,” he said. “But that privilege requires a clear understanding of the downside.”