Mobile number portability hacking (it’s WAY too easy): The 2FA FAIL-factor

Richi Jennings Your humble blogwatcher, dba RJA

Yet more attention is being paid to the risks of using SMS for authentication. As we have mentioned before, two-factor authentication (2FA) using a cellphone is, quite simply, horribly insecure.

Yes, this week, we’re talking about hacking phones again. (But it’s nothing to do with Lindsey and Tiger.)

One of the problems centers on how carriers can be persuaded to transfer numbers to a hacker. In this week’s Security Blogwatch, our numbers are portable.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  my pressures!

Portability pooh poohed

What’s the craic? Nathaniel Popper pops in to tell us Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency:

One of the most central elements of online security — the mobile phone number — is also one of the easiest to steal. … Hackers have been calling up [cell providers] and asking them to transfer control of a victim’s phone number. [Then] they can reset the passwords on every account that uses the phone number as a security backup.

[The FTC says] that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.

[Now] attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies. … But the attacks are exposing a vulnerability that could be exploited against almost anyone … including politicians, activists and journalists.

Security experts worry that these types of attacks will become more widespread if mobile phone operators do not make significant changes to their security procedures. … Mobile phone carriers have said they are taking steps.

What should cryptocurrency holders do? William Suberg offers this timely reminder—‘Hodlers’ Beware:

Never … store cryptocurrency holdings in easily accessible format. Coins held in hot wallets should be kept to an absolute minimum, with the majority in cold storage such as a hardware wallet.

What else can be said? Karen Webster’s anonymous scribblers scribble Cybercriminals Hijack Phone Numbers:

Whatever else can be said of hackers, they never lack for creative new ways to separate people from their hard-earned money.

The way the scam works is that a thief contacts a victim’s phone company and asks to transfer their old phone number. … Once they control the phone number, they can use it to reset the passwords on every account where the phone is the security backup.

As Srinivas “@VasKetavarapu” Ketavarapu points out, the MSM notices SMS [You’re fired—Ed.]:

The regular press is starting to wise up about the vulnerabilities of SMS authentication.

The appropriately named George “@georgekroner” Kroner points the finger in a secondary direction:

Virtual currencies - not so secure after all (though no one wants to admit it).

Lest we forget, at its core, this isn't a story about Bitcoin, or even about SMS. Subrahmanyam “@SuB8u” KVJ ’splains:

[It’s] the oldest trick in security - social engineering your telco!

So what of the carriers? Jorj X. “@Jorj_X_McKie” McKie cuts to the chase:

Holding any valuable content on phone puts you at mercy of dumbest carrier employee. It has … little to do with #bitcoin.

Indeed. And so Tyler “@Tyler_Hibbard” Hibbard notes one way carriers can help fix the problem:

The proper course of action here is to fire the employee who breached the rules and allowed unauth'd access to an account.

And here’s G from California:

The vulnerability exposed here is more likely to affect cryptocurrency holders than others, but social-engineering attacks can harm any institution's customers. The cell carriers very definitely need to do a better job on security. If customers squawk, the carriers should point them at this [story] and remind them how central their phones very likely are to their provable identities, disconcerting as that may be to those of us who still think of them as mere appliances.

However, could this all be just an August storm in a teacup? Christopher “@chrissandoval83” Sandoval pokes the Gray Lady:

Nobody I know has had this happen.

Really? Not really, according to a previous victim, Cody “@CodyBrown” Brown:

I am still getting DMs from people who are being robbed on Coinbase and left with nothing. It is such a mess.

Meanwhile, Liz Blum “@lizbblum” Brummond hearkens back to more innocent times:

Did this as a college prank; didn't know it's worth $$$.

The moral of the story? Make sure you can properly trust any second factor you rely on. Think hard about the weakest link in the chain.

And finally …

So you want to be a Goblin?

Hat tip: Bronwyn Cook

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Rico C. C. Shen (cc:by-sa)
