Hackers find another online vulnerability
Identity thieves hijack cellphone accounts to go after virtual currency
Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.
In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.
Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.
“My iPad restarted, my phone restarted and my computer restarted, and that’s when I got the cold sweat and was like, ‘OK, this is really serious,’ ” said Chris Burniske, a virtual currency investor who lost control of his phone number late last year.
A wide array of people have complained about being targeted by this sort of attack. The commission’s own data shows that the number of phone hijackings has been rising. In 2013, there were 1,038 such incidents reported; by 2016, that number had increased to 2,658.
But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Burniske.
Within minutes of getting control of Burniske’s phone, his attackers had changed the password on his virtual currency wallet and drained the contents — some $150,000.
Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a bitcoin entrepreneur.
Weeks lost his phone number and $1 million worth of virtual currency late last year, despite having asked his mobile phone provider for additional security after his wife and parents lost control of their phone numbers.
The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. And virtual currency transactions are designed to be irreversible. Accounts with banks and brokerage firms and the like are not as vulnerable to these attacks because these institutions can usually reverse unintended or malicious transactions if they are caught within a few days.
But the attacks are exposing a vulnerability that could be exploited against almost anyone with valuable emails or other digital files — including politicians, activists and journalists.
In a number of other cases involving digital money aficionados, the attackers have held email files for ransom — threatening to release naked pictures in one case, and details of a victim’s sexual fetishes in another.
The vulnerability of even sophisticated programmers and security experts sets an unsettling precedent for when the assailants go after less technologically savvy victims. Security experts worry that these types of attacks will become more widespread if mobile phone operators do not make significant changes to their security procedures.
Mobile phone carriers have said they are taking steps to head off the attacks by making it possible to add more complex personal identification numbers, or PINs, to accounts, among other steps.
But these measures have not been enough to stop the spread and success of the culprits.