
Getting Hacked, Lessons Learned - ikeboy
http://avc.com/2017/06/getting-hacked-lessons-learned/
======
tylergetsay
I used to work at BestBuy mobile about 3 years ago. The level of access I had
as a retail employee making $9 an hour was incredible.

Verizon accounts are by default secured only by the last 4 digits of the
account holder's SSN, with an optional 5 alphanumeric password. AT&T was worse as
there was no default verification required, it was only presented as a
recommended validation to me. I could type in any AT&T phone number and click
the "Skip Verification" button. Many employees get in the habit of doing this
by default to save time and that makes the problem worse, as they ignore the
large "VERIFY CUSTOMER" text.

Don't remember the password? No problem. It was not uncommon for me to make a
quick call to my account manager for whatever carrier and simply ask them for
the last 4 digits of the social or the password. I'm not sure if they just
trusted me, or if this was normal practice. But I could get into anybody's
account, for the 3 major carriers, with little to no verification.

That's not even mentioning being able to search through BestBuy's entire
customer database.

Porting of numbers is an obvious vector for this kind of attack, but it's also
worth noting that swapping the ICCID on the line (the SIM card number) is a
much more efficient solution, as it doesn't require the attacker to set up new
cell phone service anywhere. Carriers are starting to catch on to this though
as more of these attacks happen to high profile users.

------
tankenmate
You don't need to have your number ported for this to work, Signalling System
7 (SS7) hacks can redirect SMS messages.[0] For the truly paranoid (or high
value targets) SMS is _not_ secure.

[0]
[https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7...](https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/)

~~~
fiatpandas
And if anyone were still undecided about SMS 2-factor security, attackers can
simply call your provider and forward all messages to a 2nd number, possibly
without you being notified of the change. The susceptibility probably varies
across providers.

------
idlewords
Dude needs a Yubikey. Don't have your phone number on a gmail account.

[https://techsolidarity.org/resources/security_key_gmail.htm](https://techsolidarity.org/resources/security_key_gmail.htm)

~~~
zurn
Ironically Google's Yubikey implementation requires you to register a phone
number to your Google account, which many people don't want to do.

~~~
idlewords
Yeah, it's a big flaw in the setup. The instructions I linked have users add
it temporarily, to unlock the rest of the options, and remove it afterwards.

~~~
yakult
Once you've added it, it's Google's forever and you've only got their word
that they've 'deleted' it. I bet it's still available with a warrant.

~~~
blfr
The problem isn't that Google knows your phone number but that they will use
it (or more precisely the attacker will use it after redirecting your texts)
for account recovery which you can prevent by removing the number.

------
cyberferret
The article states that Google Authenticator is more secure than Authy? As
someone who has been using GA for a long time but thinking about moving to
Authy - what is the rationale behind this assessment? Is it because Authy
stores your 2FA sites in the cloud?

I was going to use that as a plus, as I have now had to switch phones twice,
and re-setting up my GA 2FA sites on the new phone was a major PITA - I
thought Authy would make that easier, but now I guess that feature could be an
attack vector too?

~~~
mason55
Because Authy is SMS-based it's subject to phone number hijacking. If someone
manages to convince your mobile carrier to enable your number on their SIM
then you just lost all your 2FA protection. There are also ways to hack the
SMS system so that you don't even need to have your phone number ported to
fall victim.

~~~
mpswardle
If you put a password on the Authy backup then it cannot be restored without
that.

[https://support.twilio.com/hc/en-us/articles/223182508-Authy...](https://support.twilio.com/hc/en-us/articles/223182508-Authy-Backups-Password-Retrieval)

This should be the default really.

~~~
sowbug
Another default should be PIN enabled.

------
tomxor
I don't think he did learn his lesson... I thought everyone knew by now: your
account security is only as strong as its weakest link.

Account recovery and 2-factor auth is always that weak link. If you don't want
to get hacked in this unsophisticated way just because someone is targeting
you - then just remember your password the old-fashioned way and close all the
other doors. Even Post-it notes are more secure because they are not remotely
exploitable.

~~~
lsmarigo
Learned this lesson the hard way, enabled 2FA for a certain major service
which in turn opened me up to an exploit that didn't affect those not using
2FA. So in enabling 2FA I weakened my account security and opened a new attack
vector. At best, if everything is implemented properly, you're still now only as
secure as your telecom's customer service security practices.

------
paulpauper
To hack coinbase 2FA, you need access to both the phone and the email account.

So if one can obtain the phone number (which can often be found publicly) and
through social engineering have the carrier route the number to a new device,
just from the phone alone one can break into gmail and thus also coinbase.

It is not 2FA, more like 0-factor authentication, because all you need is a
phone number and the ability to impersonate the account holder.

That is really bad.

~~~
skierscott
> just from the phone alone one can break into gmail

The social engineering only gives you access to receive SMS. It does not give
access to a complete backup or gmail's password.

~~~
paulpauper
Because you can log in to Gmail with your phone after verifying SMS, knowing
the Gmail password is not necessary.

~~~
davchana
This is the exact reason I removed all of my phone numbers from my Google
account. No matter what recovery options you choose, if Google has a phone
number connected to the account, it will always offer to send an SMS to let you
regain access. Downside: Google bothers me every time with a notification on the
MyAccount page that my phone number is missing. But worth it.

------
zkms
> Call your cell phone provider and put a “do not port under any
> circumstances” hold on your phone number.

How do I do this for my cell provider (T-Mobile USA)?

~~~
andrewpi
I haven't heard of a 'do not port' instruction, but you can call T-Mobile and
add an additional password that will be required before customer service will
service your account.

~~~
pxeboot
Unfortunately numbers can usually be ported out with just name, account number
and zip code. There is a lot of port fraud happening.

~~~
exhilaration
I ported my wife's number last week from Verizon to Sprint, a 4-digit PIN was
required in addition to the account number and phone number.

------
austenallred
I wonder how much bitcoin/ethereum Fred Wilson has. Probably enough that if I
were him I would look into cold storage of some sort.

~~~
exolymph
He should have a hardware wallet or something like that, IMO.

------
jasode
Apparently, the following Verizon SMS text[1] Cody Brown got was genuine:

 _> Free VZQ Msg: You're on the phone with Verizon and just authenticated with
an alternative method. Not you? Please call us at 800-922-0204 immediately._

And one of CB's followup recommendations is:

 _> Make urgent text alerts actionable through SMS. If I received the original
alert and was able to text a reply stopping it, or even delaying it, this
entire hack would have stopped in its tracks. Instead I was told to
‘immediately’ call a number for Verizon that no one was there to answer._

It seems inevitable that the Verizon SMS alert as a bona fide safety check
would embolden social engineers to use that very same method to trick people
into calling their own 800-555-2222. Then, a fake Verizon customer service
agent "phishes" for _even more sensitive identification data_ by asking
official-sounding questions in the guise of "verifying the account".

The tone of that Verizon SMS is panic-inducing and it's very easy for people
to not realize they need to verify that 800-922-0204 is actually a
legitimate Verizon phone#. Even if non-techies take the extra step of googling
"800-922-0204", they may get conflicting information and get confused on
whether it's safe to call back: e.g.
[http://stopthecap.com/2015/10/05/got-a-call-from-1-800-922-0...](http://stopthecap.com/2015/10/05/got-a-call-from-1-800-922-0204-careful-the-verizon-wireless-refund-scam-is-back/)

EDIT ADD: I think it's very challenging to come up with a generalized decision
tree for non-techies (e.g. your 75-year old grandmother) to follow such that
they know they are _"really really REALLY talking to Verizon"_.

If the techie-grandson thinks he can simplify the decision matrix by
instructing his grandmother to simply get a hold of him when she receives such
an alert, then in the 15 minutes plus it takes the grandson to research the
legitimacy of the SMS, the grandmother's life savings in the bank account are
drained. In that scenario, the alert _was legitimate_. The extra delay
introduced by the grandson _made the situation worse_.

In substituting in-person transactions that require biometric verification
(e.g. thumbprint at the bank counter) with non-physical _"information
verifying other information over information channels to unlock access"_, it
creates new vectors of social engineering attacks. It's a very hard safety
problem to solve for the mass population.

[1] [https://cdn-images-1.medium.com/max/800/1*TJo_9dnPNqJC0eecYp...](https://cdn-images-1.medium.com/max/800/1*TJo_9dnPNqJC0eecYpTuXQ.png)

~~~
ufmace
Fortunately, the banks are on Grandma's side on this one. Unlike Bitcoin,
banks will not let someone who obtains a few credentials simply transfer an
arbitrary amount of money to anywhere in the world in seconds. Banks seem to
have many layers of checking for potentially suspicious activity, and ways to
reverse transactions that are later proven to be fraudulent.

Bitcoin has some interesting properties, but holding bitcoins directly is
definitely not right for anyone who can't be trusted to keep their critical
credentials secure no matter what.

~~~
selmat
"Banks seem to have many layers of checking for potentially suspicious
activity,..."

I don't think so. I had this kind of incident and nobody from the bank noticed it
(60 euro paid overnight at 3:35 AM from central Europe to a fake company somewhere
in a tax paradise, summer 2014). When I asked why and how it was possible, they
replied with a formal letter about how sorry they were. Nothing more.

I was in touch with the Visa guys and they confirmed the payment as fraud and
returned my money to me.

Around 10 years ago I was in a national bank. We had a small project for entrance
gateway automation. The control unit was a strange DIY solution.

Banks aren't as secure as we think. At least in my country.

I worked for a big oil company and even their infrastructure and solutions are
far from ideal. So I don't have false expectations about security.

~~~
ufmace
I'm talking about bank transfers, not debit cards. Try and transfer $50k to
another account and see how many steps you have to go through, presuming it's
an individual account and not a business. And then see how long it takes to
actually go through, and how many times they call you to make sure you are
really trying to do that before it goes through.

------
ufmace
IMO, the real lesson to learn for that is that your phone number will never be
really secure, so don't use possession of it for any hard verification if you
have any other options.

------
louprado
I am not sure I understand the following advice:

> "Call your cell phone provider and put a “do not port under any
> circumstances” hold on your phone number."

Is "porting" the same as call forwarding (which I assume would also forward
SMS)? Or is porting a means of upgrading to a new phone or changing carriers
while keeping your phone number? The latter isn't something I want to
disable.

~~~
rabboRubble
I think it means configuring a new SIM on a new phone controlled by the thief
with Cody Brown's Verizon cell phone number. This would allow the thief to
receive SMS authentication texts from Coinbase.

Mobile phone carriers are permitting phone numbers to be ported to a new phone
held by a thief with nothing more than a billing address. The idea behind
adding that "don't port under any circumstance" message is to force an
in-store visit with some type of legal identification before a phone number is
ported to a new device.

If you don't use SMS to secure your bank account, then maybe this advice is
overkill. But if you are using a service that holds a large part of your
assets and can only 2FA with SMS, then you really ought to make taking over
your mobile phone number as hard as possible.

------
87adb99h
I did wonder why I got an email from Coinbase yesterday: "We strongly
recommend you update your second-factor verification to Google Authenticator.
Authy and SMS are vulnerable to phone porting attacks. [...] as of July 31,
2017, we will be requiring that all customers with significant balances use an
Authenticator app as their second-factor verification."

------
MichaelBurge
Every time these hit the news, the exchanges harden their defenses. That's
good for holders of Bitcoin, but I wonder if usability for small transactions
is hurt.

I asked someone with no prior Bitcoin experience to test a checkout process
with Bitpay[1], and the 3rd[2] time they had to pull out their phone they were
really frustrated at all the steps. Plus, doing that many on-chain
transactions is going to add a 30% overhead to a common purchase.

Am I wrong to advise users interested in single <$100 transactions to skip all
the apps and use their exchange's wallet? I hear a lot of people recommending
that everyone operate their own wallet. But since this page is in Bitpay's
checkout funnel the wallet must be very important.

[1] The "How do I pay this?" on a Bitpay invoice links to this:
[https://bitpay.com/pay-with-bitcoin](https://bitpay.com/pay-with-bitcoin)

[2] Once to install the wallet app; once for Coinbase to set up 2FA; once to
set up 2FA for the wallet app

------
RichardHeart
1. I think number portability is required by law?
[https://en.wikipedia.org/wiki/Local_number_portability#Unite...](https://en.wikipedia.org/wiki/Local_number_portability#United_States)

2. 2FA makes people think they're safe, when they're often not. (SS7 is weak,
thus SMS, etc.)

3. There's not really a "secure" email account. The admin can read your mail.
There's not really a "secure" phone number. The admin can use your number.

4. This seems ok, if your phone isn't pwned.

5. If you don't hold the keys, you don't own the coins. DO YOUR OWN COLD
STORAGE.

~~~
tptacek
SMS 2FA makes people think they're safe, and, worse, sometimes turns out to be
SMS 1FA.

TOTP and U2F ("Authenticator" and Yubikeys) have a great track record.

------
chinathrow
Why do people talk about what banks/platforms/accounts they use to hold their
financial values (e.g. Bitcoin)?

Just keep your mouth shut where you store your values and you're most likely
less a target these days.

Also, avoid 2FA based on SMS like hell. This method has been broken multiple
times in Germany where SS7 (the GSM signaling system) was involved.

------
matt_wulfeck
This is precisely why I removed my phone as a 2fa option. I scan the
authenticator on two devices (one primary, one backup) and simply use the
google push app for all logins.

~~~
bitmapbrother
What do you mean by "google push app"? Are you referring to Google
Authenticator? The reason I ask is that I also removed 2FA SMS from my account
and instead use the Google app whether to authorize the login or not.

~~~
matt_wulfeck
Google supports push notifications to the "google" search app. It's not
authenticator. Also it only supports google accounts.

When signing in from an unknown location, the app pops up and says "are you
trying to sign in?" Just click yes.

------
bitmapbrother
I'm currently using the Google prompt for 2 step authentication. Is there any
downside to this compared to using Google Authenticator?

~~~
con022
To my understanding, if someone can receive your SMS, then he can use it to
log in to your Gmail (recover the Gmail account by SMS).

------
tlb
A useful tool for cybercrooks would be a 'do not fuck with' list, of people
who are in or connected to the security community and are likely to create
more blowback than normal. Fred should be on it, and Brian Krebs [0]

[0] [https://krebsonsecurity.com/2016/01/guy-who-tried-to-frame-m...](https://krebsonsecurity.com/2016/01/guy-who-tried-to-frame-me-in-heroin-plot-pleads-guilty-to-cybercrime-charges/)

------
alimoeeny
> Call your cell phone provider and put a “do not port under any
> circumstances” hold on your phone number.

How do I do this for AT&T?

~~~
troydavis
AT&T Web-based chat support will do it in about 5 minutes. Ask for a "port
block" so other carriers can't port your number away from AT&T.

Even if you don't use SMS as a second factor, unless you regularly switch
carriers, there's no downside to doing this.

~~~
tbird24
Do you know if this is reversible? If I ever want to switch at some point in
the future?

~~~
troydavis
Yes, just chat with or call your existing carrier to unlock your number
before porting.

------
pg_bot
Has anyone done a write up of implementing FIDO-U2F into their own web
applications?

------
Eridrus
Bitcoin is still totally the future though, right?

~~~
lostmsu
What do you think your bank will do if somebody gets your password and moves
funds out of your checking account?

------
rrhyne
Does anyone else think he shouldn't have given the attacker all that
information about his defenses?

------
slim
Don't use Google authenticator.

HOTP and TOTP are IETF standards and any compatible app should work. Android
Token works great and is 67kb in size.

Last time I tried to use Google Authenticator it phoned home, supposedly
connecting my mobile IP address to my DSL IP address, thus making me less secure.

------
hopelesslytaken
Recently, using Windows 10, I observed that the screen flashed every 5 minutes
or so, using Firefox without JavaScript, and the same happens in Edge. I used
two antivirus products, Defender and Kaspersky; a full scan doesn't find anything bad,
but I think my computer is being controlled. Last time I used my computer for
transferring money a strange message appeared: "The platform is initiating". I
aborted the operation and I am no longer using this computer for accessing
my bank account. I think that my router and my computer can be compromised, so
now I only use my mobile phone and avoid using wireless since that could
introduce new trojans while updating the phone. I could try to find if there
is a MITM attack, redirection of URLs in the IP tables, and so on, but I am lazy
and if my computer is compromised I think that the hackers can evade and
restore any backdoor. Can you give me any advice about how to proceed?

Perhaps there should be a service able to reboot your computer remotely and
scan any hardware device, bios configuration, iptables, init programs and much
more, applying machine learning or other tools to detect hidden agents waiting
to attack.

~~~
MrQuincle
Not to start an OS war, but there might be serious reasons to do banking with
another OS.

+ How easy is it to see all the processes running on your machine?

+ Is it easy for you to limit the permissions of your browser?

+ Is it easy to monitor weird network activity?

+ Do you have some idea about the security standards of the software you use?
This does not say that it needs to be open source, there might be other ways.

+ Do you have the right setup to receive security updates?

+ Do you restrict yourself to non-mainstream software to reduce the chance to
be a target?

+ Do you consider read-only media at the time you do your banking?

There is a lot you can do without opening up your computer to a remote scan.

~~~
hopelesslytaken
Completely off topic, I saw your 150-day-old link: Why does unsupervised deep
learning work? (arxiv.org). I wonder if you have more links, it seems
interesting. Also the Diaconis article you link to is one of my preferred ones.
I wonder if group theory can help to illustrate why deep learning works.

~~~
MrQuincle
For now:
[https://news.ycombinator.com/item?id=14527686](https://news.ycombinator.com/item?id=14527686)

