
Vulnerabilities in mobile networks open Bitcoin wallets to hackers - ezhil
https://www.ptsecurity.com/ww-en/about/news/285038/
======
sowbug
Slightly less exciting TLDR: as many of you already know, SMS isn't a good
second factor for auth. That includes entrusting your Bitcoin wallet's private
keys to a company using SMS for 2FA. Let's mention "cryptocurrency" as well to
show up in more news alerts.

~~~
cairo_x
PayPal is offender number one. I don't understand why they can't use Google
Authenticator. Is it some kind of pride thing, like PayPal and Amazon?

~~~
Crosseye_Jack
Basically it's a hangover from the PayPal football days (a PayPal-branded
Verisign 2FA token hardware device) they used to sell. No idea why they don't
transition over to a Google Auth style TOTP algorithm.

But they still haven't ported all their systems to 2FA yet. Some pages require
you to enter your password and append your 2FA token to the end of it (mainly
when logging in on mobile), and I know of a couple of stores where, due to their
PayPal integration, I cannot get to the final "Pay Now" page on PayPal even
though I successfully log into PayPal. When you would normally get to that
final page to press "Pay", the page just times out. I have to disable 2FA and
do it again.

You can use "Symantec VIP" (it was renamed after Verisign was bought out).
Though they don't make the sign-up very easy. You have to go to the 2-factor
page ("Security key") under security, press "Get security key", when prompted
to enter your phone number press "cancel", then press "Activate your PayPal or
VIP (VeriSign Identity Protection) token" and then enroll as normal.

It's not Google Auth, and it kinda feels like I am now gaining a collection of
2FA apps (iirc Namecheap's non-SMS 2FA is powered by Authy but you cannot use
Authy), so I do wish they would all adopt a standard.

------
nym
I was targeted this evening by a hacker who ported my phone number, and then
got into FB + Yahoo (SMS reset).

The motive appears to be bitcoin, based on the people contacted via facebook.

Is it possible the initial PIN that was sent by T-Mobile was intercepted via
SS7? I am trying to find out if my phone (Android) is compromised as well.

The accounts and phone number are back under my control, but I want to find out
the vector as soon as possible - I don't trust T-Mobile to honor requests not to
allow porting.

~~~
sasas
What a frightening experience! I'm sorry this happened to you. Curious to
understand how these attackers obtained your phone number in the first place? I
mean, it's not something you publish widely, right?

~~~
kevingrahl
I don’t mean to say it was OP’s fault but you shouldn’t really use your
primary phone number for 2FA anyways. Using a burner dumb phone dedicated only
for 2FA should be standard, right?

~~~
Hanswurst133742
Standard? As far as I know, the majority of users don't even use 2FA at all.
How do you expect them to have a dedicated phone for it...

------
sturmeh
Coinbase is not a Bitcoin wallet any more than your bank is a USD (whatever
your local currency is) wallet.

This has no relevance to Bitcoin wallets.

~~~
mirimir
Well, Coinbase provides what it calls Bitcoin wallets. But yes, they're just
accounts, which control Bitcoin wallets.

Still, this is what many have come to think of as Bitcoin wallets.

Me, I only use local wallets. If I had lots of Bitcoin, they'd be offline.

~~~
kakarot
I think it's important to hammer in the distinction into the minds of the
public. The takeaway being that one should not treat coinbase as a wallet and
thus should never leave coin in their accounts.

For example, my boss lost coin trusting it in the hands of Coinbase. He has
contacted support to no avail. And there are no legal repercussions for them
doing this, just as PayPal reserves the right to freeze or steal your assets.

------
redshark1802
How many times do we have to read that X is vulnerable to SS7 attacks? This
has been going on for the last couple of years.

SS7 in itself is a huge disaster; I can recommend the following presentations:
[https://media.ccc.de/v/31c3_-_6249_-_en_-_saal_1_-_201412271...](https://media.ccc.de/v/31c3_-_6249_-_en_-_saal_1_-_201412271715_-_ss7_locate_track_manipulate_-_tobias_engel) and
[https://media.ccc.de/v/31c3_-_6531_-_en_-_saal_6_-_201412272...](https://media.ccc.de/v/31c3_-_6531_-_en_-_saal_6_-_201412272300_-_ss7map_mapping_vulnerability_of_the_international_mobile_roaming_infrastructure_-_laurent_ghigonis_-_alexandre_de_oliveira)

tldr: everything that uses sms is vulnerable.

edit: as others already mentioned, use offline 2fa like google authenticator.

~~~
mannykannot
> How many times do we have to read that X is vulnerable to SS7 attacks?

Until all those whose job it is to secure the various Xs stop ignoring the
problem?

------
Marazan
_Cryptocurrencies offer unprecedented transaction speeds_

Lol.

~~~
SippinLean
Maybe not Bitcoin, but most other currencies have near-instant transactions.
Even Bitcoin's transaction speed outperforms wire transfers (in the US) by a
matter of days.

~~~
sillysaurus3
Actually, I was shocked how quickly Bitcoin transfers were. About a week ago I
watched someone transfer me $10 in BTC and I got "unconfirmed: $10" within a
few seconds.

It wasn't confirmed until a few minutes later, but that was enough time to
assume everything was fine and to keep doing stuff in the meantime.
Concretely, you can assume almost every unconfirmed transaction will be
confirmed, and you'll almost never be wrong. That means Bitcoin is effectively
instant for every transaction you don't need to care about, and in the other
cases you can just wait a few minutes.

------
1001101
So, a little anecdote, a friend of mine was the victim of an attack and wanted
my advice. The attackers used the SS7 hack, but he also used a phone based
TFA, and somehow attackers were able to get the keys to this. He was able to
get some of his coins elsewhere on a paper wallet, but they got everything in
his hot wallet, and he received a notification that his coins were being moved
out of his cold storage. Thankfully this process takes some time, so he was
able to get that company on the line and stop it (probably pure luck that the
attackers didn't intercept this). I told him to lock down the cold storage and
trash his phone (based on the level of control that would be required to get
TFA private keys). So, there hasn't been any further analysis done on this
attack (the cold storage coins are safe, that's the main thing), but just want
to mention this to get your gears turning. It's possible coins being stolen
this way are being used to fund a nuclear program - keep them close.

------
yeukhon
Sadly, as far as I know, PayPal only allows SMS. I believe with a business
account you cannot link your PayPal to Braintree, and thus you cannot use any
2-auth authenticator.

If I am wrong, please correct me, but I see no other options on Paypal, which
is ridiculous, considering Paypal is such an important service. SMS should not
be used for any critical services, but in cases like Paypal there is no
choice.

~~~
pricechild
It is possible to enroll hardware tokens, but I believe SMS is a prerequisite.

It's also allegedly possible to deactivate in a bunch of other ways, e.g. by
adding a new credit card.

[https://github.com/dlenski/python-vipaccess](https://github.com/dlenski/python-vipaccess)

~~~
yeukhon
Paypal itself I do not believe supports hardware token. If that is possible,
it should be a bug, because that's a non-public feature...

------
r1ch
I wonder if you could use the interest in bitcoin wallets as a canary for
device compromise - load up servers, phones, desktops, etc with unprotected
wallets, add a small amount of bitcoin and set up an alert system if the funds
are moved.

------
tmlee
Mobile phones should be used as a hot wallet storing small amount for
convenience. The rest of the bulk should be on a
[https://trezor.io/](https://trezor.io/)

~~~
patrickk
Or a paper wallet, which is free, although it involves jumping through some
extra hoops.

Here are the steps commonly advised for Ethereum (also works for storing
ERC-20 tokens):

Look up "My Ether Wallet" (be extremely paranoid and treble check the URL so
you don't get scammed with a fake duplicate website). If you follow the steps
below, your wallet is as hack-proof as a Nano/Trezor (just store the paper
wallet securely, because it's the same as cash when the wallet is loaded with
Ether).

1. Create an offline MEW wallet on a secure PC not connected to the internet
(e.g. boot a Linux ISO from a read-only DVD).

2. Print out the wallet details (it will have the private key, a QR code for the
wallet address, and another QR code for the private key).

3. Send a small amount of Ether to test that you have the correct details (if
you bought on Coinbase, use their app to scan the QR code of the paper
wallet). The Ether should show up in the wallet within a few seconds (use
etherscan.io to check your new address).

4. If the test went ok, send the remaining Ether from Coinbase -> MEW.

5. (Optional) Back up a digital copy of the MEW wallet on a clean USB that
you use exclusively for that purpose. Store the wallet details in a password
manager on the USB, e.g. KeePass, Keeweb (any open source password manager
that is kdbx compliant). This is convenient for when you wish to do transfers.
Make sure you don't accidentally copy these details to another PC, upload them
online somehow, etc.

~~~
j_s
HN user jrruethe offered his 2015 guide to bitcoin paper wallets a week ago:

[http://jrruethe.github.io/blog/2015/04/23/bitcoin-paper-wall...](http://jrruethe.github.io/blog/2015/04/23/bitcoin-paper-wallets/)

src:
[https://news.ycombinator.com/item?id=15246588](https://news.ycombinator.com/item?id=15246588)

------
vinniejames
Clickbait, has almost nothing to do with Bitcoin: "the first cases of attacks
exploiting SS7 were registered in Germany, in which money was stolen from bank
accounts"

------
rawoke083600
Use the Fiber, Luke!
[https://www.fibretiger.co.za](https://www.fibretiger.co.za) :P

------
solotronics
This is why I use a hardware wallet [https://trezor.io](https://trezor.io)

~~~
yebyen
I'll be a happy man when the code and specs for this little guy become public:

[https://firefly.city](https://firefly.city)

("Airgap" ETH wallet for $5)

~~~
yebyen
Oh shit, I swear I did not see that coming

[https://www.reddit.com/r/ethereum/comments/71jc83/firefly_up...](https://www.reddit.com/r/ethereum/comments/71jc83/firefly_update_the_5_diy_hw_wallet_fireflycity/)

New crowd-funding page!

------
sillysaurus3
Arg. I wish this article were more substantive, since it's an important topic.
But there are no details.

~~~
nikcub
After tons of reports of Coinbase accounts being broken into they looked into
it, replicated it and then reported it.

SMS is neither a secure nor an authenticated transport and never has been. Avoid
anything that uses SMS as a transport for secrets or phone numbers as auth.

It's not just SS7 vulns but also number portability.

afaik Coinbase is still using SMS as an optional second factor, while iCloud
still only allows SMS.

~~~
snuxoll
> while iCloud still only allows SMS

? I’ve had 2FA turned on for my iCloud account for a while, any time I’ve
needed to authorize a device I’ve had to approve it on my iMac or iOS device,
it doesn’t use SMS.

~~~
nikcub
you can approve login requests using notifications but you need at least one
backup trusted phone number on your account

see step 2: [https://support.apple.com/en-au/HT204915](https://support.apple.com/en-au/HT204915)

"trusted phone number" is an oxymoron

