
The Most Expensive Lesson of My Life: Details of SIM Port Hack - mrb
https://medium.com/@cooncesean/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124
======
eridius
The part of the chart for "threat level I should have had based on everything
I know now" is way off. It should have been at least yellow with "zero cell
coverage" (assuming the author normally has reasonable cell coverage at that
location), should have been red at "got popups to log back into google", and
should have broken out of the page and come knocking on your door at the
"password didn't work".

If I get unexpectedly logged out of my email account, even if I can log right
back in, this should already be at "something seriously fishy is going on and
I need to investigate immediately", such as checking the account for any
activity. Not being able to log in to my email is "check my provider's status
page to make sure they're not having a widespread outage, and if they're not,
get on the horn with support immediately".

As the author says, your email account is the keys to the kingdom for
virtually every other account you have. Anything that threatens it is serious
business.

~~~
idlewords
I compare this to driving. We all think we are safe drivers who will not drive
when tired, not go too fast in thick fog, and pay attention to our
surroundings. In practice, it's hard to live by these rules 24/7.

I thought the author did a good job describing how he rationalized away these
warning signals as flakiness, and had a bad mental model of the situation
("SIM card is being weird") that prevented him taking timely action. He also
mentioned outside factors (needing to sleep, stress at work) that affected his
judgement.

It's easy to say this would never happen to you, but even sophisticated people
get caught by this stuff, since we are in the end human. Writing this article
in the aftermath of losing so much money was a brave and considerate gesture.

~~~
juliusmusseau
This reminds me of Popehat's "Don't judge the victims too harshly" paragraph
from Chapter 5 from his "Anatomy of a Scam"
([https://www.popehat.com/2011/09/18/anatomy-of-a-scam-investi...](https://www.popehat.com/2011/09/18/anatomy-of-a-scam-investigation-chapter-five/)):

> Many of you are thinking, "Jesus, I would never fall for the "the check's in
> the mail, we had trouble with the wire transfer, the money is coming in from
> our affiliate in New York, I'll get you the tracking number" routine day
> after day. But sociopaths are very, very good at this. You don't want to
> believe you've been conned, you don't want to believe you have to go hire a
> lawyer and file a lawsuit, you don't want to believe someone can do this to
> you, you want the income that this transaction promises, and often you don't
> want to go tell your superiors — so you keep hoping that the money is coming
> any day now. It can happen to you. It's happened to very smart lawyers I
> know. It's happened to me. And I used to put these people in jail. So don't
> judge the victims too harshly. When you find yourself in such a situation,
> you've got to focus — to convince yourself to bail out and cancel the
> contract, stop providing services, and file suit if necessary.

------
tpetry
In his learnings he is missing the biggest mistake: resetting the email account
by SMS.

2FA and all are secure enough; the problem for him was that his mobile phone
number was the only thing needed to gain access because the attacker was (1)
able to reset the password for the mail account by SMS and (2) 2FA was SMS
based.

There should be _absolutely no_ way of resetting the password of your mail
account besides some pregenerated tokens you are keeping safe somewhere.

~~~
antimora
I just tried and confirmed Gmail requires a recovery phone number or email for
standard setup. And Gmail gives you an option to recover with SMS =\

~~~
idlewords
There are two places in Gmail where you might have your phone number. The
first is in 2FA options, and it's easy to delete if you add TOTP or a security
key.

The second is "recovery phone number" in a different settings pane. That one
is easy to miss!

------
throwaway45636
Coinbase Pro has an address whitelisting feature, which adds a 48 hour wait
before a new crypto address can be used for withdrawals. This may have also
mitigated the attack.
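
The 48-hour address whitelisting delay described in the comment above, worked through as an added example (this is illustrative code written for this thread, not Coinbase's implementation; the `WithdrawalAllowlist` class, the addresses and the timestamps are all constructed):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy modelled on the feature described above: a newly added
# withdrawal address cannot be used until a 48-hour waiting period has elapsed.
WHITELIST_DELAY = timedelta(hours=48)


@dataclass
class WithdrawalAllowlist:
    """Tracks when each destination address was added to the account's allowlist."""
    added_at: dict = field(default_factory=dict)

    def add_address(self, address: str, now: datetime) -> None:
        # Record the first time an address is added; re-adding must not reset the timer,
        # otherwise an attacker could shorten the wait by removing and re-adding.
        self.added_at.setdefault(address, now)

    def is_active(self, address: str, now: datetime) -> bool:
        """An address is usable only after the full waiting period has passed."""
        added = self.added_at.get(address)
        return added is not None and now - added >= WHITELIST_DELAY

    def withdraw(self, address: str, amount: float, now: datetime) -> dict:
        """Approve or reject a withdrawal based on the allowlist age of the address."""
        if address not in self.added_at:
            return {"ok": False, "reason": "address not on allowlist"}
        if not self.is_active(address, now):
            remaining = WHITELIST_DELAY - (now - self.added_at[address])
            return {"ok": False, "reason": f"address activates in {remaining}"}
        return {"ok": True, "amount": amount}


def simulate_takeover_timeline() -> tuple:
    """Constructed timeline: an account is taken over, a fresh address is added,
    and a withdrawal to it is attempted minutes later."""
    t0 = datetime(2019, 5, 20, 3, 0, tzinfo=timezone.utc)  # constructed timestamp
    wl = WithdrawalAllowlist()
    wl.add_address("owner-cold-wallet", t0 - timedelta(days=30))  # long-standing address
    wl.add_address("fresh-address", t0)                           # added during the takeover
    immediate = wl.withdraw("fresh-address", 100.0, t0 + timedelta(minutes=5))
    owner = wl.withdraw("owner-cold-wallet", 100.0, t0 + timedelta(minutes=5))
    after_delay = wl.withdraw("fresh-address", 100.0, t0 + WHITELIST_DELAY)
    return immediate, owner, after_delay
```

The immediate withdrawal to the fresh address is rejected while the owner's established address still works, which is the 48-hour window in which the victim can notice the takeover and regain control.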

------
blunte
Seems like you have a valid lawsuit against the phone company that ported
your SIM.

~~~
jandrese
What law did the phone company break? Breach of contract? I wouldn't be
surprised if they indemnified themselves in the TOS for your phone plan.

~~~
blunte
Regardless of what is written in a contract, if enough money is involved there
can be a lawsuit that might result in a settlement or award.

~~~
unnouinceput
People forget that the cell company is giving you the possibility to recover
your account as well through standard practices. I believe what happened to OP
is that he used a weak one, that was based on publicly available information
(he states that in the article himself) and that is how the attacker got the
foothold in the first place. After that it was a simple game of playing by the
rules all the way to the Coinbase account and draining it.

------
watersb
Very good walk-through of the _experience_ of being the victim of a SIM (cell
phone service porting) attack.

With flow charts and timelines.

------
throwaway45636
Similar story from two years ago - [https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoi...](https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac)

------
londons_explore
Something's up here...

Assuming it was a Google account with 2 factor enabled, you aren't allowed to
reset the password with an SMS only.

You need _two_ factors. I suspect his original password was leaked, or perhaps
he had a recovery email address also broken into?

~~~
eightysixfour
It almost always starts with a phishing attempt to get the original password.
These attacks are unfortunately common for those working with cryptocurrency.

~~~
ndiscussion
And those working with cryptocurrency seem to be very ill-equipped for
protecting their wealth. Seems like a natural filter.

------
throwaway45636
I wonder if the victim was able to find the transaction of the withdrawal on
the blockchain. It may be interesting to see what the hacker did with the
coins.

~~~
unnouinceput
Probably a lot more transactions, hard to track along the blockchain, and most
likely converted to other currencies as well, using the mentioned Coinbase as
well, and in the end a newly minted wallet.

