
The Most Expensive Lesson of My Life: Details of SIM Port Hack - Reedx
https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124
======
It's an extremely odd decision by the author to publish this piece. Port
attacks on cryptocurrency accounts are nothing new, and outside of publishing
the number ($100k!) there is nothing special about this account of events vs
the countless other near identical articles that have been published on Medium
on the same old attack.

The reason I say it's odd is that he's an _engineering manager_ at BitGo,
which is a leading cryptocurrency custody solution! His job is literally to
secure and protect institutional cryptocurrency wallets, and to publicly tell
the world how careless he was with his own personal account reflects extremely
poorly on his employer despite the fact that this was an unrelated incident.

~~~
arcticbull
It's a reminder that crypto is fundamentally dangerous due to its lack of
regulation and compliance requirements, its fundamental irreversibility and
lack of authority/censorship. It's a lesson we should all take to heart about
what makes for a functional financial system and what doesn't. It's also a
lesson about the security of phones.

IMO it's great to learn about what goes well but super valuable to learn when
people face-plant.

~~~
lixtra
Traditional financial regulation and compliance is a joke and mostly security
theatre from the perspective of a security engineer or cryptographer.

- credit cards with secrets printed and shared in plain sight

- hacked banks

- hacked ATMs

It only works because most involved are somewhat trustworthy and the damages
are small enough that it’s still worth having the system.

But the latter also seems to be true for crypto. It shifts the responsibility
further to the user. Some like it because they assume they can provide better
opsec than their bank (which was easy in the past). Others don’t like to take
responsibility and leave it with some exchange, which in some cases even lags
behind banks.

~~~
SmellyGeekBoy
When I was a student 15 years ago my debit card was skimmed (here in the UK)
and someone in the middle east completely emptied my bank account. I called my
bank, they explained what had happened and what little money I had was back
the very next day.

So while the infrastructure may be fundamentally insecure, quite frankly
that's not my problem. If it was a crypto wallet I would have had zero legal
recourse and of course never would have seen that money again - as we're
seeing again and again.

I do hold some ETH but I don't see it replacing my bank anytime soon.

~~~
nstart
Ouch. Sucks to read that. For anyone who might be interested in a possible
alternative to this, I keep two bank accounts with the same bank with only one
being connected to my debit card. I keep a tiny balance in the account
connected to the debit card so that even if I lose it, the damage is minimal.
Whenever my balance is running low, I do a quick transfer via online banking.

No idea how feasible this might be in other countries, but wanted to share in
case it's helpful. It's really helped me have ease of mind in using my card
when I've been abroad.

Doesn't stop me from attempting to dismantle any ATM though whenever I use one
:')

------
Klathmon
I'd like to see more companies introduce "time locks" into various big aspects
of accounts.

Want to port a SIM? I'll put your request in now but it will wait for 5
business days before it happens, and at any point if you or someone claiming
to be you calls up to stop it, we stop it, no questions asked.

Want to change 2 factor information for an account? We can put in the request
now and it won't take effect for a week while we reach out to you using every
communication method we know how to let you know it's happening and give you
ample time to stop it if you discover it wasn't actually you that did it.

It seems like a fairly "low cost" way of upping the security quite a bit.

Also, not to make the OP feel worse, but Coinbase even offers a service like
this called the "vault". The idea being that withdrawals are time-locked for a
specific amount of time, and there are multiple ways to stop it during that
time lock, even if you got locked out of your account entirely.

And while we are doing PSAs, I'd like to give one piece of seemingly
conflicting advice: make sure you have backups of your multi-factor
authentication systems.

Sure, having your accounts taken over is awful, and it can happen to anyone,
but something just as bad is losing your 2-factor systems and being locked out
of accounts with no way to recover them.

Print out 2-factor backup codes, put them somewhere safe, maybe split them in
2 and put half of the codes in one place, and half in another. Think through
possible problems. It really sucks to have your house flood, then find out
that your phone with the 2-factor app on it was destroyed, and your backup
codes ruined as well...
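As an added illustration of the time-lock idea proposed above (this is example code, not anything from the thread, a carrier, or Coinbase's vault): a small Python model of a change queue in which a port-out or 2FA change is recorded, announced on every channel the provider knows for the owner, applied only after a hold period, and cancellable during the hold by anyone who quotes the request id. The hold lengths (5 days for a port, 7 for a 2FA change), the channel names and the account fields are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical hold periods, matching the comment's "5 business days" and "a week".
HOLD = {"port_out": timedelta(days=5), "change_2fa": timedelta(days=7)}


@dataclass
class Account:
    account_id: str
    carrier: str
    mfa_method: str
    contacts: List[str]  # every channel known for the owner (sms, email, postal, app push, ...)


@dataclass
class PendingChange:
    request_id: str
    account_id: str
    kind: str
    new_value: str
    effective_at: datetime
    status: str = "pending"  # pending | cancelled | applied


class TimeLockedChanges:
    """Sensitive changes are queued, broadcast to the owner, and applied only after the hold."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.changes: Dict[str, PendingChange] = {}
        self.notifications: List[str] = []
        self._seq = 0

    def add_account(self, account: Account) -> None:
        self.accounts[account.account_id] = account

    def request(self, account_id: str, kind: str, new_value: str, now: datetime) -> PendingChange:
        """Record the change; nothing takes effect yet."""
        if kind not in HOLD:
            raise ValueError(f"unknown change kind: {kind}")
        self._seq += 1
        change = PendingChange(f"REQ-{self._seq:04d}", account_id, kind, new_value, now + HOLD[kind])
        self.changes[change.request_id] = change
        # Warn on every channel, so one compromised channel (e.g. the SMS number) cannot hide the request.
        for channel in self.accounts[account_id].contacts:
            self.notifications.append(
                f"{channel}: {kind} -> {new_value} takes effect {change.effective_at:%Y-%m-%d}; "
                f"reply STOP {change.request_id} to cancel"
            )
        return change

    def cancel(self, request_id: str) -> bool:
        """Anyone quoting the request id may cancel; deliberately no identity check.

        A wrongful cancel costs the legitimate requester a retry; a wrongful apply costs the account.
        """
        change = self.changes.get(request_id)
        if change is None or change.status != "pending":
            return False
        change.status = "cancelled"
        return True

    def apply_due(self, now: datetime) -> List[str]:
        """Apply every pending change whose hold has expired; return the ids applied."""
        applied = []
        for change in self.changes.values():
            if change.status != "pending" or now < change.effective_at:
                continue
            account = self.accounts[change.account_id]
            if change.kind == "port_out":
                account.carrier = change.new_value
            else:  # change_2fa
                account.mfa_method = change.new_value
            change.status = "applied"
            applied.append(change.request_id)
        return applied


def scenario() -> dict:
    """A social-engineered port-out is stopped by the owner during the hold; the owner's own 2FA change goes through."""
    t0 = datetime(2019, 5, 20, 9, 0)
    system = TimeLockedChanges()
    system.add_account(Account("acct-1", "CarrierA", "sms",
                               ["sms:+15555550100", "email:owner@example.com", "postal"]))

    attack = system.request("acct-1", "port_out", "CarrierB", t0)                       # attacker, in a store
    owner = system.request("acct-1", "change_2fa", "totp", t0 + timedelta(hours=1))     # owner's legitimate change

    # The owner reads one of the warnings and stops the port; a second STOP is a no-op.
    first_cancel = system.cancel(attack.request_id)
    second_cancel = system.cancel(attack.request_id)

    applied_day6 = system.apply_due(t0 + timedelta(days=6))  # port hold expired, but it was cancelled
    applied_day8 = system.apply_due(t0 + timedelta(days=8))  # 2FA hold (7 days) expired, nobody objected

    account = system.accounts["acct-1"]
    return {
        "first_cancel": first_cancel,
        "second_cancel": second_cancel,
        "applied_day6": applied_day6,
        "applied_day8": applied_day8,
        "carrier": account.carrier,
        "mfa_method": account.mfa_method,
        "notification_count": len(system.notifications),
        "port_status": attack.status,
        "owner_change_status": owner.status,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the asymmetry in `cancel`: it authenticates nothing, because the cost of a false cancel (a retry) is tiny next to the cost of a false apply, while `request` is the step that must be loud on every channel the attacker does not control.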

~~~
bigiain
> I'll put your request in now but it will wait for 5 business days before it
> happens

This to me seems to be a complete misunderstanding of the telcos business and
motivations. They sell mobile telephony - voice, sms, and data - and their
_prime objective_ is to make it as easy as possible for their customer to
spend as much money doing that as possible. Making you wait five days to get
reconnected to "your number" when you have, for whatever reason, lost control
of it is just not going to happen. They'll move mountains to get you back onto
your data/voice plan before you've walked out of the store.

Nobody ever advertised their phone/sms plans as "banking grade secure". Telcos
have been telling us for years that they are explicitly _not_ secure for that:

[https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194](https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194)

Communications Alliance chief executive John Stanton, representing the
interests of mobile providers Telstra, Optus and Vodafone, took the
extraordinary step of declaring the technology insecure in the wake of
numerous reports of Australians being defrauded via a phone porting scam first
uncovered in Secure Computing magazine.

"SMS is not designed to be a secure communications channel and should not be
used by banks for electronic funds transfer authentication," Stanton told
iTnews this week.

Telcos are not interested in securing that, they get _way_ more complaints
from people who lost/broke their phone who want their replacement one to work
RIGHT NOW, than they do from people who got defrauded with a sim porting
attack. And the first group of people are spending _way_ more money
collectively than the second, so of course telcos will continue to make it
quick and easy to sim port.

Everybody else needs to deal with that. While sms 2FA is marginally better
than not having any 2FA at all, it's not the telco's problem if you choose to
use it to "secure" your $100k worth of crypto. In my mind, a large part of the
blame here goes to Coinbase for even offering it. I'm also looking at you,
PayPal...

~~~
RachelF
Yes, Paypal is bad, they took away their support for the Symantec 2FA codes
and forced users in many countries to use SMS instead.

This is pretty easy for the telco to prevent, though. Your existing telco
should simply phone you and ask if you wish to leave them before letting the
number get ported out.

Note that all telcos will prevent the number being ported out if you owe them
any money on the account.

~~~
mehrdadn
> Note that all telcos will prevent the number being ported out if you owe
> them any money on the account.

Wait really? Is there a way to force yourself to perpetually owe them a small
amount of money then? Could be really worth the money.

~~~
cortesoft
An attacker could just pay the balance.

~~~
mehrdadn
Seems like a decent hurdle to make an attacker jump through? Given they'd want
the payment to be untraceable etc.

------
rubyn00bie
In all seriousness folks, as someone who long ago worked for a big wireless
carrier, do not use SMS-based two-factor auth for anything. Number porting is
a huge and easily performed attack vector, it requires very, very little
information, a lot of which can be gathered from publicly available
resources... or pretty easily obtained via social engineering. To make matters
worse, the information doesn't even need to be entirely accurate.

Once they have your number ported getting it back will take, at least, a few
days; during which, they'll have unfettered access to anything that uses your
mobile number to authenticate.

Use a dedicated 2FA application on a device you physically control and _write
down_ the backup keys somewhere physically safe.

~~~
foobiekr
So what’s the alternative? Especially financial institutions insist on using
SMS in addition to even hardware keys. It’s crazy.

~~~
dontbenebby
Many carriers let you set an "account password" or "account pin" - changes
can't be made to the account without it (even with personal info like SSN,
bday, etc)

Financial institutions offer it too sometimes - my credit union requires the
account password, or a visit to a branch to show ID - no amount of personal
info will allow you access.

~~~
jjeaff
Any carrier will allow you to change your password or pin using other
information.

Otherwise, what would happen in the frequent case where users forget their
pin?

~~~
dontbenebby
> Any carrier will allow you to change your password or pin using other
> information.

If by "other information" you mean "come into a store and show a government
issued photo ID" you are correct. That's a fairly high bar to clear.

That's the way my carrier does it, and I assume if they violate their own
procedures I could evaluate my legal options... though as a practical matter I
use a VOIP # which requires a 2FA protected login to port out for vendors that
force me to use SMS 2FA.

~~~
jjeaff
Which carrier is that?

------
cdiamand
I was attacked in the same manner this weekend. I'll dump what I know below in
the hopes it helps someone.

I lost money when MTGox went under and made some online posts (on reddit, I
think) several years ago. Maybe this is what caused me to be targeted?

This weekend a malicious actor posing as the account holder on my account was
able to get my number transferred to his phone. AT&T fraud says this happened
at a store, and the user had the last 4 of one of my family member's social
security number, as well as a fake id. I'm not sure I believe this, but will
request more info in writing.

I regained access to my account. The attacker came from IP 216.162.42.85
(santa clara california)

They entered my email and according to google activity logs immediately went
after my coinbase account. They got in (joke's on them I didn't have
anything). Then they searched my email for 'btc', and also made a visit to my
bank website. They weren't able to get access.

As far as I can tell, they were in and out within 10 minutes. I wonder if this
was related to the author's experience?

~~~
dbancajas
This is the reason I have disabled SMS as a recovery option in my gmail/google
account. My 2FA for gmail is now my iphone and ipad. They have to know my
password and get one of my devices to hack my account. I also use protonmail
and for SMS based 2FA, I plan to use a google voice number from a totally
different google account which forwards the text to my protonmail account.
Google voice numbers cannot be ported out. Hence, avoiding the sim hack. They
can port out if they hack my "shadow" google account. The trick is to never
use the shadow account for anything. Hence, the attackers have no way to get
to your google voice.

~~~
pg_bot
I'm fairly certain that any phone number in the US has to be portable by law.

~~~
dontbenebby
You can port out a voice number - it's $3 if it was originally a voice number:

[https://support.google.com/voice/answer/1065667?hl=en](https://support.google.com/voice/answer/1065667?hl=en)

Weirdly, you can't port a Gsuite google voice # to a gmail account. (I looked
into it when considering canceling my Gsuite account)

------
inetknght
> _Google Voice 2FA_

Unfortunately many places are actively refusing to work with Google Voice. I
got a message from Bank of America saying specifically that they're removing
Google Voice support:

> _You can't enroll in Zelle with a landline, Google Voice or VOIP (voice
> over internet protocol) phone number. (Section 3.C.3 Enrolling in the
> Service)_

This follows with some other unnamed (because I don't remember them) services
which also refuse to work with Google Voice.

That's really unfortunate because I've been using Google Voice for nearly 10
years without issue until recently (when companies specifically remove
support...)

~~~
rando444
If you ported a previous phone number to google voice, how would they know?

~~~
mleonhard
It's easy to find out the company hosting a phone number:
[http://twilio.com/lookup](http://twilio.com/lookup)

------
Uptrenda
Stuff like this freaks me out and I'm sure I'm not the only one. Thanks for
the wake-up call. It's a terrible amount of money to lose. I hope things get
better for this guy in the future (and I don't think anyone would say they're
to blame for this.)

Security is becoming so difficult to balance with an every day life... I don't
know how anyone can remember everything that they're "supposed" to know about
security.

------
Havoc
This is frightfully common in South Africa except aimed at banks - they use
SMS as their 2FA. ("SIM swap")

Another common tactic to watch out for: Repeated calling of your phone to
annoy you enough so that you switch it off/silent it. That can give the
attacker enough time where you don't notice the swap.

------
jaden
This is frightening. If you're using texts for 2-factor auth you're at the
mercy of your phone service provider's customer service. And they're trying to
balance being helpful with security, which can be in opposition. Losing
$100,000 with no hope of recovery is the kind of thing that could sink many
people's finances.

His summary of how to avoid having this happen to you:

- Use a hardware wallet to secure your crypto
- SMS-based 2FA is not enough
- Reduce your online footprint
- Use Google Voice for 2FA
- Create a secondary email address
- Use an offline password manager

~~~
d1zzy
There may not be a choice. Vanguard refused to log me in until I configured
2-factor SMS.

~~~
ndiscussion
I would consider that an alarming sign that I need to change investment
companies asap (probably after loudly complaining and trying to change it,
since Vanguard is somewhat unique).

~~~
anaisbetts
Fidelity also only uses SMS-based 2FA :-/

------
ikeboy
Everybody involved in something like this should be suing the phone company
that gave away their phone number in violation of policy.

[https://www.silvermillerlaw.com/current-investigations/crypto-cellphone-sim-port-hijacking/](https://www.silvermillerlaw.com/current-investigations/crypto-cellphone-sim-port-hijacking/)
comes up on a search and says they'll do contingency in cases like this. Got
nothing to lose.

------
Gwypaas
How can a mobile carrier operate like this?? No authentication that the
request isn't fraudulent?

In Sweden I switched to another carrier, still keeping the number in the same
name. To do that I got a text message with a code I had to input to initiate
the process.

When I ported my phone number from my father to me within the same carrier
when I turned 18 that required the same confirmation to initiate the process
and signed request/approval both from me and my father posted to the company,
with associated emails about the process.

This isn't even hard? This is just basic steps to prevent identity theft....

~~~
jsnell
This is not about porting the number to a different carrier or even a
different owner though. It's more analogous to getting a replacement SIM card.

The last time I had a phone stolen, I went to the carrier's store, they
checked my ID, and gave me a replacement SIM. And the things is, if the
customer service representative is empowered to do that, they could also be
bribed by the attacker.

~~~
Gwypaas
I checked, to get a replacement sim my carrier sends out inactive cards that
need to be activated through their web service using the printed number on
the card.

If you don't have an account you need to contact customer service, and to get
through there they most likely authenticate you based on your SSN and an
already active app on your phone (BankID) where you input your personal
password.

This has actually created problems when people get their stuff stolen abroad.
The ID application is authenticated using your bank and a device using your
physical bank card, a generated number from the webpage and your pin and then
the generated number is put into the webpage. So if you get both phone and
card stolen it's essentially impossible to get into your accounts until you
can get a new one posted to you. Especially fun if your bills end up in a
digital mailbox requiring that login....

Using that app is how essentially all identification is done in Sweden since
it's based on an already approved physical device and a personal password.
With your bank as insurance that the information is correct based on your
physical bank card and the account associated to it.

~~~
knorker
See recent Tele2 attacks. This is a problem in Sweden too.

Maybe the Tele2 attacks made them finally sort things out.

~~~
Gwypaas
Googled. Is it regarding using social engineering to enable call forwarding
last autumn? Can't find anything else.

~~~
knorker
Yeah. Which is how this guy got hacked, too. Whether it's by forwarding or new
sim card is a detail. It's the same social engineering vulnerability.

~~~
Gwypaas
And reading the article everyone was already at the time working on preventing
it, because any unauthorized change is illegal.

The prevention seems to be either through BankID authentication or actually
calling/texting the number being forwarded to make sure the request is
legitimate.

------
maxlamb
Large tech companies like Google push 2-factor auth to "increase" security,
but this article shows that 2-factor auth with SMS verification opens up a
huge security hole since the attacker can access your email if they can get
your provider to port your SIM over to their device. Am I missing something
and if not how did companies like Google not foresee this huge security hole?

~~~
latortuga
Google offers many different 2 factor methods including Google Prompt, TOTP,
and security key - all of which are better choices than SMS. The author is
right to say that SMS is not enough but he didn't go far enough: only use SMS-
based 2FA if it's your only 2FA choice for your critical accounts, and
consider alternative services if it's your only choice.

~~~
Macha
The issue is that the forgot/lost device flow allows you to remove your more
secure 2FA with only SMS verification.

~~~
knorker
You can turn off SMS/phone auth fallback, at least in gsuite.

------
socialist_coder
Sucks to be the OP but storing any crypto in an exchange is idiotic and
literally the first thing on any list of "how to secure your crypto" is to not
do it. This shows the OP is just being willfully ignorant.

Exchanges get hacked or are victims of internal fraud at a level that is far
beyond any acceptable risk.
[https://coinsutra.com/biggest-bitcoin-hacks/](https://coinsutra.com/biggest-bitcoin-hacks/)

If you have any kind of serious crypto holdings, you should either be using
hardware wallets or a PC that you _only_ use for crypto. Nothing else. Buy
crypto, transfer to your PC, turn off PC.

~~~
thinkmassive
For any significant crypto holdings you should be using a hardware wallet, and
for serious holdings you should also use a multisig setup.

~~~
pazimzadeh
Right but what if the blocks fill up and transactions are taking forever right
when you (and others) have the most interest in selling?

~~~
aphextim
This is why you do long term holding in BTC or any coin that may take longer
to confirm on the chain and the money you are playing/trading with should be
in an asset like XLM which transfers in seconds.

Now if the whole thing is tanking and you want to transfer your entire savings
to try and ride the wave you are already too late if your money is not already
on an exchange and you shouldn't be 100% swing trading anyway.

Just my opinion on how I handle it.

------
ktsmith
This person's Google account is likely still vulnerable to the attacker and if
they used chrome password sync all of their other accounts are also likely
owned. You can recover a google account if you know some basic details such as
a previously used password or the creation date of an account. After having a
google account owned enrollment in the advanced protection program and
ensuring only the strongest recovery methods are enabled are best next steps.

[https://landing.google.com/advancedprotection/](https://landing.google.com/advancedprotection/)

------
apo
> Do not leave funds idle on exchanges or fiat on-ramps.

This warning has been publicly repeated _hundreds_ of times since 2010, yet
people still insist on ignoring it.

The author didn't lose anything. He gave Coinbase his bitcoin in exchange for
a promise to pay it back. That deal backfired.

> I knew the risks better than most, but never thought something like this
> could happen to me.

There's knowing the risk, and then there's _knowing_ the risk. I'd suggest
that the author didn't really know the risk, or he would never have considered
leaving such a valuable asset in the care of an organization so ill-equipped
to safeguard it.

~~~
781
Do you also keep your cash under your mattress, instead of in a bank
account?

~~~
galimaufry
Someone please correct me if I'm wrong, but at least in the US banks take on
all risk of fraud. If someone starts writing bad checks in your name, that's
ultimately the bank's problem rather than yours.

~~~
apo
Coinbase is not a bank. It acts like one. It spies on its customers on behalf
of federal regulators like one. But it most definitely is not a bank.

The author has to eat the loss, as per the user agreement.

------
nicolaslem
SMS should not be used for anything even remotely related to security. If you
still need to be convinced, the Reply All episode about it[0] is eye opening
while being entertaining.

[0] [https://gimletmedia.com/shows/reply-all/v4he6k/130-the-snapchat-thief](https://gimletmedia.com/shows/reply-all/v4he6k/130-the-snapchat-thief)

------
atemerev
I wonder how nobody sees the elephant in the room.

2FA by SMS is terribly insecure. Numerous security researchers recommended
never using it. Using phone numbers as primary authentication mechanism is
insecure and never should be used. Phone numbers can be spoofed, SMS messages
can be intercepted, SIM port attacks can and will happen. If your email or
banking accounts depend on 2FA by SMS, especially when SMS can be used to
reset the password — disable it now. Avoid it like plague.

More than that — if your account has significant value that you absolutely
can’t afford to lose, you shouldn’t use _any_ 2FA services linked to your
phone, at all, including Google Auth. Your phone can be lost or stolen
anytime. Use a dedicated device which you don’t take with you all the time.

~~~
therealmarv
I know SO many real banks which still use 2FA by SMS.

~~~
klardotsh
And it was a hell of a fight to even get _those_.

Alliant Credit Union, for example, only just rolled out SMS-based 2FA in the
past ~year. No TOTP/U2F/FIDO* options at all (in fact, according to
[https://dongleauth.info/](https://dongleauth.info/), exactly zero major
banks/CUs in North America support anything better than SMS or TOTP).

When I can lock my GitHub account more securely than my _money_, it's a bit
(read: lot) depressing.

------
781
This kind of sums up the whole article:

> _I knew the risks better than most, but never thought something like this
> could happen to me_

This also explains why this article is useless as a warning. Someone who will
be hacked like this in the future is reading this article now and saying "hmm,
I should be securing my holdings against this, but I don't have time now, and
this won't happen to me right away, I'll look into it next week"

It's like the countless articles which appear after backup failures. "I knew I
was supposed to test restoring from backup, but...."

------
ForHackernews
This is the kind of stuff that convinces me we'll never see mass adoption of
cryptocurrency -- or that if we do, it will be only by replicating the
existing financial system and slapping a cryptocurrency label on it.

If security engineers at cryptocurrency firms are getting hacked, what hope do
mom & pop users have? And once your money is stolen, you have basically zero
recourse and no way to reverse the transaction. I know many proponents
consider that a feature, but I'm telling you for the average user, it is
absolutely a bug.

------
petercooper
I have a question related to this that someone expert in Bitcoin could answer.

Could the victim monitor where the bitcoin (we assume) went to using the
public blockchain record? Then, trace it every step of the way (and in
whatever chunks it divides into) until it reaches the account of a publicly
identifiable entity? At that point, there might be legal recourse in recouping
stolen goods (at least, this is how it works in the UK with stolen physical
goods.. even if someone "legitimately" buys them, they can be reclaimed).

~~~
drexlspivey
Kinda but it's hard and there are measures to counter this. There is one thing
called coinjoin which attempts to tumble coins.

Imagine you stole 10 btc and you split it to 10 outputs of 1 btc each. Then
you use 2 of them to perform a coinjoin with several other people where in a
single transaction 10 inputs of 1 btc (2 of them yours) produce 10 outputs of
1 btc (again 2 of them yours). There is no way to tell which coin is which
anymore. Of course this requires some degree of interaction with other people
but in other coins such as grin that use the mimblewimble protocol this
happens automatically for every block.

Another thing you can do is try to do an atomic swap with someone on another
blockchain i.e Litecoin. In this case you send your coins to a specific script
address, the other person sends his LTC to another script address and you
effectively swap BTC with LTC.
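An added example (not from the thread and not real chain data) that walks through the coinjoin point in the comment above: a constructed transaction graph with the 10 BTC theft, the ten-way split, a coinjoin with eight strangers, and a later cash-out to an exchange deposit address, plus a tracer that forwards the stolen share of value through every spend. Before the coinjoin every output is 100% stolen; after it all ten outputs carry the same 20% share, so a tracer that flags anything tainted also flags eight strangers' coins and nothing singles out the thief's two. All txids, addresses and amounts are constructed, and fees are ignored except for the 0.001 on the cash-out.

```python
from typing import Dict, List, Tuple

Outpoint = Tuple[str, int]                            # (txid, output index)
Tx = Tuple[List[Outpoint], List[Tuple[str, float]]]   # (inputs spent, [(address, amount), ...])


def build_graph() -> Dict[str, Tx]:
    """Constructed chain history, inserted in confirmation order.

    Funding transactions have no inputs here; they stand in for whatever
    history the victim's and the strangers' coins really had.
    """
    txs: Dict[str, Tx] = {}
    txs["victim_withdrawal"] = ([], [("victim_addr", 10.0)])
    for i in range(8):
        txs[f"stranger_{i}_funding"] = ([], [(f"stranger_{i}_addr", 1.0)])
    # The attacker moves the victim's 10 BTC to an address they control.
    txs["theft"] = ([("victim_withdrawal", 0)], [("thief_addr", 10.0)])
    # Split into ten 1 BTC outputs, as in the comment above.
    txs["split"] = ([("theft", 0)], [(f"thief_{i}", 1.0) for i in range(10)])
    # Coinjoin: 2 thief inputs + 8 stranger inputs, 10 indistinguishable 1 BTC outputs.
    cj_inputs: List[Outpoint] = [("split", 0), ("split", 1)]
    cj_inputs += [(f"stranger_{i}_funding", 0) for i in range(8)]
    txs["coinjoin"] = (cj_inputs, [(f"cj_out_{i}", 1.0) for i in range(10)])
    # One coinjoin output later lands at an identifiable exchange deposit address (0.001 fee).
    txs["cashout"] = ([("coinjoin", 3)], [("exchange_deposit", 0.999)])
    return txs


def trace_taint(txs: Dict[str, Tx], stolen: Outpoint) -> Dict[Outpoint, float]:
    """Forward-propagate the stolen share of value from `stolen` through every spend.

    Each output of a spending transaction inherits
    (stolen value among its inputs) / (total value of its inputs).
    Transactions are visited in dict order, which build_graph() keeps in confirmation order.
    """
    amount: Dict[Outpoint, float] = {
        (txid, idx): amt
        for txid, (_, outs) in txs.items()
        for idx, (_, amt) in enumerate(outs)
    }
    share: Dict[Outpoint, float] = {stolen: 1.0}
    for txid, (inputs, outputs) in txs.items():
        if not inputs:
            continue
        total_in = sum(amount[i] for i in inputs)
        stolen_in = sum(amount[i] * share.get(i, 0.0) for i in inputs)
        if stolen_in == 0.0:
            continue
        for idx in range(len(outputs)):
            share[(txid, idx)] = stolen_in / total_in
    return share


def flagged_addresses(txs: Dict[str, Tx], share: Dict[Outpoint, float], txid: str) -> List[str]:
    """Output addresses of `txid` that an 'any taint at all' policy would flag."""
    return [addr for idx, (addr, _) in enumerate(txs[txid][1]) if share.get((txid, idx), 0.0) > 0.0]


def demo() -> dict:
    txs = build_graph()
    share = trace_taint(txs, ("theft", 0))
    coinjoin_shares = [share[("coinjoin", i)] for i in range(10)]
    return {
        "split_share": share[("split", 4)],                  # 1.0: every split output is fully stolen
        "coinjoin_share": share[("coinjoin", 3)],            # 0.2: the thief's 2 BTC spread over 10 outputs
        "distinct_coinjoin_shares": len(set(coinjoin_shares)),  # 1: no output stands out
        "coinjoin_flagged": len(flagged_addresses(txs, share, "coinjoin")),  # 10, of which 8 are strangers
        "cashout_share": share[("cashout", 0)],              # 0.2: the exchange deposit is only 20% "stolen"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The proportional rule is the common-sense one a claimant would argue with; the "flag anything touched" rule is what most blacklist tooling effectively does, and the example shows why it sweeps in the eight strangers. Neither rule recovers which two coinjoin outputs were the thief's, which is the comment's point.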

------
Animats
_" I treated Coinbase like a bank account and you have absolutely zero
recourse in the case of an attack."_

Now that's the real problem. Coinbase acts like a bank or a broker/dealer, but
isn't regulated like one.

~~~
knorker
That and Bitcoin is specifically designed to not give you a recourse in case
of an attack.

Cryptocurrency designers seem to think that banking was designed as a mistake
without anyone thinking. That laws people wanted were just unfortunate side
effects.

~~~
Animats
Bitcoin isn't the problem here. Coinbase is regulated as a "money
transmitter". You can get into the same situation if you send money via
Western Union, which is also regulated as a money transmitter, and tell them
to "waive identification" at the receiving end.[1] That's used as a payment
method by some scams.

Coinbase will pay out via PayPal, so someone with access to an account's
credentials could pull off this scam without involving cryptocurrency at all.

Now if Coinbase was regulated by the SEC as a "broker/dealer", which is what
they really are, they'd be subject to SEC regulations on fraud, and would have
SIPC insurance to protect the customer up to $250K.[2]

Coinbase does, in fact, have a New York State "BitLicense", which makes them
subject to various New York State regulations. Among other things,
transactions larger than US$10,000 have to be reported to the New York State
Department of Financial Services within 24 hours, and Coinbase is subject to
rules about cybersecurity, fraud, and its activity as a custodian of the funds
of others. You can complain to the New York State Department of Financial
Services.

DFS pulled Bittrex's license last month and gave them one day to get out of New
York State.

[1] [https://www.westernunion.com/us/en/fraudawareness/fraud-question-and-answer.html](https://www.westernunion.com/us/en/fraudawareness/fraud-question-and-answer.html)

[2] [https://www.sipc.org/for-investors/what-sipc-protects](https://www.sipc.org/for-investors/what-sipc-protects)

------
VLM
That's interesting, I did not know it was possible to have a coinbase acct
without working google authenticator.

I found out the hard way it takes over a week of time and multiple
verifications and contacts to reset my authenticator when my old phone was
broken; as it should be.

------
knorker
I'd like to point out that preventing things like this is literally this guy's
day job. (Look him up)

And he didn't know about SIM attacks.

And he kept $100k of irreversibly transactible "money" on an exchange, despite
their history of being hacked.

This is what happens when you get involved with organized crime (which I
consider Bitcoin to be): you become a victim.

His lesson learned is of course not that reversible transactions are something
good, not a "mistake" in the fiat banking system.

------
js2
Additional discussion yesterday. Perhaps the mods can merge these submissions:

[https://news.ycombinator.com/item?id=19964089](https://news.ycombinator.com/item?id=19964089)

------
simo_dax
I still don't get one thing: how could the attacker port OP's number without
proving he owns the sim? Where I live (in EU) it's mandatory, isn't it the
same in the US?

~~~
mercora
at least in Germany ordering new sim cards to new addresses your provider
never heard of before was a thing some years ago. I think porting a number is
a lot easier if you know the detailed process though.

~~~
simo_dax
Oh, my bad, I thought US was the exception

Here in Italy you must provide your ID card and wait a couple days for the
carrier to check the data. Government websites even use 2fa as a proof of your
physical identity

~~~
hombre_fatal
Why is it so common for some people to use "EU"/"Europe" when talking about a
quirk about their country? Americans do it too, though the states are far less
unique than countries.

~~~
ozchris
Because many of the rules are made on the EU level, not by the individual
country.

------
arcticbull
If only there was a way to trace the transactions and reverse them. Sadly, the
"future of banking" is all immutable ledgers with zero recourse so the money
is gone. If this were a _real_ bank he'd have his money back right quick.

------
gruez
>Do not leave funds idle on exchanges or fiat on-ramps. I treated Coinbase
like a bank account and you have absolutely zero recourse in the case of an
attack. I knew the risks better than most, but never thought something like
this could happen to me

I wonder why he'd think that. Disregarding the risk of you getting
phished/hacked (which you can prevent), there's nothing you can do about
coinbase getting hacked (eg. mt gox), running away with the funds, losing
their funds because of incompetence (eg. quadrigacx), or locking your account
and taking months to unlock.

------
dillonmckay
I am a bit surprised at the lack of opsec considering the author’s employment
and experience.

Definitely sucks to have $100k stolen.

------
GhostVII
Is Google's password reset system a massive security risk? I set up a couple
of recovery phone numbers without thinking about it too much, but after
reading this it seems like I'm just a little bit of social engineering away
from having my Gmail account taken over, along with anyone else who set up a
recovery number. If someone took over my SIM and reset my password overnight,
they would have 8 hours to do whatever they want with my Gmail account before
I saw that my password had been reset.

~~~
derekdahmer
Yes, my google account was simjacked last year. I lost access to my email,
photos, and ability to login via Google. They were after my Coinbase account
(luckily the only account I used real 2FA on). They could have initiated bank
transfers too but didn’t try.

Customer support for personal gmail accounts is almost nonexistent.
Fortunately I had a friend who worked at Google and had them put a word in on
my reset request otherwise I would have been SOL.

Disable phone number resets and switch to Google Authenticator w/ backup codes
ASAP.

~~~
ktsmith
Go through the password reset process with google and it's worse than most
people think. The first thing it asks you is:

> Enter the last password you remember using with this Google Account

Which of course the attacker knows because they changed your password. If they
don't know that you can click try again and go through the various two factor
methods set up (hardware token, totp code, sms) and then the very last and
also terrible option is putting in the date the account was created. If your
account has been owned the attacker likely knows this too. Advanced account
protection is pretty much the only option if you've had your account breached
at any time.

~~~
nulbyte
>> Enter the last password you remember using with this Google Account

> Which of course the attacker knows because they changed your password.

The site asks for the last password _you_ remember using, not the last
password that _was_ used (presumably by the attacker). I don't think this is
as bad as you think; the attacker doesn't likely know the previous password,
or else they would not have needed to hijack your phone number.

------
kevin_b_er
The major US providers are looking to get you to replace all your logins with
direct cell-provider authenticated logins, so they can skip the email recovery
part:

[https://www.fiercewireless.com/tech/project-verify-will-bring-mobile-connect-tech-to-u-s](https://www.fiercewireless.com/tech/project-verify-will-bring-mobile-connect-tech-to-u-s)

With this, the attackers get direct access to all your services once they
socially engineer or identity-theft attack your cell account.

------
fheld
Is there a mobile carrier focusing on security?

something like what CF (and others) are doing with domains

~~~
benjohnson
I would think that an online-only MVNO like Ting.com would be harder to fool -
even if their call agent fell for the trick, they'd still have to mail a new
sim out. But you'd have to log in yourself to swap the sim using the Ting
website. As I understand it, attacker would have to fool you and coax you to
swap the sim.

------
codedokode
This type of attack has been happening for a long time in Russia where
criminals often have accomplices among employees of a cellular carrier or its
dealer. There is often no serious responsibility for this and such employees
often get away with a fine or just being fired.

The most notable example is when a certain person's SIM card was reissued 4
times within 2 days in different cities by criminals while the owner was
trying to restore access to her phone.

To prevent it, some Russian banks have agreements with carriers that allow
them to check the SIM card's identifier and detect whether it was reissued. If
such a situation is detected, the bank doesn't allow the new SIM card to be
used to confirm operations.

Some carriers block new SIM cards from receiving SMS for 24 hours and send an
SMS notification to the old SIM card so that the owner can restore access.
Also, one can restrict the list of locations where your SIM card can be
reissued.

------
joncursi
This same thing happened to me last month (SIM Swap). I also made a post
recapping the event, plus the security steps you need to take to help mitigate
this attack vector, here:

[https://www.youtube.com/watch?v=Uww4Bu6Uzxk](https://www.youtube.com/watch?v=Uww4Bu6Uzxk)

------
umvi
Seems like 2FA in this case is significantly weaker than 1FA if you have a
long password. I suppose it depends on if it is easier to answer the security
questions or to convince a customer support rep, but my security questions are
pretty obscure and I have a security question salt that I always append to the
answer.

~~~
askvictor
2FA is not in itself weaker (for the same password). It's account recovery
that's the downfall here - the password is forgotten and not one of the
factors, so the system allows you to recover your password with _only_ the
second factor (mobile phone number).

------
asdfasgasdgasdg
This inspired me to disable SMS verification on my Google account. Now, the
attacker may be able to port my phone number, but without my logged in Android
phone, or one of my printed pass codes, they would not be able to subvert my
email address.

I was wondering how the attacker found out this guy's phone number, so I
searched my own online. Disconcertingly, it was visible on
truepeoplesearch.com. So I also submitted a record removal request there.

I mean, I think the best option is to not own any assets that can be
fraudulently, irreversibly transferred away. That's what I do. But a little
extra security won't hurt.

------
newnewpdro
Phone-based 2FA is security theatre that just adds a new and easy attack
vector in the process, pushed by service providers obviously to attain your
phone number instead of just an email address.

For anything important I use air-gapped hardware tokens for 2FA. If a
brokerage or bank doesn't support hardware token 2FA they don't get my
business, full stop.

At the last startup I worked for, which was rather security sensitive, the
leadership actually insisted on employees setting up gmail w/SMS 2FA on their
smartphones. I kept using backup codes and never set it up.

------
alias_neo
Slightly off topic, but I briefly addressed SIM swap in my prequel blog post
to "SSH 2 Factor...", "SSH 2-Factor's First Factor".

The goal was to help beginners in security and technology as a whole
understand why SMS based two-factor is insecure and should be avoided.

It's just a couple of paragraphs in a larger post on securing your SSH
sessions but hopefully it's of interest.

[https://2byt.es/post/totp2](https://2byt.es/post/totp2)

------
carbocation
Coinbase should not allow your phone number to be used for 2FA.

~~~
verroq
I don’t think they’ll change it either because doing so would be admitting
responsibility.

------
tga
Part of the problem here is the lack of fraud insurance from
CoinBase/exchanges. If the attacker would have instead stolen from his bank
(several US and Canadian banks I know happily allow logins with only a
password or are only starting to introduce SMS-only 2fa), it is likely that
the bank would have returned the money, whether they could revert the
transaction or not, and then pursued the hackers themselves.

~~~
knorker
_because_ they can (usually) revert it.

Because reversibility is a good thing.

~~~
aeorgnoieang
Fraudulent transactions made with a regular bank account are pretty
irreversible too. There's a whole extra layer of infrastructure on top of the
'core' banking services that allows them (banks) to 'reverse' a fraudulent
transaction. But I'd be very very surprised if fraudulent charges are
'reversible' in any other way than the bank reimbursing the account holder.

In other words, crypto-currency exchanges _could_ do the same thing (but then
they'd almost certainly have/want to charge for that).

Double-entry bookkeeping is also, ideally, irreversible.

~~~
knorker
Real banks have been hacked (e.g. full mainframe root access), and the hackers
have made international transfers which were reversed.

Sure. When bank _accounts_ get hacked sometimes the bank just eats the cost,
but if $100k goes to another bank they'll contact that bank to have the money
be clawed back.

Now I say "reversed", but the end goal I mean is "the money was transferred
back" because it's traceable and doesn't require the cooperation of the
receiving account holder. Not that it gets "undone" in double-entry
bookkeeping.

Indeed bank hacks have lost some money when the "reversal" incurred currency
fluctuation effects. (which could have gone the other way, too).

Also no, regular bank transfers are very reversible because courts can order
it so. The justice system can order accounts frozen. With cryptocurrency the
illusion is "math is the ultimate arbiter", but of course "math" can't solve
"so what happens if one party broke the law", but is forced to answer "well...
I guess they win, then".

Also compare smart contracts. You can make an illegal contract. Say the
equivalent of selling yourself into slavery. Smart contracts _want_ there to
be no court that says "actually, that's slavery, and this contract is void,
also the money must be returned". To think that "math" can provide justice
better than a justice system is not just holding low esteem for justice
systems in general. It's anarchy, and tyranny by exploitation.

"People" are not lawyers, which is why some things are not allowed in
contracts. "People" are not coders, which is why smart contracts are also not
a thing that will happen (on a scale cryptocurrency people dream of).

------
tushar-r
Here in India pretty much every online banking transaction requires an SMS
OTP. To get a SIM card changed, you need to provide govt ID + you don't get
any text messages for 24 hours. IIRC, if you go into a store asking for a SIM
swap they also send you an OTP, and ask you to text the new SIM's serial
number to a special number to activate it.
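The two carrier/bank mitigations described in this thread (codedokode's account of banks checking the SIM identifier and refusing confirmations from a reissued SIM, and tushar-r's description of a 24-hour SMS block after a SIM swap) can be modelled as two independent layers. The following is an added example written for this page, not code from any bank, carrier or commenter; the `Carrier` directory, the `iccid` field, the `BankAccount` record and the `confirm_via_sms` check are hypothetical, and all SIM identifiers and timestamps are constructed.

```python
"""Added example (hypothetical; not from the thread or any real carrier/bank):
layered defence against SIM-swap abuse of SMS confirmations.

Layer 1 (carrier): a freshly reissued SIM receives no SMS for 24 hours, and the
previous SIM is notified so the legitimate holder can react.
Layer 2 (bank): an SMS confirmation is refused whenever the carrier-reported SIM
identifier differs from the one the bank last verified for that number.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

SIM_QUARANTINE = timedelta(hours=24)  # carrier-side block on new SIMs (as described above)


@dataclass
class SimRecord:
    msisdn: str                      # phone number
    iccid: str                       # SIM card identifier reported by the carrier (constructed values)
    activated_at: datetime           # when this ICCID became active for the number
    previous_iccid: Optional[str] = None


@dataclass
class Carrier:
    """Constructed stand-in for a carrier honouring both mitigations."""
    sims: Dict[str, SimRecord]
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (iccid, text) actually delivered

    def current_iccid(self, msisdn: str) -> str:
        return self.sims[msisdn].iccid

    def reissue_sim(self, msisdn: str, new_iccid: str, now: datetime) -> None:
        """Move the number to a new SIM and warn the old SIM (which still receives SMS)."""
        old = self.sims[msisdn]
        self.sims[msisdn] = SimRecord(msisdn, new_iccid, now, previous_iccid=old.iccid)
        self.outbox.append((old.iccid, f"Number {msisdn} was moved to a new SIM; contact us if this was not you"))

    def deliver_sms(self, msisdn: str, text: str, now: datetime) -> bool:
        """Refuse delivery while the current SIM is inside the quarantine window."""
        sim = self.sims[msisdn]
        if now - sim.activated_at < SIM_QUARANTINE:
            return False
        self.outbox.append((sim.iccid, text))
        return True


@dataclass
class BankAccount:
    holder: str
    msisdn: str
    verified_iccid: str  # ICCID the bank last tied to this customer (e.g. after an ID check)

    def reverify_sim(self, carrier: Carrier) -> None:
        """Called only after the bank has re-identified the holder out of band."""
        self.verified_iccid = carrier.current_iccid(self.msisdn)


def confirm_via_sms(account: BankAccount, carrier: Carrier, otp: str, now: datetime) -> str:
    """Bank-side gate in front of an SMS one-time code. Returns a short outcome string."""
    if carrier.current_iccid(account.msisdn) != account.verified_iccid:
        return "blocked: sim reissued since last verification"
    if not carrier.deliver_sms(account.msisdn, f"Your confirmation code is {otp}", now):
        return "blocked: carrier quarantine"
    return "otp sent"


def demo() -> List[str]:
    """Walk through a constructed SIM-swap timeline and return the gate's decisions."""
    t0 = datetime(2019, 5, 20, 9, 0, tzinfo=timezone.utc)
    carrier = Carrier(sims={"+15550100": SimRecord("+15550100", "ICCID-OLD-0001", t0 - timedelta(days=400))})
    account = BankAccount(holder="holder", msisdn="+15550100", verified_iccid="ICCID-OLD-0001")
    results = []

    results.append(confirm_via_sms(account, carrier, "111111", t0))              # normal: otp sent
    carrier.reissue_sim("+15550100", "ICCID-NEW-0002", t0 + timedelta(hours=1))  # attacker obtains new SIM
    results.append(confirm_via_sms(account, carrier, "222222", t0 + timedelta(hours=2)))   # bank refuses
    account.reverify_sim(carrier)                                                 # holder re-identified out of band
    results.append(confirm_via_sms(account, carrier, "333333", t0 + timedelta(hours=2)))   # carrier still refuses
    results.append(confirm_via_sms(account, carrier, "444444", t0 + timedelta(hours=26)))  # quarantine over
    return results


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point of keeping the two checks separate is that they fail independently: the bank's ICCID comparison works even if the carrier has no quarantine, and the carrier's quarantine still holds while the bank is in the middle of re-verifying the customer. Note that the old SIM receives the reissue notice regardless of the bank's decision, which is what gives the real holder a window to act.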

------
js2
> In these cases, you might be better off creating a Google Voice phone number
> (which cannot be SIM ported) and using that as your 2-Factor Auth recovery
> number.

I hoped this too but someone commented to me recently that GV is not immune to
porting attacks:

[https://news.ycombinator.com/item?id=19886705](https://news.ycombinator.com/item?id=19886705)

------
forgotmypw
Coinbase's password reset delay is a great idea, but not as useful without
Coinbase indicating it in the UI for the current session.

------
dontbenebby
Seems like a "better than nothing" mitigation for sites that insist on SMS 2FA
is using a Google Voice number so the recovery # is 2FA protected.

Out of curiosity are there any decent free/cheap voip services that support
2FA aside from Google Voice? Using the same provider for email + recovery
codes makes me a little nervous.

------
chris_wot
I'm curious how difficult it would be to do this hack in Australia. Anyone
have any idea?

------
scurvy
I have access to all of this data for other people because they sign up for
services with the wrong email address (mine).

Tying all security to only an email is dumb for important services.

------
ashishb
Email services like Gmail should not treat all emails as identical. Some
emails, like changes in security settings (e.g. password reset, change in 2FA),
suspicious activity notifications from Google as well as 3rd parties, etc., are
more important than usual emails. Such critical emails should not be allowed
to be deleted by the user for a certain period of time, say 1 week. While it
might be annoying to see those emails lying around in your inbox, I would
prefer that over an attacker being able to clear their traces after taking
control of my account.

------
baybal2
Do not ever activate password recovery over SMS

------
chx
Yeah this is why I don't have mobile numbers on any of my accounts as a
recovery method.

------
narrator
Put your number in Google Voice and use two factor authentication. Unlike the
phone companies, Google actually has decent security.

------
hartator
It's why most 2FA implementations are BS. It's truly only that whoever has access
to your number or email can do whatever.

~~~
rando444
I wouldn't say it's BS. It's just not perfect.

The standard person today isn't capable of managing multiple secure tokens,
and actually keeping them separate.

One smashed phone, and truly secure accounts would be lost forever, or require
significant resources on the part of the provider to re-verify people's
identities.

------
tjpaudio
Federal laws and the protections/insurances a US bank provides would have you
without losses right now. Why do we want a decentralized currency again?

~~~
BlackRing
A non-federally controlled pseudo-anonymous currency similar to cash has the
positive upside of enabling digital privacy in spite of the blockchain. That's
why. There are still trustworthy tumbler services to obfuscate and hold your
bitcoins similar to a bank. And with what some claim, inarguably so, of
government overreach and corporate over-sharing of your personal data, it's
something I can sympathize with.

~~~
mAEStro-paNDa
Similar to a bank as in a guaranteed insurance of my funds, like the FDIC in
the US?

~~~
romwell
FDIC _is_ the government overreach the parent was talking about.

It's also a relatively new thing.

People who cry about government overreach seem to rarely ponder why it is
there in the first place. Well, TFA shows why.

~~~
hndamien
TFA?

~~~
romwell
The eFfing Article (as in RTFA, "read the effing article"). I.e. the thing
we're all discussing here.

~~~
hndamien
Thanks.

