
Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency - otterley
https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html
======
pmarreck
I submitted this apparently just after:
[https://news.ycombinator.com/item?id=15070199](https://news.ycombinator.com/item?id=15070199)

I got hacked a week ago in this exact fashion (I haven't tried to keep it a
secret that I was involved in Bitcoin earlyish-on). I don't think they were
able to get anything (largely because I am mostly out of the crypto space) but
please remove cellphone 2FA from all your online dealings and add something
like Google Authenticator instead (don't forget to print out, or at least
encrypt a PDF of, the backup codes!)

My mistake was LEAVING cellphone 2FA in there on my main Google account even
after I had activated Google Authenticator.

That was a mistake, because you can actually remove cellphone 2FA after adding
GA 2FA. Which you should do!

My 2nd mistake was using a dumb PIN on my cellphone account.

The cellphone companies could prevent this attack entirely by requiring in-
person (with ID) transfers of cellphone numbers to new hardware, at the store.
Given the infrequency that I would have to do that, the extra inconvenience is
acceptable.

After getting hacked and trying to move most of my online affairs to another
account still under my control, I noticed that Facebook has a "name 5 trusted
friends" feature which helps you regain access to an account after it's
compromised, which might be useful to others... only issue being that once my
private messaging and files are discovered (google drive :( ), the damage is
already done.

~~~
ikeboy
>The cellphone companies could prevent this attack entirely by requiring in-
person (with ID) transfers of cellphone numbers to new hardware, at the store.
Given the infrequency that I would have to do that, the extra inconvenience is
acceptable.

Fake IDs are cheap. This would not prevent a motivated attacker.

~~~
pmarreck
What do you suggest instead, then?

~~~
Frogolocalypse
Don't put enough crypto on your phone to matter, for one. I treat it as I would
treat my actual wallet.

I use an Electrum wallet on my desktop, and use one of the addresses in that
multi-address HD wallet as my hot wallet. I load that address on my Android
Electrum install. That way if I ever lose my phone, there isn't much on it,
and I can always move the funds using my desktop wallet if required.

But it does suck that it happened. Sorry to hear it.

------
davotoula
This was raised by Kraken back in November 2016. Shortly afterwards I removed
mobile phone as 2FA from all my accounts.

The simple fact is that I don't own my mobile number; the mobile operator
does. As such I should not use it as 2fa.

[https://blog.kraken.com/post/219/security-advisory-mobile-phones/](https://blog.kraken.com/post/219/security-advisory-mobile-phones/)

------
Tepix
Perhaps using a non-published extra phone number registered to someone else
(perhaps your child) can provide protection? It's security through obscurity
but with the phone number being the crucial piece of information, keeping it
secret will go a long way.

Of course the real fix would be to have better trained people working at the
call centers.

~~~
johnwaynedoe
The issue within the call centers is poorly enforced rules. If you have
several customers a day demanding something, eventually they just wear the reps
down. When management fails to enforce those rules, and angry customers keep
pushing, eventually the reps just do it. I've unfortunately seen/heard it more
times than I can count in call center environments. I believe they honestly
are trained well enough to know better; they just become apathetic. Not saying
it's right, it's just what I have witnessed. Within my call center I am looked
at as a stickler because I follow documentation to the T. It's sad that this
generally makes you an anomaly within a call center.

------
konceptz
It's nice to see this covered by The NY Times.

Cell phone account security issues are among my top personal "getting hacked"
fears.

------
derrickchen
Another huge looming problem: My emails were hacked recently with a fraudulent
domain transfer using a fake ID. This exposes other accounts that use emails
from the domain for recovery.

I lucked into some compelling evidence I'd like to share with any security
experts that would be able to help me.

------
hakanderyal
In Turkey, when you move your phone number, 2FA automatically gets locked (you
can't receive the code till you reactivate) for banks, requiring calling
customer service or visiting a branch to reactivate.

It would be nice to have a similar system for all kinds of 2FA solutions
involving cell phones.
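
A constructed Python sketch of the lock hakanderyal describes (added here; it is not code from the thread or from any carrier or bank): the SMS second factor is disabled the moment the carrier reports that the number moved, and only an out-of-band reactivation re-enables it. Account ids, numbers and timestamps are made up.

```python
# SIM-swap lock for SMS one-time codes (constructed example, not any
# carrier's or bank's code). Once a number moves to a new SIM/operator,
# SMS codes to it are refused until the holder re-activates out of band.
# Timestamps are Unix epoch seconds.
from dataclasses import dataclass


@dataclass
class PhoneFactor:
    number: str
    bound_at: int          # when the holder last proved control of the number
    locked: bool = False
    lock_reason: str = ""


class SmsCodePolicy:
    def __init__(self) -> None:
        self.factors: dict[str, PhoneFactor] = {}   # account id -> factor

    def bind(self, account: str, number: str, at: int) -> None:
        self.factors[account] = PhoneFactor(number, at)

    def on_port_event(self, number: str, at: int) -> list[str]:
        # Carrier signal that `number` changed SIM/operator at `at`;
        # lock every account whose binding predates the move.
        affected = []
        for acct, f in self.factors.items():
            if f.number == number and f.bound_at <= at and not f.locked:
                f.locked = True
                f.lock_reason = f"number moved at {at}"
                affected.append(acct)
        return affected

    def may_send_code(self, account: str) -> tuple[bool, str]:
        f = self.factors.get(account)
        if f is None:
            return False, "no phone factor enrolled"
        if f.locked:
            return False, "locked: " + f.lock_reason
        return True, "ok"

    def reactivate(self, account: str, at: int) -> None:
        # Only after the holder re-proves identity out of band (branch visit,
        # verified call-back); never reachable from the SMS channel itself.
        f = self.factors[account]
        f.locked = False
        f.lock_reason = ""
        f.bound_at = at
```

A port event older than the current binding is ignored, since the holder proved control of the number after it happened.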

------
pfarnsworth
The problem is that there is too much power in the hands of first level
support personnel. They should hand it off to a specialized team that is
extremely well trained to understand how to stop phishing. This should be
standard practice for all companies with customer support.

------
whipoodle
> _Accounts with banks and brokerage firms and the like are not as vulnerable
> to these attacks because these institutions can usually reverse unintended
> or malicious transactions if they are caught within a few days._

Ah, I see.

~~~
tetromino_
_Can_ but (in case of some banks) _won't_. As I have learned from a friend
who was a victim of debit card skimming and theft, with TD Bank failing to
block obviously out-of-character fraudulent transactions and refusing to
revert the fraudulent charges, and then charging fees for fraudulent overdraft
to add insult to injury.

~~~
whipoodle
Well shit, might as well put everything in a bitcoin wallet then.

~~~
ghostbrainalpha
On a USB stick. ($70) In a hand gun safe ($110), buried under a tree in the
backyard ($Priceless).

------
ikeboy
Why haven't any of these people losing six figures plus sued the phone company?
Even if it's a longshot, it's worth it for the chance of recovery.

~~~
reefoctopus
You can't sue them due to arbitration clauses.

~~~
ikeboy
So sue in arbitration.

------
qrbLPHiKpiux
Cell phones are the least secure devices. Although convenient, you can't
trade that for security. The public wants convenience.

