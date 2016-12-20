Hacker News
Hackers Have Stolen Millions of Dollars in Bitcoin Using Only Phone Numbers (forbes.com)
56 points by seventyhorses 2 hours ago | 53 comments





It's completely ridiculous for a service to offer 2FA with SMS and also password recovery via SMS to the same phone number. It sounds like that's how this guy got hacked. He was effectively using more like half-a-factor authentication. He probably didn't realize because his email service didn't clearly show him how it will grant access.

It would be great if online services showed a clear matrix of authentication methods so you can see which combinations are sufficient and necessary to access your account. Simply adding a 2nd factor is a bad idea because it means if you lose either one, you're locked out of your account, so you also need a 3rd factor to protect you from yourself. I personally have 4 factors for my gmail account - regular SMS 2FA, a friend's phone number for password recovery and paper backup codes. This way, I can lose almost any two factors and still have access. If I forget my password and also lose access to my friend's phone for password recovery, then perhaps I'll be in trouble but Google doesn't make it clear if they'll let you in using only your backup codes and 2nd factor phone number.

reply
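The "matrix of authentication methods" the comment asks for can be computed rather than eyeballed. This is an added example, not code from the thread or from any provider: account access is modelled as a list of paths (credential sets, each sufficient on its own), and the script finds the weakest path, checks what a phone-number takeover alone unlocks, and lists which pairs of lost credentials lock the owner out. The path definitions are assumptions constructed for illustration.

```python
from itertools import combinations

# Constructed model, not taken from the article: an access path is a set of
# credentials that together grant account access. Losing or having an attacker
# capture any one credential affects every path that contains it.
SMS_LOGIN_AND_SMS_RECOVERY = [
    frozenset({"password", "sms_code"}),  # ordinary 2FA login
    frozenset({"sms_code"}),              # "forgot password" reset via SMS
]
# The commenter's layered Gmail setup, as assumed here: recovery through the
# friend's number replaces the password but still requires a second factor.
LAYERED = [
    frozenset({"password", "sms_code"}),
    frozenset({"password", "backup_code"}),
    frozenset({"friend_phone", "sms_code"}),
    frozenset({"friend_phone", "backup_code"}),
]
# A SIM swap hands the attacker everything delivered to the victim's number.
HELD_AFTER_SIM_SWAP = frozenset({"sms_code"})

def grants_access(paths, held):
    """True if the credentials in `held` satisfy at least one path."""
    return any(path <= held for path in paths)

def weakest_path(paths):
    """The smallest credential set that is sufficient on its own."""
    return min(paths, key=len)

def lockouts(paths, k):
    """Every k-subset of credentials whose loss leaves no usable path."""
    creds = frozenset().union(*paths)
    return {frozenset(lost) for lost in combinations(sorted(creds), k)
            if not grants_access(paths, creds - frozenset(lost))}

def loss_tolerance(paths):
    """Largest k such that losing ANY k credentials still leaves a path."""
    creds = frozenset().union(*paths)
    for k in range(1, len(creds) + 1):
        if lockouts(paths, k):
            return k - 1
    return len(creds)

if __name__ == "__main__":
    print(weakest_path(SMS_LOGIN_AND_SMS_RECOVERY))  # the "half factor"
    print(grants_access(SMS_LOGIN_AND_SMS_RECOVERY, HELD_AFTER_SIM_SWAP))
    print(grants_access(LAYERED, HELD_AFTER_SIM_SWAP))
    print(loss_tolerance(LAYERED), lockouts(LAYERED, 2))
```

For the SMS-recovery model the weakest path is the SMS code alone, so whoever controls the number is in; for the layered model only two specific pairs of losses (password plus friend's phone, or both second factors) lock the owner out.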


I thought the story sounded familiar: Jered Kenna, this story's lead, claimed to have lost 800 BTC in 2013 (1)

That story got him quite significant press at the time, I found thousands of deviations of the original Bloomberg story - people LOVE the "darwin award" story category.

I was going to crack a joke about this being a Paul Graham submarine strategy (2) but it's just too sad and I believe him, 2FA is a mess.

(1) https://www.bloomberg.com/news/articles/2013-04-10/meet-the-...

(2) http://paulgraham.com/submarine.html

reply


It's a shame that 2FA is often implemented via insecure SMS.

The apps are actually more secure.

reply


I agree, but it's worse than that, with SMS widely used for account recovery.

> But 2FA via SMS is ubiquitous because of its ease of use. “Not everyone is running around with a smartphone. Some people still have dumb phones,” says Android security researcher Jon Sawyer. “If Google cut off 2FA via SMS, then everybody with a dumb phone would have no two-factor at all. So what’s worse — no two-factor or two-factor that is getting hacked?”

The thing is, SMS is worse than a reasonably good password. So it's a bit annoying that Google strongly encourages me to register my phone number with my gmail account for recovery.

And many services, including Google, make it difficult or impossible to enable TOTP without first registering a phone number. They really really push the SMS route. Brings up the average security level for the average person, I'm sure. Very annoying for me.

reply


Not only dumb phones, but all regular Android users in China. They don't have the Play store app on their phones and can't sideload it because it's not a simple apk file. Even if they managed to hack that, it's blocked through the great firewall anyway. Whatever Android 2FA app an email service used would probably only be available via the Play store and thus cut off all Chinese users, and even people from China who moved to another country and brought their old phone with them.

reply


This is interesting to me, as I live in an area with no mobile reception.

So (for me) it's a real PITA when places require a mobile phone number and there's no way to skip it. Obviously, can't use those services.

Does anyone know if Google Authenticator would run on a wifi iPad? As a potential workaround for the "no mobile network" situation.

reply


It should require no connectivity at all, so yes.

reply


Coinbase offers FULL digital currency insurance against theft, underwritten via a Lloyds of London Syndicate:

http://www.coindesk.com/facebooks-ben-davenport-leaves-bitco...

Lloyds isn't getting involved unless they have an incredibly high degree of satisfaction in security processes; in fact they stripped Elliptic of their first ever "vault" insurance shortly after awarding it, claiming they didn't like the "publicity".

http://www.coindesk.com/lloyds-back-bitcoin-insurance-deal-e...

reply


If you use coinbase, you don't own your bitcoins. Coinbase does, and they pinkie promise to give them back when you ask.

Get a mobile wallet like Mycelium. It's very simple, and you back up your wallet forever with a short string of words. You also retain control of your private keys.

reply


Pretty insane he was making 50 BTC from mining in a day... he must've had a sizable sum.

I really do not condone ripping people off or hacking but I have to admire the tenacity of these hackers, nothing is out of bounds, every opportunity to steal or rip people off is a naked call option where only their time is the currency that can be lost with a failed heist.

It's the new bank robbers of our age, but without films or Hollywood glamourizing it (yet), the same bank robbers.

Crime does pay, but it's a shame smart talent is being used to destroy, not build. We can't point fingers at specific regions or countries with a depressed economy and expect them to find honest work; it may not exist there when government corruption has already robbed their citizens of the livelihood they were owed. This is not a justification for criminal action but a mere observation of the structural environment giving rise to such behaviours.

reply


This story was interesting: http://www.bbc.com/news/magazine-37735369

I don't see how to stop it though. For areas of the world with few economic opportunities, and little resources to chase you...the risk/reward profile is just too tempting.

reply


Bizarre and an extremely brutal way of extorting money from people. The mob used to ask for protection money; if you refused, they'd fuck your store up.

But this is just fucked up and repulsive. It's sad how poverty can dehumanize people into doing inhuman things for money.

reply


I remember reading online that to bait the Valve Half-Life 2 leaker/hacker into coming to the US for the authorities to capture, Valve sent the hacker a phoney job offer. At the end of the day, all these smart tech workers want is to get paid for their skills.

https://www.wired.com/2008/11/valve-tricked-h/

https://arstechnica.com/gaming/2016/06/what-drove-one-half-l... (better story)

reply


Man, I really got a new perspective on Gabe. Blatantly deceiving the German guy to cause tremendous harm to his life by colluding with the Gestapo, even when Half-Life 2 was a tremendous success and none of his precious monies were lost in the process; in fact the leak only raised the profile of Half-Life 2, resulting in more sales.

I definitely won't be buying Half Life 3.

TIL Gabe Newell is actually very narrow minded and not a nice guy. Hacking and leaking is also bad but it's not clear that the action led to losses when Half Life 2 was a phenomenal success. It's the deceptive tactic of pretending to offer an olive branch and going back on your word. He should be fucking ashamed of himself.

reply


For the hacker types there are things like bug bounty programs where they could make money in a legitimate way. The story I linked to though is just regular extortion artists with no discernible skills. I'm not sure how you address that.

reply


This is why I would never store any substantial amount of bitcoin on ANY online service, no matter how good their reputation for security.

If the amount is above say, $500 or so, it should be stored in something like a Trezor, where only you have the keys to access it.

reply


Related, but not directly to the article:

This post [1] from Kraken covers how to protect yourself from this kind of attack. It's quite thorough. Interesting even if this isn't a concern for you directly.

1 - http://blog.kraken.com/post/153209105847/security-advisory-m...

reply


> http://blog.kraken.com/post/153209105847/security-advisory-m...

A 40-step instruction "how to make your google account secure" as a proof of the sad state of internet security. No way my parents can do it.

reply


Never attach a cold wallet to an online machine. Sign transactions offline and transfer them to an online machine for uploading.

reply


I know hindsight is 20/20, but with a wallet that valuable, it would have been prudent to split that into smaller encrypted wallets of, say, $1000 apiece, and only mount what was necessary (partition the external HD).

reply


So banks come in handy after all.

I regularly get aggravated about the sensitivity of my bank's fraud screening. I have to call them constantly just to spend my money. But, I am at least reassured about how difficult it is to siphon money from the account.

reply


TLDR, don't bind anything valuable to a phone number. If a service wants you to, pick an alternative.

reply


> Windows account, which was the key to his PC.

The Windows 10 experience

reply


Yeah that part was hard to read.

But Macs work similarly IIRC; if someone has access to your iCloud account, they own your machine as well.

I think this is more of a comment on the cloud-centric-everything-must-live-in-the-cloud-now mentality than anything else.

reply


Of course, macOS and Windows 10 both still give you the option of creating user accounts independent of an Apple ID or MS account, which is what I do on my macOS and Windows 10 systems.

But there's good reason these OSes tie local logins to online accounts. The average user is more likely to get frustrated forgetting or not understanding why their email password is not their login password, than the (comparatively) rare scenario that someone will compromise the one-account-to-rule-them-all and wreck all their data. My grandmother confuses her Gmail login with every other online account because they all use the email address as a username.

Also, I'm continually amazed how little normal people care about the data on their computers. I still have all my files from when I was 5 years old on my main machine, but most people only care about bringing over whatever they're currently working on when they get a new machine.

reply


Why would you go through the rigmarole of encrypting something if it can be undone with a text message?

If you want to store Bitcoin, use (in order of preference) a reasonably secure computer (not an obviously poorly secured windows machine), a secure cell phone (not a $50 backdoored Chinese android phone), or a hardware wallet. Don't use cloud services, web wallets, or anything else that very obviously sucks from a security perspective.

I would be more than willing to trust, say, $50,000 in Bitcoin to an iPhone with a good passcode, running an SPV wallet. Above that and you probably ought to put in the modest investment for a hardware solution.

reply


I hate the forbes.com website, but a great story. Guy's phone number got hijacked, then they reset his other accounts by sending codes to his phone number on file. Maybe we need 3FA?

reply


I still don't understand how jacking his phone yielded his wallet password.

reply


Seems like he was very much targeted. Someone knew this guy and knew he had a LOT of bitcoin. If they actually remoted into his computer, waited until he mounted some external drive with the wallet and then acted. It's clear this was a targeted act. Poor guy.

reply


One of the accounts that ended up being compromised using his compromised email accounts was his Microsoft account, which he used to log in to Windows 10. Presumably the attackers were able to connect remotely, or maybe download his files out of the cloud, or something. They had the keys to the kingdom.

reply


That's the WTF for me here. I don't store anything valuable on the Windows 8 PC I run at home, but when I set it up, I remember feeling quite uneasy about the way the Microsoft account and the local user login apparently are one and the same. I assumed that surely it's just convenience and gaining access to the MS account isn't sufficient to give access to my PC - that would be insane, right?

Is this being reported correctly? This sounds completely nuts.

reply


You can create a local account independent of the MS network, they just make that option partially obscured.

reply


Changed my user account to local just now. Good thing I always assumed this computer is a sieve. I still have a hard time believing every single modern Windows OS is essentially intentionally backdoored. That's just completely, incredibly unacceptable.

reply


Could a Yubikey have prevented it?

reply


Anyway, the wallet was password protected. Still don't get it.

reply


From what the article said, I understood the hard drive the wallet was on was encrypted. Once mounted, the wallet would be accessible to anyone with login access to the OS.

reply


If you have access to the machine you can install a keylogger.

reply


The article says his password was 30 characters long. But maybe it still wasn't a strong password. Weak ones can be brute-forced pretty easily.

reply


If they knew what they had there (and the balance of the wallet was in the blockchain, so they probably knew exactly who they were targeting here), you could throw an awful lot of resources at brute-forcing the password. (Let's face it, they had this guy's bank accounts and PayPal. I wonder how much of his own money they spent on AWS cracking his wallet password?)

reply


What if the wallet was actually liquid in one of the online bitcoin banks which the browser helpfully logged them in as?

reply


Many (most?) of the online wallets have 2-factor auth, though maybe that wouldn't come into play if the login appeared to be coming from a familiar computer.

reply


The word hacker is giving me an identity crisis every time a headline like this comes out.

http://blog.ikura.co/posts/dear-mainstream-media.html

reply


That battle was lost years ago.

reply


When you consider the array of different exploits the thieves had to use to steal this guy's bitcoins, I think that this is a rare case where they are accurately described as hackers. But in the more common cases, such as Podesta's email account getting spearphished, you're correct that calling the perpetrators hackers is an insult to hackers.

reply


Couldn't somebody make a phone company with better security? It seems stories about accounts being stolen via the phone company as weak link have been around for several years now.

reply


Why would you want to trust the phone company? This is a solved problem, use IP and SSL. Of course you can't implement the really dumb "half factor" SMS authentication this way (because it's shown for what it is.)

reply


This is of course why bitcoin is a bad choice for most people, except for beer money amounts. Despite a lot of security precautions from a savvy user, someone made off with this stash.

Shame he didn't keep them in an exchange. Oh wait...

I always thought had I got in early in bitcoin I'd plan to sell off in tranches at $1, $10, $100 value etc. Then at least when the coins get stolen or worthless I'd have something to show for it.

My prediction: Bitcoin will become worthless in the long term once the crypto is cracked by mathematics, a backdoor or quantum computing.

reply


Bitcoin is secured by relatively simple algorithms, mostly relying on the SHA-256 hash. If this is broken, the internet has far bigger problems than bitcoin becoming worthless.

reply


A $60 hardware wallet does a good job protecting larger amounts.

reply


Quantum computing doesn't provide speedups for hash algorithms, generally. It breaks public key cryptosystems based on factoring and discrete logs.

reply


> This is of course why bitcoin is a bad choice for most people, except for beer money amounts.

It places users in the position of either having to provide their own bank-level security, or to leave their bitcoin with a BTC bank (the exchanges). The latter has had a few issues.

reply


I am going to coin the term "Bitcoin Rodeo".

It refers to the fact that people get rich from bitcoin if they don't fall off their bull by:

Losing their coins e.g. forgetting a password, throwing away a laptop.

Having their coins hacked from their computer by a Trojan or the mentioned attack.

An exchange loses them or shuts down.

Due to greed you wait it out and bitcoin plummets to zero.

Due to greed you day trade your stash into the ground.

Due to fear you sold your 1000 BTC at $10 each back in the day.

Etc.

reply


And this is why Bitcoin is doomed to fail as a genuine currency. Imagine if your bank said they had lost your money and tough luck on you. Or your bank emails you to say they have been hacked and all your money is gone. Or the bank just disappears offline and your money is gone. Or you forget a password and so your bank says sorry, but that means all your money is gone forever.

Great system.

reply

