Published on November 9th, 2019
He Thought His Phone Was Secure; Then He Lost $24 Million to Hackers
The first hint that Mr. Terpin was about to have his digital life turned upside down—and lose a cryptocurrency windfall potentially valued at $24 million—seemed like an unremarkable annoyance. His mobile phone lost its signal.
But Mr. Terpin wasn’t driving between cell towers. He was working at a desk in his Las Vegas home. Way off in Norwich, Conn., someone had just taken over his phone number.
Within minutes, the hackers began trying to take over his Gmail accounts, using Google’s “Forgot password?” account reset feature. With access to his phone number and email, they were quickly able to steal millions in cryptocurrency from digital wallets Mr. Terpin believed to be secure.
Online, phone numbers have slowly been taking over from passwords as our last line of defense against digital intrusions. As it has become clear that passwords alone don’t keep users secure, technology companies have been pushing an alternative: what they call a second factor of authentication. Most of the time, this second factor is a text message to a user’s mobile phone.
This past May, Google released research showing that by adding a phone number, users could block most types of attacks on their accounts.
Security researchers agree that for most people, adding text-message authentication is a big step up from using a password alone. But Google also said that while a phone number as a security layer stopped most targeted attacks, about a third of them still succeeded against users who had added one.
That is partly because of SIM swapping, a relatively new attack in which criminals steal a victim’s phone number. It is what undid Mr. Terpin; and it is how hackers were able to post racist and anti-Semitic tweets to the feed of Mr. Dorsey, Twitter’s chief executive.
The odds of someone being hit with a SIM-swapping attack are infinitesimal, but the people who investigate these attacks consider them some of the most harmful they have ever seen. In its rush to jury-rig the mobile phone to fix the glaring problems with password security, the tech industry might have created another long-term risk.
Even before Mr. Dorsey’s incident, law-enforcement agencies across the country had been seeing a rise in SIM-swapping complaints, and the attackers are getting better organized and more adept at covering their tracks, said Mr. Selby, director of cyber intelligence at the New York City Police Department.
SIM swappers can operate with surgical precision. Within minutes of breaking into a victim’s Gmail account, they will scour through old email messages looking for any evidence of financial accounts—cryptocurrency accounts for sure, but also social media, bank accounts and even IRAs, Mr. Selby said. In New York, the NYPD is now seeing victims whose online bank accounts were compromised.
“The speed in which this can happen is astounding,” he said.
To get your number, criminals pretend to be you. They might bribe employees, or walk into retail outlets with a fake identity card or enough stolen data to trick the carrier into putting your number on a new phone. (The term “SIM swap” refers to the “subscriber identity module,” the small chip that identifies your phone to the carrier’s network. The swap moves your number onto a SIM the attacker controls, so they never need to touch your handset.)
In May, federal authorities charged two former wireless-carrier contract employees, saying criminals paid them between $50 and $150 per SIM swap. Authorities say they performed 41 SIM swaps for a group of identity thieves that called themselves “the Community.” A third man, who worked at Verizon, allegedly received $3,500 to provide SIM swappers with the inside information needed to answer security questions designed to protect user accounts, prosecutors said. Verizon said it had fired the former employee and is working with law enforcement on the investigation.
With your phone number under their control, the SIM swappers use the “Forgot my password” tool in various popular online services to take over online accounts. Gmail is usually first, because Google will typically let you reset a password if you control the associated phone number.
Once inside a Gmail account, the criminals lock you out. That means switching Google security settings so that the account can no longer be reset via text message when you finally do recover your number. (Carriers can often restore your service in as little as an hour.) Instead, the crooks enroll Authenticator, a slick mobile app built by Google itself, on a phone they control. The app generates one-time codes from a secret stored only on that device, so it owes nothing to the carrier: even after you recover your phone number, you can still be locked out of your Gmail.
The attack is “super dead simple,” said Ms. Nixon, a researcher with the cybersecurity firm Flashpoint.
Back in 2013, online gamers pioneered SIM swapping as a way of stealing prestigious Twitter and Instagram accounts. Sometimes they would do this for laughs, sometimes for money, Ms. Nixon said. By 2016, some realized that they could make big money by targeting cryptocurrency enthusiasts, who were often big holders of digital cash.
Mr. Terpin, a cryptocurrency investor and marketer, was hit on Jan. 7, 2018, at the height of bitcoin mania. The thieves stole some lesser-known cryptocurrencies from him, which they quickly traded for about 1,500 bitcoins. At the time, the booty was ostensibly valued at $24 million.
Here is the really scary part: Mr. Terpin had been SIM-swapped seven months earlier. He got lucky and didn’t lose any money that time, but had taken serious steps to prevent it from happening again. He had consulted with security professionals. He had gone to an AT&T store and added a security feature to his account that required a secret six-digit PIN to make any changes. He removed text-message authentication where he could, replacing it with Google Authenticator.
Mr. Terpin believes employees at an AT&T authorized dealer handed hackers control of his phone number, and those hackers found a way into his digital wallets by breaking into accounts of his that couldn’t be protected by Authenticator.
“On a scale of 1 to 10, I’d say my security protections were a 9.8 or higher,” he said. “But these hackers, all they do is they sit around in a basement and figure out ways of hacking people.”
“It is unfortunate that Mr. Terpin experienced this, but we dispute his allegations,” an AT&T spokesman said in an email message. (The company didn’t say which specific allegations it disputed.) The company is working with law enforcement, industry partners and consumers to combat SIM swapping, he said.
SIM swapping can cost millions, but it is also a deeply personal attack. Investigators with the Regional Enforcement Allied Computer Team (REACT), a law-enforcement task force in Santa Clara County, said they know of more than 3,000 victims, accounting for $70 million in losses nationwide. Most of those victims were holding cryptocurrency, said Ms. West, a deputy district attorney with the county, but these investigators have also seen SIM swapping used to gather compromising photos for extortion and blackmail, she said.
Victims are often too embarrassed to pursue charges, Ms. West said. “You’re accessing everything about them. You’re accessing their emails of their kids’ soccer games, but also the dispute they had with their sister about their mom’s inheritance,” she said. “It’s a hideous violation of privacy.”
Meanwhile, phone carriers are getting better at flagging warning signs and putting holds on accounts that might be at risk, the NYPD’s Mr. Selby said. But some carriers are better at this than others, he said, and he doesn’t think they can stop it outright.
“What is easier to do is to protect the accounts that are the ultimate target,” he said. “You want to protect your accounts from being able to be reset simply because somebody has your phone number.”
Here’s How to Protect Yourself
Getting to the heart of SIM swapping means understanding the different ways your accounts can be recovered when you forget your password. The harder you make things for the SIM swappers, the harder it is going to be for you when you lose your phone or forget your password, so plan how you will recover before you lock things down. These steps trade some convenience for a much smaller attack surface.
• Call your carrier and add a passcode on your mobile-phone account, and save that passcode somewhere you won’t lose it. (If you are paranoid, call your carrier afterward and see whether you can get into your account without it; if you can, so can an attacker.) AT&T calls its version “extra security.”
• Get a password manager like Dashlane and make sure you are using different passwords for your different accounts.
• Try out the “Forgot my password” option on your important accounts and see how they work. You are likely to find that many important accounts—bank accounts for example—can be reset with little more than access to your email, so lock that down first.
• If you want to add an additional factor, try a security key such as a Yubikey or Google’s Titan. Many online services, SquareSpace among them, have added support for them, which you can generally find in the security settings.
• Once you have a good second factor in place (such as Google’s Authenticator app or a security key), turn off SMS authentication wherever possible. This is a tricky step, since it is hard to recover if you lose your phone or security key, and not all online services will let you. But if they do, it will be in your account’s security settings; Google and Microsoft both expose it there. One caveat: turning off SMS as a second factor is not the same as removing your phone number from the account. On Google, a recovery phone left in place can still be used in the account-recovery flow, so remove that as well.
• If you are a high-net-worth individual and want to really lock down your account, you can enroll in Google’s free Advanced Protection program, which requires a security key to sign in. Just make sure that you have several security keys so you don’t get locked out permanently.
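To make the reasoning behind the attack chain and these steps concrete, here is an added Python example (not code from the article, from Google, or from any carrier it names) that models account-recovery rules as a directed graph and computes what an attacker holding your phone number can reach. The service names, the three rule sets and the recovery rules are constructed assumptions, not a description of any real provider’s policy; the point is the method: write down every “reset with X” path your accounts accept, then check whether your most valuable accounts are reachable from the phone number alone.

```python
"""Recovery-path audit: which accounts fall if an attacker controls one asset?

Added example, not code from the article or from any provider it names.
Each graph edge a -> b means "whoever controls a can reset or sign in to b".
All service names and rules below are constructed assumptions.
"""
from collections import deque

# Default setup: Gmail is recoverable by SMS code, and everything else
# is recoverable by a reset link sent to Gmail.
SMS_RECOVERY = {
    "carrier_account": ["phone_number"],          # SIM swap moves the number
    "phone_number": ["gmail"],                    # "Forgot password?" via SMS
    "gmail": ["bank", "exchange", "twitter"],     # reset links land in email
    "exchange": ["crypto_wallet"],                # exchange login drains wallet
}

# Hardened setup: SMS removed from Gmail entirely (both second factor and
# recovery phone); a FIDO security key is the only second factor.
HARDENED = {
    "carrier_account": ["phone_number"],
    "phone_number": [],
    "security_key": ["gmail"],
    "gmail": ["bank", "exchange", "twitter"],
    "exchange": ["crypto_wallet"],
}

# Partially hardened: Gmail is locked down, but the bank still lets a
# caller reset a password with a code texted to the phone on file.
PARTIAL = {
    "carrier_account": ["phone_number"],
    "phone_number": ["bank"],
    "security_key": ["gmail"],
    "gmail": ["exchange", "twitter"],
    "exchange": ["crypto_wallet"],
}


def reachable(graph, start):
    """Every asset an attacker who already holds `start` can take over (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def path_to(graph, start, target):
    """One shortest takeover chain from `start` to `target`, or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def audit(graph, attacker_holds="phone_number",
          crown_jewels=("crypto_wallet", "bank")):
    """Map each exposed crown-jewel account to the chain that reaches it."""
    exposed = reachable(graph, attacker_holds)
    return {asset: path_to(graph, attacker_holds, asset)
            for asset in crown_jewels if asset in exposed}


if __name__ == "__main__":
    for label, graph in (("SMS recovery", SMS_RECOVERY),
                         ("hardened", HARDENED),
                         ("partial", PARTIAL)):
        result = audit(graph)
        print(f"{label:13s}: {result or 'nothing reachable from phone_number'}")
```

The SMS_RECOVERY graph reproduces the chain the article describes (number, then Gmail, then every account that resets by email). The PARTIAL graph is the situation Mr. Terpin describes: Gmail itself was hardened, but an account that could still be reset with nothing more than the phone number stayed one hop away from the SIM swapper. Running the audit after each change in your security settings is the practical version of the advice above to try the “Forgot my password” flow yourself.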
Write to Robert McMillan at Robert.Mcmillan@wsj.com
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved.