In recent months, there has been a trend of cyberattacks against venture capitalists, entrepreneurs and tech developers, and others who may be likely to hold bitcoin. Bitcoin is sometimes preferred by bad actors, because of the irreversibility of a bitcoin transaction. This is a positive attribute for a merchant who doesn’t want a sale to be reversed (as with a chargeback), but a definite negative for stopping the illegitimate transfer of assets.
The hackers operate by taking control of the targeted individual's phone number, and they can use it against anyone who has linked their phone number for security purposes to any of a number of services, including PayPal, iCloud, and Dropbox.
The hackers use two-factor authentication to their advantage, getting a security code sent to the mobile number they have taken control of. They can then use this code to gain access to customer accounts.
The potential vulnerability of two-factor authentication has led the National Institute of Standards and Technology (NIST) to discourage the use of SMS-based authentication. A NIST document stated: “It’s not just the vulnerability of someone stealing your phone, it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.”
In addition, NIST senior standards and technology officer Paul Grassi said that SMS verification, “never really proved possession of a phone because you can forward your text messages or get them on email or on your Verizon website with just a password. It really wasn’t proving that second factor.”
The FTC received 1,038 reports of these hacks in January 2013, representing 3.2 percent of all identity theft reports in that month. By January 2016, the total number of incidents had reached 2,658, or 6.3 percent of identity theft reports.
According to Forbes, Coinbase estimated that the number of cases doubled from November to December among its customers.
Read more about the cyberattacks at Forbes.com.
Laura Shin at Forbes has published a list of recommendations for consumers to protect their data from the phone number scam. Read her full article here.
Shin offers the following recommendations:
1. Make sure your phone account has a password or passcode. However, if the hacker gets a customer service representative who is lenient on security, this may not be enough.
2. Use a separate email address just for your mobile carrier. This minimizes the risk to your main email address should your phone number be compromised; an account that is used for multiple sensitive websites (such as banking) in addition to your phone carrier could lead to the hacker accessing those accounts as well.
3. Disable online access to your mobile account. This means you will have to go into a store or call a hotline in order to manage your account, but it removes one way a hacker can access your information.
4. Alternatively, you can specify to your mobile carrier that changes to your account can only be made in person with a photo ID.
5. Try Google Voice or another service with an option to “freeze” transfers of your phone number to another device. According to Shin, Google Voice is the only service available now with this function. By default, Google Voice numbers are “locked” to a specific user.
None of these methods is foolproof, but each presents a further hurdle for hackers and other bad actors. Much like bars on your windows or a security system aren't 100 percent effective in deterring a burglar, they still provide enough obstacles that a bad actor may move on to the next person. Laura Shin also offered advice on how to secure all online accounts. Her recommendations are:
1. Create passwords that are harder to guess. This includes using plenty of symbols and various alphanumerics, as well as considering a password manager that creates a random, hard-to-guess password.
2. Mix up your security questions (and answers). Don’t use the same questions on all your accounts, and don’t necessarily use the correct answers all of the time.
3. Do not connect your main phone number (unless it has a “port freeze” courtesy of Google Voice) to any sensitive accounts (such as online banking).
4. Use a one-time passcode generator, such as Google Authenticator. This gives you a new, temporary passcode to use when logging in (Facebook, Twitter, Dropbox, and a few others offer this as a security option).
5. Use a physical security key device. These work with a USB port or by Bluetooth.
6. Use a device with biometric authentication, such as a fingerprint scanner. What you are (a biometric characteristic) is much harder to steal than what you know (a password).
Read Laura Shin’s full article for Forbes giving more detail about the above security methods, here.