Hackers hijack mobile phone numbers to grab e-wallets

In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile US, Sprint and AT&T and asking them to transfer control of a victim's phone number to a device under the control of the hackers.
In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile US, Sprint and AT&T and asking them to transfer control of a victim's phone number to a device under the control of the hackers.PHOTO: BLOOMBERG

NEW YORK (NYTIMES) - Hackers have discovered that one of the most central elements of online security - the mobile phone number - is also one of the easiest to steal.

In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile US, Sprint and AT&T and asking them to transfer control of a victim's phone number to a device under the control of the hackers.

Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup - as services like Google, Twitter and Facebook suggest.

"My iPad restarted, my phone restarted and my computer restarted, and that's when I got the cold sweat and was like, 'OK, this is really serious,'" said Mr Chris Burniske, a virtual currency investor who lost control of his phone number late last year.

A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission.

The commission's own data shows that the number of phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.

But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr Burniske.

Within minutes of getting control of Mr Burniske's phone, his attackers had changed the password on his virtual currency wallet and drained the contents - some US$150,000 (S$204,120) at today's values.

Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimised in recent months.

"Everybody I know in the cryptocurrency space has gotten their phone number stolen," said bitcoin entrepreneur Joby Weeks.

Mr Weeks lost his phone number and about US$1 million worth of virtual currency late last year, despite having asked his mobile phone provider for additional security after his wife and parents lost control of their phone numbers.

The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. And virtual currency transactions are designed to be irreversible.

Accounts with banks and brokerage firms and the like are not as vulnerable to these attacks because these institutions can usually reverse unintended or malicious transactions if they are caught within a few days.

But the attacks are exposing a vulnerability that could be exploited against almost anyone with valuable emails or other digital files - including politicians, activists and journalists.

Last year, hackers took over the Twitter account of Mr DeRay Mckesson, a leader of the Black Lives Matter movement, by first getting his phone number.

In a number of cases involving digital money aficionados, the attackers have held e-mail files for ransom - threatening to release naked pictures in one case, and details of a victim's sexual fetishes in another.

The vulnerability of even sophisticated programmers and security experts to these attacks sets an unsettling precedent for when the assailants go after less technologically savvy victims. S

Security experts worry that these types of attacks will become more widespread if mobile phone operators do not make significant changes to their security procedures.

"It's really highlighting the insecurity of using any kind of telephone-based security," said Mr Michael Perklin, chief information security officer at the virtual currency exchange ShapeShift, which has seen many of its employees and customers attacked.

Mobile phone carriers have said they are taking steps to head off the attacks by making it possible to add more complex personal identification numbers, or PINs, to accounts, among other steps.

But these measures have not been enough to stop the spread and success of the culprits.

After a first wave of phone porting attacks on the virtual currency community last winter, which was reported by Forbes, their frequency appears to have ticked up, Mr Perklin and other security experts said.

In several recent cases, the hackers have commandeered phone numbers even when the victims knew they were under attack and alerted their mobile phone provider.

Mr Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone.

But just a day later, he said, the attacker persuaded a different Verizon agent to change his number without requiring the new PIN.

A spokesman for Verizon, Mr Richard Young, said that the company could not comment on specific cases, but that phone porting was not common.

"While we work diligently to ensure customer accounts remain secure, on occasion there are instances where automated processes or human performance falls short," he said. "We strive to correct these issues quickly and look for additional ways to improve security."

Mr Perklin and other people who have investigated recent hacks said the assailants generally succeeded by delivering sob stories about an emergency that required the phone number to be moved to a new device - and by trying multiple times until a gullible agent was found.

"These guys will sit and call 600 times before they get through and get an agent on the line that's an idiot," Mr Weeks said.

Coinbase, one of the most widely used bitcoin wallets, has encouraged customers to disconnect their mobile phones from their Coinbase accounts.

But some customers who have lost money have said the companies need to take more steps by doing things like delaying transfers from accounts on which the password was recently changed.

"Coinbase looks like a bank, stores millions of dollars like a bank, but you don't realise how weak its default protections are until you are robbed of thousands of dollars in minutes," said virtual reality developer Cody Brown, who was hacked in May.