27 comments

[ 3.4 ms ] story [ 64.9 ms ] thread
(comment deleted)
It's nice to see this covered by The NY Times.

Cell phone account security issues are among my top personal "getting hacked" fears.

Perhaps using a non-published extra phone number registered to someone else (perhaps your child) can provide protection? It's security through obscurity but with the phone number being the crucial piece of information, keeping it secret will go a long way.

Of course the real fix would be to have better trained people working at the call centers.

The issue within the call centers are poorly enforced rules. If you have several customers a day demanding something eventually they just wear the reps down. When management fails to enforce those rules, and angry customers keep pushing, eventually the reps just do it. I've unfortunately seen/heard it more times than I can count in call center environments. I believe they honestly are trained well enough to know better, they just become apathetic. Not saying its right, its just what I have witnessed. Within my call center I am looked at as a stickler because I follow documentation to the T. It's sad that this generally makes you an anomaly within a call center.
I submitted this apparently just after: https://news.ycombinator.com/item?id=15070199

I got hacked a week ago in this exact fashion (I haven't tried to keep it a secret that I was involved in Bitcoin earlyish-on). I don't think they were able to get anything (largely because I am mostly out of the crypto space) but please remove cellphone 2FA from all your online dealings and add something like Google Authenticator instead (don't forget to print out, or at least encrypt a PDF of, the backup codes!)

My mistake was LEAVING cellphone 2FA in there on my main Google account even after I had activated Google Authenticator.

That was a mistake, because you can actually remove cellphone 2FA after adding GA 2FA. Which you should do!

My 2nd mistake was using a dumb PIN on my cellphone account.

The cellphone companies could prevent this attack entirely by requiring in-person (with ID) transfers of cellphone numbers to new hardware, at the store. Given the infrequency that I would have to do that, the extra inconvenience is acceptable.

After getting hacked and trying to move most of my online affairs to another account still under my control, I noticed that Facebook has a "name 5 trusted friends" feature which helps you regain access to an account after it's compromised, which might be useful to others... only issue being that once my private messaging and files are discovered (google drive :( ), the damage is already done.

Those "two-factor" authentication often turn out to be one factor in reality - for some time, knowing your phone was the only thing needed on Gmail to initiate password recovery with banal questions. This is how an attempted hack of British MPs was done (a Russian cellphone operator rerouted their phones using a roaming request, while KGB guys were trying to pound password recovery on MPs' private mailboxes)

The same password recovery vulnurability was present on Facebook for some time as well

Is having Project Fi (Google as the carrier) safer?
Yes, according to Kraken. "Consider switching to a more secure telco, without a human interface. Google Fi: no phone support agents, no physical locations, no problems."

https://blog.kraken.com/post/219/security-advisory-mobile-ph...

That's very interesting. I've looked at Google's lack of human support as a bug in the past, but when Google is used to protect currency that could be a feature.
Google Fi actually has great support. When I ported a number over to them, I had several issues and each time I called, they were able to help and I was always connected to someone instantly. That was a year ago.
I have no experience with them. From Kraken's perspective, human support is a negative; it's just an opportunity for a clueless rep to hand your account to a hacker.
>The cellphone companies could prevent this attack entirely by requiring in-person (with ID) transfers of cellphone numbers to new hardware, at the store. Given the infrequency that I would have to do that, the extra inconvenience is acceptable.

Fake IDs are cheap. This would not prevent a motivated attacker.

What do you suggest instead, then?
Don't put enough crypto on your phone to matter for one. I treat it as i would treat my actual wallet.

I use an electrum wallet on my desktop, and use one of the addresses in that multi address hd wallet as my hot wallet. I load that address on my android electrum install. That way if i ever lose my phone, there isn't much on it, and i can always move the funds using my desktop wallet if required.

But it does suck that it happened. Sorry to hear it.

Cell phones are the most least secure devices. Although convenient, you can't trade that for security. The public wants convenience.
In Turkey, when you move your phone number, 2FA automatically gets locked (you can't receive the code till you reactivate) for banks, requiring calling customer service or visiting a branch to reactivate.

It would be nice to have a similar system for all kind of 2FA solutions involving cell phones.

Another huge looming problem: My emails were hacked recently with a fraudulent domain transfer using a fake ID. This exposes other accounts that use emails from the domain for recovery.

I lucked into some compelling evidence I'd like to share with any security experts that would be able to help me.

> Accounts with banks and brokerage firms and the like are not as vulnerable to these attacks because these institutions can usually reverse unintended or malicious transactions if they are caught within a few days.

Ah, I see.

Can but (in case of some banks) won't. As I have learned from a friend who was a victim of debit card skimming and theft - with TD bank failing to block obviously out-of-character fraudulent transactions and refusing to revert the fraudulent charges, and then charging fees for fraudulent overdraft to add insult to injury.
Well shit, might as well put everything in a bitcoin wallet then.
On a USB stick. ($70) In a hand gun safe ($110), buried under a tree in the backyard ($Priceless).
(comment deleted)
Why hasn't any of these people losing six figures plus sued the phone company? Even if it's a longshot, it's worth it for the chance of recovery.
You can't sue them due to arbitration clauses.
So sue in arbitration.
The problem is that there is too much power in the hands of first level support personnel. They should hand it off to a specialized team that is extremely well trained to understand how to stop phishing. This should be standard practice for all companies with customer support.