60 comments

[ 21.4 ms ] story [ 129 ms ] thread
> Ross had approximately $1 million stored in two [cyrptocurrency] exchanges when he was attacked, according to a report by investigators.

You know what happens if someone tries this with your brokerage? It takes three days, not one hour, there's a name on the destination account (know your customer), it takes days (at least) to withdraw money from it, and there's a medallion signature on the transfer, so your brokerage is on the hook for it.

There's a reason fraudsters are targeting cryptocurrency exchanges: arguably less security, but more importantly, it's easy to quickly and irreversibly transfer the money.

I only skimmed the first couple paragraphs but I immediately wondered why no financial protections came into play. That explains it. Sort of a misleading headline.
Only half of the US deposits are FDIC insured AFAIK
"there's a medallion signature on the transfer, so your brokerage is on the hook for it"

I'm...not sure that's how it works. Yes, common sense suggests it's much more difficult with conventional financial assets, but is that signature guarantee or whatever you call it protecting you or the institution? In the sense that, if someone successfully forges one, what actually happens next?

From Wikipedia[0]:

> A medallion signature guarantee is a guarantee by the transferring financial institution that the signature is genuine and the financial institution accepts liability for any forgery.

[0] https://en.m.wikipedia.org/wiki/Medallion_signature_guarante...

I'm not sure I understand that. Because the signature guarantee isn't "by" the transferring financial institution, is it? You want to transfer an account from "A" to "B" and you get the guarantee from someone that provides guarantees, call them "C". And if someone forges the guarantee, then "C" never did guarantee anything, so why would they be liable, let alone "A" and "B"?

Maybe I'm forgetting how this works...

...reading the wikipedia page, it sounds like the idea is to deal with forgeries of signatures provided to the guarantor. Not with forgeries of the guarantor's approval.

Then again, maybe you can't really forge a guarantee as long as it can be looked up or invalidated by their database.

I think what they are saying is that in the banking system is nearly impossible to steal someone's life savings via a hack and get away with it, or at least if you do they have insurance at the brokerage to cover it.
You'll be surprised how many people bank accounts get drained.
Without recourse? I am ready to be surprised. Could you give me more information with sources?
And what I was saying was that is probably true, but I'm not sure what would happen with a similar hack only aimed at the guarantor.
True like in CC they've guarantees against such unauthorised usages
How is someone persuading your provider to transfer your number to another provider, a hack?
Social engineering.

> Hi, AT&T, I was at the bar last night and I lost my phone. I still have my old phone, though. Can you help me transfer it? Mother's maiden name? Why yes, it is on whitepages.com!

Anything where you're accessing or affecting an informational system in a malicious way could be called a hack. Social engineering is a mainstay at Def Con.
There is so much information available online on you which is sufficient for any one to hack you
You call the provider's help line and tell the minimum wage call center worker on the other end that your phone has been stolen and you want to assign it to a new SIM code.
Not in our case where we go through 11 step process. In addition to this our staff is highly trained and everytime a request is made, we assume it's an attack
Which company do you work for?

(I’m on T-Mobile and this has happened to me 3 times)

> How is someone persuading your provider to transfer your number to another provider, a hack?

It sounds like you are not aware of the existence of the term “Social Engineering”.

I invite you to read this Wiki page [1] which explains what the hack is about.

Social Engineering is, in fact, one of the most common techniques used by hack people, for example, by tricking someone into clicking a malicious link in a phishing email. There is also “Smishing” which is the same —tricking someone into reading and clicking a malicious text or link— but via SMS. In this specific case the hackers are using a technique commonly known as “Vishing” or “Voice Phishing” [2] which is a criminal practice of using social engineering over a telephone system to gain access to private personal and financial information from the public for the purpose of financial reward (verbatim from WikiPedia).

Have you heard stories of hacks where an employee plugged an infected USB, CD-ROM or floppy-disk into a computer connected to a secure facility? Well, this is another social engineering technique commonly known as “Baiting” used by hackers to attack systems that otherwise would be impossible to access from outside [3]. Stuxnet [4] is one of the most famous examples of a social engineering attack, among several other techniques.

As you can see, social engineering is the very beginning of many hacks.

[1] https://en.wikipedia.org/wiki/Social_engineering_%28security...

[2] https://en.wikipedia.org/wiki/Voice_phishing

[3] https://en.wikipedia.org/wiki/Air_gap_%28networking%29

[4] https://en.wikipedia.org/wiki/Stuxnet

Someone tricked ATT that led to swim swap and this guy losing $1 million. Yet ATT "disputes the allegation and intent to prove it in court"?

I get the fact that the real crook is the thief, but surely ATT is at least partly negligent. How much are they responsible?

Everyone is trying to make phone networks the liable party because it’s cheap for them, and the phone networks don’t want to be the liable party. Even the federal government (SSA) uses SMS as 2FA for proof of identity.

And unlucky people are caught in the middle.

The same Federal Government says not to use SMS for 2FA, for quite a while:

https://www.pindrop.com/blog/nist-explains-proposed-ban-on-s...

Why should we use outdated and vulnerable networks when social engineering is all you need to steal stuff?

This from 2012: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

I encourage everyone to use a hard to guess email alias (foo+bar@gmail.com) for your LOGIN — not password. This thwarts many of these attacks!

“Sir, let’s reset your password. What is your email please?”

“foo@gmail.com”

“Sorry, we have no such user.”

“Really? But—“

“Really.”

ATT’s login is the phone number itself.
Through Efani.com we do take responsibility which is backed by $5M insurance policy.
How does this work? I don’t understand how adding an additional party between me and my vendor could add security.
Because we control the # at that time. We disassociate your personal information from your # and then mask every information that's required to do a port-out
Enfani (previously don't port) has a product to prevent this: https://efani.com/

I haven't used it. I want to, but haven't wanted to deal with changing my family plan. It does make me more interested in a dual-sim phone.

That’s interesting - I wonder how it actually works, other than some hand wavy military technology?

I want to know how it would’ve prevented this social engineering attack

Hey - I am Haseeb Founder of Efani. So we deploy atleast 11 ways to authenticate a user over couple of weeks to make sure that this is a legitimate request + use some manual & automated processes to kill any illegal attempt
So how do you protect against attacks on your MNOs?

Sure, you can make porting difficult. That doesn’t get you very far.

Can you be more specific with your question ? All the port out are blocked by default & no have access to your account # + our UI & our system is in different silos . Finally we've a $5M insurance policy
For most users the problem is someone intercepting their text messages and then using that access to rob them. Port-outs are one way to accomplish this, but certainly not the only way.

Can you defend against sim swap attacks if your MNO is compromised, how?

Where can I read more about your insurance policy? I can’t find any specific details on your website.

I am updating the website within a week so that'll have the complete information. Just rebuilding it to aspire some more confidence in the product honestly.

We do defend against SIM swap attacks because MNOs can't access our account

>We do defend against SIM swap attacks because MNOs can't access our account

How does that work? Your contracts might stipulate this, but I don’t understand how this could work from a technical PoV.

I'll give you a very simple explain. Imagine you're ATT customer & you're roaming in Canada on Rogers network. Would the roger employee be able to SIM Swap you ? No because you're not his customer and even the kiosk guy can't look into the account either
I'm guessing he's talking about SS7 attacks. Sure, you do everything on your side to prevent sim swaps or the numbers from being ported out, but all of those measures are moot if they're bypassed at the carrier level.
Not really SS7 attacks, it seems that this service is just built on top of regular MVNO/reseller APIs offered by the big carriers that we already know to have serious trouble with not getting hacked.

They might be able to protect you against regular port-outs, but not SIM swap attacks performed by people who’ve compromised carrier infrastructure.

I strongly recommend against Family plans because this connects your family to you which makes them vulnerable as well
How is this supposed to work? Efani seems to just be a MVNO, there’s no way they can protect you against attacks on the carriers they resell.

The language on the page is downright hilarious “11-Layer of Military Grade Authentication”.

It's a hybrid of MVNO and reseller & I can challenge that we can protect. Happy to give you a bounty if you're able to break into the system.
>Happy to give you a bounty if you're able to break into the system.

Yeah, the problem here is that since you’re a MVNO the easiest angle of attack would might just be to go for the big MNOs that you resell (Verizon, ATT, Sprint,Tmo). You can’t really offer bounties for such attacks, and I can’t see how you could defend against them either.

We can because due to our relationship, we control the # and they don't. We've a slightly different arrangement. Think of that you've ATT and you're roaming in Canada on Rogers network. Rogers employee can't port you out or do funny things to your account. Similarly, we're using their network but they can't access your account
You control the #, sure. But what specific technical measure prevents the carrier from associating that customer line with another sim card?

The fact that you control the # might defend against port-outs, I don’t understand how that could prevent SIM swaps though.

Carriers don't have access to the customer account. They don't even know who the customer is and our SIMs have a different serial number
during SS7 attack your phone is pushed to deprioritize to a lower network. We've programmed our SIMs against that so if SNR goes high, we don't abide to default settings. This does take out 99% of the attacks . Looking into a setting to inform customers the moment we believe there is any such attempt
One could argue that the greatest weakness in this case is in holding your life savings in cryptocurrency.
Have happened to people having a bank account as well
Not only that, but holding it in a way that they can get to it. If I had a million bucks in crypto, I'd have a few geographically separate offline laptops with the codes on them, fully encrypted, as cold storage.
People are generally lazy and it has happened to non-crypto folks too where other information was stolen
It's rare to impossible to do this to a regular bank account, and if they did, the bank would be liable. Crypto is a great solution for some stuff, but it's not a pancea to solve every problem.
SIM companies could prevent a lot of cases by trying to call or text the phone that is currently active on the SIM. If AT&T would have called the number then it’s likely this could have been prevented.
ATT is built around selling you cheap plans and the SOPs are not that strong. There are 1000s of ports every days so they want to make it simple for their employees
No actual guide on how to protect yourself. In fact, none of the carriers listed seem to do anything remotely effective.

Seems like the best answer is to not reuse passwords, use complex passwords and avoid giving "real" answers to security questions.

And if course, don't keep your life savings in an account that can be withdrawn entirely on a moments notice...

I have been a victim 4 times which is the reason I built Efani.com
Could you explain how your company defends against these attacks?

From a quick look at your website, it looks like you are offering prepaid services through different providers similar to H20 Wireless. You claim to offer protection but give no detail on it except that you use "military grade protection".

Yes updating the website this week with complete information. Our arrangement is somewhat similar to any other MVNO with just that we've blocked sim port attacks & have specific measures in place along with a $5M insurance
Another step one can take is to use a separate number for authorising banking transactions. This number should be 'unlisted', i.e. not shared with anyone but your bank(s).
Should never use phone number as a second factor with a crypto exchange. At the very least use an authenticator app, better yet hardware keys.