Op Ed: Lessons From a Cryptocurrency Hack (A Public Service Announcement)
Cryptocurrency-related cyber attacks are on the rise. As cryptocurrency continues to explode in value and public awareness, we can only expect this trend to continue. I was recently the target of such an attack. I also personally know of multiple other cases of the same attack being successfully carried out. Even worse, this type of attack is becoming ever more common and is likely to see an even bigger boost thanks to the professional excellence of firms like Equifax, making it an urgent topic as almost everyone is at immediate risk.
This article describes this increasingly common attack vector and provides immediate steps you can take to protect yourself. I will also provide additional tools and best practices to further safeguard yourself and your funds more generally.
As a computer programmer active in the crypto ecosystem since early 2013, I’ve always been too aware of the constant threat of cybersecurity attacks and the possibility that I could be targeted at any time. Cryptocurrency is the perfect hacker pay day. Once it’s transferred away from your control it’s gone forever, and it’s easily liquidated in any number of ways. Black hats are constantly prowling for possible cryptocurrency holders.
As such, I’ve always taken the minimum precaution of keeping my coins off third-party accounts, and have always advised others to do the same. But what I couldn’t prepare for was how unnerving being the target of an attack could be regardless of your level of preparation. The hypothetical can become reality in a matter of seconds, and you never truly understand the personal value of putting proper security in place until it’s too late. For those with enough at stake, it can be ruinous. Ultimately none of my funds were compromised by this attack, but others have not been so lucky.
“But not all accounts are created equal for data thieves — and the most valuable online accounts to steal are like the ones belonging to Mr. Burniske, who is a cryptocurrency fan. In the few minutes it took to get control of his phone, the virtual currency investor saw his virtual currency password change and its accounts drained of $150,000.” -PYMNTS
It started when I received a text message from my cellular service provider alerting me that my SIM card had been “updated.” Included in the text was a number to call if this “update” wasn’t in fact authorized by me. I read this text several minutes after it had been sent, and by the time I called the number provided a minute or two later, my cell service and data were suddenly cut off by what I began realizing must be an attacker. Almost immediately, I was also logged out of my Facebook messenger window right before my eyes. With control of my phone number, my attacker had managed to quickly reset my Facebook password and gain control of the account.
As the reality of what was happening to me sank in, I felt an initial wave of panic. Suddenly, I didn’t know if the years of precautions I had taken amounted to anything at all. I had no idea how robust the attack was, how deep the attacker had penetrated my numerous online accounts or what my first reaction should even be. I momentarily feared the worst. Could my coins be at risk?
I forced several deep breaths. Thankfully my coins were not at risk via a phone, social media or email hijacking. Reminding myself of this eased my fears and allowed me to focus on going on the defensive and taking back control of my accounts as quickly as I could.
Using FaceTime from my laptop, I was able to get a family member to call the number provided by my cellular provider’s text message and initiate the process to eventually retake control of my phone number. Using an old email strictly used as an emergency recovery email for situations such as these, I was also able to lock down my Facebook account and regain control soon after.
What I discovered once I logged back in confirmed that the attacker had specifically targeted me due to my public cryptocurrency involvement. In the brief span of time they controlled my Facebook account, they had sent the same message to several friends of mine also involved in the ecosystem, many of whom I’ve known for years. The messages claimed I had an emergency and needed to borrow several bitcoins or the equivalent value in alternate coins for a day. The attacker was in the middle of sending out many more such messages to even more of my friends when I regained control.
At the end of the day, the damage done to myself was limited to being spooked. Unfortunately, however, at least one of the recipients of my fake Facebook messages was later the target of the same attack. I’ve decided to learn from these events and share those lessons, and hopefully help some avert the worst. First and foremost is eliminating this specific and trivially easy attack vector completely.
How to Stop It Before It Happens
Text message two-factor authentication (2FA) is the default security precaution for most online accounts today, and cellular service providers are woefully unprepared for this reality. It is almost trivially easy for an attacker to contact your service provider and pretend to be you.
In all the cases I’ve personally observed, it began with the attacker identifying an individual likely to have cryptocurrency and contacting their cell provider. They impersonate their target using personal information like social security numbers and home addresses from any number of possible leaks, Equifax being the most obvious and concerning source.
After successfully convincing your cell provider that they are you, they then port your SIM card to a phone they control. This approach is known as a social engineering attack, and with today’s common security default of using text messages for 2FA, they immediately have the keys to the kingdom. With your phone number they can now reset the password to any account you have with text 2FA enabled, including cryptocurrency wallets and accounts.
The minimal action you should take right now to prevent this: Contact your cellular service provider and request restrictions to be placed on your account so that no changes can be made to it without special verification. This can include setting a password on your account or requiring you to physically visit a store with your ID to make any account changes. Call again once this is in place and attempt to change your own SIM card as a test to ensure the restrictions have indeed been put in place and are being properly enforced by your cellular provider.
This simple step means that no matter what information an attacker may have on you, socially engineering a takeover of your SIM card is no longer a trivially simple endeavor. However, this precaution isn’t ironclad, and there’s also a variety of other attacks you can be the target of.
Taking It a Step Further
Black hat actors tend to focus on the low-hanging fruit, which is why the social engineering SIM attack has become so prevalent. But it is by no means the only way to compromise your accounts, and as the low-hanging fruit become harder to find, attackers will move on to these other methods. I highly recommend everyone implement these precautionary steps to further secure yourselves. The upfront investment needed to set up these measures may seem tedious now, but can pay invaluable dividends in the future.
1. If you hold any significant amounts of cryptocurrency, invest in an offline hardware storage solution.
These devices contain your cryptocurrency private keys and can remain completely disconnected from the internet or any computer until you need to make transactions, so that your funds remain totally safe regardless of any of your other devices or accounts being compromised. These devices include OpenDime, TREZOR and Ledger. Even if you do not opt for any of these solutions, at a bare minimum do not store funds on third-party services such as Coinbase or exchanges, especially on any service or wallet that integrates email or a phone number to authorize access to funds.
2. Ditch text messaging 2FA.
Placing verification restrictions on your cellular service account is a big step up in security, but can still be circumvented by an insider or even just a careless customer service rep who doesn’t do their job properly. Text message authorization is also still too incredibly insecure to be relied on in any way, period. Recent research shows that intercepting text messages is a trivial task for someone with the right tools, and many other exploits are likely to be discovered in the future.
The first item on this list will protect your personal funds from theft, but as I learned the hard way your money isn’t the only thing at risk. With access to your social media accounts and emails, an attacker can trick your friends into giving them funds or exposing themselves in other ways. They’ll also obviously have a clear look into all your messaging and file history on those accounts, which can expose you and your social circle even more. Shoring up your 2FA is a big step in preventing this.
Eliminate all of your text messaging–based 2FA and at a minimum replace it with Google Authenticator. However, like storing cryptocurrency, you can take it a step further with a dedicated hardware solution. I highly recommend YubiKeys.
You can configure many major online accounts (not Coinbase yet) to require you to physically insert and activate your YubiKey as your 2FA authorization, eliminating the risk of a remotely compromised phone.
3. Use multiple emails with interlinked recovery options, and use completely different and robust passwords for those emails and other online accounts alike.
Luckily I did not have text messaging 2FA enabled on the email account associated with my Facebook profile; otherwise my attacker could have seized control of that as well. If they did, I have a chain of recovery emails I could have used to regain control of it, all with different passwords. This practice also means that having your password being captured or leaked for any one of your accounts won’t jeopardize all of them.
4. Stay vigilant, stay paranoid.
To quote the Onion Knight, “Safety is never a permanent state of affairs.” Don’t get lazy and begin recycling passwords or leaving funds on Coinbase or other third-party accounts. Be aware of the technology you are using and the tradeoffs you are making or exposure you are generating by doing so. Stay up to date on the latest breaches, exploits and technology. Opt to use end-to-end encrypted messaging services like Signal, Telegram or WhatsApp. Don’t answer calls from strange phone numbers, and use apps like Hiya to filter out known spam numbers to reduce the risk that you do. Ultimately, however, there is no easy fix for security and no list that can guarantee you won’t get hacked.
Make no mistake, there are individuals out there who want to harm you and are actively working to do so. The time needed to reasonably secure yourself can seem tedious and time-consuming up front, but can easily and quickly become a priceless investment as I and many others have learned firsthand.
This guest post by Ariel Deschapell was originally published on Medium and is reproduced here under a Creative Commons License. The views expressed do not necessarily reflect those of BTC Media or Bitcoin Magazine.