Amateurs hack systems, professionals hack people - Bruce Schneier
Imagine you live in an enchanted castle with a drawbridge that only lowers when you present two things: a secret song and a divine orb. One night at the tavern, you had too much to drink and sang your secret song. Every lord, crook and wench heard the song and committed the melody to memory. They come to your castle and sing the song, hoping to plunder your treasures, but the bridge won't lower because they don't have the orb. Your castle is safe, and you can compose a new secret song once you're inside. Unless you left the orb at the tavern, they wouldn’t have everything they need to lower the bridge. So it’s a good thing you always carry your orb with you. In fact, you used it to summon a horse to ride back to your castle.
Two-factor authentication (also known as two-step verification or 2FA) is a security measure that requires two things, hence the name, to verify your identity before granting you access. These two things are typically a combination of something you know (like a password or secret song) and something you possess (like a smartphone or divine orb). Hackers know that many people reuse the same password across services, so the only real protection for most people is the second factor. In other words, having something that you possess for a second authentication is the best way to keep your accounts secure. That being said, what are some things you could prove you own that could serve as a second authentication?
If you want to prove that you have possession of your eyes, a retinal scan can be used as a 2FA method. Similarly, a fingerprint scan can be used to prove possession of your fingers. Alternatively, if you want to prove possession of a smart device or USB, a numerical code can be used for authentication. Many people already own a smartphone, watch, or tablet, making them the most commonly used 2FA devices. However, the method by which the numerical code is delivered to your device can increase the potential for security threats. To protect your identity, it is important to keep the delivery method as secure and isolated (air-gapped) as possible.
Some of the most common delivery methods include email, text messages, or an authenticator app. However, it is important to AVOID using email or text messages, as they are not secure. Email authentication codes are only as secure as your mail provider, and email hacks are common. Text message authentication codes are only as secure as your mobile service provider, so they are also a weak choice. The best practice is to use an authenticator app, which is stored on your device in a secure enclave or on a specialized USB. These methods do not transmit anything over the internet, making them as strong as the random number generator that creates the code. This level of security even meets military-grade standards. The weakest link in this case would be physical custody of your phone or USB authenticator, so it is important to keep your devices safe at all times.
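To make concrete why an authenticator app "does not transmit anything", here is an added example (not code from the original post) of how such apps compute their six-digit codes: a secret is shared once at enrollment, and from then on both the app and the service derive the same code from that secret and the current clock, with nothing sent over SMS or email. The algorithms are HOTP (RFC 4226) and TOTP (RFC 6238); the test secret is the one from those RFCs, and the issuer and account label in the enrollment URI are constructed placeholders.

```python
"""Offline one-time codes: HOTP (RFC 4226) and TOTP (RFC 6238).

Added example, not from the original post. RFC_SECRET is the published test
secret from the RFCs; the otpauth:// URI is the format common authenticator
apps read from an enrollment QR code.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, then the RFC 4226
    dynamic truncation: the low nibble of the last byte picks a 4-byte
    window, whose top bit is masked off before reducing modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter taken from the clock (30-second steps)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps on
    either side to tolerate clock drift, and compares in constant time so a
    wrong guess leaks no timing information."""
    counter = int(unix_time) // step
    accepted = False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), candidate):
            accepted = True
    return accepted


def new_enrollment(issuer: str, label: str):
    """Generate a fresh 160-bit secret and the otpauth:// URI a QR code carries.
    The secret crosses to the phone exactly once, here; every later code is
    computed locally on both sides, so there is nothing to intercept in transit."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(label)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return secret, uri


RFC_SECRET = b"12345678901234567890"  # test secret published in RFC 4226 / 6238

if __name__ == "__main__":
    print("HOTP, counter 0:", hotp(RFC_SECRET, 0))                   # 755224
    print("TOTP at t=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))  # 94287082
    # Constructed enrollment for a hypothetical service and user.
    secret, uri = new_enrollment("ExampleExchange", "seth@example.com")
    now = int(time.time())
    print("enrollment URI:", uri)
    print("fresh code verifies:", verify_totp(secret, totp(secret, now), now))
```

The strength of the scheme rests on the secret staying on the device (the "secure enclave" above) and on the server never sending the code anywhere; the only thing an attacker who controls your phone number learns is that a code exists.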
JOEL ORTIZ
THE BOSTON SIM SWAPPER
On the 17th of August 2017, Jeremiah Nichol watched, with a “gut punch feeling”, as hackers broke into his personal email and exchange wallets. They swept everything in 30 minutes. There wasn’t any time to react.
He had been casual about security in the past, so he decided to tighten access to his digital accounts. As an elementary school music teacher, Jeremiah didn't know much about these things, so he asked an IT friend for help. Together, they added 2FA to his security protocols, requiring a code sent by text message to his mobile number before he could sign into his accounts from a new device. This upgrade was a major improvement over his previous security measures, and things remained quiet for over a year.
On November 28, 2018, as Jeremiah was taking a walk, his phone began to overload with alerts. He received notifications of successful password changes for many of his accounts, and the gut-punch feeling returned. The hackers had struck again, and this time it felt as though they had his phone. But they didn't - it was right in his hands. Despite his best efforts, Jeremiah was unable to stop the attack. He called his mobile service provider for help but this is what they said to him:
…we’re sorry, but you just activated your phone somewhere else with your photo ID
No I did not.
Jeremiah didn’t know what to do so he tried emailing himself with an alternate account in an attempt to appeal to the hackers' sympathetic side. He quickly realized that hackers and thieves don't care about their victims, just as an eagle doesn't care about the wellbeing of a rabbit. The internet can be a scary place, and Jeremiah had fallen prey to a vicious predator - the SIM swapper. Frustrated and upset, he messaged the hacker, an angry tear rolling down his cheek:
I can’t win. Why do you do this to me?
Earlier that year in the middle of May 2018, Jeremiah had reached out to other victims through social media. He was hoping to share experiences and perhaps learn from each other but many of them were busy at the time. They were on their way to Consensus 2018 in New York for the annual "Shitcoin"1 conference.
On May 14th that year, the residents of the Midtown Hilton in New York were surprised to see an unusual amount of traffic and noise on the streets. Obnoxious convoys of revving Lamborghinis, driven by people who looked out of place, filled the streets. It was clear that the nouveau riche had arrived in force.
Some 8500 people had purchased $2000 tickets to attend the conference. They were eager to exchange business cards and boast about the amount of money they raised from retail investors. However, the organizers had sold too many tickets, causing registration lines to stretch across the hotel lobby and up to the escalators on the next floor. The event was crowded and chaotic.
There was a concentration of newly minted millionaires at the conference. They smelled of money and were all connected on social media. One of the guests was Seth Shapiro. He had spent most of his career in media and technology, and was now exploring the world of blockchains. His company had recently raised $50 million, and they were excited about adding videos to a blockchain.
In the midst of the celebration, Seth looked down at his phone and noticed that it didn't have a signal. Everyone else at the conference had service bars, but he didn't. It was strange. Seth tried moving around the hotel to see if he could find a better signal, but it was no use. He was unable to connect to the internet or make any calls. Seth decided to ask the hotel staff if there was a problem with the wireless network. They assured him everything was working fine and that there was no known issue with the network.
Unconvinced, Seth left the conference and hurried to a service provider in Manhattan to try and figure out why his phone wasn't working. When he arrived, the support staff were almost as confused as he was. They told him that his SIM card had been disabled because someone had just registered it on another phone.
Seth immediately purchased a new phone and SIM card, but it was no use. As he was setting up the new phone, he received notifications that his exchange wallets were being cleaned out. He watched in disbelief through his glossy new screen as his money was stolen right in front of his eyes.
Later that day, a colleague at the conference messaged Seth to let him know what had happened. The colleague had also fallen victim to a hacking attack, and they were both shocked by the speed and efficiency of the thieves.
My fucking phone has been hacked
Seth was shaken by the experience and felt fragile for the rest of the day. He called his wife to tell her what had happened. She was able to talk him down and offer words of comfort and encouragement.
Earlier that day, a smiling 19-year-old was holding up an ID to an AT&T customer representative. Joel Ortiz told the representative that he had lost his old phone and needed to port his SIM card to a new one. He answered all the security questions and gave them his social security number. Then he thanked the representative and walked out of the store with a new SIM card.
Joel and his friends had been carrying out this scheme at multiple stores over the last few months. They would pose as legitimate customers and use stolen or fake IDs to obtain new SIM cards. Once they had the SIM cards, they would use them to gain access to other people's accounts and steal their money or personal information.
Within minutes of acquiring the new SIM card, Joel and his friends began orchestrating a sweep of all the social contacts and emails associated with Seth's phone number. They had done their homework and gathered all the information they needed from Seth's social media feeds.
To change Seth's email password, they needed to receive a six-digit verification code through text. This is where the SIM swap came in handy. Since they had already swapped Seth's SIM card, they were able to receive the verification code and use it to reset his email password.
Once they had access to Seth's email account, it was easy for them to reset his other accounts, including his bitcoin wallets. They quickly withdrew all of the funds from these accounts into their own wallet addresses. For each withdrawal, the exchange required a six-digit verification code sent to the account phone number, which was now in Joel and his friends' possession.
While Joel was nervously waiting for the withdrawal to go through, Seth was in Manhattan trying to recover his SIM. Seth was prompted for a six-digit verification code but since his SIM had been swapped, the code was sent to Joel and his friends instead. When they saw the code, they realized that their scheme had been discovered and that time was running out. That is when Joel started to panic. He told his colleagues:
He’s trying to get number back. I’m getting text messages.
Joel stared at the withdrawal progress, his heart racing for what seemed like an eternity. Meanwhile, Seth was gaining on them. The anxiety was palpable, and the anticipation kept pace with it.
The tension was interrupted by the sound of two phones receiving a text message at roughly the same time. Joel and his friends looked at their phones in excitement. Seth looked at his in disbelief. A dubious exchange had taken place.
That night, as Seth mourned his losses, Joel reveled in newfound riches. He spent the next few months living like a rap star from the 1990s, with bottles of Dom Pérignon, overpriced jewelry, and stacks of cash scattered across tables at L.A.'s finest clubs. People were paid to hold up signs with his Instagram handle, @0, outside the window, and Joel loved the attention. He was spending money like an election candidate with plummeting ratings, while enjoying the unique disconnect that comes with spending other people's money. He even rented a luxurious Airbnb on a hill in Hollywood, complete with a helicopter to fly him back from the club each night.
Joel's life was transformed. He donned new designer clothes and felt like he deserved his new status in society. He craved attention and spent lavishly to ensure that he got it. Ironically it was his extravagant partying that caught the attention of law enforcement and criminals alike. One night, after the usual debauchery, Joel was robbed at gunpoint as he was leaving the club. The incident shook him and reminded him that nothing in life was permanent. He live-streamed his reaction to the ordeal on Instagram, showing his vulnerability to all his followers:
They stole like $40,000 worth of shit…
I had like $8000 cash and a Rolex and bitcoin chain
Joel’s thought process changed dramatically after his encounter with old-school criminals. In an effort to escape any repeat encounters in Los Angeles, he decided to move back to Boston. He announced his plans on Instagram, including an itinerary for a concert abroad.
On July 12, 2018, Joel dressed in his finest Gucci clothing and headed to the airport. As he checked in, federal agents positioned themselves around the airport, waiting for the right moment to make their move. It was at the final metal detector that two agents approached Ortiz, badges in hand, and arrested him.
About six months later, Joel was charged with 41 counts, including grand theft, identity theft, and computer crimes. He was linked to multiple victims in the case. Santa Clara County, California, sentenced him to 10 years in prison.
REKT
The first time Jeremiah Nichol, the elementary school music teacher, was hacked, it was a wake-up call for him to take online security seriously. He wasn't tech-savvy, so he entrusted the security of his accounts to an IT friend with more experience. Unfortunately, his friend wasn't as qualified as Jeremiah had hoped. They set up 2FA with a mobile phone number to receive important security codes. It was the right technique, but with the wrong tools.
Seth was no different from Jeremiah. He also set up 2FA with his telephone number. This was why a group of young hackers were able to bypass their other security safeguards and take all their money. Over the next few years, Seth and his wife would work hard to rebuild what he had lost while Seth continued to explore the world of blockchains. He eventually pivoted his video expertise to the next shiny new thing: non-fungible tokens (NFTs).
2FA from mobile service providers can be a nuisance to hackers, but it is not a complete deterrent. In the cases of Jeremiah and Seth, the hackers found a way around the mobile number authentication: they tricked gullible service representatives into handing over both victims' SIM cards. With other victims, they even paid the service reps to be their inside person.
While most hackers go through the trouble of social engineering, the sophisticated ones can intercept messages to mobile numbers without a SIM card. They can hack telecom networks and read messages in real time. This scary attack is called “man-in-the-middle”. As the name implies, they position themselves between you and your network while they listen for valuable information. Corporate and government espionage used to be the only type of hacking that this attack was used for, but now individuals who flaunt bitcoin on social media can also become targets.
Our perpetrator, Joel Ortiz, was the social engineering type. He didn't start out swapping SIM cards for bitcoin but as a member of a platform called OGUsers, which was popular among people involved in hijacking online accounts and conducting SIM swapping attacks. It was on this platform that he learned to trade vanity social media handles in black markets. He also discovered that the easiest way to steal a social media handle was to deactivate it with the user's phone number and then register it again on a new number.
Joel’s lightbulb moment came when he realized that many bitcoin holders employed the same security hygiene as Instagram users. This opened up a new market for the same old tools and tactics. And so he searched Instagram and Twitter to scout his targets. After successfully stealing his first few bitcoins, he started bragging, as amateurs who engage in such activities tend to do.
Joel didn't work alone. He had a crew of young criminals like himself. They put the big scores together and divided the spoils afterwards. However, they weren't disciplined enough to keep their cover and stay under the public radar. They were always trying to outdo each other on social media. On some nights, they would pour out $1500 bottles on their expensive watches to entertain followers on Instagram. This was how law enforcement caught wind of them; young men living above their financial means with no discernible source of income. It was now up to good old-fashioned police work to follow the money and bring these young criminals to justice.
After hacking another attendee at the 2018 New York conference, Joel became greedy and began harassing family members for bitcoin and loans. He thought he was untouchable, but he was wrong. Law enforcement had noticed that he was using the stolen phone number excessively, and they used it to their advantage.
They obtained a warrant for the number and discovered that the activity was coming from a Samsung phone which the victims did not own. This was the first clue that something was not right. They then sent Google a search warrant for data activity connected to that phone.
To their surprise, they found emails associated with several exchanges. This was how they knew where Joel was converting his stolen coins. Next, they sent warrants to all the exchanges and were able to trace about $1 million across all the accounts.
As they continued their investigation, they found payments to an Airbnb in Hollywood Hills. This was the final piece of the puzzle. They knew where Joel was staying and could have arrested him at any time, but they waited. They wanted to make sure they had all the evidence they needed to put him away for a long time. It wasn't until Joel announced he was leaving the country that they obtained a warrant for his arrest.
Law enforcement estimated that Joel and his accomplices swindled around 40 victims. The data from the warrants on his stolen phone number revealed the identities of his accomplices. It turned out that they all shared access to the same email addresses in order to coordinate better, but mostly because they didn't trust each other. This ultimately led to their downfall.
LESSON
SIM cards are the most widely used identity modules, so it makes sense for various services to outsource identity verification to SIM providers. The major drawbacks of this approach are that:
SIM cards can be easily lost or stolen, making it easy for someone to impersonate the legitimate owner of the card.
Text messages by nature are not air-gapped connections. The medium between the operator and the recipient is vulnerable to hackers with the right tools.
While SMS-based 2FA is better than relying on a password alone, it is not as secure as using an authenticator app. This is because SMS messages can be intercepted or redirected, allowing an attacker to gain access to the one-time code and use it to impersonate the legitimate user.
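The takeovers described above follow one sequence: the carrier moves the number to a new SIM, an SMS code is then used to reset a password, and minutes later an SMS code authorises a withdrawal. A service that receives carrier SIM-change signals can correlate them with its own authentication events and stop trusting SMS codes for a number that was just moved. The following is an added example of that detection logic, not code from the original post or from any of the companies mentioned; the log lines, field names and the account-to-phone directory are all constructed for the example.

```python
"""Flag SMS-authenticated sensitive actions that follow a recent SIM change.

Added example with a constructed, hypothetical event schema: one JSON object
per line, timestamps in UTC. Not the original post's code.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log. Timeline for "seth": SIM change at 10:02, an SMS-
# authenticated password reset at 10:10 and a withdrawal at 10:25. "alice"
# resets with an authenticator-app code; "bob" resets four days after his
# SIM change, outside the look-back window.
SAMPLE_LOG = """\
{"ts": "2018-05-14T10:02:00Z", "event": "carrier.sim_change", "phone": "+15550001111"}
{"ts": "2018-05-14T10:10:00Z", "event": "account.password_reset", "account": "seth", "factor": "sms"}
{"ts": "2018-05-14T10:25:00Z", "event": "wallet.withdrawal", "account": "seth", "factor": "sms", "amount_btc": 12.5}
{"ts": "2018-05-14T11:00:00Z", "event": "account.password_reset", "account": "alice", "factor": "totp"}
{"ts": "2018-05-16T09:00:00Z", "event": "carrier.sim_change", "phone": "+15550002222"}
{"ts": "2018-05-20T09:00:00Z", "event": "account.password_reset", "account": "bob", "factor": "sms"}
"""

# Constructed directory: which phone number each account enrolled for SMS 2FA.
PHONE_BOOK = {"seth": "+15550001111", "bob": "+15550002222", "alice": "+15550003333"}

# Actions that should never be authorised by an SMS code sent to a freshly
# moved number, with the alert severity each one carries.
SENSITIVE_ACTIONS = {"account.password_reset": "medium", "wallet.withdrawal": "high"}


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts, converting the ISO timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_sim_swap_chains(events: list, phone_book: dict,
                         lookback: timedelta = timedelta(hours=72)) -> list:
    """Return one alert per SMS-authenticated sensitive action whose account's
    phone number had a carrier SIM change within `lookback` before it."""
    last_sim_change = {}  # phone -> time of most recent SIM change seen so far
    alerts = []
    for ev in events:  # events are time-ordered, so a single pass suffices
        if ev["event"] == "carrier.sim_change":
            last_sim_change[ev["phone"]] = ev["ts"]
            continue
        severity = SENSITIVE_ACTIONS.get(ev["event"])
        if severity is None or ev.get("factor") != "sms":
            continue
        phone = phone_book.get(ev["account"])
        changed_at = last_sim_change.get(phone)
        if changed_at is None or ev["ts"] - changed_at > lookback:
            continue
        alerts.append({
            "account": ev["account"],
            "phone": phone,
            "event": ev["event"],
            "severity": severity,
            "minutes_since_sim_change": int((ev["ts"] - changed_at).total_seconds() // 60),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_sim_swap_chains(parse_events(SAMPLE_LOG), PHONE_BOOK):
        print(alert)
```

In production the same rule is better applied inline than after the fact: when the carrier reports a SIM change for an enrolled number, the service should stop accepting SMS codes from that number for the look-back period and fall back to a factor the attacker does not hold, such as an authenticator app or hardware key.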
Before social media and bitcoin became popular, very few people used SMS-based 2FA. But as more people started to protect their assets and data with SMS-based 2FA, it became lucrative for hackers to exploit. They figured out that it was easier to steal SIM cards because telecom representatives had not been trained to spot social engineering attacks.
The security questions that are meant to prove identity are often easy to bypass. For example, if a hacker wants to know a person's mother's maiden name or the first car they bought, they could check their social media accounts to find the information. Or, if that is too much trouble, they could bribe a customer representative to carry out the SIM swap for them. Once they had a person's SIM card, they could gain access to all of their other accounts that were associated with that SIM.
All of that is changing now that customer service representatives are more aware of the risks of sharing client data and working with criminals. Even with these measures in place, the best way to avoid this type of attack is to not use SMS-based 2FA for any services. There are simply too many attack surfaces when it comes to using a phone number for 2FA. Instead, use an air-gapped authenticator app on your device or specialized hardware. This way, if your SIM is swapped, there would be nothing for the hackers to steal. However, you should always keep your physical device with you and make sure it is never out of sight long enough to be hacked.
Jeremiah and Seth would not be a footnote in the long history of bitcoin hacks if they had used the right 2FA setup. They would have been protected from SIM swap attacks and never known about it. Jeremiah would have gone about his life teaching music, and Seth would have continued putting videos on the blockchain, both oblivious to the dangers of SMS-based 2FA.
SEAN COONCE
ANOTHER SIM SWAP ATTACK
Sean Coonce worked in engineering management at Bitgo, a company specializing in digital asset security. Despite being well-versed in online security, he made two mistakes that non-security experts make: he kept his funds in a custodial exchange, and he used SMS-based 2FA to verify his primary email. These simple mistakes cost him over $100,000 in 24 hours. Let us examine the events that led to this tragedy.
MAY 14TH 2019, TUE 10:00PM
Sean was making plans for the following day like he always did. He was going through his calendar when he realized there was no service. He thought it was a minor inconvenience and wished that cellular providers had better coverage.
What he didn’t know was that, 24 hours earlier, his cellular provider had ignorantly ported his number to an impersonator - a SIM swapper. It is common practice to delay password resets and SIM ports as a way to reduce fraud. However, this preventive measure only works if the person being hacked is aware of it. The SIM swapper now had control over Sean's SIM from another phone, which was why he didn't have any cellular coverage.
TUE 10:05PM
After a short while, Sean was logged out of his Google account and received a prompt to sign in again. He couldn't remember the last time this had happened - Google rarely logs users out because they need data like a fish needs water. Sean assumed that this was connected to the earlier cellular service outage, which made sense to him as someone who was familiar with security issues. He tried his password, but it didn't work. It was late, so he decided to deal with the problem in the morning and went to bed with the issue unresolved.
What Sean didn't know was that the SIM swapper had already reset his password, thanks to the two-factor authentication code that his cellular provider had sent to the swapper's phone. It was now easy for the swapper to reset Sean's Google password. The swapper had positioned himself between Sean and his cellular provider, effectively "man-in-the-middling" him like a sandwich.
WED 11:00AM
The following morning, Sean went to his cellular provider to fix the issue with his service. They acknowledged that something was wrong with his SIM card and issued a new one. At this point, Sean was starting to become suspicious. He then remembered that he had recently dropped and cracked his phone, which might have damaged his SIM card. This explanation made sense to him as a security professional.
Now that his SIM was reinstated and he had two-factor authentication again, Sean was able to reset his primary email. He was happy to have his email restored and even happier to have his cellular services back. What a day! He went back to work, back to securing other people's digital assets, and back to being a security guy.
What he didn’t know was that while he was dealing with the issues caused by the SIM swapper, the swapper initiated a password reset on Sean's Coinbase account and monitored his email to delete any incoming security notifications. This was to prevent Sean from learning anything if he somehow managed to regain access to his accounts.
WED 10:00PM
That night, as Sean was in the middle of planning the following day's routine, his cellular service dropped again and he was logged out of his Google accounts. It was like déjà vu - could he have received a faulty SIM card? He was angry at the thought. He decided that he would deal with it in the morning and went to bed with the issue unresolved.
What he didn’t know was that the SIM swapper had struck again. They had ported his SIM once more, and it was clear that they either had superhuman discipline that allowed them to operate at exactly 10:00 every day, or they had studied Sean's habits on social media, including the fact that he didn't like to be bothered at bedtime. Sean was completely unaware of the lurking danger as he drifted off to sleep.
WED 10:01PM
Sean was “sound” asleep. That was quick! He’s a security guy.
What Sean didn't know was that the SIM swapper was in the midst of executing the final stages of their scheme. They had initiated a password reset on Sean's Coinbase account 24 hours earlier, and Coinbase's 24-hour delay policy was no longer in effect. The SIM swapper copied and deleted Coinbase instructions and links to cover their tracks, so Sean didn't catch on when he regained access to his account earlier that day. The SIM swapper now completed the password reset using the link they had saved from Sean's email.
Within minutes, Sean's account was drained of all its coins. They were gone, and there was no way to get them back - not even Coinbase could do anything about it. The coins would be verified on the bitcoin network just like any other transaction where possession is ten-tenths of the law. Sean was completely unaware of what was happening as he slept soundly.
THU 9:00AM
Sean went back to his mobile carrier to fix his cellular service problem which persisted despite a previous visit. As he approached the service counter, he was greeted by a friendly representative. "Hi sir, how may I help you today?" the rep asked. Sean explained the ongoing issues he was still having with his service, as the rep nodded sympathetically while typing on a computer. After a few moments, the rep looked up.
I'm sorry Sean, but it looks like your account has been locked. I'm not able to unlock it for you. Were you in Nevada yesterday?
No.
Sean listened to the rep continue as he stared at his mobile device. He had just logged into his Coinbase account, only to be greeted by an error message stating that his session was no longer valid. This could only mean one thing: someone had successfully changed his Coinbase password.
He immediately called Coinbase customer service, his heart racing in denial. After explaining the situation to the representative on the other end of the line, he waited anxiously for their response.
"It appears your account has been compromised," the Coinbase rep said, confirming Sean's worst fears. The funds in his account had been transferred out of Coinbase's custody to an on-chain address on the bitcoin network.
What he didn’t know was that the SIM swapper was long gone. They had moved on and were already spending the fruits of their labour.
After processing the traumatizing events for a week, Sean collected himself and wrote a Medium article2 about it.
REKT
Sean had always considered himself to be a savvy individual when it came to technology and online security. After all, he worked for a company that was known for its cutting-edge technology and security solutions.
Despite this, when it came to his investments, he made a number of questionable decisions. For one, he chose to keep his coins on Coinbase, a third-party exchange that was known to be less secure than Bitgo. This was likely because he wanted to take advantage of Coinbase's user-friendly interface to participate in market speculation.
To make matters worse, Sean had also secured his Coinbase and Gmail accounts with SMS-based 2FA, a method that has been repeatedly proven to be insufficient when it comes to protecting against sophisticated cyber attacks.
As it turned out, Sean's lax approach to online security came back to haunt him. One day, he discovered that his Coinbase account had been hacked, and all of his funds had been transferred out of his control.
If he had used an authenticator app or a hardware solution for his 2FA, it would have been nearly impossible for the hacker to break into his accounts without physical access to his phone or hardware. SMS-based 2FA, on the other hand, grants hackers the ability to steal remotely, which is how they prefer to operate.
In the end, Sean was left to regret his decisions and vow to be more careful in the future. No one ever thinks it can happen to them until it does, and Sean was no exception.
LESSON
When it comes to securing your bitcoin, no amount of protection is overkill. You should be wary of any technical solutions that are too convenient, as these often come with security trade-offs that may not be immediately apparent.
For example, you might assume that using your existing telephone number to receive important verification codes is a convenient and safe choice. In reality, however, this is a potentially dangerous decision. Hackers can easily gain access to your phone number and use it to compromise your accounts, rendering your verification codes useless.
To avoid this, you should go through the extra trouble of downloading a secure authenticator app or purchasing a hardware authenticator for the sole purpose of logging into your important accounts. This may be inconvenient, but it is a small price to pay for the added security it provides.
Additionally, you should always assume that whatever measures you take are 100 times harder for external hackers to bypass. So, making it twice as hard for yourself to access will make it 200 times harder for hackers to do the same, and so on.
Of course, a strong password is still essential, but even the strongest password can be compromised. That's why it's important to have a robust 2FA solution in place as a backup. By taking this extra step, you can greatly reduce the chances of hackers stealing your bitcoin.
In a far-off land, a chad named Sean,
Lived in a castle with a drawbridge tall,
To enter, you needed a song and orb divine,
A clever trick, with an even simpler design.
Without the two, the drawbridge would not descend,
Didn’t matter if you were a foe, maid or friend,
Sean used this setup to keep looters at bay,
Who plotted with thieving intent everyday.
One night at a tavern, he had too many drinks,
He sang his song, giving the maidens naughty winks,
The whole tavern heard and committed to memory,
As they planned to loot his castle and treasury.
The looters came in the dead of the night,
And sang Sean’s song with all of their might,
But the drawbridge stood tall, it did not descend,
Without the orb, it didn’t matter if you were a friend.
When Sean came to his senses and seen what had happened,
He changed his song to protect his castle,
Never again will he sing after too much wine,
Or go anywhere without his orb divine.
This is how Sean might’ve avoided a dreadful situation,
And kept his castle safe with two-factor authentication.
If you enjoyed this story, leave a comment below. Next, we learn why a Nation State can’t ban bitcoin in “CHAPTER 6”. They never learn. Don’t forget to comment and tell your friends. Lord Thoth appreciates you.
A "shitcoin" is a derogatory term used to refer to a cryptocurrency or digital token that is considered to be of low quality or little value. This term is often used by investors and traders to refer to cryptocurrencies that are considered to be scams, have no real use case, or are otherwise not worth investing in.
https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124