Let’s use a crime spree to teach a lesson.
Nine people were charged this week by the Justice Department this week with stealing $3 million in cryptocurrency by a scheme called SIM hijacking.
SIM hijacking is an elaborate but relatively straightforward bit of fraud and social engineering in which crooks steal phone numbers from targets by various means, in this particular case by bribing customer support representatives or in other cases by impersonating the victims.
The victims of this scheme held millions of dollars in cryptocurrency in online exchanges and used those phone numbers as two-factor authentication delivered via text message (SMS) to secure their money. Once the alleged hackers hijacked those numbers, they were able to leverage them to break into the accounts and take the money.
What makes cryptocurrency such a tempting target is that once it’s stolen, there’s no getting it back. No bank to call, no centralised authority to appeal to. That’s the appeal of cryptocurrency for a lot of people, right? And that tends to be what makes it such a juicy target.
Two-factor authentication is one of the easiest and most important steps you can take to secure your online life. Unfortunately for those who got their Bitcoin ripped off, there’s a small but important wrinkle to be aware of.
Here’s the lesson: Two-factor authentication that relies on phone numbers and text messages is weak and if you use it to protect something like, I don’t know, millions of dollars of cryptocurrency, you’re going to be an easier target.
That’s not brand new information but it’s important. It’s clear that despite years of research, too many people still rely on this weak authentication to secure their online accounts. For cybersecurity, it can take years to shift to the new paradigm.
The phone numbers are never the only tool needed to get into the accounts but they are supposed to be the failsafe, the second authentication factor to go with a password that makes your account exponentially safer. But ultimately phone numbers are weak authenticators and any important account you have should be using more to secure it.
This is not a victim-blaming blog and this is not their fault. Obviously, the crooks are first at fault but the websites themselves should be doing better on security. For important accounts, it probably shouldn’t even be a choice to use text messages as two-factor authentication. Any website with important accounts that offer it can probably do better and any website that offers only text message two-factor authentication can hardly do any worse.
There’s a lot going on here — this group congregated on one of the weirdest and most childish centres of cybercrime on the internet and antagonised targets over Twitter — but let’s keep things simple for the sake of the lesson.
Here’s the background information: The cybersecurity consensus is that all your accounts need two-factor authentication. What does that mean?
That means two factors are needed to gain access because it’s shockingly easy to lose control of your password. The first factor is typically your password and that’s easy enough. The second factor might be your phone number so they may text you a text message (SMS) code and give you access.
The second factor could also be an app like Google Authenticator that will supply a code or a hardware key like the Yubikey that you use like one would use a physical front door key.
The best common form of two-factor authentication is a physical key. This is the kind of authentication that Google gives to political campaigns, dissidents, and journalists among others — the kind of people whose lives can depend on their cybersecurity.
A physical key is pretty easy to set up but, ok, maybe you don’t need to measure up to life-or-death cybersecurity. An authenticator app is a strong and simple choice. Google Authenticator is a great way to get that second factor in a secure way delivered straight to your phone.
Lowest on the list is the text message.
It’s been almost four years since the U.S. government warned agencies to move away from SMS authentication because it’s impossible to verify and easy to intercept but it’s still widespread — including, apparently, but some poorly secured cryptocurrency exchanges.
“While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of device authentication mechanisms inherent in the other authenticators allowable…,” Paul Grassi, NIST’s senior standards and technology adviser, explained in 2016. “It’s not just the vulnerability of someone stealing your phone, it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.”
Let’s end the lesson with a simple takeaway: Always use two-factor authentication. If it’s something important — your money, your social media accounts, your email — download an authenticator app or get a key.
Or just haplessly lose a few mil and hope the cops eventually catch the bad guys. Sometimes that works too.