16 Aug 18

Hanging Up on Mobile in the Name of Security

An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.

The claims come in a lawsuit filed this week in Los Angeles on behalf of Michael Terpin, who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

According to Terpin, this was the second time in six months someone had hacked his AT&T number. On June 11, 2017, Terpin’s phone went dead. He soon learned his AT&T password had been changed remotely after 11 attempts in AT&T stores had failed. At the time, AT&T suggested Terpin take advantage of the company’s “extra security” feature — a customer-specified six-digit PIN which is required before any account changes can be made.

Terpin claims an investigation by AT&T into the 2018 breach found that an employee at an AT&T store in Norwich, Conn. somehow executed the SIM swap on his account without having to enter his “extra security” PIN, and that AT&T knew or should have known that employees could bypass its customer security measures.

Terpin is suing AT&T for his $24 million worth of cryptocurrencies, plus $200 million in punitive damages. A copy of his complaint is here (PDF).

AT&T declined to comment on specific claims in the lawsuit, saying only in a statement that, “We dispute these allegations and look forward to presenting our case in court.”

AN ‘IDENTITY CRISIS’?

Mobile phone companies are a major weak point in authentication because so many companies have now built their entire procedure for authenticating customers on a process that involves sending a one-time code to the customer via SMS or automated phone call.

In some cases, thieves executing SIM swaps have already phished or otherwise stolen a target’s bank or email password. But many major social media platforms — such as Instagram — allow users to reset their passwords using nothing more than text-based (SMS) authentication, meaning thieves can hijack those accounts just by having control over the target’s mobile phone number.

Allison Nixon is director of security research at Flashpoint, a security company in New York City that has been closely tracking the murky underworld of communities that teach people how to hijack phone numbers assigned to customer accounts at all of the major mobile providers.

Nixon calls the current SIM-jacking craze “a major identity crisis” for cybersecurity on multiple levels.

“Phone numbers were never originally intended as an identity document, they were designed as a way to contact people,” Nixon said. “But because of all these other companies are building in security measures, a phone number has become an identity document.”

In essence, mobile phone companies have become “critical infrastructure” for security precisely because so much is riding on who controls a given mobile number. At the same time, so little is needed to undo weak security controls put in place to prevent abuse.

“The infrastructure wasn’t designed to withstand the kind of attacks happening now,” Nixon said. “The protocols need to be changed, and there are probably laws affecting the telecom companies that need to be reviewed in light of how these companies have evolved.”

Unfortunately, with the major mobile providers so closely tied to your security, there is no way you can remove the most vulnerable chunks of this infrastructure — the mobile store employees who can be paid or otherwise bamboozled into helping these attacks succeed.

No way, that is, unless you completely disconnect your mobile phone number from any sort of SMS-based authentication you currently use, and replace it with Internet-based telephone services that do not offer “helpful” customer support — such as Google Voice.

Google Voice lets users choose a phone number that gets tied to their Google account, and any calls or messages to that number will be forwarded to your mobile number. But unlike phone numbers issued by the major mobile providers, Google Voice numbers can’t be stolen unless someone also hacks your Google password — in which case you likely have much bigger problems.

With Google Voice, there is no customer service person who can be conned over the phone into helping out. There is no retail-store employee who will sell access to your SIM information for a paltry $80 payday. In this view of security, customer service becomes a customer disservice.

Mind you, this isn’t my advice. The above statement summarizes the arguments allegedly made by one of the most accomplished SIM swap thieves in the game today. On July 12, 2018, police in California arrested Joel Ortiz, a 20-year-old college student from Boston who’s accused of using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

Ortiz allegedly had help from a number of unnamed accomplices who collectively targeted high-profile and wealthy people in the cryptocurrency space. In one of three brazen attacks at a bitcoin conference this year, Ortiz allegedly used his SIM swapping skills to steal more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million the victim had crowdfunded.

A July 2018 posting from the “OG” Instagram account “0”, allegedly an account hijacked by Joel Ortiz (pictured holding an armload of Dom Perignon champagne).

Ortiz reportedly was a core member of OGUsers[dot]com, a forum that’s grown wildly popular among criminals engaging in SIM swaps to steal cryptocurrency and hijack high-value social media accounts. OG is short for “original gangster,” and it refers to a type of “street cred” for possession of social media account names that are relatively short (between one and six characters). On ogusers[dot]com, Ortiz allegedly picked the username “j”. Short usernames are considered more valuable because they confer on the account holder the appearance of an early adopter on most social networks.

Discussions on the Ogusers forum indicate Ortiz allegedly is the current occupant of perhaps the most OG username on Twitter — an account represented by the number zero “0”. The alias displayed on that twitter profile is “j0”. He also apparently controls the Instagram account by the same number, as well as the Instagram account “t”, which lists its alias as “Joel.”

Shown below is a cached snippet from an Ogusers forum posting by “j” (allegedly Ortiz), advising people to remove their mobile phone number from all important multi-factor authentication options, and to replace it with something like Google Voice.

Ogusers SIM swapper “j” advises forum members on how not to become victims of SIM swapping.

WHAT CAN YOU DO?

All four major wireless carriers — AT&T, Sprint, T-Mobile and Verizon — let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

Mobile store employees who can be bought or tricked into conducting SIM swaps are known as “plugs” in the Ogusers community, and without them SIM swapping schemes become much more difficult.

Last week, KrebsOnSecurity broke the news that police in Florida had arrested a 25-year-old man who’s accused of being part of a group of at least nine individuals who routinely conducted fraudulent SIM swaps on high-value targets. Investigators in that case say they have surveillance logs that show the group discussed working directly with mobile store employees to complete the phone number heists.

In May I wrote about a 27-year-old Boston man who had his three-letter Instagram account name stolen after thieves hijacked his number at T-Mobile. Much like Mr. Terpin, the victim in that case had already taken T-Mobile’s advice and placed a PIN on his account that was supposed to prevent the transfer of his mobile number. T-Mobile ultimately acknowledged that the heist had been carried out by a rogue T-Mobile store employee.

So consider establishing a Google Voice account if you don’t already have one. In setting up a new number, Google requires you to provide a number capable of receiving text messages. Once your Google Voice number is linked to your mobile, the device at the mobile number you gave to Google should notify you instantly if anyone calls or messages the Google number (this assumes your phone has a Wi-Fi or mobile connection to the Internet).

After you’ve done that, take stock of every major account you can think of, replacing your mobile phone number with your Google Voice number in every case it is listed in your profile.

Here’s where it gets tricky. If you’re all-in for taking the anti-SIM-hacking advice allegedly offered by Mr. Ortiz, once you’ve changed all of your multi-factor authentication options from your mobile number to your Google Voice number, you then have to remove that mobile number you supplied to Google from your Google Voice account. After that, you can still manage calls/messages to and from your Google Voice number using the Google Voice mobile app.

And notice what else Ortiz advises in the screen shot above to secure one’s Gmail and other Google accounts: Using a physical security key (where possible) to replace passwords. This post from a few weeks back explains what security keys are, how they can help harden your security posture, and how to use them. If Google’s own internal security processes count for anything, the company recently told this author that none of its 85,000 employees had been successfully phished for their work credentials since January 2017, when Google began requiring all employees to use physical security keys in place of one-time passwords sent to a mobile device.

Standard disclaimer: If the only two-factor authentication offered by a company you use is based on sending a one-time code via SMS or automated phone call, this is still better than relying on simply a password alone. But one-time codes generated by a mobile phone app such as Authy or Google Authenticator are more secure than SMS-based options because they are not directly vulnerable to SIM-swapping attacks.

The web site twofactorauth.org breaks down online service providers by the types of secondary authentication offered (SMS, call, app-based one-time codes, security keys). Take a moment soon to review this important resource and harden your security posture wherever possible.


96 comments

  1. I am skeptical that the google voice this is good fix. The problems that I see are (a) now one is exposed to google insiders (b) the google voice number can go away (or alternatively the google voice service can go away) since this service is nowhere near as mainstream as AT&T or similar cell phone services.

    • If it goes away then you’ll just have to move to a different VOIP provider. Not a big deal.

    • Former Googler here. Worked with one of the security teams for 6 months. I’ll be the first to admit that Google isn’t perfect, but their internal security? Damn near it. Trust me when I say that the more things you get over to Google the more security you will have. Exposed to Google insiders? EXTREMELY unlikely. The reason is that there are incredibly advanced systems and policy controls in place making sure that an employee will not become a threat. First, very few people in the organization have any access at all to user information like that, being only those who absolutely need that access. At every point the internal controls favor not providing access to any of this information whenever possible. If they can access only a small portion of user records to do the necessary work, or use anonymized user data they will every time. Those that do have access are under very tight surveillance when they do access these systems. Second, someone WOULD NOTICE. It’s not one of those places where things slip through the cracks. Access is highly granular. Multiple systems are ensuring user data safety and privacy. It’s hard to illegitimately access data when you must file a report to gain access to it, and every activity is subject to meticulous auditing.

  2. One problem with using GV: many businesses, especially in the financial industry, consider the use of VoIP numbers like GV to be a fraud indicator. Be prepared for the possibility of additional hassle, ranging from account freezes that require in-person verification to account closures or denials.

    How do old-fashioned landlines stack up? While the carrier might be the same AT&T or Verizon that can’t keep cell phones secure, by their nature they eliminate the SIM swapping issue. You still might be vulnerable to fraudulent port-outs, fraudulent service moves (but at least you’d have a physical address to send the cops to), or call forwarding, but those can be mitigated to some extent with account PINs, port-out blocks, etc. As is seen in mobile, those measures aren’t completely effective in the face of incompetent or corrupt employees, but there still may be a benefit: the proliferation of cell phone stores and authorized resellers seemingly makes it easy for criminals to find willing insiders, while there are fewer opportunities to establish relationships with corrupt insiders in the landline department of a telco.

  3. 11. I will not be using Google Voice for any other purposes, so I don’t care if I’m able to make phone calls…

    At least two financial institutions I’ve dealt with require a call from the phone number in your profile at the financial institution to activate a payment card, credit or debit card.

  4. I gave up on GV a couple of years ago for two reasons:

    1) Some sites requiring verification would not text to a GV number, and

    2) Sometime the notification to my phone of an incoming call didn’t work. This is not an issue for the trick advocated, though.

  5. The trouble with this advice is that it asks you to trust Google, which I’m afraid is a no no as far as I’m concerned, Google are just as useless at security as everyone else, the only difference between google/apple mega-corps is they’re better at burying bad news, they’re no more secure, no more honest than anybody else.
    The best thing to do to secure devices is to do what Google etc. have done and use secure keys, I shall be saving up my £80 for one that works on Android, I would rather trust that than a known bunch of liars like Google, tracking data at all times, even when turned off !!!!

    • If one sets up a single-use Google account, there isn’t much to “trust Google” with. All it–or somebody who managed to hack your account–will know is that certain websites send SMS messages. No real names, login names, passwords, browsing history, or contact information need to be exposed to the Google or Google Voice accounts beyond a phone number (that can be deleted after the GV mobile app is installed).

      Beyond that, we’re talking about risk management here. Security is about tradeoffs. Personally, I feel using GV on websites that don’t offer non-SMS authentication is less risky than relying on my mobile phone provider to not carry out a SIM-swap. GV has far fewer points of failure including, perhaps most importantly, not having a far flung network of retail locations staffed by poorly paid, high turnover workers.

      • I’m sorry, but lumping Google, whose business model depends on slurping every bit of information, including personal information, and in some cases selling it to dodgy “analytics” firms in the pay of fascist political organizations, is a lot different from that of Apple, who routinely go to the mat with the federal government to protect user privacy. Both want to make a buck off you, but only one does it with your personal information.

        • [Citation needed]

        • So Google certainly collects personal data, however, did you know that you have the control to delete all the data they have on you? Try getting that from Apple (or anywhere else). If you think that they and all these other places aren’t selling your data, you’re living in a dream world. Every. Single. Data. Firm. Every one is using your data in different ways. At least Google tries to be very transparent about that. Good example of the flawed thought that leads people to be so wary of Google: A major car review magazine wrote a review of Android Auto some time ago. Their verdict? They preferred Mercedes and Apple smart car systems because Google shows a message that tells you they will collect your data and use it for certain things. They received no such warning from the other two, and that SOMEHOW made them feel more secure. Idiotic. Google was transparent about it, the other two services didn’t do anything to try to let you know what was going on and make sure you consent. Why exactly is that better? Really believe the other two just aren’t collecting that data? If you do, I’ve got some really bad news for you.

    • By any chance can you give some real world examples of how Google is “just as useless at security as everyone else.” As a former Googler who worked with their security staff for a quarter, I think that statement more than a little spurious. Unlike all these typical companies that take the “we’ll put money into security stuff IF or WHEN something happens” route, Google is willing to dump nearly unlimited amounts of money into security precisely because user trust is so important to their business model.

  6. One thing I’ve not seen much discussion of when it comes to the sending of security keys via SMS are the alternate methods the big cell phone companies provide to their users for accessing their SMS.

    Verizon, for example, provides additional access by way of a web app as well as multi-platform apps (desktop, android, ios, etc.).

    Those apps do not tend to be protected by any form of 2FA that I’m aware of. Presumably, one would only need to wrangle the account online password out of the customer support agent in order to get access to the web app and read texts.

    At least with Google Voice, you can leverage Google’s multiple methods of 2FA to limit unauthorized access to the many avenues by which you can receive Google Voice messages.

    That said, the additional protection that comes from the limited customer support available for Google Voice means you’re out of luck if you ever really do need customer support. The forums are manned primarily by volunteers who can only do so much when things go wrong. I abandoned GV several years back when it simply stopped forwarding calls and after days back and forth with the community forum hosts, we couldn’t fix the problem.

  7. I quite agree that everything is stored on our mobile device and if it is stolen or left you face big issues. No one thought of this before smart phones came and now that they are in everyday use you do not think of the consequences of your smart phone loss. I do not think that operators, app creators or any provider could be made responsible for your acts. You need to face your attitude.

  8. The introduction of cell phones has created multiple security breaches. There are too many ways in which people can spy on us nowadays and we are letting it happen for the sake of convenience. This needs to be taken under control fast.