SIM card exchange attacks stolen coins, how can Bitcoin practitioners protect themselves?
Source | bitcoinmagazine
Production | Blockchain Base Camp
Using phone numbers for authentication is a less desirable method of secure authentication. Bringing bitcoin to a third party that provides services such as cryptocurrency exchange or lending also reduces security-"not your keys, not your coins" is security advice, This has spread widely on Twitter and Bitcoin. For example: For most of the past ten years, the combination of these two practices has led to more and more SIM exchange attacks, ultimately leading to increasingly rampant theft of Bitcoin and other cryptocurrencies.
SIM card exchange is a low-cost, non-technical way for an attacker to gain control of a victim's wireless phone account. To launch an attack, hackers need to know how mobile wireless operators verify their identity and some information about the victim. Usually, it is sufficient to get a phone number for the victim.
Now, there is clear evidence that most people in the United States with wireless carrier phone numbers are vulnerable to SIM exchange attacks. This fact can be even more painful if you hold bitcoin that you don't want to be stolen.
The rise of SIM card exchange
A joint research team of professors and doctors from Harvard's Department of Computer Science and Princeton University's Information Technology Policy Center demonstrated the growing potential of SIM exchange in an empirical study published in January 2020.
Arvind Narayanan, an associate professor at Princeton University and one of the authors of the paper, concluded on Twitter: "The carrier that the attacker called you, pretended to be you, and asked to transfer the service to a new one. On a SIM card controlled by an attacker. This is bad enough, but hundreds of websites are still using SMS (Short Message Service) for two-factor authentication, putting your account at risk. "
The study tested the authentication protocols of five major U.S. wireless carriers-AT & T, T-Mobile, Tracfone, US Mobile, and Verizon. The SIM card exchange test tried 10 different prepaid accounts for each operator. After testing, the authors found that all five operators used authentication methods that were considered insecure.
"Together, these findings help explain why SIM card swaps have been an ongoing problem."
What's more troublesome is that the SIM card exchange problem has been so serious that during the study period, the mobile phone SIM cards in Narayanan were exchanged. When he called to report fraud, his operator's customer service department was unable to verify the professor after verifying the attacker. Finally, Narayanan regained control of the wireless account by using the research results to exploit the operator's protocol loopholes.
Fortunately, Narayanan did this quickly. Once the attacker has control of the victim's wireless account, they have the potential to do a lot of damage. As stated in the research, this is largely due to insecure authentication methods set by users for online access to digital assets (such as SMS-based or call-based 2FA, these methods are once the attacker can access your wireless account It ’s not safe) and security issues (which involve easily accessible public information, such as the mother ’s maiden name). In addition, the study found 17 websites that could destroy user accounts with SIM exchange alone (the basis of this method is from the twofactorauth.org dataset). Shortly after the study was published, T-Mobile informed the authors that after reviewing it, it had stopped using "recent numbers" for customer authentication.
Stealing Bitcoin via SIM exchange
The SIM exchange has been going on for many years. Many SIM card exchange targets fall into one of two categories: celebrities with precious social media accounts, such as the CEO of Twitter, Jack Dorsey, or someone with a large number of cryptocurrencies. Last year, during the heyday of the Bitcoin bull market, some cryptocurrency owners were exchanged for SIM.
In December 2019, cryptocurrency journalist and podcaster Laura Shin posted a podcast clip about her experience as a victim of a recent SIM card exchange. Shin hasn't been robbed, but her experience is worth noting because she revealed that despite her previous coverage of the topic in 2016 and active protection of her account a few years ago, she remains vulnerable.
Ultimately, the fact that makes Bitcoin owners easier to target as SIM exchanges than other wireless carrier customers is the fact that Bitcoin transactions are recorded on the blockchain, so they cannot be revoked. Unlike wireless accounts, it is much more difficult for authorities to capture stolen Bitcoins (although it can be tracked through blockchain analysis).
In addition, unlike most online bank accounts, only a few cryptocurrency exchanges (such as Coinbase, Gemini, ItBit, and Binance.US) are guaranteed by FDIC insurance, which provides insurance up to $ 250,000 for deposits in member banks. This is reasonable when considering the value of Bitcoin as a decentralized, immutable asset. But it also means that security should never be taken for granted.
The wheel of justice is turning too slowly
Entrepreneur and investor Michael Terpin is the owner of high-net-worth cryptocurrencies, and he co-founded the first angel fund for Bitcoin enthusiasts, the Bitangels Fund, and they all know this purpose very well .
> "The wheel of justice is slow," Turpin said in an interview with Bitcoin Magazine.
The judicial dispute over the Terpin case was involved in his ongoing US $ 224 million lawsuit against AT & T in August 2018. Two organized hackers exchanged SIM cards associated with Terpin's T-Mobile and AT & T accounts. According to him, after the first SIM exchange, a group of attackers "beat each other in two stores in Boston to make me give up credentials for both accounts."
After these exchanges, hackers snatched more than half of Bitcoin in the exchange account opened by Terpin. "At that time, Bitcoin was about $ 100."
After the first SIM exchange, Terpin asked both operators to provide higher security. It turns out that AT & T and T-Mobile each offer "advanced configuration protection options." But, as Terpin said, when T-Mobile's in-store verification "no port" option and the six-digit account password added by AT & T proved to be useless, in January 2018, a 19-year-old AT & T retailer in New Jersey Employees sold Terpin's account password in exchange for a $ 100 bribe.
In return, this group of attackers stole $ 24 million in altcoins.
"Yes," Terpin said, "the only thing they can get is altcoins, but they happened to be of great value that day."
Unlike Bitcoin, Terpin's stolen altcoins (TRIG, SKY, and STEEM) do not have an available wallet private key hardware backup option.
Although Terpin's last SIM exchange happened more than two years ago, he said that a new SIM exchange victim was contacted every week for help. If they really want to solve it, he will point them to his legal team and the REACT working group in California.
SIM card exchange thief story
Terpin also participated in a civil lawsuit against Nicholas Truglia, a 21-year-old New York City resident charged with stealing $ 24 million through a SIM card swap. Truglia was initially accused of stealing $ 1 million in cryptocurrency from Ross Valley executive and founder of StopSIMCrime.org.
Terpin claims that evidence (an iCloud backup file) at another SIM fraud bail hearing in Truglia suggested that Truglia could also be the SIM card swapper behind his $ 24 million attack. On the same day as Terpin's attack, Truglia emailed family and friends that he had stolen more than $ 20 million worth of cryptocurrency from his wallet and converted it to Bitcoin, and his life changed forever. Although the investigation is still ongoing, Terpin claims that Truglia is a member of the 26-person decentralized SIM card exchange team.
Investigative reporter Brian Krebs combined Truglia's case with several other arrests, charges and penalties for the theft of SIM card exchangers, describing these roles in detail. According to Krebs, they are all male and under the age of 25.
In January 2020, a report accused Samy Bensaci, an 18-year-old Canadian resident, of implementing a SIM exchange with Don Tapscott, the leader of the blockchain research group. Fortunately, this failed. This story links many of the SIM exchange goals in the cryptocurrency community to the attendance of its annual consensus conference in New York City. It also confirmed Krebs' report, which linked SIM exchange cryptocurrency theft with users of an online forum called OGUsers.com.
"I think everyone is always caught off guard by the younger generation's adoption of new technology," said Matt Odell, a Bitcoin and privacy expert. He has been involved in multiple projects, such as co-hosting the "Cellar Story" podcast.
Just like the mass adoption itself, the phenomenon of bitcoin and related SIM card exchange theft appears to have been initiated by the younger generation against victims of more primitive systems.
Choose safety over convenience
"The laws created around this technology are always lagging," said Webroot's security analyst Tyler Moffitt. He was referring to the unique danger that Bitcoin owners have due to their wireless carriers. "I don't see [tighter carrier consumer protection laws] coming up in the next five years, and by then, hackers have made a lot of money from SIM stolen cryptocurrency."
Moffitt is one of many people who believes that people will always favor convenience when weighing convenience and security. This is exactly how wireless operator accounts and the entire American society are designed.
But a loud sound started to make. On January 9, 2020, six U.S. lawmakers signed a letter to Ajit Pai, chairman of the Federal Communications Commission (FCC), who previously served as Verizon's general counsel. The letter advocates enhanced SIM exchange fraud protection for wireless customers, and notes the statement of investigators and the REACT working group on total SIM exchange losses: "They already know more than 3,000 SIM exchange victims, which has caused US $ 70 million in losses. . "
The letter also addresses allegations that SIM card exchange hacking has become more complicated. Now, attackers are also tricking or forcing retail employees to run malware on their computers in the form of Remote Desktop Protocol, which directly invades wireless carrier computers, not just bribes.
The letter reads: "Have you ever seen reports of violations … involving intrusions into wireless carriers, including computers in retail stores and computers used by customer service agents?"
What's more, the letter's legislators and authors recognized that theft of SIM card exchanges posed a very real threat to national security. It is said that many government agency employees use different levels of 2FA. Under this assumption, an organized group of hackers or nation-state actors can access the email account of a public official and then use that access in several serious and disruptive ways, such as alerts and warnings from the Federal Emergency Management Agency Issued a false emergency alert.
Terpin sent a similar letter to the FCC in the fall of 2019 with more specific requirements.
"I recommend that the FCC have all U.S. carriers recover their private passwords," he wrote.
This is a core security fault for wireless operators – unlike banks, airlines, and hotels, password access to wireless accounts for these institutions is "passed" or "failed" based on whether they have a password, but operator employees can use the entire wireless The password for the account. It's mainly for customer convenience, when a customer breaks or loses their phone, and then desperately needs to return to our mobile-centric world. However, given the fact that many operator stores, even those named under the name of the largest operator, are actually owned and operated by third parties, this core security vulnerability seems even worse.
"It's not just employees at telecommunications companies," said Guido Appenzeller, Yubico's chief product officer. Yubico is a hardware security company known for inventing YubiKey. "Each third-party retail employee has access to these databases."
In some regions, the minimum hourly wage of a third-party retail operator is as low as $ 10 per hour, which is clearly why retail retailers leak thousands of account passwords for every $ 100.
Protecting yourself from the SIM exchange should be part of the Bitcoin culture
From the beginning, there has been a common belief in Bitcoin's culture that is deeply rooted in its code-gaining true freedom means taking a new level of personal, financial and technical responsibility. Privacy and operational security are no different. Usually we don't sacrifice them for convenience, but we lose them in profit-making activities such as trading and lending. Overall, losses are the best motivation for improving Bitcoin security, but it's important not to think that your luggage is not big enough to be a victim of theft.
Breaking the rules is one of the reasons wireless operators have not optimized for Bitcoin users. Most people won't be the target of SIM exchanges, but, according to Appenzeller, if anyone "says that there is a bitcoin wallet in excess of $ 10,000, SIM exchanges are undoubtedly economically attractive to hackers."
There are also more complex and more accessible instances of malware attacks that bypass application-based 2FA without the need for SIM exchange. These include phishing websites that use impostors, such as those used in the last Binance hack, and more harmful DNS hijacking or poisoning, often used by ethnic actors to conduct espionage, such as the Turtle operation.
The good news is that there are technologies available to prevent SIM switching and more sophisticated phishing attacks. The most powerful 2FA method on the mass consumer market is U2F, which is two-factor authentication using USB. Appenzeller said the use of U2F eliminated the risk of SIM-based attacks and eliminated "phishing and other man-in-the-middle attacks and other malware attacks."
His company Yubico co-founded U2F with Google and uses U2F in its flagship product, YubiKey. In this way, YubiKey is equivalent to 2FA's hardware wallet, and at the time of writing, no user has become a victim of SIM-related theft.
How to avoid SIM card swap attacks
For this article, we spoke with several security experts and members of the Bitcoin community. Based on this information, here is a list of "do not do" to avoid SIM card swap attacks:
For beginners and ordinary Bitcoin users
Keep Bitcoin in a hardware wallet and stop using phone-based 2FA.
"Please use hardware devices and multisig to protect your private keys. Do not use browser-based wallets because they have a huge attack surface. Do not use hardware-based 2FA for any web applications that support it. Do not use SMS 2FA And do n’t reset / restore your online account by phone number. "-Jameson Lopp, Bitcoin Core Engineer
If you do not use Bitcoin for trading, please do not keep it on the exchange. See this list of transactions (https://bitcoinmagazine.com/articles/ infographic-overview-compromised-bitcoin-exchange-events), these exchanges have lost their customers' money due to hacking and other malicious activities.
Discuss enhanced security with your phone operator and use an application-based authenticator.
"You can ask the phone operator for more security. You shouldn't use an SMS authenticator. Use an authentication application like Google Authenticator or Authy."
Taylor Moffett For anyone (most of us) sharing identity using a wireless phone account
Revisit the security policies of your wireless carrier and other online accounts. You can try to hack your account for testing. Twofactorauth.org is a good starting point.
"In the long run, I think the real question is why do we still use phone numbers? The easiest way to check if you are safe is to try to use your phone number to access all accounts, and if you can, you will run into a SIM card exchange loophole . "
—Matt Odell For those who think their Bitcoin hardware wallet is secure enough
Use a password manager with your Bitcoin wallet. Test your program regularly, even if it is simple.
"I'm using a password manager, which is a good practice. Everyone who works with me uses a password manager."
— Guido Appenzeller
"In terms of password / key management, I use a reliable password manager with multiple encrypted USB backups. At least one backup outside the house (and at least one backup inside the house). I always carry a copy when traveling, occasionally with My wife and another brother are testing and setting up browsing. Most of my assets are located on the hardware wallet and then moderately placed into the Bitcoin core wallet, and I use it for all my Casa, mobile apps, Lightning, beta customers, etc. Funding."
—Cryptocurrency Podcast Host Guy Swann
For maximum security, consumer friendly
Owning at least one YubiKey, they are relatively cheap.
"Buy multiple YubiKeys (for redundancy) and use them for 2FA whenever possible. Many password managers support YubiKey 2FA, and many web applications now support U2F 2FA, and newer YubiKeys also support it. If the web application Only TOTP scrolling code is supported, you can still save data on YubiKey using the Yubico Authenticator app. "
Avoid more complex attacks
Bookmark sensitive account pages.
"The Binance hack is a good example of when the application 2FA might fail. In this case, they are searching for Binance in Google and selecting the first webpage, in this case, this is a fake website, Promote it to the top of Google Search for a day by paying. You should bookmark sensitive pages, and hackers may try to forge those pages. "Tyler Moffitt
Actively improve your operational safety
Set up Google alerts for "SIM card exchange" or "hacking" and "court cases."
"As a civilian, it is difficult to treat operational safety as something important to other (law-abiding) citizens. Many of the best examples of operational safety in the real world-good operational safety and poor operational safety-are usually from Extracted from court documents detailing criminal organizations. Other good examples often come from the intelligence or military fields and seem to be rarely applicable. "
— @ 5auth, cryptomarket and dark market researcher For more information on how to protect your Bitcoin from SIM exchange attacks and what to do in case of an accident, see the SIM Exchange Bible. When the Bitcoin bull market, attacks (SIM exchanges or other means) often occur.