Sophos Cloud Optix
Jered Kenna was pretty cautious with his bitcoins, keeping his savings mostly offline. But his process had one big flaw, and it cost him a lot.
Writer Laura Shin tells the tale in an exclusive Forbes article. She describes how Kenna’s troubles first started coming to light when he was notified that passwords were reset on two of his email addresses. He tried creating new passwords by prompting the email service to send him text messages with a code, to no avail.
“I called the company to make sure I hadn’t forgotten to pay my phone bill, and they said, you don’t have a phone with us. You transferred your phone away to another company,” Kenna told Shin.
He ultimately discovered that a hacker faked his identity and moved his phone number from T-Mobile to a carrier called Bandwidth that was linked to a Google Voice account the hacker controlled. Shin writes:
Once all the calls and messages to Kenna’s number were being routed to them, the hacker(s) then reset the passwords for Kenna’s email addresses by having the SMS codes sent to them (or, technically, to Kenna’s number, newly in their possession). Within seven minutes of being locked out of his first account, Kenna was shut out of of up to 30 others, including two banks, PayPal, two bitcoin services – and, crucially, his Windows account, which was the key to his PC.
Though he did have some bitcoins in online services, particularly since his businesses accept bitcoin as payment, he kept almost all his bitcoins on an encrypted hard drive. “It was essentially my never-sell-this-until-it-goes-to-a-billion-dollars nest egg,” he says. He had kept it offline for most of the past several years, but had connected that device in recent weeks to move them somewhere more secure and sell some. Though he had locked it with a 30-character password, the hackers moved the coins off. And unlike a credit card transaction, a transfer of a cryptocurrency is irreversible.
Bitcoin hunger fuels ransomware surge
Kenna’s story is part of a larger trend of hackers aggressively going after bitcoins. A perfect example of this is the surge in ransomware, where attackers use malware to lock accounts and demand ransom payments in exchange for returning control to the victim. In many cases, the bad guys want their payment in bitcoins.
The scope of the problem was made clear in a September 2016 survey of 1,250 consumers Sophos polled in the US , UK, Germany, Switzerland and Austria. ReRez Research conducted the study and asked consumers about their awareness of phishing, ransomware, malware, spyware, hack attacks and other prevalent cyberthreats. More than 30% of those surveyed were not familiar with ransomware or perceive it as a low threat, despite being among the most notorious and debilitating cyberthreats right now.
“Those within cybersecurity circles know ransomware has become a lucrative billion-dollar business for an army of cybercriminals who use toolkits developed by super hackers,” John Shaw, vice-president of Sophos’ Enduser Security Group, said after the survey results were released last week. “Consumers are the most vulnerable to ransomware, malware and spyware, because unlike at work, they don’t have an IT department looking over their shoulder and handling cyber security as part of a full time job.”
With ransomware awareness low and the hunger for bitcoins high, we can expect to see a lot more of this.
The weakest link
As Kenna’s situation demonstrates, even heightened awareness isn’t enough sometimes. Despite Kenna’s precautions, all it took for the hacker to succeed was access to a phone number he used for more than one account. Security experts have long warned against using the same phone number or password for multiple accounts because of this type of situation.
Shin writes:
In a larger wave of bitcoin scams that have hit everyone from everyday people to hospitals, Kenna’s experience is only one of a spate of recent hackings of high-profile cryptocurrency industry players such as venture capitalists, entrepreneurs, C-level executives and others who have had their phone numbers hijacked, some of whom have also suffered financial losses, several of whom have been threatened or ransomed, and one of whom was put in physical danger.
But the security weakness being exploited here is not one that only affects cryptocurrency industry players — they are simply being targeted first because such transactions cannot be undone. The security loophole these hackers are milking can be used against anyone who uses their phone number for security for services as common as Google, iCloud, a plethora of banks, PayPal, Dropbox, Evernote, Facebook, Twitter, and many others. The hackers have infiltrated bank accounts and tried to initiate wire transfers; used credit cards to rack up charges; gotten into Dropbox accounts containing copies of passports, credit cards and tax returns; and extorted victims using incriminating information found in their email accounts.
Kenna’s situation is a stark reminder that once your bitcoin (and ID) are gone, you can’t get them back.
Don’t use the same phone number for different accounts? How many phones do you expect us to carry around? What we really need is something that isn’t a phone and can’t have its service ported away so easily.
Agreed. The concept of phone as security is flawed. You would think with multimodal biometrics decreasing in cost and far more available, we could take bigger steps over the next few years toward a security architecture that makes sense. Someone needs to take the lead.
some have a work and personal phone (like myself) but yeah i agree you probably wont have multiple phone numbers…
maybe this should be a service, “2FA cheapo pre-paid phones” that only do text messaging (limited to a few hundred messages/month) for $5/month.
“millions of bitcoins”? As a bitcoin is approximately $825 each, I’m guessing the headline should read “millions IN bitcoins”. Reading the Forbes article confirms this…
And as the first poster points out, if we’re expected to keep multiple phones to protect multiple accounts, then the security industry needs a serious revamp and we should all just give up in the interim.
You are right, and I thank you for catching that. Headline is being changed.
This: “Kenna’s situation is a stark reminder that once your bitcoin (and ID) are gone, you can’t get them back”
is why banks and credit unions are better, unless your hiding criminal activity that is.- like having stolen bit-coins lol
OK, so the hacker got access to Kenna’s email account. But how did the hacker then get remote access to Kenna’s Windows PC and crack the 30-character password of the attached encrypted drive?
My “O’Really” detector is going off over this story, too, but as far as the drive goes, I think that password could be a red herring. It sounds as though he may have had the drive plugged in, decrypted and mounted for use. Like leaving your computer logged in and unlocked, it kind of makes the password irrelevant, though it makes the hacking story seem more way-out.
Right, must of had a gotomypc account in there somewhere too!
At what point will phone companies be held liable for losses directly hinged on illicitly-ported phones? What’s the guarantee that the phone number protecting millions of micro-pennies will remain under my control?
If Joe Schmoe can steal my number with “dude, trust me–I’m ME” then why is the system so callous and indifferent if I forget my PIN?