Maybe I am old school, but isn’t that something that would be fixed with a more traditional bank, instead of cryptomoney? I guess the bank could have rollbacked the transactions or have fraud insurance?
Yeah, that’s one of the major trade-offs of cryptocurrency compared to fiat money. You gain the ability to do things financially that the traditional banking system doesn’t want you to do, at the cost of losing the protections that the traditional banking system sometimes gives to people.
This was a particularly expensive lesson for the guy because one of the things he had under the control of his SIM card 2FA email was his coinbase account with a lot of crypto in it. But the attack had nothing to do with cryptocurrency per se - it had to do with the fact that his email account was easy to break into because of vulnerabilities of the SIM card system. I’ve read about similar SIM card attacks being used to steal peoples’ valuable twitter handles, and anything valuable at all that can be reset via email is vulnerable to this kind of attack.
I try to avoid giving my phone number to online services and don’t use SIM card 2FA myself unless forced to - although this has more to do with the fact that I don’t want online services to have my phone number than because I’m particularly worried about a SIM port hack.
“Engineering Leadership at BitGo. Enjoy reading and writing about software development at scale.”
I really really feel for this guy. That’s a hell of a theft to shoulder personally.
However, also I note his role. Perhaps the attacker was more interested in company access, than his access, but decided at the last minute to take what was already on the table? I’d love to see a follow-up up post on how the company ensured that it’s not next on the list.
I’m confused by the terminology used here. “SIM port hack”… A SIM card is a physical device. Am I correct that what actually happened here was that the attacker got the user’s “phone number” switched to a new device? And that new device had its own SIM, etc. So, the attacker pretended to be the user and carried out the same actions that the user would do if he’d actually purchased a new phone. And nothing about this is really about the technology inside SIM cards. Eh?
Am I the only one to feel that, principally, AT&T is at fault here? As in if they hadn’t mistakenly ported the author’s SIM, wouldn’t this all have been avoided? (Or at least the attacker would have to try try a different approach)
Of course, you can treat someone’s phone number and SIM card as a library card. It has grown to be an identity for many, so you got to handle these kinds of cards very carefully, and it seems in US things like this are super easy to scam.
I doubt that AT&T makes any guarantees that messages sent via SMS are guaranteed to be both secure (encrypted, they are not), timely, and sent to the intended recipient. It’s not what SMS was developed for. Using it as a vehicle for 2FA is inherently insecure, but AT&T cannot be responsible for the security decisions of 3rd parties.
This is not to say that having your SIM ported without your knowledge is a huge hassle for the victim, and as a simple customer satisfaction matter AT&T and others should do better. But legally I believe they are in the clear.
Maybe I am old school, but isn’t that something that would be fixed with a more traditional bank, instead of cryptomoney? I guess the bank could have rollbacked the transactions or have fraud insurance?
This is still terrible for that poor lad :(
Yeah, that’s one of the major trade-offs of cryptocurrency compared to fiat money. You gain the ability to do things financially that the traditional banking system doesn’t want you to do, at the cost of losing the protections that the traditional banking system sometimes gives to people.
This was a particularly expensive lesson for the guy because one of the things he had under the control of his SIM card 2FA email was his coinbase account with a lot of crypto in it. But the attack had nothing to do with cryptocurrency per se - it had to do with the fact that his email account was easy to break into because of vulnerabilities of the SIM card system. I’ve read about similar SIM card attacks being used to steal peoples’ valuable twitter handles, and anything valuable at all that can be reset via email is vulnerable to this kind of attack.
I try to avoid giving my phone number to online services and don’t use SIM card 2FA myself unless forced to - although this has more to do with the fact that I don’t want online services to have my phone number than because I’m particularly worried about a SIM port hack.
“Engineering Leadership at BitGo. Enjoy reading and writing about software development at scale.”
I really really feel for this guy. That’s a hell of a theft to shoulder personally.
However, also I note his role. Perhaps the attacker was more interested in company access, than his access, but decided at the last minute to take what was already on the table? I’d love to see a follow-up up post on how the company ensured that it’s not next on the list.
I’m confused by the terminology used here. “SIM port hack”… A SIM card is a physical device. Am I correct that what actually happened here was that the attacker got the user’s “phone number” switched to a new device? And that new device had its own SIM, etc. So, the attacker pretended to be the user and carried out the same actions that the user would do if he’d actually purchased a new phone. And nothing about this is really about the technology inside SIM cards. Eh?
The attacker uses social engineering to convince the phone company the target’s phone + SIM is stolen, and to issue a new SIM to a phone they control.
Then they can MiTM the traffic to the phone.
They can receive the traffic. The attacker is on the end, not the middle. The original phone/sim lose service.
You are correct. The real recipient doesn’t even know a request for a 2FA SMS has been initiated.
Am I the only one to feel that, principally, AT&T is at fault here? As in if they hadn’t mistakenly ported the author’s SIM, wouldn’t this all have been avoided? (Or at least the attacker would have to try try a different approach)
Of course, you can treat someone’s phone number and SIM card as a library card. It has grown to be an identity for many, so you got to handle these kinds of cards very carefully, and it seems in US things like this are super easy to scam.
I doubt that AT&T makes any guarantees that messages sent via SMS are guaranteed to be both secure (encrypted, they are not), timely, and sent to the intended recipient. It’s not what SMS was developed for. Using it as a vehicle for 2FA is inherently insecure, but AT&T cannot be responsible for the security decisions of 3rd parties.
This is not to say that having your SIM ported without your knowledge is a huge hassle for the victim, and as a simple customer satisfaction matter AT&T and others should do better. But legally I believe they are in the clear.