Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers

[ebliever]

Article at link:

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#3e024ad522db

Lessons learned:
2FA using SMS is badly compromised.
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners - but it's only a matter of time for the rest of us.
Thieves are impersonating prominent bitcoiners, asking friends for "loans" of BTC (etc) - which just means more victims.
It's not just bitcoins - bank accounts and everything else are vulnerable. (And you can't fix those with a Trezor or paper wallet.)

What else?

[1714994074]

1714994074

[ranochigo]

Article at link:

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#3e024ad522db

Lessons learned:
2FA using SMS is badly compromised.

Definitely. Phone companies are especially vulnerable to social engineering. It has happened to various other people, including linustechtips and even cloudflare's CEO.

You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.

The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

Hackers are targeting prominent bitcoiners - but it's only a matter of time for the rest of us.

Hackers are likely more interested with the people holding a larger amount.

Thieves are impersonating prominent bitcoiners, asking friends for "loans" of BTC (etc) - which just means more victims.

It's weird if a friend asks you for a loan over the phone. Anyone receiving such a request SHOULD verify it physically, especially if its for a large amount.

It's not just bitcoins - bank accounts and everything else are vulnerable. (And you can't fix those with a Trezor or paper wallet.)

For the banks I use, the bank account have physical OTP keys and they are much more difficult to compromise.

Bitcoins aren't vulnerable if you choose to secure your coins with a desktop/cold wallet. The reason why Bitcoins are lost through this is because of people storing them in services.

[shamzblueworld]

You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners

I completely agree with this. You can not trust all your apps blindly, it is a great risk to do that and sooner or later, you will regret it if you do  keep sharing sensitive info with your mobile phone, even the words you type from your mobile phone are recording by your keyboard, how can you be sure they cannot reuse them for harmful reasons?
So try to be as secure as possible and only do it with PC, though it is also not that secure but at least it is way more than the so called smartphone.
 

[ebliever]

Guys, read the article. (It is a good read.) The hackers are able to access PC's starting with the phone hacking. Sounds like a very ugly episode when everything - bank accounts, Windows login, desktop wallets, etc. - all get seized in one swoop. Because phone companies still think of themselves as phone companies, and not as gatekeepers to people's financial and personal property on a vast scale. They can't keep screwing up like this.

If the evidence that this operation(s) is based in the Phillipines is right... well, the hackers might not be too happy once Duterte catches up with them. If he treats them like he does drug dealers, they will have a _very_ short life expectancy.

[Arrakeen]

You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners

I completely agree with this. You can not trust all your apps blindly, it is a great risk to do that and sooner or later, you will regret it if you do  keep sharing sensitive info with your mobile phone, even the words you type from your mobile phone are recording by your keyboard, how can you be sure they cannot reuse them for harmful reasons?
So try to be as secure as possible and only do it with PC, though it is also not that secure but at least it is way more than the so called smartphone.
 

As secure as possible with a pc would mean an isolated box, where your funds/keys are stored. Even if that means  looking over then typing everything individually, better than a possibly compromised USB stick.

[avatar_kiyoshi]

I have same case like kenna, fortunately I just lose few bucks. Using 2FA phone number is very vulnerable, it's proved when I lost my money using these features. Although it's keep offline.

[davis196]

Article at link:

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#3e024ad522db

Lessons learned:
2FA using SMS is badly compromised.
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners - but it's only a matter of time for the rest of us.
Thieves are impersonating prominent bitcoiners, asking friends for "loans" of BTC (etc) - which just means more victims.
It's not just bitcoins - bank accounts and everything else are vulnerable. (And you can't fix those with a Trezor or paper wallet.)

What else?

Let`s just stop using bitcoins and stop online banking because of the hackers.

Let`s use only gold and silver coins for trading purposes.

Hackers can`t hack gold and silver coins. Just kidding.

Hackers are a serious problem.

[MingLee]

Everything is vulnerable as long as they can find your phone number and contact your phone service provider and get your SIM card info.

There is nothing that can especially prevent anything, but phoning up your provider and setting up additional security for something like this can help ease these woes, again, to a certain extent.

There are cases like this for YouTube users as well, so it's not rare or specific.

[NorrisK]

How about proper training to people that give out personal details of others?

If the people got some training on how to verify better that its the real person, it may become less common. I mean, most companies only ask for publically available information such as address and birth date before they give you whatever you want...

[maydna]

How about proper training to people that give out personal details of others?

If the people got some training on how to verify better that its the real person, it may become less common. I mean, most companies only ask for publically available information such as address and birth date before they give you whatever you want...

its a good idea but i don't think this could be solve the problem as we can see that many people is not giving their attention for the 2FA phone number. but at least that person know how to solve their problem with 2FA, and i think we can using another security for saving our account so we can prevent of hackers attack.

[Kakmakr]

Ok, explain this to me. Why would a early Bitcoin adopter store 1000's of coins on a hardware device? This smells a bit fishy, to say the least. I never keep all my coins in the same device. I always split my coins over 100's of paper wallets, and I store those in different places. If I need coins, I just grab one paper wallet and sweep it online. < not everything in one go, because that would be VERY stupid >

None of this are proven statements, so they can just publish any shit they want to, to sell papers and get more hits on their news sites. 

[Roger Burton]

A very good hacker knows how to handle you and take information from you. All we have to be very careful with those we're talking to. It's for our safety, not only for our money but for our lives. So people do not give your informations.

[bitbunnny]

Hackers are always step ahead. It's needed to develope the new security mechanisms all the time. But it seems that everything that is considered to be secure in fact it's not. That also happened with 2FA. So, what can we do, what method, mechanism or tool can actualy protect our coins? Is there anything that we can fuly trust?

[BitcoinGirl.Club]

Thought that 2FA was the safest thing out there. Apparently not!

[Yakamoto]

Thought that 2FA was the safest thing out there. Apparently not!

2FA is actually one of the safest methods of securing your data that exists. The only issue is that hackers can access your SIM card if they know your number and call your phone company, and then make a blank and get the same info you get from your 2FA services.

It's not easy, per say, but it can be done and it is simpler to do than dictionary-attacking a password. It requires a lot of information first though.

[Sithara007]

Thought that 2FA was the safest thing out there. Apparently not!

2FA is actually one of the safest methods of securing your data that exists. The only issue is that hackers can access your SIM card if they know your number and call your phone company, and then make a blank and get the same info you get from your 2FA services.

How they are going to hack in to the SIM card? Especially if the mobile phone used is a basic variant instead of a smartphone? How they are going to install trojans and other spyware in such a phone?

[Lauda]

The hackers are able to access PC's starting with the phone hacking.

Nope. Sounds to me like a case of someone who thinks they understand security, but actually don't. The article is unnecessarily long and pretty much useless (doesn't outline ways of protecting yourself well, but rather tells us a story). Here are some semi-easy ways for prevention:

1) Do not use your personal phone number for 2FA. Use SIM cards without contracts.
2) Do not use social networks (they aren't for the brightest anyways).
3) Delete anything you can find online about yourself -> effectively kills social engineering attempts.
4) Disable Javascript, Flash and everything else by default.
5) Do not use any web wallets or online services to keep Bitcoin. If you need to keep them on an online device (for whatever reason), at least make sure that you're talking about a local desktop client.

Alternative:
A) Use a different computer solely for Bitcoin, banking et al. (Note: This does not save you from targeted network intrusion, rootkits and similar).

How they are going to hack in to the SIM card?

People need to stop watching hacking in movies.

[nizamcc]

The hackers are able to access PC's starting with the phone hacking.

Nope. Sounds to me like a case of someone who thinks they understand security, but actually don't. The article is unnecessarily long and pretty much useless (doesn't outline ways of protecting yourself well, but rather tells us a story). Here are some semi-easy ways for prevention:

1) Do not use your personal phone number for 2FA. Use SIM cards without contracts.
2) Do not use social networks (they aren't for the brightest anyways).
3) Delete anything you can find online about yourself -> effectively kills social engineering attempts.
4) Disable Javascript, Flash and everything else by default.
5) Do not use any web wallets or online services to keep Bitcoin. If you need to keep them on an online device (for whatever reason), at least make sure that you're talking about a local desktop client.

Alternative:
A) Use a different computer solely for Bitcoin, banking et al. (Note: This does not save you from targeted network intrusion, rootkits and similar).

Quoted you to discuss your first and fifth points.
I just wanted to know that if I use my personal phone number (specifically non-contract sim cards), isn't it still on the edge of getting hacked?
And when you said that we should keep our coins in a local desktop client, say if I am using any web wallets like blockchain, so is it not good to have all my coins be kept there?

[Bigdan]

That's why you need to download the entire blockchain and wallet and keep your private keys.

[dontryjustdoit]

use a burner phone not in your name to have your codes texted to. dont even tell you wife.