Bitcoin Forum
Author Topic: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers  (Read 2942 times)
Lauda
December 22, 2016, 11:46:03 PM
 #21

1) Do not use your personal phone number for 2FA. Use SIM cards without contracts.
5) Do not use any web wallets or online services to keep Bitcoin. If you need to keep them on an online device (for whatever reason), at least make sure that you're talking about a local desktop client.
Quoted you to discuss your first and fifth points.
I just wanted to know that if I use my personal phone number (specifically non-contract sim cards), isn't it still on the edge of getting hacked?
Your carrier shouldn't be able to revoke a non-contract sim to which no information is actually bound. In that sense, it should not be 'hackable' in a way as described.

And when you said that we should keep our coins in a local desktop client, say if I am using any web wallets like blockchain, so is it not good to have all my coins be kept there?
Your web wallets, and those especially that use 2FA, are vulnerable to social attacks. A desktop wallet is only vulnerable to targeted attacks, in which your machine has to be compromised. There's a huge difference in the possible approaches for a malicious individual.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
SmartIphone
December 23, 2016, 12:33:32 AM
 #22

You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

How is 2FA not safe?
There are two layers here, the password and the time password or 2FA which I consider the safest way when logging in somewhere.
CyberKuro
December 23, 2016, 01:21:10 AM
Last edit: December 23, 2016, 01:56:36 AM by CyberKuro
 #23

Article at link:

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#3e024ad522db

Lessons learned:
2FA using SMS is badly compromised.
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners - but it's only a matter of time for the rest of us.
Thieves are impersonating prominent bitcoiners, asking friends for "loans" of BTC (etc) - which just means more victims.
It's not just bitcoins - bank accounts and everything else are vulnerable. (And you can't fix those with a Trezor or paper wallet.)

What else?
Yeah, we get the lesson from Kenna's experience.
Hackers actually can steal our information, but the most important thing is ourselves as the last defense of our wealth.
Bitcoin is better to save in an offline wallet or keep on an encrypted hard drive, with just a small amount of the rest in an online wallet; I thought that is the best way to be safe.
Papa Bear
December 23, 2016, 01:28:04 AM
 #24

Kenna’s experience is only one of a spate of recent hackings of high-profile cryptocurrency industry players such as venture capitalists.
0xfff
December 23, 2016, 01:30:27 AM
 #25

I have always been hesitant to use paper wallets because I fear my printer may record everything I print and if my network gets compromised the private key will be there.
digaran
December 23, 2016, 01:43:53 AM
 #26

Everyone knows the internet is not always safe, always in any sort of case there are security issues no doubt.
But could you tell me how can one simply steal bitcoins by using only a phone number? Why not using hardware and or paper wallets no use for securing our funds?
Are you trying to scare away the people with little knowledge about online security from crypto? It seems like it from my point of view.

🖤😏
x4
December 23, 2016, 02:55:32 AM
 #27

I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.
TastyChillySauce00
December 23, 2016, 03:01:50 AM
 #28

You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

How is 2FA not safe?
There are two layers here, the password and the time password or 2FA which I consider the safest way when logging in somewhere.
As spoken by him, 2FA is not so safe if you use 2FA through SMS verification. Didn't know whether 2FA which uses software like Google Authenticator or similar could be compromised, but the news above in the main post is proof that SMS verification could be compromised.

I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.
Yeah, you said some hackers can't do things like this, but maybe the hackers who were mentioned in the news are the rest of the hackers who could.

jacktheking
December 23, 2016, 03:28:11 AM
 #29

The article is too long and I only read the first half of the article. Anyway, it seems that the hacker is targeting US consumers that have a lot of Bitcoin and use 2FA verification. I personally don't really use 2FA but I do actually think that 2FA is secure as long as we know how to protect ourselves - from the article, Jered Kenna already did his best (it was the service provider that easily accepted the "faked" request). I couldn't believe how the "hacker" managed to fake his identity and transfer his phone number to another service provider. That is something that the provider has to help us secure.

So sad! This profile does not appear as the #1 result (on anonymous) Google searches anymore.

Time to be active on the crypto forums again? Proud to be one of the few Legendary members of the Sparkie Red Dot!

Gonna put this on my resume if I ever join a cryptocurrency/blockchain industry!
JasonXG
December 23, 2016, 03:55:03 AM
 #30

That was a very interesting article and I am glad that you showed us it. Wow, hey? That hacker got into 30 accounts and changed his phone number to another service using social media engineering. So the hacker had control of everything.

What can people do to prevent things like this though? I wonder how exactly the hacker managed to get the guy's phone number and then have it changed to another company?
ebliever (OP)
December 23, 2016, 04:59:33 AM
 #31

The issue is not with all 2FA, but with 2FA using SMS specifically, so far as this article goes. It is noteworthy that Coinbase just sent out an email pushing people to using Google Authenticator for 2FA - probably due to the issues/incidents in this article.

Seems I've been doing some things right by accident. I use GA already, and on a "tablet" that is a smartphone with no phone contract.

Luke 12:15-21

Ephesians 2:8-9
monsanto
December 23, 2016, 06:24:40 AM
 #32

Hackers are always a step ahead. It's needed to develop new security mechanisms all the time. But it seems that everything that is considered to be secure in fact is not. That also happened with 2FA. So, what can we do, what method, mechanism or tool can actually protect our coins? Is there anything that we can fully trust?

DNA 2FA might work, although they could then just steal some genetic material. 

Or maybe they could use AI to have a conversation for a few minutes with you when you signup, where it asks you some odd questions.  It could then use this info to test to see if your responses later indicate it's really you.  So if you want to port your phone number you'd then have to have another brief convo with the AI to check if it's you.

Hmm or maybe just offer 3FA.. authenticator + phone#sms + password
aarons6
December 23, 2016, 07:25:30 AM
 #33

there HAS to be some inside information for this to work..

first off, someone has to get to know this individual enough to know their phone number, address, and their cell phone provider..

also they need to know their email, and whatever kind of web wallet they used..

this is a long shot to just guess..

so after they "guess" this info, they are supposed to call the cell phone company, and HOPE they send a replacement sim card?
i hate to break it to you, but. ive had to do this, legitimately, and the cell phone company made me go into a store to show id.. so now our "hacker" needs to fake the victims id..

now, once this all happens, the victim is NOT SUPPOSED to figure out his phone stops working?? because  um, once you activate a new sim card the old one deactivates..

now this hacker, is supposed to "guess" the guys email, get them to send the sms text to sign in? and well hope that when this happens the "victim" doesnt notice the sign in attempt that just so happens to get emailed to you?? and if you were smart and used gmail, they email you not only on ONE email but on a BACKUP email..

plus now that the email password is changed.. he is supposed to guess all the other passwords??


sounds far fetched..
aarons6
December 23, 2016, 07:29:18 AM
 #34




Hmm or maybe just offer 3FA.. authenticator + phone#sms + password

blockchain.info has 3fa, or 4fa if you choose to enable it..

you would need to verify the sign in attempt by an email link..
you would need to verify the password..
you would need to verify the 2fa code..
and to send funds you need to verify the secondary wallet password..

i would imagine if you were smart and these weren't simple passwords it would be impossible to guess them.

oh and they dont have a password seed.. so you cant just call them up and say i lost my password please reset it.
royalfestus
December 23, 2016, 07:55:35 AM
 #35

It is so unfortunate that hackers are not getting less smart and they are also increasing in number daily. That is why we need to equip ourselves as much as possible, educating ourselves on cybersecurity. The internet is not safe; choice of wallet should also be considered. In most cases with identity theft by hacking it is not done by professionals but local meth users, so inside knowledge/information can mostly make it easy.
Longsnowsm
December 23, 2016, 12:17:17 PM
 #36

I know this article has set off discussions at the phone carriers.  However I don't really know what steps are being taken to address the issues at this point. 

Multifactor authentication (something that you know, something that you are (possibly biometrics, voice print, body scan, retina scan etc.), and something you have, like an external factor such as the Google Authenticator or other similar services) would make it far more difficult for thieves in an online context. The more factors used the harder it is to impersonate someone. I know people are going to scream that it isn't convenient. If you have something worth protecting you will take the extra steps to secure it and put up with the inconvenience. Relying on one or two factors for authentication is going to be too weak.

But as someone else noted if you have money you are trying to protect then offline in paper wallets probably makes sense.  Which really just makes me laugh a little because we are basically saying "cash" is more secure than the online world.  Sadly at the moment that is probably true. 

The other thing that someone said that is very true is limit what someone can know about you. Search online and see what you can dig up about you and then go scrub it if you can. Give would-be thieves fewer clues about who you are so they have less chance of piecing together a puzzle that leads them to your personal data and funds.
bryant.coleman
December 23, 2016, 12:23:54 PM
 #37

It is so unfortunate that hackers are not getting less smart and they are also increasing in number daily. That is why we need to equip ourselves as much as possible, educating ourselves on cybersecurity. The internet is not safe; choice of wallet should also be considered. In most cases with identity theft by hacking it is not done by professionals but local meth users, so inside knowledge/information can mostly make it easy.

There is an advantage for these sort of hackers, when compared to the old school thieves and burglars. Hackers can target an online wallet located in another country, and due to the bureaucracy involved it becomes almost impossible to catch them. Now most of the hackers are coming from countries such as China and Russia. If someone's bank account located in the US is hacked and the funds stolen, then it becomes extremely difficult for the US law enforcement authorities to catch the perpetrator, as they don't have any authority in Russia and China.
royalfestus
December 23, 2016, 03:05:41 PM
 #38

It is so unfortunate that hackers are not getting less smart and they are also increasing in number daily. That is why we need to equip ourselves as much as possible, educating ourselves on cybersecurity. The internet is not safe; choice of wallet should also be considered. In most cases with identity theft by hacking it is not done by professionals but local meth users, so inside knowledge/information can mostly make it easy.

There is an advantage for these sort of hackers, when compared to the old school thieves and burglars. Hackers can target an online wallet located in another country, and due to the bureaucracy involved it becomes almost impossible to catch them. Now most of the hackers are coming from countries such as China and Russia. If someone's bank account located in the US is hacked and the funds stolen, then it becomes extremely difficult for the US law enforcement authorities to catch the perpetrator, as they don't have any authority in Russia and China.
We all know where almost all attacks come from. When it is against countries, it is peculiar to some countries. Just lately some countries had to amend their laws to punish hackers making their territories a hideout. Now when bitcoin is the point of discussion on hacking, I need to attend to such a big issue, because it is getting to the neighborhood.
JessicaG
December 23, 2016, 03:33:11 PM
 #39

I have always been hesitant to use paper wallets because I fear my printer may record everything I print and if my network gets compromised the private key will be there.

Making a screenshot of your private key and printing that one out (so as a graphical file), could circumvent your worries regarding your printer.

Kprawn
December 23, 2016, 07:34:50 PM
 #40

1) Do not use your personal phone number for 2FA. Use SIM cards without contracts.
5) Do not use any web wallets or online services to keep Bitcoin. If you need to keep them on an online device (for whatever reason), at least make sure that you're talking about a local desktop client.
Quoted you to discuss your first and fifth points.
I just wanted to know that if I use my personal phone number (specifically non-contract sim cards), isn't it still on the edge of getting hacked?
Your carrier shouldn't be able to revoke a non-contract sim to which no information is actually bound. In that sense, it should not be 'hackable' in a way as described.

And when you said that we should keep our coins in a local desktop client, say if I am using any web wallets like blockchain, so is it not good to have all my coins be kept there?
Your web wallets, and those especially that use 2FA, are vulnerable to social attacks. A desktop wallet is only vulnerable to targeted attacks, in which your machine has to be compromised. There's a huge difference in the possible approaches for a malicious individual.

In my country employees working for the service providers work with syndicates to social engineer SIM swaps. The one moment your phone is working, and then the phone freezes. You reboot and then your SIM card is cloned and swapped. Many people here link their phone to online banking, so this is the main reason why they are doing this. Everyone just needs to remember that this is not Bitcoin's fault, but a failure on a third party service using Bitcoin.
