Eight Americans and one Irishman have been charged with wire fraud for stealing people’s phone identities without ever having to go near the victims’ phones. In this case, the gang used the stolen phone identities to compromise the victims’ cryptocurrency wallets, among other things.
This was possible because the victims used text messages as the second factor for authenticating cryptocurrency transactions rather than using the more secure authenticator apps.
Once they had control of the phone number, they requested password resets, which went to the compromised phones, and so gained control over the victims’ email and likely other financial accounts.
It cost the victims, collectively, over $2 million.
THAT is pretty inconvenient.
What is even more annoying is that three of the men charged worked for cell phone providers, including AT&T and Verizon, enabling the so-called insider attack.
It is not clear if any of those charged have been arrested, but since 8 of them are Americans and likely will be hard pressed to cross the border legally, they probably will be arrested.
There are a few things that you can do to help.
First of all, whenever possible, use two-factor authentication.
Then, if the vendor supports it, use two-factor authentication based on an authenticator app. Examples of authenticator apps are Google Authenticator, Facebook Authenticator, Microsoft Authenticator and Authy. All of these apps are free.
This should be done for any account that is important to you – financial accounts, social media accounts, shopping accounts and email.
Part of this attack ring’s operation was to steal people’s social media accounts and demand a ransom to give them back.
When it comes to secret security questions, there are no secrets in the age of the Internet. Where were you born? Where did you live? Where did your parents meet? It’s all out there. Unless you make it up. And you can make it up differently for different sites. For one site you were born in Chicago. On another site you could be born in Dallas.
Finally, for your cell phone, most providers allow you to create a security password, but it is off by default. Inconvenient.
We recommend that you turn it on.
All of this can be documented in a password safe app so you don’t have to remember it.
If this sounds like too much work, you may be right. $2.4 million right. Your choice!
Information for this post came from Brian Krebs.