John Biggs, a contributing writer for Tech Crunch described the details of a hacker’s attack on his online world.
John detailed the entire hack and it is very useful for everyone. WHY he was attacked is not clear. Was it a target of opportunity or was he specifically being attack? It appears that it may have started as a random attack and morphed into a targeted attack after the hacker found some information about John.
Here is the story.
On Tuesday night August 22, 2017, a hacker swapped his own SIM card for John’s, effectively routing all phone calls and text messages destined for John’s phone to the hacker’s phone.
Moments later, the hacker used text messages from Google and Facebook sent to the rerouted phone to change John’s GMail account passwords and Facebook account password. John was locked out of his phone, his email and Facebook.
Luckily for him, he noticed this within an hour and was able to get T-Mobile to return his phone number back to him. He then set about recovering his online account access.
From stories I have heard in the past, in many cases, convincing the providers to return your own access to you is complicated. You can’t exactly call Google on the phone and even if you could, what would you say? I’m me and the guy that just changed my password using my phone number – that wasn’t me? For most people, that process is pretty challenging.
John then went about “hardening” the two factor authentication set up on his accounts (Google just announced a new high security feature, but it comes with a price tag. I just ordered it and it cost me about $50. Still, compared to losing your digital life, for many people, that is cheap).
In the short time that the hacker had access to his account, the hacker rummaged though John’s digital life, discovered that he was from Ohio and that his dad was sick. Since the hacker had access to John’s email and texts, he was able to send out messages to John’s friends saying that John needed to pay a hospital bill or the hospital was going to pull the plug on his dad and if his friends would give him cash in the value of 10 bitcoins (probably around $30-$40 thousand at the time), that John would pay them back 15 bitcoins the next day.
As John said, luckily his friends aren’t idiots and they didn’t fall for the bait.
Two of John’s friends were also hacked and targeted with the Bitcoin scam. If you use a text message as the authentication mechanism for your bitcoin wallet, the attacker might be able to empty your bitcoin wallet as well. This has already happened multiple times. If your bitcoin wallet is emptied, that money is likely gone – no insurance, no government will be there to make you whole again.
There are things that you can do to protect yourself, but they all come with some cost or some convenience factor or both. The article linked below lists some of the possible options and we can provide other suggestions as well.
I don’t know John but he seems like someone who is at least as technically sharp as most people and probably more technically skilled than many people. Yet, he still got attacked.
Everyone needs to keep their guard up; their antennae tuned and be ready to respond. At least in this case, because of how quickly John detected the hack, he was able to reverse it quickly and minimize the damage the hacker could do. Depending what information exists in your online world – sensitive corporate information, personal financial information, pictures that you definitely don’t want to become public and probably ten other things – the amount of damage the hacker could possibly do varies. One possibility is that the hacker could just delete information from your online world and even wipe some backups. Time passing is your enemy – you must respond right away – remembering that you don’t have access to your digital life to help you.
Definitely, a challenge.
Information for this post came from Tech Crunch.