Hacking Bitcoins by Night...
The Port of it All.
By Dominic Alvieri, @AlvieriD
December 4th, 2020.
Do you know Bitcoin Jack or jack about Bitcoin?
Porting a number is easier than you think.
The test was simple: would a representative transfer the account?
The phone rings: "Hello, thank you for calling (Enter Firm Name Here), how may I help you?"
Reporter, hacker, er, social engineer at this stage: "Yes, this is (Enter Target Name Here). I have a problem with my phone and I need you to fix it right away."
This is not a step-by-step how-to but rather an important alert for all, and specifically for service-related security teams. A live security test. Your friend can be in attendance twenty feet away and silent as the account is transferred to a new phone in the possession of another, right in front of him.
Did you have your MFA on the same device?
Once transferred, many of the apps and accounts, if not all, are under the control of whoever holds the new phone.
Please use 2FA, tokenized preferred. Use any 2FA and MFA securely. Ideally you should separate your MFA from the main device if at all possible. If your number is ported you can still maintain your second-factor security on some accounts, as long as the 2FA or MFA wasn't on the same device that was just ported.
The social engineer could have a baby crying in the background, as in this instance. There is generally background noise, and always a sense of urgency, an impulsive need for you, the agent, to rectify a wrong.
The simple ploy of a baby crying in the background can create an extra sense of urgency to rush the representative into giving away access to your account. The firm in question did not use any voice recognition technology to verify the identity on the other end of the line, nor did it have any satisfactory second form of authentication or security.
Use a secure 2FA app and find out what other security measures are available from your account and app providers.
Simple security questions can be cracked.
In many cases, all you would need to access an account are the basics along with the last four digits of an account ID and a simple security question like your mother's maiden name, which earn horribly low security marks. Plebeian forms of security. Very twentieth century, if you will, given the advent of biometrics, tokenization and other technologies to authenticate and secure accounts and access points.
Citibank, PayPal and others are implementing voice recognition and other technologies to authenticate and validate the identity of an account. Many firms do not at this time.
The phone is broken...
A phone account breach is the most intimate type of theft. All of your life in bits and bytes, there for the taking. Every account, every moment. Now even a regular phish can expose extra hidden losses: not only digital photos and memories, but any address, account or email account linked to any digital assets may be at risk.
If your accounts and apps, let alone digital wallets, do not use any added security features such as 2FA, backup keywords, tokenization of any type or any cold storage options, you can lose all of your Bitcoins tonight once I gain access to your accounts and port your number. Many of your other assets as well.
You didn't have your MFA on the same device did you?
A security eye-opener for the ill-informed. Separate your 2FA and MFA onto another device whenever possible.
Cold store and secure digital assets.
What can you do?
Start with securing your accounts. Use tokenized 2FA over SMS. Try not to have your 2FA app or MFA on the same device; you can lose both with a porting. Use end-to-end encryption to communicate. Back up data. Use cold storage and secure apps and services from trusted sources. Biometrics, tokenization and new technologies are available.
Have private lines and backup emails for security. Layered defense is best.
Is there a firewall on that line in the sand?
Digital currencies are coming. Many are already here. Central banks around the world will be issuing their own versions of a Central Bank Digital Currency (CBDC) in the near future. JD.com is the first to accept the Chinese digital currency today. The race is on. Many countries are in the process.
A CBDC will be different from the stablecoin of today. What will back the stablecoin?
A protocol is filing for a banking license?
Decentralized finance is sounding centralized when a protocol wants to file for a banking license.
The line in the sand is clear. There is no firewall. You have to defend that line.
One call can lose it all.
Porting or transferring of one's number and account is often done off-hours, in the middle of the night. In many instances the account is socially engineered, stolen and transferred overnight while you are unaware and unable to reject the unwanted intrusion.
Needless to say, advance planning must be involved in targeted campaigns and in targeted defense.
Keeping your accounts securely online or offline is the difference between a hot and a cold account. That can be the difference between red and black ink. Bread crumbs now can lead to the whole loaf if exposed.
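As an added illustration for the defense side (not part of the original post), here is a small detection heuristic run over constructed log lines: it flags sensitive account actions that follow a carrier port-out for the same user within a day, and scores ports that happen off hours higher, since that is when the owner is least likely to notice. The log format, field names and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): carrier port-out notices and
# account-service events, one per line: "<iso-time> <source> <action> k=v ...".
SAMPLE_EVENTS = [
    "2020-12-04T02:13:00 carrier port_out msisdn=+15551230000 user=alice",
    "2020-12-04T02:41:10 account sms_otp_sent user=alice",
    "2020-12-04T02:42:05 account password_reset user=alice",
    "2020-12-04T02:55:30 account withdrawal user=alice",
    "2020-12-03T14:20:00 carrier port_out msisdn=+15559870000 user=bob",
    "2020-12-03T20:10:00 account sms_otp_sent user=bob",
    "2020-12-05T03:00:00 account withdrawal user=bob",   # >24h after bob's port
    "2020-12-04T09:00:00 account login user=carol",       # no port-out at all
]

SENSITIVE = {"sms_otp_sent", "password_reset", "withdrawal"}
WINDOW = timedelta(hours=24)  # assumed correlation window


def parse(line):
    """Split one log line into timestamp, source, action and k=v fields."""
    ts, source, action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source, "action": action, **fields}


def off_hours(ts, start=22, end=6):
    """Night-time window in which the real owner is least likely to notice a port."""
    return ts.hour >= start or ts.hour < end


def find_port_then_sensitive(lines, window=WINDOW):
    """Return (user, action, score) for each sensitive account action that occurs
    within `window` after a carrier port-out for the same user.
    Score is 2 when the port itself happened off hours, otherwise 1."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    last_port = {}  # user -> time of the most recent port_out seen
    alerts = []
    for e in events:
        if e["action"] == "port_out":
            last_port[e["user"]] = e["ts"]
            continue
        ported_at = last_port.get(e["user"])
        if ported_at and e["action"] in SENSITIVE and e["ts"] - ported_at <= window:
            alerts.append((e["user"], e["action"], 2 if off_hours(ported_at) else 1))
    return alerts


if __name__ == "__main__":
    for user, action, score in find_port_then_sensitive(SAMPLE_EVENTS):
        print(f"ALERT score={score} user={user} action={action}")
```

In practice the port-out feed would come from the carrier's notification service and the account events from the provider's own auth logs; the point is the join on the customer and the time window, not the sample values.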
Biometrics, MFA, secure tokenization, cold storage...
Be careful with your cryptocurrencies.
Don't just put it on the Blockchain.
If you ever hear someone say "just put it on the blockchain", they don't know what they are talking about. There are several types of blockchains. There are several types of cryptocurrencies. Proof of work, proof of stake, algorithms, consensus, Byzantine fault tolerance, smart contracts, wrapped Bitcoin and hacked Bitcoin.
Databases are available online for sale. Your data. My data. It is foolish to think that it is not already in the hands of a cyber criminal right now. Secure your accounts and use backups.
Hyperledgers, digital currencies, smart contracts, wrapped coins...
Call your service provider and add an extra layer of defense. In many instances your phone or financial account representative would be glad to assist you.
Everything is hackable. Be skilled in defense.
Take security precautions.
Dominic Alvieri, @AlvieriD
The Cyber Show on Google Blogger and YouTube.
The CyberSecurity Show.