Nathaniel Popper of the New York Times last week wrote about a clever new threat in which hackers target individual cryptocurrency traders and investors (Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency). The attackers convince a telecommunications call center representative to transfer the victim's mobile number to a device they control, use that number to take over the victim's online accounts, and then quickly empty their Bitcoin or other virtual currency wallets.
To find their marks, the hackers scour social media for cryptocurrency 'fanatics' who post frequently about their virtual investments, then mount a systematic campaign to take over the target's phone number. That number is the single point of access (and of failure) through which a hacker can wrest control of multiple online accounts at once. As Popper explains:
The vulnerability of phone numbers is the unintended consequence of a broad push in the security industry to institute a practice, known as two-factor authentication, that is supposed to help make accounts more secure. Many email providers and financial firms require customers to tie their online accounts to phone numbers, to verify their identity. But this system also generally allows someone with the phone number to reset the passwords on these accounts without knowing the original passwords. A hacker just hits “forgot password?” and has a new code sent to the commandeered phone.
In this particular scheme, once a hacker has taken over a victim's cell phone number, the rest is fairly straightforward: trigger password resets on the victim's exchange and wallet accounts, receive the reset codes on the hijacked number, change the credentials, and drain the balances. Virtual currencies like Bitcoin are an obviously appealing target to cybercriminals because transactions are pseudonymous and, once confirmed, irreversible; transferring stolen funds out of a traditional bank is significantly harder given the controls and reversal mechanisms that accredited financial institutions have in place.
Seasoned security practitioners know that the weakest link is almost always a human being. In this instance, hackers set their sights on poorly trained call service representatives who can be duped into a 'phone porting' scam, handing the hacker a master key to every one of the victim's online accounts that relies on that phone number for login or recovery:
Mr. Perklin and other people who have investigated recent hacks said the assailants generally succeeded by delivering sob stories about an emergency that required the phone number to be moved to a new device — and by trying multiple times until a gullible agent was found. “These guys will sit and call 600 times before they get through and get an agent on the line that’s an idiot,” Mr. Weeks said.
While two-factor authentication provides a supplemental measure of digital identity assurance, SMS-based second factors and phone-number password resets also create an attack vector: the attacker does not need to compromise the handset at all, only to take over the phone number, after which every code sent to that number arrives in the attacker's hands.
This is perhaps why more organizations are beginning to adopt dynamic multifactor authentication (MFA) systems that are risk-aware by design: they weigh signals such as a new device, an unfamiliar location, or a recently changed phone number, and step up to a factor that does not depend on the phone number when those signals look suspicious. This layered, redundant approach offers better protection against account takeovers and other insidious threats that can tarnish an organization's reputation.
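The contrast between the reset flow Popper describes (whoever receives the SMS code resets the password) and a risk-aware reset is easiest to see in code. The example below is an added illustration and is not code from the article or from any exchange or carrier it mentions. It assumes a carrier "SIM change / port-out" lookup (modelled here as a plain data object), a seven-day risk window, and an enrolled authenticator-app (TOTP, RFC 6238) secret as the non-phone factor; all sample data are constructed.

```python
"""Password reset: SMS-only reset versus a risk-aware, stepped-up reset (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"       # reset proceeds on the SMS code alone
    STEP_UP = "step_up"   # SMS code accepted, but a non-phone factor is required too
    DENY = "deny"


@dataclass
class Account:
    username: str
    phone: str
    phone_changed_at: datetime            # when the number on file was last changed
    totp_secret: Optional[bytes] = None   # enrolled authenticator-app secret, if any


@dataclass
class CarrierSignal:
    """Assumed stand-in for a carrier SIM-change / port-out lookup (not a real API)."""
    last_sim_change: Optional[datetime]


def sms_only_reset(sms_code_ok: bool) -> Decision:
    """The flow quoted above: possession of the phone number alone resets the password."""
    return Decision.ALLOW if sms_code_ok else Decision.DENY


def risk_aware_reset(account: Account, sms_code_ok: bool, carrier: CarrierSignal,
                     now: datetime, new_device: bool = False,
                     window: timedelta = timedelta(days=7)) -> Decision:
    """Treat the SMS code as weak evidence when the number itself looks freshly moved."""
    if not sms_code_ok:
        return Decision.DENY
    signals = [
        carrier.last_sim_change is not None and now - carrier.last_sim_change < window,
        now - account.phone_changed_at < window,
        new_device,
    ]
    if not any(signals):
        return Decision.ALLOW
    # Phone possession is suspect: proceed only if a non-phone factor can be checked.
    return Decision.STEP_UP if account.totp_secret else Decision.DENY


def totp(secret: bytes, now: datetime, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the common authenticator-app default)."""
    counter = int(now.timestamp()) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: datetime) -> bool:
    """Accept the current step and one step either side; compare in constant time."""
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(secret, now + timedelta(seconds=drift)), code):
            return True
    return False


def complete_reset(account: Account, sms_code_ok: bool, carrier: CarrierSignal,
                   now: datetime, totp_code: Optional[str] = None,
                   new_device: bool = False) -> bool:
    """Return True only when policy allows the reset outright or the step-up factor checks out."""
    decision = risk_aware_reset(account, sms_code_ok, carrier, now, new_device)
    if decision is Decision.ALLOW:
        return True
    if decision is Decision.STEP_UP and totp_code is not None:
        return verify_totp(account.totp_secret, totp_code, now)
    return False


if __name__ == "__main__":
    # Constructed scenario: the number was ported to the attacker yesterday.
    now = datetime(2017, 8, 25, 12, 0, tzinfo=timezone.utc)
    victim = Account("trader", "+15555550100", now - timedelta(days=400), b"12345678901234567890")
    ported = CarrierSignal(last_sim_change=now - timedelta(days=1))
    print("SMS-only policy :", sms_only_reset(True).value)                     # allow
    print("risk-aware policy:", risk_aware_reset(victim, True, ported, now).value)  # step_up
    print("attacker, no TOTP:", complete_reset(victim, True, ported, now))        # False
    print("owner, with TOTP :", complete_reset(victim, True, ported, now, totp(victim.totp_secret, now)))
```

The point of the design is that the SMS code stops being sufficient on its own exactly when the number has just moved; an attacker who only controls the number is pushed into a factor they do not have. The TOTP check also illustrates two habits worth keeping regardless of the policy: a small clock-drift window and a constant-time comparison.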
Hackers, like flowing water, will always find the path of least resistance. Telecommunications call centers are particularly vulnerable to these attacks because they must balance customer satisfaction against robust security controls. Telecom providers will be under increased pressure to train their call center representatives better, but those that also adopt more modern authentication solutions will not only give their customers a greater level of assurance; they will also make themselves a much less appealing target to cybercriminals.