Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers

Xester

hero member

Activity: 994

Merit: 544

Quote from: ebliever on December 22, 2016, 12:15:20 AM

Article at link:

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#3e024ad522db

Lessons learned:
2FA using SMS is badly compromised.
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners - but it's only a matter of time for the rest of us.
Thieves are impersonating prominent bitcoiners, asking friends for "loans" of BTC (etc) - which just means more victims.
It's not just bitcoins - bank accounts and everything else are vulnerable. (And you can't fix those with a Trezor or paper wallet.)

What else?

That is a serious problem which bitcoiners are facing. I have many friends whose validated wallets have been penetrated by hackers and withdrawn all of their balance to other wallet address. The only solution for the meantime was to make dummy accounts. Multiple dummy accounts increases your protection from hacking while your official validated wallet must not have zero balance always and must only be used during cashout.

fuathan

hero member

Activity: 1092

Merit: 520

Aleph.im

Quote from: dontryjustdoit on December 22, 2016, 07:06:52 PM

use a burner phone not in your name to have your codes texted to. dont even tell you wife.

Hahaha! It sounds like Breaking Bad. Lol. Grin

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: Kprawn on December 23, 2016, 03:34:50 PM

In my country employees working for the service providers, work with syndicates to social engineer Sim swaps. The one moment your phone is working, and then the phone freeze. You reboot and then your Sim card is cloned and swapped. Many people here link their phone to online banking, so this is the main reason why they are doing this. Everyone just need to remember that this is not Bitcoin's fault, but a failure on a third party service using Bitcoin.

The false assumption that 2FA provides very great security or is impenetrable is a myth that is going on among people which have limited technical knowledge (especially in the Security branch). This includes the majority of the posters in this forum, and almost all of the posters in this thread. There are plenty of different types of penetration for social attacks, e.g. spear phishing is very effective when used among a big number of employees of a certain company.

Quote from: valley365 on January 01, 2017, 03:20:31 PM

Man this is very scary. The fact they got the phone number can effectively reset all the passwords. Otherwise in 2FA they need to lnow both the passwords and the SMS code in order to enter the account. So only getting the phone would not be enough.

You will likely be able to trick most services to reset the password if you had a lot of personal information + the phone number used on the account.

silversurfer1958

full member

Activity: 474

Merit: 111

at https://bitaddress.org The url is :-

https://www.bitaddress.org/bitaddress.org-v3.3.0-SHA256-dec17c07685e1870960903d8f58090475b25af946fe95a734f88408cef4aa194.html

I'd expect the Sha256 Hash of the downloaded file to be dec17c07685e1870960903d8f58090475b25af946fe95a734f88408cef4aa194

However, after downloading the file and checking it with a Sha256 CRC it gives a Sha256 Hash of

739DDD62F01F06DDA02E7E69AEA9AF7526AB2349F02372619B92C5A952E02E6B

Where did I make a mistake.

valley365

hero member

Activity: 868

Merit: 1003

Man this is very scary. The fact they got the phone number can effectively reset all the passwords. Otherwise in 2FA they need to lnow both the passwords and the SMS code in order to enter the account. So only getting the phone would not be enough.

Daffadile

hero member

Activity: 1162

Merit: 500

CryptoTalk.Org - Get Paid for every Post!

I was wondering when the next big hack would happen. I hope things like this do not affect the price of bitcoin although maybe it is a good thing for bitcoin to go down so we can buy it and wait for it to go up again. ^^

SmartIphone

legendary

Activity: 1204

Merit: 1000

Quote from: Bitcoinpro on January 01, 2017, 12:25:40 PM

The Bitcoins are traceable it's called IP address

I don't think that always the bitcoin users are tracked when they use bitcoin by the IP addresses.
As far as I know the IP that is shown is not always the client's IP, or is it?

Bitcoinpro

legendary

Activity: 1344

Merit: 1000

The Bitcoins are traceable it's called IP address

SmartIphone

legendary

Activity: 1204

Merit: 1000

Quote from: raaajlucky on December 29, 2016, 11:26:22 PM

Quote from: SmartIphone on December 25, 2016, 08:53:12 AM

Quote from: TastyChillySauce00 on December 22, 2016, 11:01:50 PM

Quote from: SmartIphone on December 22, 2016, 08:33:32 PM

Quote from: ranochigo on December 22, 2016, 12:24:32 AM

Quote from: ebliever on December 22, 2016, 12:15:20 AM

You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.

The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

How is 2FA not safe?
There two layers here, the password and the time password or 2FA which I consider the safest way when logging in somewhere.

As spoken by him 2FA is not so safe if you use 2FA through SMS verification. Didn't know whether 2FA which use software like google authenticator or similar could be compromised but news above in the main post is a proof that SMS verification could be compromised

Quote from: x4 on December 22, 2016, 10:55:32 PM

I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.

Yeah you said some hackers can't do things like this but maybe the hackers which were mentioned in the news are the rest hackers who could

Then ok but I think that these two things are going together, first we put the phone number as a backup of the 2FA app
I use Authy and I have to give my phone number in case I forget the password or the password of this app (like Google Authenticator)

2FA accounts can not hack but still hackers will hack these accounts, I don't know how they will get verification numbers. And I heard as some online casinos were hacked, they will provide heavy security to their accounts but how hackers will hack their account?

The thing is we should secure our accounts to give high securities. Still, our account hacked means it's just our bad luck that's it.

The issue is not always on the 2FA or on the AES encryption nor the Https encryption but the implementation.
And here the hackers come and break the system and get the sensitive info, and the forum needs to implement 2FA as soon as possible.

Mometaskers

hero member

Activity: 1764

Merit: 584

Quote from: ebliever on December 22, 2016, 12:34:52 AM

Guys, read the article. (It is a good read.) The hackers are able to access PC's starting with the phone hacking. Sounds like a very ugly episode when everything - bank accounts, Windows login, desktop wallets, etc. - all get seized in one swoop. Because phone companies still think of themselves as phone companies, and not as gatekeepers to people's financial and personal property on a vast scale. They can't keep screwing up like this.

If the evidence that this operation(s) is based in the Phillipines is right... well, the hackers might not be too happy once Duterte catches up with them. If he treats them like he does drug dealers, they will have a _very_ short life expectancy.

It seems they haven't caught any of these hacking groups yet. IMHO they should tighten immigration here in the Philippines. Most of the crime syndicates here are from abroad and using the laxity of immigration to set up crime rings here. Most of the drug manufacturers are from mainland China, most of the ATM hackers are from Bulgaria, etc...

It's really a troubling thought that they would simply get all your bitcoins because the telcos are not doing enough.

Jafri101

sr. member

Activity: 546

Merit: 250

Quote from: eternalgloom on December 23, 2016, 04:42:11 PM

How safe would 2FA through Google Authenticator be?
I've considered using this wherever it's available, but I'm not sure if it's a safer option than 2FA via SMS/Text.

Yes google authenticator is the safer way to protect your accounts. Howevee while using google authenticator keep ine thing in mind that the device which has authenticator must be safe because if ull change device then 1st you have to disable authenticator. These are the minor things but creates big problems.

Zadicar

legendary

Activity: 1302

Merit: 1018

Cashback 15%

Quote from: Tanic on December 23, 2016, 05:49:51 PM

Quote from: jobach on December 23, 2016, 04:54:24 PM

paper wallets are the best option

First of all - can somebody explain what is 2FA? I have no idea about this slang.
Second is that paper wallets arenot the safest place in the world. The present of stealing money from ordinary wallets are higher than the present of hacked wallets. For now statistic is like that.

2FA is acting like a secondary password on your account which means when you tend to log-in your account with your usual password after than it would require 2fa as second layer.Its either on phone code or an email authorization that's why having 2fa on any account that has funds do really need this security and I don't know how those hackers could able to hack on 2fa.

raaajlucky

hero member

Activity: 532

Merit: 500

Quote from: SmartIphone on December 25, 2016, 08:53:12 AM

Quote from: TastyChillySauce00 on December 22, 2016, 11:01:50 PM

Quote from: SmartIphone on December 22, 2016, 08:33:32 PM

Quote from: ranochigo on December 22, 2016, 12:24:32 AM

Quote from: ebliever on December 22, 2016, 12:15:20 AM

You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.

The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

How is 2FA not safe?
There two layers here, the password and the time password or 2FA which I consider the safest way when logging in somewhere.

As spoken by him 2FA is not so safe if you use 2FA through SMS verification. Didn't know whether 2FA which use software like google authenticator or similar could be compromised but news above in the main post is a proof that SMS verification could be compromised

Quote from: x4 on December 22, 2016, 10:55:32 PM

I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.

Yeah you said some hackers can't do things like this but maybe the hackers which were mentioned in the news are the rest hackers who could

Then ok but I think that these two things are going together, first we put the phone number as a backup of the 2FA app
I use Authy and I have to give my phone number in case I forget the password or the password of this app (like Google Authenticator)

2FA accounts can not hack but still hackers will hack these accounts, I don't know how they will get verification numbers. And I heard as some online casinos were hacked, they will provide heavy security to their accounts but how hackers will hack their account?

The thing is we should secure our accounts to give high securities. Still, our account hacked means it's just our bad luck that's it.

kanazawa

hero member

Activity: 756

Merit: 500

There are many ways to do a "social engineering" using a burning cell phone and a lotta courage. I'm really astonishing that the "agressive" methods are not in use yet. If few people knew about the benefits, the resources and the "easy way" few cryptocurrencies provides to let people "free", the world would be a completely chaos.

Paninotech

newbie

Activity: 43

Merit: 0

Quote from: ebliever on December 22, 2016, 12:34:52 AM

Because phone companies still think of themselves as phone companies, and not as gatekeepers to people's financial and personal property on a vast scale. They can't keep screwing up like this.

SmartIphone

legendary

Activity: 1204

Merit: 1000

Quote from: TastyChillySauce00 on December 22, 2016, 11:01:50 PM

Quote from: SmartIphone on December 22, 2016, 08:33:32 PM

Quote from: ranochigo on December 22, 2016, 12:24:32 AM

Quote from: ebliever on December 22, 2016, 12:15:20 AM

You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.

The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

How is 2FA not safe?
There two layers here, the password and the time password or 2FA which I consider the safest way when logging in somewhere.

As spoken by him 2FA is not so safe if you use 2FA through SMS verification. Didn't know whether 2FA which use software like google authenticator or similar could be compromised but news above in the main post is a proof that SMS verification could be compromised

Quote from: x4 on December 22, 2016, 10:55:32 PM

I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.

Yeah you said some hackers can't do things like this but maybe the hackers which were mentioned in the news are the rest hackers who could

Then ok but I think that these two things are going together, first we put the phone number as a backup of the 2FA app
I use Authy and I have to give my phone number in case I forget the password or the password of this app (like Google Authenticator)

BitcoinNewsMagazine

legendary

Activity: 1806

Merit: 1164

When you spend from a paper wallet your private keys are exposed briefly and bitcoin could be stolen if malware is waiting. Many early adopters used to use Armory and two computers for cold storage. That is still probably the most private way to do it and some still swear by it. Using two computers has largely been replaced by hardware wallets like Ledger Nano S and Trezor. There has never been a reported theft of bitcoin from a Trezor or Ledger. As a bonus using Nano S or Trezor you can use your hardware wallet for secure U2F login to a number of services like Google, Dropbox, Github, etc.

Tanic

sr. member

Activity: 294

Merit: 250

Quote from: jobach on December 23, 2016, 04:54:24 PM

paper wallets are the best option

First of all - can somebody explain what is 2FA? I have no idea about this slang.
Second is that paper wallets arenot the safest place in the world. The present of stealing money from ordinary wallets are higher than the present of hacked wallets. For now statistic is like that.

monsanto

legendary

Activity: 1241

Merit: 1005

..like bright metal on a sullen ground.

Quote from: eternalgloom on December 23, 2016, 04:42:11 PM

How safe would 2FA through Google Authenticator be?
I've considered using this wherever it's available, but I'm not sure if it's a safer option than 2FA via SMS/Text.

That's what the article is all about -- that SMS 2FA is bad. Google authenticator is much better they say. Apparently the main reason SMS is used still is because not everyone has a smart phone to run an authenticator. But eventually they will phase out most/all SMS 2FA.

jobach

newbie

Activity: 38

Merit: 0

paper wallets are the best option

Topic: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers (Read 2879 times)