The young man hurries down the street, clutching an oblong wooden case under one arm. Smiling grimly, he dials his cellphone.
“I told you I’d end up with it,” he says, gloating. “I always get what I want.”
The voice on the other end of the line scoffs. “Oh yeah? What have you got? What exactly have you got?”
At this the young man’s smile disappears. He stops. Frantically opening the case, he finds an ordinary piece of galvanized pipe … not the priceless French scepter he thought he was carrying.
Every time I see a scene like this, I cringe.
It’s bad enough when a thief discovers that he’s been double-crossed. But it’s infinitely worse when an ordinary, honest person like you discovers he’s lost it all … to an easy hack.
Private Keys and Passwords, Oh My
Many people ask me about cryptocurrencies such as bitcoin. Strangely, few want to know my opinion of the market for a specific virtual currency.
They usually want to know if it’s safe.
It’s safe, I say … as safe as something intangible can be when it’s entirely dependent on multiple systems designed and controlled by others. On access to the Internet. On electricity.
I don’t recommend cryptocurrency as a long-term investment vehicle because I don’t trust the infrastructure that makes it possible. It’s the same reason I don’t trust storing money in a bank account: Too much depends on someone else.
As poet Robert Burns put it: “The best-laid plans o’ mice an’ men gang aft agley.”
That’s certainly true of cryptocurrency security.
Cryptocurrencies such as bitcoin are stored in virtual “wallets.” These require a “private key” unique to each currency owner. It’s used to sign transactions, providing mathematical proof that they come from the owner of the wallet.
When people trade bitcoins, they use “exchanges” that facilitate the conversion of fiat currencies such as U.S. dollars into bitcoins, and vice versa. They can also act as Web-based wallets for third-party payments by and to the account holder.
Many bitcoin exchanges, such as Coinbase, allow users to store their private keys on their servers to facilitate transacting. That way, instead of entering their key every time, users just log in to the exchange interface with a standard username and password. If it’s a strong password, then that’s safe, since the private key on the exchange’s server is encrypted and unreadable to anyone, even the people running the exchange.
But what if you forget your password? Well, just like any website, you click on “forgot password” and get a link that allows you to reset it.
Given what’s at stake, e-currency exchanges — and many banks, cloud storage companies, social media networks and other sensitive accounts — offer “two-factor authentication” (2FA). This involves a randomly generated one-time code sent to your cellphone or email address, which you must enter along with your password.
That way, even if your password is hacked, your account is safe.
At least that’s what Jered Kenna thought…
Just after midnight on August 11 last year, Kenna got an automated email saying his email password had been changed. He immediately tried to reset it, but the 2FA code he requested via text message never arrived.
“I called the company to make sure I hadn’t forgotten to pay my phone bill, and they said, you don’t have a phone with us. You transferred your phone away to another company,” he said. A hacker had convinced a T-Mobile call center employee that he was Kenna, and the employee did the transfer as requested.
Once the phone number had been transferred, the hacker linked it to a Google Voice account he controlled. This routed all voice and text messages to Google Voice. The hacker then reset the password for Kenna’s email address with a 2FA code sent by text message to Kenna’s phone number.
With access to Kenna’s email account and text messages, the hacker reset the passwords on dozens of his accounts — banks, PayPal, two bitcoin exchanges … and his Windows-based PC.
Within 30 minutes of being hacked, Kenna’s entire bitcoin holdings — small balances on the two exchanges, and a massive stash of tens of thousands of bitcoins on his PC’s hard drive — had been transferred to the hacker’s accounts.
Kenna lost tens of millions of dollars in an instant. There was no way ever to get them back.
More Than Cryptocurrency
Kenna isn’t alone. In January 2016, the Federal Trade Commission received 2,658 reports of such 2FA-based incidents, representing 6.3% of all fraud reports that month. That was double the number of three years previous.
These incidents involved all four major U.S. cellphone carriers. In almost every case, a phone company employee had been convinced by a hacker to port the victim’s phone number to another carrier, giving the hacker access to 2FA codes and thereby to all the victim’s online accounts.
This entirely human-based security weakness isn’t limited to cryptocurrencies. They’re just targeted first because those transactions can’t be undone. The 2FA loophole can also be used against services such as as Google, iCloud, banks, PayPal, Dropbox, Evernote, Facebook, Twitter and many others.
That’s why the National Institute of Standards and Technology, which sets security standards for the federal government, indicated it would likely remove support for 2FA via text message for security purposes.
Stop the Hack in Its Tracks
What can you do to avoid becoming a victim of this scam? Here are three options:
- Never use text message-based two-factor authentication. Either use email, or use an authenticator app, which generates a random code for you.
- Use a disconnected token. This is a physical device that receives your 2FA codes, bypassing involving your phone and email.
- Store your cryptocurrency in cold storage on a device that is not connected to the Internet, such as a spare PC or a special hardware wallet stored in a safe.
I hate to see an actor’s face when his character has just lost everything to a scam. You’d hate it even more if it were your face in the mirror.
Editor, The Bauman Letter