Notes on recovering from a hack

A few weeks ago on October 23rd I received a strange text message from someone pretending to be a friend of mine (names / details removed for privacy reasons)

sender: “hey whats your favorite sport again? cause I’m creating a blog on my site about it”

me: “what site?”

sender: “your favorite sport. that’s all. and I’m giving u the link after the blog finish”

me: “what are you writing about? This is very confusing”

sender: “oh never mind I’ll send you the link”

(at this point I’m getting concerned as the number and the person don’t match and the English language use doesn’t match my friend)

me: “I’m still confused. Where did we meet?”

sender: “with Mike in Chicago”

me: “I’ve not been to Chicago in 25 years. You must have the wrong person”

At this point I’m really concerned because I realize this question is one of my “secret questions” that a number of sites use as a way to verify my identity. The answer by the way is very obscure (and I’ve since changed it). I decide to log on and check some accounts when I get home.

About an hour late I receive a call from Verizon saying “sorry we just got cut off, would you like to go forwards please tell me your pin”.

I responded to the effect that I had not called them and believed my account was being compromised. I also realized that the secret question / answer combo from earlier was for my Verizon online account. I was also concerned that this might not be Verizon but after being transferred a few times and attempting to verify their identity I proceeded with instructing Verizon to disable my online profile and warning them that I was concerned that my account was under attack (a few days later I did verify that I did actually speak to Verizon but in hindsight I should have called them directly to be sure).

After checking a few email accounts I went to sleep that night confident that I had narrowly dodged a bullet.

When I woke in the morning friends told me that they was getting some strange texts from me asking for my password, answers to secret questions etc. Once again the language of the texts was strange and it was clearly not me. Other friends had also texted me warning me that it looked like my accounts had been hacked.

Sure enough, despite the warning, Verizon had gone ahead and ported my number to a different carrier. What this means is that someone called up and gave them some information about me and my phone number while pretending to be me and instructed Verizon to move my number to a new carrier that they controlled.

In short, my phone number had been hijacked. I was being hacked.

Why is this a problem? Well, like many people I was using 2-factor-authentication which requires me to log in to email providers like Gmail using a password and a special code which I would normally receive on my phone. When the attacker took control of my number they were able to receive these codes, and also, more importantly, could reset my password quickly.

Sure enough when I tried to log into a few accounts my password had been changed. I could not reset my password since the attacker controlled my phone number. They had also taken control of my domain registry and hosting account on Dreamhost meaning they also had control of other domains I was hosting for people. They also had reset my password on my bank account.

Ok. So this was Monday morning. I was annoyed at Verizon already but very concerned about my financial security and also concerned that other people I knew were being contacted by me.

Why was this happening to me? Well for the last 4 years I’ve been an active investor in Bitcoin and companies using Blockchain technologies. I’ve been a high profile speaker at many conferences including Techcrunch. My phone number has been public knowledge as have many of my email accounts. Also I knew of other people in my community who had experienced similar events.

Friends of mine received texts in which the hacker pretended to be me (and my friends had no reason to believe it was not me since it was my phone number) and in which the hacker asked to borrow Bitcoin for a day — usually about $10k. Whilst this would be an unusual thing for me to ask anyway, it did almost fool one of my friends who got spooked last minute and called me.

Ok. So what now.

1. I called Verizon. They said that they ported the number because I did not have port blocking turned on. So despite the phone call on Sunday night they did not enable port blocking. After much back and forth I found that in order to port my number back which was now at Google Voice using the carrier “Bandwidth” I needed a police report. Not just the piece of paper they give you at the station when you file a report but the actual paper copy which takes 10 days. Verizon gave me a new number and apologized. I put a new security pin on my account and also told them to set up port blocking.
2. I contacted dreamhost. In order to recover my domains I needed to prove my identity. Easy enough. I faxed (yes faxed) a copy of my drivers license and a credit card to them. They gave me back my domains in 24 hours. Pretty efficient.
3. I went to the police station and filed a police report.
4. After getting my domains back I logged back into my email accounts. The hackers had not as far as I could tell, downloaded my mail, only accessing through gmail on the browser, but even so the amount of information they could have gained on me was enormous. I resolved to stop emailing sensitive information like credit cards, SSN etc. through email. It’s 2016. Why don’t we have encrypted email?
5. I set up 2 factor auth on all my accounts using Google Authenticator and also removed my phone number from these accounts.
6. I called Apple and set up 2 factor auth on my icloud account.

All in all I lost nothing except time and some embarrassment. Trying to explain this to people was one of the strangest things. People look at you different when you tell them you’ve been hacked — especially when its as strange as this one was.

Other friends have not been so lucky. I know of 15 people now who have had this happen to them. One friend lost $150k in a day. Some people have had it happen to them multiple times.

Update: December 12th.

I finally received the police report (official copy) after 5 weeks. Faxed (yes faxed) it to Verizon port department. 4 phone calls later, had assurance that they would recover my number. Received a call 2 weekend later (dec 12) and now have control of my old number.

My plan next is to follow some of the advice in the kraken blog entry on this subject. I will not be describing my exact algorithm here but if you want to learn more please contact me.