Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency


New York- Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.

In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile US, Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.

Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.

“My iPad restarted, my phone restarted and my computer restarted, and that’s when I got the cold sweat and was like, ‘O.K., this is really serious,’” said Chris Burniske, a virtual currency investor who lost control of his phone number late last year.

A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission’s own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.

But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr. Burniske.

Within minutes of getting control of Mr. Burniske’s phone, his attackers had changed the password on his virtual currency wallet and drained the contents — some $150,000 at today’s values.

Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.

“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur.

Mr. Weeks lost his phone number and about a million dollars’ worth of virtual currency late last year, despite having asked his mobile phone provider for additional security after his wife and parents lost control of their phone numbers.

The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. And virtual currency transactions are designed to be irreversible.

Accounts with banks and brokerage firms and the like are not as vulnerable to these attacks because these institutions can usually reverse unintended or malicious transactions if they are caught within a few days.

But the attacks are exposing a vulnerability that could be exploited against almost anyone with valuable emails or other digital files — including politicians, activists and journalists.

Last year, hackers took over the Twitter account of DeRay Mckesson, a leader of the Black Lives Matter movement, by first getting his phone number.

In a number of cases involving digital money aficionados, the attackers have held email files for ransom — threatening to release naked pictures in one case, and details of a victim’s sexual fetishes in another.

The vulnerability of even sophisticated programmers and security experts to these attacks sets an unsettling precedent for when the assailants go after less technologically savvy victims. Security experts worry that these types of attacks will become more widespread if mobile phone operators do not make significant changes to their security procedures.

“It’s really highlighting the insecurity of using any kind of telephone-based security,” said Michael Perklin, the chief information security officer at the virtual currency exchange ShapeShift, which has seen many of its employees and customers attacked.

Mobile phone carriers have said they are taking steps to head off the attacks by making it possible to add more complex personal identification numbers, or PINs, to accounts, among other steps.

But these measures have not been enough to stop the spread and success of the culprits.

After a first wave of phone porting attacks on the virtual currency community last winter, which was reported by Forbes, their frequency appears to have ticked up, Mr. Perklin and other security experts said.

In several recent cases, the hackers have commandeered phone numbers even when the victims knew they were under attack and alerted their cellphone provider.

Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone.

But just a day later, he said, the attacker persuaded a different Verizon agent to change Mr. Pokornicky’s number without requiring the new PIN.

A spokesman for Verizon, Richard Young, said that the company could not comment on specific cases, but that phone porting was not common.

“While we work diligently to ensure customer accounts remain secure, on occasion there are instances where automated processes or human performance falls short,” he said. “We strive to correct these issues quickly and look for additional ways to improve security.”

Mr. Perklin, who worked at a Canadian mobile phone operator before joining ShapeShift, said most phone companies would write down any additional security requests in the notes of a customer account.

But agents can generally act on their own, he said, regardless of what is in the notes, and can easily miss what is in the notes.

The vulnerability of phone numbers is the unintended consequence of a broad push in the security industry to institute a practice, known as two-factor authentication, that is supposed to help make accounts more secure.

Many email providers and financial firms require customers to tie their online accounts to phone numbers, to verify their identity. But this system also generally allows someone with the phone number to reset the passwords on these accounts without knowing the original passwords. A hacker just hits “forgot password?” and has a new code sent to the commandeered phone.

Mr. Pokornicky was online at the time his phone number was taken, and he watched as his assailants seized all his major online accounts within a few minutes.

“It felt like they were one step ahead of me the whole time,” he said.

The speed with which the attackers move has convinced people who are investigating the hacks that the attacks are generally run by groups of hackers working together.

Danny Yang, the founder of the virtual currency security firm BlockSeer, said he had traced several attacks to internet addresses in the Philippines, though other attacks have been tracked to computers in Turkey and the United States.

Mr. Perklin and other people who have investigated recent hacks said the assailants generally succeeded by delivering sob stories about an emergency that required the phone number to be moved to a new device — and by trying multiple times until a gullible agent was found.

“These guys will sit and call 600 times before they get through and get an agent on the line that’s an idiot,” Mr. Weeks said.

Coinbase, one of the most widely used Bitcoin wallets, has encouraged customers to disconnect their mobile phones from their Coinbase accounts.

But some customers who have lost money have said the companies need to take more steps by doing things like delaying transfers from accounts on which the password was recently changed.

“Coinbase looks like a bank, stores millions of dollars like a bank, but you don’t realize how weak its default protections are until you are robbed of thousands of dollars in minutes,” said Cody Brown, a virtual reality developer who was hacked in May.

Mr. Brown wrote a widely circulated post about his experience, in which he lost around $8,000 worth of virtual currency from his Coinbase account, all as he sat online and watched, getting no response from the customer service at either Coinbase or Verizon.

A spokesman for Coinbase said the company “has invested significant resources to build internal tools to help protect our customers against hackers and account takeovers, including compromise through phone porting.”

The irreversibility of Bitcoin transactions has often been lauded as one of the most important qualities of virtual currency because it makes it harder for banks and governments to intervene in transactions.

But Mr. Pokornicky said the virtual currency industry needed to alert new users to the added risk that comes with the new features of the technology.

“It’s powerful to be able to control your money and move things without any permission,” he said. “But that privilege requires a clear understanding of the downside.”

The New York Times

Should Pregnant Women Hang up their Mobile Phones?

London- Children whose mothers were frequent cell phone users during pregnancy were more likely than those of less frequent users to be hyperactive, a new study finds.

But lead author Laura Birks is not advising expectant mothers to hang up their cell phones.

She cautioned that she could not say if electromagnetic radiation from cell phones or any number of other factors, such as parenting styles, might explain the link between maternal cell phone use during pregnancy and childhood behavioral problems.

“I would say interpret these results with caution, and everything in moderation,” she said in a Skype interview with Reuters.

Birks and her colleagues analyzed data on more than 80,000 mother-child pairs in Denmark, Spain, Norway, the Netherlands and Korea. They found consistent evidence of increasing risk of behavioral problems – particularly, hyperactivity – in 5- to 7-year-old children the more their mothers talked on cell phones during pregnancy.

Given that there is no known biological mechanism that could lead prenatally emitted cell phone radiation to promote hyperactivity in offspring, the results were surprising, said Birks, who is a doctoral student in biomedicine at the Barcelona Institute for Global Health in Spain.

The association held firm across five countries and time periods.

Offspring of mothers who reported being on at least four cell phone calls a day, or in one cohort speaking on a cell phone for more than an hour a day, were 28 percent more likely to be hyperactive than offspring of mothers who reported being on one or fewer calls a day, researchers found after accounting for a variety of confounding variables, such as maternal age, marital status and education.

The data spanned a variety of time periods from 1996 through 2011. Only the earliest cohort, in Denmark starting in 1996, had enough women who never used a cell phone while pregnant to study them as a separate group.

But the children of mothers who never used cell phones while pregnant had a lower risk of behavioral and emotional problems than any of the children whose mothers used cell phones, according to the report in Environment International.

Dr. Robin Hansen, a pediatrician and professor at the University of California, Davis in Sacramento, found the report raised more questions than it answered.

“Is it something about the cellphone itself?” she asked in a phone interview. “Is it something that impacts your parenting behavior? Those are issues that can’t be answered by this study.”

As a pediatrician who works with children who have behavioral problems, Hansen is less inclined to consider cellphone radiation and more inclined to consider parenting styles, habits and personalities as a possible link between maternal cellphone use and childhood hyperactivity, she said. She was not involved in the study.

“Now we have to dig deeper and figure out why,” Hansen said. “Is it the electronic signals that go through your brain and your body, or how it changes your interactions with your child postnatally?”

American pediatricians advise parents to limit their children’s screen time. But parents also need to consider how their time spent tethered to their phones takes them away from their children, Hansen said.

When parents stare at their phones and fail to respond to their kids, their children quickly learn how to get the attention they crave, she said.

“It’s not until you cry or you throw something or make a lot of noise, that your parents shift their attention from the cellphone to you,” she said. So children learn to make a racket in an effort to pull their parents toward them and away from their devices.

“It reinforces hyperactive, attention-getting behavior,” she said.

Device-free Dinner Campaign Launched by Advocacy Group

Washington- Common Sense, an advocacy and education group for parents, has urged families to try a device-free dinner.

The group has launched a campaign challenging families to put the devices away at dinner, stay off their phones and talk to one another. In sports-themed spots running during the Olympics, the group hopes to show how being distracted by devices can disconnect you from what’s going on around you.

NBC is airing the spots during primetime Olympic coverage.

Common Sense sees the overall campaign as a multiyear effort; future aspects of the campaign will have a “holiday-specific pledge and New Year’s resolution component.”

The group, which has done extensive research into how devices affect kids and families, decided to focus on family dinner because it found that many families struggle over whether smartphones and other devices should be allowed at the table. A new survey from the group, released with the PSA, found more than half of parents or guardians said they’re concerned about technology at the table taking away from dinner. Thirty-five percent said they’d had an argument about using devices at the dinner table.

Despite those concerns, 47 percent said that they or a family member had recently taken a device with them to dinner. Nineteen percent said they keep their tech on the table while they eat — which has been shown to disrupt conversations even when the devices aren’t in use. And families are, overall, happy about the effects of technology: Sixty-one percent said they feel it brings them together.

That paints a complicated picture, said Michael Robb, director of research at Common Sense. “Clearly they’re struggling with this internally,” he said. “It feels like they’re torn on how to modernize these family moments.”

Family dinners were an obvious place to focus on, Robb said, because they’re already a place for conversation and personal connection. Studies have suggested that family meals are important for developing vocabulary as well as ideas about nutrition. Others have shown that kids who have dinner with their families are less prone to acting out or substance abuse.

And while the idea of a family dinner may seem like a relic from a 1950s sitcom, Robb said that the group’s research shows that it’s still very common. The group polled more than 800 families with kids ages 2 to 17 across socioeconomic and racial lines for its survey and found 70 percent of families reported they carve out the time to have dinner together five or more times a week.

“That was higher than I was expecting,” Robb said. “But it points to the importance of family dinner as a cultural institution. And it means that this is attainable for most families; it’s not just something of times gone by.”

Common Sense is not interested in making you give up your phone altogether. Nor, Robb said, should parents feel like they have to be militant about enforcing a no-tech table.

Unplugging for just the 20 or so minutes that you eat together may be enough to calm parents concerned about what the “right” balance of screen and offline time should be for their families.