Threatwatch

Hackers Target Phones to Get Access to Cryptocurrencies

Stolen credentials

To get their hands on cryptocurrencies like bitcoin, hackers are turning to phones.

They are increasingly calling up mobile phone providers such as Verizon, T-Mobile U.S., Sprint and AT&T to transfer victims’ phone numbers to devices under their control, according to The New York Times. Phone numbers act as keys to reset many online accounts—two-factor authentication doesn’t prevent it because the hijacked phone number receives the authentication codes.

Perpetrators appear to choose targets by monitoring social media for people discussing virtual currency. They use the hijacked phone numbers to verify account ownership and transfer assets out—a step a traditional bank could intervene in, but cryptocurrency transactions are irreversible by design, according to the Times.

Digital wallet provider Coinbase points to the telecommunications companies as the "weakest link" in their security processes and recommends using Google Authenticator or another offline authenticator app instead of a mobile phone number.

“[S]ending SMS to your phone actually verifies you have access to your phone number, not really your phone device. This distinction is really important as it turns out phone numbers can be stolen far more easily than physical phone devices,” a company blog post said.

Sector: Financial Services; Web Services

Reported: August 21, 2017

Reported by: The New York Times

Number affected: Unknown

Location of breach: Unknown

Perpetrators: Criminals

Location of perpetrators: Unknown

Date breach occurred: Unknown

Date breach detected: Unknown