To get their hands on cryptocurrencies like bitcoin, hackers are turning to phones.
They are increasingly calling up mobile phone providers such as Verizon, T-Mobile U.S., Sprint and AT&T to transfer victims’ phone numbers to devices under their control, according to The New York Times. Phone numbers act as keys to reset many online accounts—two-factor authentication doesn’t prevent it because the hijacked phone number receives the authentication codes.
Perpetrators appear to choose targets by monitoring social media for people discussing virtual currency. They use phone numbers to verify account ownership and transfer assets out. A traditional bank could intervene in that step, but cryptocurrency transactions are irreversible by design, according to the Times.
Digital wallet provider Coinbase points to the telecommunications companies as the "weakest link" in their security processes and recommends using Google Authenticator or another offline authenticator app instead of a mobile phone number.
“[S]ending SMS to your phone actually verifies you have access to your phone number, not really your phone device. This distinction is really important as it turns out phone numbers can be stolen far more easily than physical phone devices,” a company blog post said.