15 Mar 2017

Hackers Stole My Phone Number - A Personal Story

By Michael Krieger: On March 3rd, at approximately 9pm, hackers stole my phone number. I didn’t become aware of this until a little more than 24 hours later, but hacking attempts on my other accounts began right away. Prior to this nightmarish experience, I had never heard of this happening to anyone else; however, in the days that followed I quickly became aware of its rapidly growing popularity and frightening ease of execution. Pulling off this attack requires virtually no technical skills, rather it relies entirely on social engineering, persistence, and an incompetent telecom employee. If this can happen to me, it can happen to virtually anybody.
The 48 hour period beginning at around 5am on March 4th was one of the most trying, confusing and frightening of my life. At that point, my wife and I had been up pretty much all night due to our son being in the midst of a horrible sleep regression. In fact, his crying was so hysterical I ended up calling our pediatrician’s office to ensure he wasn’t suffering from something more serious. I was going on two hours of sleep, the sun was about to rise and I was dealing with an inconsolable child. I thought things couldn’t get much worse. Boy was I wrong.
I had time to kill while waiting for the on-call nurse to ring me back, so I checked my email. I quickly realized something had gone horribly wrong. At least one of my accounts had been entirely compromised, and I received multiple alerts from two other accounts notifying me of unauthorized actions and password change attempts. At this point I realized there would be no hope of any additional sleep, and I immediately got to work contacting the three accounts that had been attacked. There was considerable damage to one of my accounts, but support immediately took care of the issue. The other accounts were only partly compromised, and appeared safe. I proceeded to log into my other accounts in order to change passwords and investigate whether or not anything else had been compromised, with my email the most pressing concern. Everything else seemed fine. I passed out that evening shaken, but somewhat relieved despite the fact I still had no idea what was going on or how the hackers compromised the things they did.
My attempt at rejuvenation via a good night’s sleep was quickly dashed at about 2am with a phone call to a rarely used alternate number from my father. He was in panic mode telling me that someone had been texting him from my phone number asking for a “code.” Fortunately, my dad had no idea what this person was talking about and refused to continue the conversation without a phone call. When my dad called my phone number a strange person answered pretending to be me. My dad cursed him off and immediately called me. This was the scariest moment of the entire episode. It was 2am, someone had compromised my phone number, and who knew what else. I didn’t know what was happening other than I was in a serious pile of shit, and this was the only time I wondered if my physical safety might be at risk.
Once again, it was in the middle of the night, and I felt even more violated, isolated and helpless than the day before. When you’re that sleep deprived and being attacked virtually non-stop, it’s very hard to think clearly. I had no idea if my entire phone had been taken over somehow, and I had no idea what they would be targeting next given their enhanced capabilities. All I knew was this was not good. On the positive front, I hadn’t gotten a stream of emails alerting me to additional account penetrations as I had the day before. I suddenly felt very fortunate to have taken the steps to change my passwords the previous day.
Not knowing the extent of the problem, I called the police. I was transferred to an extraordinarily nice deputy who talked me through everything. While he couldn’t really do much, he did put my mind at ease and also called my phone number to see who answered. The attackers did not answer the phone, but the deputy told me the voicemail said it was related to a Google Voice account. This presented me with my first clue. I had never even heard of Google Voice before, let alone had an account. So how the heck did hackers snatch my number and move it over to a Google Voice account controlled by someone else?
Over the next couple of hours, I started to put together additional pieces of the puzzle. I realized that I could still send text messages and make phone calls from my device, but I wasn’t receiving any incoming phone calls or texts. Thus it became clear the hackers hadn’t taken over my phone, but had somehow forwarded my calls and texts to an outside device under their control. They were also able to send text messages from my phone number, which is how they launched the attempted phishing, social engineering attack against my dad. Unnervingly, I still didn’t know how this happened, and I had to wait hours until someone at my carrier would become available over the phone.
Once I got someone on the phone, I knew enough to at least tell them Google Voice had somehow been connected to my phone and that I needed that severed. This person told me that she would do what she could from her end. To my great relief, I was once again able to receive text messages, but incoming phone calls were still not arriving at my device. I figured this might take some time, so I decided to devote my resources to alerting Google to what had happened, and to see what they could do. As you might expect, you can’t exactly get someone on the phone at Google, so I had to fill out various forms online and pray for a response. I went to bed that night not hearing from Google, and with my phone calls still being redirected.
I finally got some decent sleep Sunday evening. Refreshed and excited it was Monday since I figured it would provide me with greater opportunities for help, I decided to try my telecom carrier’s online chat to see if that would provide a better support experience. I was quickly able to get to a technical professional who seemed genuinely horrified about what had happened to me, and he suggested I call the company’s fraud department. I then asked him about the pesky issue of my phone calls not coming to me, and he solved the problem within minutes. I thanked him and immediately called the fraud department, as suggested. This is where things started to get really weird, and completely infuriating.
The woman who picked up the phone at the fraud department seemed to be the most competent person I ever talked to at the company. She expressed concern and decided to look into the history of what happened, focusing on March 2nd, when someone began pestering customer support non-stop claiming they were me and saying their phone broke and needed my number forwarded. She then notified me that after several attempts, the hacker successfully convinced a representative to forward my number without verifying my identity.
Once my SMS messages were being forwarded to the hackers, they were able to initiate and complete a connection of my number to a Google Voice account under their control. While relieved to have discovered how this whole scam worked, I was simultaneously horrified. Was it really this easy to steal someone’s phone number? Seemingly all you had to do is pester call-center telecom employees incessantly until one of them gets sloppy. Then presto, your phone number is stolen.
At this point, I asked the fraud representative if she could email me the chat transcripts of the hacker pretending to be me in order to investigate further. This is when things got extremely troubling. I knew from my earlier chat that the transcripts are saved and then emailed out to the person who initiated the chat. The woman on the phone then started to act weird and suddenly transferred me away to another department. The person who answered next could barely speak english and had no idea what was going on in my case.
Extremely frustrated, I called the fraud department back and was connected to a different person. I explained the situation and he said he’d look into it. The demeanor of this person was completely different from the prior representative. He was extremely cautious and took forever to answer the simplest of questions. He told me an entirely different story from the person I had just spoken to. He said that someone incessantly called pretending to be me asking for call forwarding, but that none of the customer service representatives agreed to it since they couldn’t verify their identity. He confirmed that the hackers contacted customer service on at least 15 distinct occasions on March 2nd alone, a day before my number was switched over to the attacker’s Google Voice account. It seemed like the company was frantically covering its tracks. I then asked this person to send me the chat transcripts. He said he would submit a request and send it to the email on my account. I have yet to receive any chat transcripts.
Unfortunately, I can’t prove that a telecom representative agreed to call forwarding without verifying my identity, but it seems almost certain that this is what happened. As I learned in the following days as I conducted more research, this sort of attack is rapidly increasing in popularity and effectiveness since there’s a huge weak link: telecom call-center employees.
Laura Shin wrote an excellent article on the topic back in December at Forbes titled, Hackers Have Stolen Millions Of Dollars In Bitcoin — Using Only Phone Numbers, which explains almost exactly what happened to me. Here are a few excerpts:

In all these cases, as with Kenna’s, the hackers don’t even need specialized computer knowledge. The phone number is the key. And the way to it get control of it is to find a security-lax customer service representative at a telecom carrier. Then the hacker can use the common security measure called two-factor authentication (2FA) via text. Logging in with 2FA via SMS is supposed to add an extra layer of security beyond your password by requiring you to input a code you receive via SMS (or sometimes phone call) on your mobile phone. All fine and dandy if you’re in possession of your phone number. But if it’s been forwarded or ported to your hacker’s device, then that code is sent straight to them, giving them the keys to your email, bank accounts, cryptocurrency, Facebook and Twitter accounts, and more.
Their experience is part of a larger trend. In January 2013, the Federal Trade Commission received 1,038 reports of these incidents, representing 3.2% of all identity theft reports to the FTC that month. By January 2016, 2,658 such incidents were filed — 6.3% of all such reports that month. There have been incidents involving all four of the major carriers.
Blockchain Capital VC Pierce, whose number was hijacked last Tuesday, says he told his T-Mobile customer service representative, “It’s going to go from five customers to 500. It’s going to become an epidemic, and you need to think of me as the canary in the coal mine.”
Last summer, the National Institutes of Standards and Technology, which sets security standards for the federal government, “deprecated” or indicated it would likely remove support for 2FA via SMS for security. While the security level for the private sector is different from that of the government, Paul Grassi, NIST senior standards and technology advisor, says SMS “never really proved possession of a phone because you can forward your text messages or get them on email or on your Verizon website with just a password. It really wasn’t proving that second factor.”
Worst of all is if the hacker doesn’t have your password but the password recovery process is done via SMS. Then they can reset your password with just your phone number — one factor.
Jesse Powell, CEO of U.S.-based exchange Kraken, who wrote an extensive blog post detailing how to secure one’s phone number, blames the telcos for not safekeeping phone numbers even though they are a linchpin in security for so many services, including email. “The [telecom] companies don’t treat your phone number like a bank account, but it should be treated like your bank. If you show up without your pin code or your ID, then they shouldn’t help you,” he says. “But they prioritize convenience above all else.”
In order to find that opening through the customer service representative, hackers often employ what’s called social engineering, used in 66% of all attacks by hackers. An elaborate version is demonstrated in this video (starting around 1:55), in which a woman with a baby crying in the background (really just a YouTube recording) claims she’s newly married and doesn’t know what email address is used to log into her husband’s account. She then has the rep change the email and password, locking the victim out.
Hadnagy says that with LinkedIn, Facebook, Twitter and FourSquare, “I can create a very accurate psychological profile — what you eat, what music you listen to, your work history, marriage history, I know enough about you to pretext as you with most of your utilities and services.” Birthdates are easily discovered on sites like Facebook and birth years deduced from LinkedIn, so a hacker employing social engineering can use that information to call up, say, a telco and claim they forgot the pin to the account but give a birthdate, phone number and address or even the last four of the Social Security Number since it is so commonly used to identify people, to reset that passcode, Hadnagy says. He also notes that in the last two years, hackers have increasingly been using phones to perpetrate a hack because the ability to “spoof” a line — make it seem like you are calling from another number — has become so easy.
“You can do it through most VoIPs for free, and there’s no way to validate it,” he says. “I can take this number you’re calling me from and call you back in a minute from this number. If this is your cell number and you didn’t have a pin, I can call this number from your number and log right into your voicemail. I can call you from the White House. I can spoof any number in the world.”
In the phone hijacking of Micah Winkelspecht, chief executive and founder of blockchain company Gem, a persistent hacker called T-Mobile six times in one day trying to impersonate him. Five times, the hacker was denied access to the account, but the sixth representative let him in and allowed him to move the line to another phone. “This is not the fault of the customers. It’s the fault of the carriers for not following their authentication procedure,” he says. “I was using a password manager, random passwords, 2FA — you name it, I use it.” Winkelspecht, who didn’t lose any money, says he could take every precautionary method available to him and still be victim because “a single employee at a call center can make a mistake and it can compromise your entire digital identity.”
But most victims agree that it isn’t a lone hacker, but a team or multiple teams — which is likely how they are able to breach so many accounts in such a short time period once they do hijack a number.
As becomes clear when you read the article above, this isn’t an issue specific to my phone carrier, it’s a vulnerability being exploited at other major telecom companies as well. This is an industry-wide problem, and if it isn’t addressed, and addressed properly, will turn into an epidemic. While it’s a sad fact of life that there will always be exploitable employees if you try enough times, there were many things my carrier could’ve done to mitigate the impact of this situation.

First, how are there no red flags in the system when someone persistently pretends to be me, asks for call forwarding and then repeatedly fails to verify identity? Second, when you initiate a chat with my carrier, you are asked to enter your email, but you don’t have to enter the email associated with the account. As such, the attackers simply put their own email addresses in, and all the fraudulent chats got sent to them, not me. It should be an obvious rule that all chat transcripts associated with a customer’s number automatically also get sent to the email address on file. If this had happened, I would’ve known about the attack on March 2nd, a full 24 hours before my number was moved over to an outside Google Voice account. Unfortunately,I received no emails of any of the fraudulent chat transcripts. Finally, as a last resort, every telecom company should automatically email their customers when something as significant as call-forwarding or Google Voice activation is added to your account. A simple, standard email saying something like “Google Voice has been linked to your account, if you didn’t request this, contact us immediately.” I received nothing of the sort, which is mind-boggling.
I generally keep my personal life separate from this website, and I was very hesitant to write about this extremely difficult experience. Ultimately, I decided that if the purpose of Liberty Blitzkrieg is to help people stay informed and vigilant, I needed to outline publicly what happened to me so as many people as possible become aware of the situation. This in turn will hopefully pressure carriers to get their act together and close, or at least mitigate, this gaping security vulnerability. Fortunately, it appears at this time that I did not suffer any serious damage, other than emotional hardship for a week or so, and wasted time when I could’ve been working. In other words, I dodged a serious bullet and consider myself extraordinarily lucky. So what are the major takeaways?
I left out many details of the attack because they weren’t necessary to the main point of the article. The attack was actually far wider and more concerning than I am willing to divulge, but that’s a personal matter. The purpose of this piece is to highlight the huge vulnerability at telecoms that is being exploited by hackers. It is to inform people that this sort of thing can and does happen, so that if you ever get a text from someone you know that seems strange, asking for information, don’t divulge anything over text. Hop on the phone and confirm they are who they say they are. Second, non-SMS based two-factor authentication seems to have saved me serious problems in this case. If you use SMS (texts) as your second factor, consider changing that setting immediately and use something else if available from the service provider. As I demonstrated, since SMS messaging is easily compromised, your second factor won’t do any good if your texts are being sent to someone else’s device.
To conclude, without divulging additional details, I want to assure you that it is entirely clear that this was not just one hacker, but a group. They clearly did extensive research before launching this attack, and knew personal things about me I’m still not sure how they attained. As soon as Google Voice was activated on my account without my permission, they immediately got started and targeted many accounts simultaneously over a 36 hour period. With a young child and a very pregnant wife at home, it was a hellish experience I wouldn’t wish upon my worst enemy. The purpose of this post is to put everyone on alert, since I don’t want this to happen to anyone else.
Finally, I want to conclude this article with a couple of resources:
A Beginner’s Guide to Beefing Up Your Privacy and Security Online (ArsTechnica)
Tips, Tools and How-tos for Safer Online Communications (EFF)

In Liberty,
Michael Krieger


No comments:

Post a Comment