A Cautionary Tale from Sean Coonce

regularassmilk

1784

Forum Posts

1821

Wiki Points

0

Followers

Reviews: 1

User Lists: 0

Not sure if this has been posted yet, I don't think it has: former Whiskey developer Sean Coonce posted this story on Medium yesterday about being the victim of a SIM port attack that drained his Coinbase account. I feel terrible for his loss; remember to be safe!

https://link.medium.com/oeZw5YH5RW

FLStyle

6883

Forum Posts

40152

Wiki Points

0

Followers

Reviews: 0

User Lists: 17

What's a coinbase?

Jesus_Phish

4118

Forum Posts

3307

Wiki Points

0

Followers

Reviews: 0

User Lists: 0

#3  Edited By Jesus_Phish

@flstyle: A site for buying and selling e-currency like bitcoin.

There's something about that article that reads like an ad to me and I can't figure out what.

FLStyle

6883

Forum Posts

40152

Wiki Points

0

Followers

Reviews: 0

User Lists: 17

> @flstyle: A site for buying and selling e-currency like bitcoin.
>
> There's something about that article that reads like an ad to me and I can't figure out what.

I have never heard anything good come from bitcoin & the like. The fact that this has happened does not surprise me in the slightest.

gunflame88

412

Forum Posts

0

Wiki Points

0

Followers

Reviews: 0

User Lists: 0

Yikes, that's a shitty situation.

mikemcn

8642

Forum Posts

4863

Wiki Points

0

Followers

Reviews: 2

User Lists: 8

#6  Edited By mikemcn

A lot of us are going to have to get hurt to start a movement to make tech companies secure our shit.

His suggestions are all good, but I didn't even know hacking an SMS was a thing someone could do. The bad guys are always going to be one step ahead; at least closing major loopholes at the hardware level would severely limit their options. There is only so much we can do as individuals: with that Intel hack you can read encrypted data right off a CPU, so what is a consumer supposed to do about something like that? Toss the computer? Intel sure as hell isn't going to pay anyone back for leaving the door open on the purchased product.

Also, I still don't get bitcoin. Sean points out that this is a bad idea, but if you aren't actively investing money, why leave it in a bitcoin account? In a bank it's at least insured, right?

MerxWorx01

1231

Forum Posts

0

Wiki Points

0

Followers

Reviews: 0

User Lists: 0

#7  Edited By MerxWorx01

To anyone thinking this is a story about a Bitcoin problem: it's actually a story about telecom services and their lax security protocols. This story should concern you if you have any financials or business that you manage or even access on your phone. This is an issue especially if you use your phone to authorize anything, if you use your phone for 2-Factor Authorization, or if you receive login authorization codes via email or SMS.

fisk0

7321

Forum Posts

74197

Wiki Points

0

Followers

Reviews: 0

User Lists: 75

#8 fisk0  Moderator

So, if I understood this correctly, the SIM port attack isn't even a security flaw with the phone, but a social engineering tactic used to get the victim's phone provider to deactivate their SIM card and port it to the attacker's phone?

I had definitely heard of security issues with MMS messages, which is why I disable automatic retrieval of those on every new phone, but this doesn't actually seem to be accessing your phone through an SMS security flaw or anything; it's just straight up changing which phone will receive future SMSes, and then making a service send its two-factor authorization code to the wrong phone?
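The flow fisk0 describes, modelled end to end as an added example (this is my illustration, not code from the thread, from Sean Coonce's post, or from any carrier or exchange): a toy carrier that maps a number to whichever device currently holds its SIM, a port-out request that a support rep approves on the strength of publicly known facts, and a service whose SMS one-time code then lands on the attacker's phone. The same model shows the two things that break the attack: a carrier-side port-out PIN the attacker cannot scrape from social media, and an authenticator-style TOTP (RFC 6238) whose secret never leaves the victim's device. The phone number, the victim's "facts", and all class and function names are constructed for the example.

```python
"""Toy SIM-port attack plus two mitigations (port-out PIN, TOTP instead of SMS).
Added example, not code from the thread, Coonce's post, Coinbase or any carrier.
Names, the phone number and the account facts below are constructed."""
import hashlib
import hmac
import secrets
import struct

NUMBER = "+15550100"                                          # constructed
FACTS = {"name": "Victim", "dob": "1980-01-01", "zip": "94103"}  # constructed


class Carrier:
    """Maps each number to the SIM/device that currently receives its SMS."""

    def __init__(self):
        self.sim_for = {}    # number -> device holding the SIM
        self.kyc = {}        # number -> facts a support rep can see
        self.port_pin = {}   # number -> port-out PIN, if the customer set one

    def activate(self, number, device, facts, port_pin=None):
        self.sim_for[number] = device
        self.kyc[number] = facts
        if port_pin is not None:
            self.port_pin[number] = port_pin

    def port_number(self, number, new_device, claimed_facts, claimed_pin=None):
        """Port-out as a rep processes it. Name/birthdate/address can be
        scraped from social media; a port-out PIN cannot."""
        if self.kyc.get(number) != claimed_facts:
            return False
        if number in self.port_pin and self.port_pin[number] != claimed_pin:
            return False
        self.sim_for[number] = new_device
        return True

    def deliver_sms(self, number, text):
        """The SMS lands on whichever device holds the number *now*."""
        return self.sim_for[number], text


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    counter = struct.pack(">Q", int(unix_time // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Service:
    """An exchange-like site whose second factor is either SMS or TOTP."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.accounts = {}   # user -> {"phone": ..., "totp_secret": ...}

    def register(self, user, phone, totp_secret=None):
        self.accounts[user] = {"phone": phone, "totp_secret": totp_secret}

    def send_sms_code(self, user, inboxes):
        """SMS 2FA: whoever holds the number on file receives the code."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        device, text = self.carrier.deliver_sms(self.accounts[user]["phone"], code)
        inboxes.setdefault(device, []).append(text)
        return code          # server-side value the caller must echo back

    def verify_totp(self, user, presented, unix_time):
        secret = self.accounts[user]["totp_secret"]
        return hmac.compare_digest(totp(secret, unix_time), presented)


def _ported_carrier(port_pin=None):
    """Attacker requests a port using only the victim's public facts."""
    carrier = Carrier()
    carrier.activate(NUMBER, "victim-phone", FACTS, port_pin=port_pin)
    ported = carrier.port_number(NUMBER, "attacker-phone", dict(FACTS))
    return carrier, ported


def sms_code_reaches_attacker(port_pin=None) -> bool:
    """True when the attacker's phone ends up holding a valid SMS code."""
    carrier, ported = _ported_carrier(port_pin)
    svc = Service(carrier)
    svc.register("victim", NUMBER)
    inboxes = {}
    code = svc.send_sms_code("victim", inboxes)
    return ported and inboxes.get("attacker-phone") == [code]


def totp_survives_port(secret=b"12345678901234567890", now=59) -> bool:
    """Even after a successful port, the TOTP secret never left the victim."""
    carrier, ported = _ported_carrier()
    svc = Service(carrier)
    svc.register("victim", NUMBER, totp_secret=secret)
    victim_ok = svc.verify_totp("victim", totp(secret, now), now)
    attacker_ok = svc.verify_totp("victim", "000000", now)  # holds the SMS, not the secret
    return ported and victim_ok and not attacker_ok


if __name__ == "__main__":
    print("SMS code after port, no port PIN:", sms_code_reaches_attacker())
    print("SMS code after port, PIN set    :", sms_code_reaches_attacker("7391"))
    print("TOTP still only works for victim:", totp_survives_port())
```

The point the model makes is where the secret lives: an SMS code is bound to a phone number, and the number is an asset the carrier can reassign on a phone call, whereas a TOTP secret (or a hardware key) is bound to a device the attacker never touches. The `totp` function is checked against the RFC 6238 SHA-1 test vectors in the usage above, so it is the real algorithm, not a placeholder.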

Onemanarmyy

6406

Forum Posts

432

Wiki Points

0

Followers

Reviews: 2

User Lists: 0

#9  Edited By Onemanarmyy

Skimming through the internet, it sounds like you need one of the following documents to be able to port a sim. `Driving Licence, Passport, Adhar Card, Voter ID, or Pan Card. As an address proof you can submit a copy of the Rent agreement, Landline Bill, Electricity Bill, or a three month bank statement`

Aren't those all quite unlikely to be shared on the internet for an attacker to start this whole process? Or are there telecom providers out there that will do it for you as long as you provide a picture and an address?

MerxWorx01

1231

Forum Posts

0

Wiki Points

0

Followers

Reviews: 0

User Lists: 0

@fisk0: Pretty much, yes. In fact there is a possibility that an AT&T representative might have even spoken to the attacker, using publicly known information about Coonce, and transferred service to a new phone. It sucks, and losing that much money is a straight-up nightmare.

Goboard

346

Forum Posts

0

Wiki Points

0

Followers

Reviews: 0

User Lists: 1

Motherboard's podcast Cyber had an episode about this, or something very similar, as one of its first episodes. Link below for those interested; they have a lot of other good episodes that show just how unprepared companies and individuals are for what the future holds with regard to attacks like this.

https://play.acast.com/s/cyber/simhijackingandthephonenumberransom

mikemcn

8642

Forum Posts

4863

Wiki Points

0

Followers

Reviews: 2

User Lists: 8

> To anyone thinking this is a story about a Bitcoin problem: it's actually a story about telecom services and their lax security protocols. This story should concern you if you have any financials or business that you manage or even access on your phone. This is an issue especially if you use your phone to authorize anything, if you use your phone for 2-Factor Authorization, or if you receive login authorization codes via email or SMS.

I'm definitely looking into one of those security keys, seems like a smart idea.

lego_my_eggo

1532

Forum Posts

259

Wiki Points

0

Followers

Reviews: 0

User Lists: 7

@onemanarmyy: The thing about social engineering is that it is basically just tricking customer service into giving out someone's info/account. If they call up and get someone who follows the rules about verifying the information, you just hang up and try again until you get a person who is more lax about giving that info out.

Here are a few articles about how stuff like this happens.

https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

https://www.vice.com/en_us/article/43ebpd/the-long-weird-story-explaining-why-i-bid-dollar700-for-a-stolen-psn-account

Even if you follow good rules about cyber security, it may all be for nothing if big tech companies don't train their customer service staff properly.

Quantris

1524

Forum Posts

0

Wiki Points

0

Followers

Reviews: 0

User Lists: 0

Never trust SMS-based 2FA. The porting attack isn't the only weakness anyway.

monkeyking1969

9095

Forum Posts

1241

Wiki Points

0

Followers

Reviews: 0

User Lists: 18

The advice he has at the bottom is actually useful for everyone.

  • Reduce Your Online Footprint: Reduce the urge to needlessly share personally identifiable information (birthdate, location, pictures with geolocation data embedded in them, etc.) online. All of that quasi publicly available data can be turned against you in the event of an attack.
  • Google Voice 2FA: In some cases, an online service will not support hardware-based 2FA (they rely on weaker SMS based 2FA). In these cases, you might be better off creating a Google Voice phone number (which cannot be SIM ported) and using that as your 2-Factor Auth recovery number.
  • Create a Secondary Email Address: Instead of binding everything to a single email address, create a secondary address for your critical online identities (bank accounts, social media accounts, crypto exchanges, etc.). Do not use this email address for anything else and keep it private. Back up that address with some form of hardware-based 2FA.
  • Offline Password Manager: Use a password manager for your passwords. Even better, use an offline password manager like Password Store. lrvick has an excellent comparison chart of various password managers as well as a vetted recommendation for the more technically inclined.

That first bit of advice is KEY, reduce your exposure...it is never too late to hide some tracks.
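One concrete piece of the first bullet, the "pictures with geolocation data embedded in them" part, as an added example (my code, not from the thread or from Coonce's post): a standard-library-only check for a GPS block in a JPEG's Exif metadata, and a function that drops the whole Exif APP1 segment before a picture is shared. The JPEG built by `sample_jpeg_with_gps()` is constructed in the code and is not a real photo; the tag numbers (`0x8825` for the GPS IFD pointer, `0x0001` for GPSLatitudeRef) are the standard Exif values.

```python
"""Detect and strip Exif GPS metadata from a JPEG with only the standard
library. Added example, not from the thread or Coonce's post; the JPEG from
sample_jpeg_with_gps() is constructed, not a real photo."""
import struct

APP1, SOS, EOI = 0xFFE1, 0xFFDA, 0xFFD9
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825        # IFD0 tag that points at the GPS sub-IFD


def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each header segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (SOS, EOI):     # image data or end of file: no more headers
            break
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _ifd_entries(tiff: bytes, bo: str, offset: int):
    """Yield (tag, type, count, value_or_offset) for one TIFF IFD."""
    (n,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        (val,) = struct.unpack(bo + "I", tiff[e + 8:e + 12])
        yield tag, typ, cnt, val


def _is_exif(jpeg: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def gps_tags(jpeg: bytes) -> list:
    """Tag ids found in the GPS IFD, or [] if the file carries no GPS block."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        bo = "<" if tiff[:2] == b"II" else ">"   # byte order of the TIFF block
        (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
        for tag, _, _, val in _ifd_entries(tiff, bo, ifd0):
            if tag == GPS_IFD_POINTER:
                return [t for t, _, _, _ in _ifd_entries(tiff, bo, val)]
    return []


def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG without its Exif APP1 segment(s); pixel data untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]
    return bytes(out)


def sample_jpeg_with_gps() -> bytes:
    """Constructed minimal JPEG: SOI, one Exif APP1 holding a GPS IFD, EOI."""
    # IFD0 at TIFF offset 8: a single entry pointing at the GPS IFD at offset 26
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26)
            + struct.pack("<I", 0))
    # GPS IFD: a single entry, GPSLatitudeRef (0x0001) = "N"
    gps = (struct.pack("<H", 1)
           + struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"
           + struct.pack("<I", 0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps
    body = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(body) + 2) + body
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    photo = sample_jpeg_with_gps()
    print("GPS tags before strip:", gps_tags(photo))
    print("GPS tags after strip :", gps_tags(strip_exif(photo)))
```

Stripping the entire APP1 segment is deliberate: selectively blanking the GPS entries would leave the rest of the Exif block (camera serial, timestamps, thumbnail) in place, and that data is part of the same footprint the bullet is talking about.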

jakob187

22972

Forum Posts

10045

Wiki Points

0

Followers

Reviews: 8

User Lists: 9

COONCE! I MISS THAT FUCKER!