SIM Swapping Cryptocurrency Theft Case Exposes OTP Weaknesses
Date: 2019-06-13
Author: Anders Adolfsson, Technical Consultant
Nearly every week, news articles provide new reasons why pushed one-time passwords (OTP) and out-of-band identification are terrible ideas when it comes to data security.
In one recent egregious example, nine people were charged with stealing nearly $2.5 million in unnamed cryptocurrency from random people. As the story goes, six members of a hacking group known as “The Community” apparently bribed three mobile phone service providers to turn over the stolen identities of their companies’ users.
One member of the hacking group, Irish citizen Conor Freeman of Dublin, just 20 years old, faces as much as 100 years in a U.S. prison (he’d be extradited to the U.S.) for his part in the scheme. All the defendants are being charged with wire fraud. The hackers also are charged with aggravated identity theft.
As their name implies, one-time passwords are valid for just one login session or transaction on a computer system or other digital device. Out-of-band authentication is a type of two-factor authentication that requires a secondary verification method through a separate communication channel, along with an ID and password.
The trick in cases like this is that users must watch and better understand their log-in activities and adjust their security requirements as needed with any and all external identity providers (IDP). When they log in using SMS, for instance, they are relying on the security of a third-party infrastructure (the cell company, in this case) and are trusting the company to handle user identities (and their authentication/verification) carefully.
Because in this case the infrastructure was attacked – by an inside job – the security of the workflow was compromised, and the hackers made off with nearly $2.5 million.
In the cell phone case, the U.S. Department of Justice says the “SIM swapping” the hackers used involved fraudulently porting a user’s number to a new SIM card belonging to the attacker. They fooled the provider into porting the number to the SIM card by providing required personal information (in this case, information supplied by the telco’s employees).
Once they had the numbers successfully linked to their SIM cards, the hackers reset passwords and gained access to online accounts – from cloud storage to email to cryptocurrency wallets.
SIM swapping – especially when it can lead to infiltrating cryptocurrency accounts – is reportedly a growing trend, according to other reports in the news.
What this incident and others like it tell us is that even when users and subscribers are skilled in technology (and not everyone is), companies should be informing them if and when any security concerns take place in back-end systems regarding their Activity like this would give the end user the chance to “monitor” such things and alert the IT department about suspicious actions being performed.
To learn more about how vSEC:CMS can help protect your customers and employees, contact us here.