Cryptocurrency users have always been a tempting target for cybercriminals. Since none of these currencies have reversible transactions, stealing money is a guarantee for success. It now appears criminals are targeted telecommunication providers across the United States for this purpose. More specifically, they try to have companies transfer control of a victim’s phone number to them. This allows criminals to bypass most 2FA authentication methods used by cryptocurrency exchanges and wallet providers.
It becomes more and more difficult to keep one’s cryptocurrency-related accounts safe from harm. This is especially true when using exchange services and enabling two-factor authentication. Although this security measure should be mandatory, it can also be disastrous in some cases. According to a NY Times article, criminals are targeting US telcos for this specific purpose. Once control of a mobile phone number is transferred to a criminal, they can bypass 2FA measures on all platforms with ease.
Phone Hijacking is a Problem for Telcos and Cryptocurrency Users
So far, affected telcos include AT&T, Sprint, Verizon, and T-Mobile. It is unclear how successful these attempts really are, though. There have been a lot of stories regarding users losing control over their phone number. In the minutes following such an incident, hackers successfully drain any online cryptocurrency wallet linked to the victim. Phone hijacking is a very serious problem and only seems to grow worse a sore time progresses. Cryptocurrency users are one of the main targets for criminals using phone hijacking as an attack vector.
One of the main issues with these attacks is how few people effectively report them. When one loses a few hundred dollars, it can be written off as a loss. When the number goes into the thousands or more, there is a big problem. This method is still gaining more popularity as we speak. US telcos are not the only target for criminals, as these hijacking attempts take place on a global scale these days. Unfortunately, there is very little the victim can do. Exchanges will not reimburse the missing balance by any means. Nor is the telco at fault, assuming the criminal provides enough relevant information.
It appears criminals target victims through social media. A lot of people are very open about their cryptocurrency portfolio and purchases. It doesn’t take much effort to find some personal information about these people and attempt to hijack their phone number. This is a very worrisome trend that is only now gaining some recognition by security experts. Unfortunately, it is virtually impossible to prevent this from happening. Carriers are taking steps to address these attacks, but social engineering has always been a fatal weakness for any industry. Not relying on SMS-based 2FA is a start, but it’s not a perfect solution either.