Hi, Habr! Here is my translation of the article
"The Most Expensive SIM-port Of My Life: Details Of SIM port hack" by Sean Coonce.
Last Wednesday, I lost over $100,000. The money evaporated within 24 hours as a result of a "SIM port attack" that emptied my Coinbase account. Four days have passed since then, and I am devastated. I have no appetite; I cannot fall asleep; I am consumed by anxiety, remorse and shame.
It was the most expensive lesson of my life, and I want to share the experience and the lessons learned with as many people as possible. My goal is to raise awareness of these types of attacks and to motivate you to strengthen the security of your online identity.
This is still very raw (I have not even told my family about it yet); please withhold judgement on the naive security practices described in this post.
Attack details
You may ask: "What exactly is a SIM port attack?" To describe the attack, let's first consider a typical online identity. The diagram below should be familiar to most of you.
Many of us have a primary email address that is connected to a HUGE number of other online accounts. Many of us also have a mobile device that can be used to recover a forgotten email password.
Authorized SIM Port
One of the services telecom operators offer their customers is the ability to port a SIM card to another device. This lets a customer request that their phone number be transferred to a new device. In most cases this is a perfectly legitimate process; it happens when we buy a new phone, switch operators, and so on.
SIM port attack
A "SIM port attack", however, is a malicious port requested by an unauthorized party: the attacker. The attacker ports your SIM card to a phone they control. They then start a password reset on your email account. The confirmation code is sent to your phone number and intercepted by the attacker, who now controls your SIM card. The diagram below shows the attack step by step.

As soon as an attacker gains access to your email address, they move from service to service wherever you use that email address (banks, social networks, etc.). If the attacker is especially malicious, they can lock you out of your own accounts and demand a ransom to restore access.
Let's digress for a minute and think about the amount of personal information associated with one Google account:
- your address, date of birth and other personally identifying information;
- access to potentially compromising photos of you and/or your partner;
- access to calendar events and vacation dates;
- access to personal emails, documents and search queries;
- access to your personal contacts and their personal information, as well as their relationship to you;
- access to every online service where your primary email address is the login.
Sequence of events
To better understand how the attack unfolds and how far it reaches, let's walk through the timeline of this attack. I want to show how the attack was carried out, what I was experiencing at the time, and what you can do to protect yourself if you notice the same signs.
The time schedule is divided into four parts:
- What I was experiencing: how events unfolded from my point of view; if you experience something like this, you are most likely under attack.
- What the attacker did: the tactics the attacker used to gain access to my Coinbase account.
- Perceived threat level: the importance I attached to the events at the time.
- Appropriate threat level: the importance I should have attached to them.

Lesson learned and recommendations
It was the most expensive lesson of my life. I lost a significant portion of my net worth in 24 hours, irrevocably. Here are some tips to help others protect themselves better:
- Use a hardware wallet for cryptocurrency: move your crypto holdings to a hardware wallet / cold storage / multi-signature wallet whenever you are not actively transacting. Do not leave funds on exchanges. I treated Coinbase like a bank account, but you have no recourse in the event of an attack. I knew about these risks, but I never thought something like this could happen to me. I deeply regret not taking more serious measures to secure my crypto.
- SMS-based two-factor authentication is not enough: whatever you want to protect online, move to hardware-based protection (something physical that an attacker would have to obtain in order to carry out the attack). While Google Authenticator or Authy can turn your phone into a sort of hardware token, I would recommend going further. Get a YubiKey, which you control physically and which cannot be spoofed.
- Reduce your online footprint: resist the urge to share personally identifiable information (date of birth, location, photos with geo-data, etc.) unnecessarily. All of this public data can be used against you in the future.
- Google Voice 2FA: in some cases a service may not support hardware two-factor authentication and will rely on weaker SMS codes. In that case it is a good idea to create a virtual phone number in Google Voice (which cannot be ported) and use it as your number for two-factor authentication. (Translator's note: this method only works in the USA.)
- Create a secondary email address: instead of tying everything to a single address, create a secondary email address for critical accounts (banks, social networks, cryptocurrency exchanges, etc.). Do not use this address for anything else and keep it secret. Remember to protect this address with some form of two-factor authentication.
- Offline password manager: use a password manager. Better yet, use an offline password manager such as Password Store. Irvik has an excellent comparison of various password managers, along with recommendations for the more technically savvy.
On readers' comments...
Given my security practices, I probably deserved to be hacked; I understand that. It does not make this any easier, and judgement only obscures the point of the story, which is to:
- let others know how easy it is to be at risk;
- use this knowledge and advice to make the security of your online identity a priority.
I can't stop thinking about the small, simple things I could have done to protect myself. My head is full of "what if..." thoughts.
These thoughts, however, sit alongside two overlapping feelings: laziness and survivorship bias. I never took my online security seriously because I had never experienced an attack. And even though I understood the risks, I was too lazy to protect my assets with the seriousness they deserved.
I encourage you to learn from these mistakes.