Hello, Habr! I present to you the translation of the article “The Most Expensive Lesson Of My Life: Details of SIM port hack "
by Sean Coonce.
Last Wednesday, I lost over $ 100,000. The money evaporated within 24 hours as a result of the “attack on the port of the SIM card”, which cleared out my Coinbase account. Four days have passed since then, and I am devastated. I have no appetite; I can not fall asleep; I am filled with feelings of anxiety, conscience and shame.
It was the most expensive lesson in my life, and I want to share experiences and lessons learned with as many people as possible. My goal is to increase people's awareness of these types of attacks and motivate you
to increase the security of your online identity.
It's still very damp (I still have not told my family about it); Please keep with you the conviction of the naive security practices told in this post.
You may ask: “And what is this all about the attack on the port of a SIM card?” To describe the attack, let's first consider a typical online personality. The diagram below should be familiar to most of you.
Many of us have a primary email address that is connected to a HUGE number of other online accounts. Many of us also have a mobile device that can be used to recover a forgotten password from an email.
Authorized SIM card port
One of the services offered by telecom operators to customers is the ability to port a SIM card to another device. This allows the customer to request the transfer of their phone number to a new device. In most cases, this is an absolutely legal process; this happens when we buy a new phone, change the operator, etc.
Attack on the SIM port
However, “attack on a SIM-card port” is a malicious port made from an unauthorized source — an attacker. The attacker ported your SIM card to the phone controlled by him. Then the attacker begins the process of resetting the password on the email account. The confirmation code is sent to your phone number and intercepted by the attacker, as it now controls your SIM card. The diagram below shows the attack step by step.
As soon as an attacker gets access to your email address, they begin to move from the service to the service where you use this email address (banks, social networks, etc.). If the attacker is especially harmful, he can block your access to your own accounts and request a fee for returning access.
Let's digress for a moment and think about the amount of personal information associated with one Google account:
- your address, date of birth and other personal information that allows you to identify;
- access to potentially compromising photos of you and/or your partner;
- access to calendar events and vacation dates;
- access to personal emails, documents, search queries;
- access to your personal contacts and their personal information and their relationship to you;
- Access to all online services where your primary email address is listed as the login tool.
Sequence of Events
To better understand how the attack takes place and see its scope, let's dip into the timeline of this attack itself. I want to show how the attack was made, what I was experiencing at this time and what you can do to protect yourself in case of such symptoms.
The time schedule is divided into four parts:
- What I felt: how events happened from my point of view - if you experience something like this, then you are most likely under attack.
- What the attacker did: the tactics that the attacker used to gain access to my Coinbase account.
- Threat level being tested: the value that I attached to the events.
- Desired threat level: a value that I should give to events.
Lesson learned and recommendations
It was the most expensive lesson in my life. I lost a significant portion of my capital in 24 hours; irrevocably. Here are some tips to help others better protect themselves:
- Use a physical wallet for cryptocurrency: Transfer your crypt stocks to physical wallet /offline storage/< a href = "https://www.bitgo.com/"> a wallet with several signatures always when you do not complete transactions. Do not leave funds on exchanges. I perceived Coinbase as a bank account, but you will have no way out in the event of an attack. I knew about these risks, but I never thought that something like that could happen to me. I very much regret that I have not taken more serious measures to ensure the security of my crypt.
- SMS-based two-factor authentication is not enough: regardless of what you want to protect on the network, switch to hardware protection (for example, something physical that an attacker will have to get in order to crank the attack) . While Google Authenticator or Authy can turn your phone into a kind of hardware protection, I would recommend to go further. Purchase YubiKey , which you physically control and cannot be changed.
- Reduce your online footprint: overcome the urge to share personal information that can identify you (date of birth, location, photos with location data, etc.) without the need. play a trick on you in the future in case of an attack.
- Google Voice 2FA: in some cases, the service may not support hardware two-factor authentication, relying on weaker SMS messages. Then it would be a good idea to create a virtual phone number in Google Voice (which cannot be ported) and use it as a number for two-factor authentication. (translator's note: this method only works in the USA)
- Create a secondary email address: instead of linking everything to one address, create a secondary email address for critical accounts (banks, social networks, cryptocurrency exchanges ...) Do not use this address for nothing else and keep it secret. Remember to protect this address with any form of two-factor authentication.
- Offline Password Manager: use a password manager. Better yet, use an offline password manager like the Password Store. Irvik has an excellent comparison of different password managers and also recommendations for more technical savvy.
Regarding reader comments ...
Given my practice in protecting the device, I probably deserve to be hacked — I understand that.It does not make it any easier, and condemnation only blurs the meaning of the story, which is to:
- let others know how easy it is to endanger
- use the knowledge and advice you have gained to prioritize the security of your online identity.
I can't stop thinking about the small, simple things I could do to protect myself. My head is crammed with thoughts about "what if ..."
However, these thoughts are juxtaposed with two overlapping feelings - laziness and bias of survival. I have never taken my online security seriously because I have never experienced an attack. And even though I understood my risks, I was too lazy to protect my assets with proper severity.
I encourage you to learn from these mistakes.