Identity thieves are porting users' mobile phone numbers to devices under their control in order to hijack their web accounts. This type of attack begin when hackers call up a mobile service provider. Using a bit of social engineering, the bad actors convince an agent at the provider to transfer control of a target mobile phone number to a device under their control. As many web accounts require users to input their phone numbers for identity verification, the attackers can then use the hijacked phone number to reset the passwords for the victim's accounts like their Gmail or social media profiles. Mobile number hijackers have targeted everyone from the chief of the Federal Trade Commission (FTC) to a leader of the Black Lives Matter movement. Even so, the attacks appear to primarily affect those who reveal they own or discuss investing in digital currencies on social media. Chris Burniske, a virtual currency investor, was one of those victims in 2016. As he recounted to The New York Times:
"My iPad restarted, my phone restarted and my computer restarted, and that’s when I got the cold sweat and was like, 'O.K., this is really serious.'"
Most virtual currency owners don't create their own digital wallets but instead store their funds with a digital exchange company. These services are comparatively newer than banks, which have had more time to create and refine default security measures for their customers. In the worst case, a bank can usually reverse malicious transactions if it or the customer detects them within a few days. But virtual currency hubs don't have that type of capability. Cody Brown, a virtual reality developer who lost $8,000 from his account when an attacker stole his mobile number, reflects on this state of affairs:
"[The digital exchange company I used] looks like a bank, stores millions of dollars like a bank, but you don’t realize how weak its default protections are until you are robbed of thousands of dollars in minutes."
Brown and others like him also feel that mobile service providers should do more to protect customers against phone hijackers. Users can create a PIN for their accounts. But if and when an attacker calls, it's up to the in-call agent to ask for it. And not everyone always does.
Joby Weeks at a park near his parents’ home in Arvada, Colo. Mr. Weeks lost his phone number and about a million dollars’ worth of virtual currency in 2016. (Source: The New York Times) Richard Young, a spokesman for Verizon, says the mobile service company hasn't seen too many cases of phone hijacking:
"While we work diligently to ensure customer accounts remain secure, on occasion there are instances where automated processes or human performance falls short. We strive to correct these issues quickly and look for additional ways to improve security."
Acknowledging these types of attacks, virtual currency owners should think twice before attaching their mobile numbers to their digital exchange accounts (if they own one). They and web users more generally should also consider switching to a means of two-step verification (2SV) that doesn't involve use of a mobile phone number. Finally, if they think an identity thief has stolen access to any of their accounts or sensitive information, they should file a report with the FTC and follow these recovery steps.
