All the King's horses ...
"The miscreants called AT&T, and claimed to be Terpin with a new phone."
... and that is where it all unwound rather nastily. Security isn't easy.
The victim of a $24m cryptocurrency heist is suing his assailants in what is believed to be the first ever RICO claim involving digital currency. Plaintiff Michael Terpin claims Nicholas Truglia and 25 other unnamed defendants were part of an organized crew that robbed Terpin and other high-profile cryptocurrency owners by …
More detail on how the SIM swap worked here: https://krebsonsecurity.com/2019/01/stole-24-million-but-still-cant-keep-a-friend/ He did present photo ID, and managed to get his name added to the
In essence, though, these security compromises work through a mixture of social engineering and bribery: getting your name added to an account, i.e. pose as a PA and say you need access to administrate it for your boss, and if that's not successful, just pay off the lowest-hanging fruit, i.e. the sales chimp on the shop floor, to tick the "seen appropriate ID" arse-covering nag screen on the sales terminal.
Unfortunately convenience always trumps security when it comes to consumer tech. Even if it was posted, there is no real way to stop the social engineer changing that as well as adding themselves to the account, and commission-chasing salesdroids will always be the easiest way past whatever security is in place.
Personally I can't wrap my head around why you would entrust $24m to an MFA system that uses SMS as anything but the cherry on top of at least two other methods [username/password, biometric, hardware dongle/keyfob]. That, and the lack of stand-and-deliver references in this article; I mean, the victim is called Terpin!
The Krebs piece is also worth reading for its portrait of another of these psychologically-abnormal IT criminals. Truglia clearly had poor social and life skills, and limited ability to empathize. He treated life like an RPG-style video game: gathering coins, buying buffs, and grinding.
$24m wasn't carried on the phone. The phone was the 2nd factor in multi-factor authentication. SIM clone, then "forgot password" and reset.
Or in other words, the real world of password attack.
Cell-phone-based 2nd factor is convenient, but cell phones are really, really easy to attack. This "gang" used a particularly high-effort one; in reality you just need to find an appropriate cell phone store location with a manager who needs money fast... 3- or 4-digit payments to these low-paid people go a long way...
Linked source asks himself a question about "suing for RICO".
You don't sue or prosecute for RICO, you do that under the RICO statutes.
Yes it is overused. But here the "organized" bit would seem to be justified since the case concerns the activities of a gang acting in concert (or we could say "as an organization") to commit crimes requiring a high degree of coordination and pre-planning.
I've no sympathy for the gang members. Take 'em down under any and all laws that can be made to apply.
There does seem to be a lot of victim-blaming going on here. Lots of people saying "he did it wrong" but not offering up the "right" alternative they imply is lurking behind their posts.
Put yourself in the victim's shoes for a minute. Someone lifted 24 million dollars from your supposedly secure cryptocash vault. Are you going to say "Fiddle de dee, tomorrow's another day" or are you going to grab a chainsaw, round up your hockey mask'n'chaps-wearing buddies and fire up the unfeasible dune buggies for a spot of takesie-backsies in a World Gone Mad?
2FA is only as good as the medium it runs on.
I would use an offline wallet for one for that amount, and use either Authenticator or, better yet, a hardware-based 2FA device like Trezor. Especially if I had that amount of crypto, and so many online wallets have been compromised as well.
Not got much sympathy for this guy; he was pwned for being naive. Although I can see his issue with AT&T for negligence: SIM swaps need to be done in person at a store of some kind so things like signature and other authentication can be checked first; allowing it over the phone just asks to be abused.
Two-factor is good for your checking account with a couple grand or less in it. For something worth millions, you better have the hardware key or even something simple like Norton VIP, rather than something that you can steal so easily like this. I want the physical key in my hand, and if I lose that I expect to suffer painfully getting everything reset, since this is what I deserve for losing my keys in the first place. Geez, make it at least a little difficult for the jerks...
2FA using SMS has been known and reported to be insecure for some time now - long enough even for NIST to recommend not using it.
Generic TOTP authenticators are available for every smartphone OS, if you use 2FA SMS for any reason you should stop.
This sort of thing isn't even two-factor authentication though. Where was the "known" factor? The user name, phone number, address, etc.. is not privileged information. Sure, forgetting a password is common, but using only half the system (sending a single code to a device, and not requiring a password) defeats the entire purpose.
Using SMS for 2FA is risky yes, but this was 1FA, even worse.
If anything, something like this should use an SMS code AND an emailed code AND secret questions. Sure, you can phish for that info, but at least it requires more than just bribing some part-time AT&T employee to swap SIMs.
Really, shame on the crypto bank here.
My understanding is that in RICO cases damages are multiplied by 3, so as well as actual loss, legal costs and damages for distress etc. could add up to 224.
That said, this is entirely based on a 10-minute old DEF CON talk on YouTube... Please do not consider it to be legal advice :)
Oooh. Charles Stross takes one on the chin in that one.
Well, he's not a lawyer either, and he does write a good novel. (Plus, if memory serves, back in the day he was entertainingly grumpy on rec.arts.books.sf.)
I am also not in any way a lawyer, but a quick check of 18 USC 1962 leaves me wondering which RICO provision of unlawful conduct Terpin's lawyers think Truglia et alia engaged in. Maybe they can call the SIM fraud a case of interstate commerce (I have no idea what case law might say about that), and maybe SIM fraud could be construed as "racketeering activity" under 18 USC 1028 (relating to "identification documents") or 1029 ("access devices"), or one of the zillion other sections that can be used to claim racketeering.
But AIUI, that's just the start of what a plaintiff has to demonstrate to get a judge to even let a RICO civil case proceed.
However, there's no way they won't have 224 million legs to stand on. Best he can hope for there is a settlement that doesn't admit liability.
The other guy however, how do you sue a guy in prison who likely has no assets left after the government seized it all?
"Interestingly", the Australian government's mandatory all-your-life-online MyGov system constantly nags you to create a mobile phone/cell phone 2-Factor-Authentication setup every time you log in.
AKA: we know NOTHING about security, we're just playing along with meme-du-jour. Because we're so PROFESSIONAL! And COOL!
Can wannabes PLEASE stop crying "oh you're a fool for using SMS-based 2FA; you should have a dongle."
If they require SMS 2FA, you're stuck with it. So far in my life, I've not come across any actual CHOICE, not even in ability to magically swap in another magic platform that lets me magically do what *I* want. By magic. Because I'm special. I'm all techy and stuff. I build stripped unices for Xen instances and create 4way DRBD replications on raw metal -- I'm spessssshhhhhal.
If the droids in-house decide SMS is the way to go, you're stuck with it.
Biting the hand that feeds IT © 1998–2021