


                                            BTC WALLET THEFTS

               While many of them did not take a financial hit, several did, with Kenna’s losses among the largest.
               Shen had $300,000 of his Augur REP tokens taken, plus an undisclosed amount of bitcoin and other
               cryptocurrencies. Weeks lost about $100,000 worth of bitcoin, and was cleaned out of his holdings
               in lesser known cryptocurrencies such as Ether, Ripple and Monero. Additionally, his friends also
               collectively gave the hacker, who posed as Weeks requesting to “borrow” money, $50,000 worth of
               cryptocurrency. (Weeks has introduced many people to bitcoin over the years by giving away what
               he claims is about 1,000 bitcoins, so his friends are well-versed in sending digital currency to each
               other.) Kenna and other victims also said their hackers have been hitting up friends for bitcoin and
               other virtual currencies.

               But the security weakness being exploited here is not one that only affects cryptocurrency industry
               players — they are simply being targeted first because such transactions cannot be undone. The
               security loophole these hackers are milking can be used against anyone who uses their phone
               number for security for services as common as Google, iCloud, a plethora of banks, PayPal,
               Dropbox, Evernote, Facebook, Twitter, and many others. The hackers have infiltrated bank
               accounts and tried to initiate wire transfers; used credit cards to rack up charges; gotten into
               Dropbox accounts containing copies of passports, credit cards and tax returns; and extorted
               victims using incriminating information found in their email accounts.

               Blockchain Capital VC Pierce, whose number was hijacked last Tuesday, says he told his T-Mobile
               customer service representative, “It’s going to go from five customers to 500. It’s going to become
               an epidemic, and you need to think of me as the canary in the coal mine.”


               The Phone As Your Identity

               In all these cases, as with Kenna’s, the hackers don’t even need specialized computer knowledge.
               The phone number is the key. And the way to get control of it is to find a security-lax customer
               service representative at a telecom carrier. Then the hacker can use the common security measure
               called two-factor authentication (2FA) via text. Logging in with 2FA via SMS is supposed to add an
               extra layer of security beyond your password by requiring you to input a code you receive via SMS
               (or sometimes phone call) on your mobile phone. All fine and dandy if you’re in possession of your
               phone number. But if it’s been forwarded or ported to your hacker’s device, then that code is sent