Hackers easily stealing $ millions from investors and consumers -- using only a phone number
It took only 7 minutes for Jared Kenna to lose the nest egg he'd spent over 2 decades accumulating. As he watched in stunned horror, a hacker cleared out his PayPal account, bank accounts and bitcoin accounts as easily as flicking a switch. When it was finished, Kenna, who was an early participant in bitcoin, lost millions of dollars. He'll never see a dime of it back again.
Your antivirus won't save you here Kenna was no computer dummy and had taken all the usual precautions (antivirus, didn't click on phising emails, strong passwords, etc). But in the end it didn't matter. Even after doing everything "right", all he could do was watch his money disappear. That's because the hacker used a new cell-phone-number theft method that doesn't require the victim to do anything wrong themselves. Widespread epidemic And Kenna is not alone. Hundreds of computer savvy people including C level executives, venture capitalists, technologists and investors have been targeted and robbed by this hacking scheme.
In addition to taking money, hackers have also stolen embarrassing / confidential information from social media and online storage services and blackmailed users with it. If their demands are not met, they will post real or even fake information on social media accounts that can be damaging to the victims. According to this article from Forbes, they've also put at least one person in physical danger.
How do they do it? The scheme relies on 2 things. First, it's shockingly easy to steal someone's cell phone. And 2nd, once the hacker does this they have the keys to the kingdom. They can click on the "forgot password" feature on all financial and social media accounts, to quickly gain access to them. Here's how both of those work.
"Bad telco!" 1st, the hacker gets some readily available information about you, such as your address, phone number, birthday or last 4 of your Social Security number. Maybe they research you on social media or the Internet. Or maybe they got it from a hack of a company you do business with like Target or Equifax. Then they call the phone company and tell the customer service rep that they are you. It may not work the1st time, because the rep isn't supposed to let someone into the account without full information. But phone reps are not trained as security experts, nor are they compensated to screen every call like they are. Hackers have discovered that if they call back over and over again, eventually they get a rep who will give them access. Once they do they have your phone number permanently "ported" (moved) to their own phone. When this happens, suddenly you stop getting calls and text messages, because the hacker is getting them instead. Most people don't notice this, and it's the calm before the storm.
Raiding the vaults Then the hacker goes online to your email account, financial accounts, social media, dropbox, etc. They click on the "forgot password" link, which makes the site send a text/SMS confirmation number to your phone number to protect against hackers. However in this case the hacker owns your phone. So they confirm and take over your account. Then they quickly rinse and repeat until they own all of your online life. Kenna, lost control of 30 accounts when he was victimized.
How do I stop this? All of this is scary but thankfully there are ways to stop this. The downside is that none of them are particularly easy, and take time to set up. But then again, being victimized is not really easy either. In part 2 of this article, I'll talk about ways to stop this.