Hackers Stole My Phone Number – A Personal Story

On March 3rd, at approximately 9pm, hackers stole my phone number. I didn’t become aware of this until a little more than 24 hours later, but hacking attempts on my other accounts began right away. Prior to this nightmarish experience, I had never heard of this happening to anyone else; however, in the days that followed I quickly became aware of its rapidly growing popularity and frightening ease of execution. Pulling off this attack requires virtually no technical skills; rather, it relies entirely on social engineering, persistence, and an incompetent telecom employee. If this can happen to me, it can happen to virtually anybody.

The 48 hour period beginning at around 5am on March 4th was one of the most trying, confusing and frightening of my life. At that point, my wife and I had been up pretty much all night due to our son being in the midst of a horrible sleep regression. In fact, his crying was so hysterical I ended up calling our pediatrician’s office to ensure he wasn’t suffering from something more serious. I was going on two hours of sleep, the sun was about to rise and I was dealing with an inconsolable child. I thought things couldn’t get much worse. Boy was I wrong.

I had time to kill while waiting for the on-call nurse to ring me back, so I checked my email. I quickly realized something had gone horribly wrong. At least one of my accounts had been entirely compromised, and I received multiple alerts from two other accounts notifying me of unauthorized actions and password change attempts. At this point I realized there would be no hope of any additional sleep, and I immediately got to work contacting the three accounts that had been attacked. There was considerable damage to one of my accounts, but support immediately took care of the issue. The other accounts were only partly compromised, and appeared safe. I proceeded to log into my other accounts in order to change passwords and investigate whether or not anything else had been compromised, with my email the most pressing concern. Everything else seemed fine. I passed out that evening shaken, but somewhat relieved despite the fact I still had no idea what was going on or how the hackers compromised the things they did.

My attempt at rejuvenation via a good night’s sleep was quickly dashed at about 2am with a phone call to a rarely used alternate number from my father. He was in panic mode telling me that someone had been texting him from my phone number asking for a “code.” Fortunately, my dad had no idea what this person was talking about and refused to continue the conversation without a phone call. When my dad called my phone number a strange person answered pretending to be me. My dad cursed him off and immediately called me. This was the scariest moment of the entire episode. It was 2am, someone had compromised my phone number, and who knew what else. I didn’t know what was happening other than I was in a serious pile of shit, and this was the only time I wondered if my physical safety might be at risk.

Once again, it was in the middle of the night, and I felt even more violated, isolated and helpless than the day before. When you’re that sleep deprived and being attacked virtually non-stop, it’s very hard to think clearly. I had no idea if my entire phone had been taken over somehow, and I had no idea what they would be targeting next given their enhanced capabilities. All I knew was this was not good. On the positive front, I hadn’t gotten a stream of emails alerting me to additional account penetrations as I had the day before. I suddenly felt very fortunate to have taken the steps to change my passwords the previous day.

Not knowing the extent of the problem, I called the police. I was transferred to an extraordinarily nice deputy who talked me through everything. While he couldn’t really do much, he did put my mind at ease and also called my phone number to see who answered. The attackers did not answer the phone, but the deputy told me the voicemail said it was related to a Google Voice account. This presented me with my first clue. I had never even heard of Google Voice before, let alone had an account. So how the heck did hackers snatch my number and move it over to a Google Voice account controlled by someone else?

Over the next couple of hours, I started to put together additional pieces of the puzzle. I realized that I could still send text messages and make phone calls from my device, but I wasn’t receiving any incoming phone calls or texts. Thus it became clear the hackers hadn’t taken over my phone, but had somehow forwarded my calls and texts to an outside device under their control. They were also able to send text messages from my phone number, which is how they launched the attempted phishing, social engineering attack against my dad. Unnervingly, I still didn’t know how this happened, and I had to wait hours until someone at my carrier would become available over the phone.

Once I got someone on the phone, I knew enough to at least tell them Google Voice had somehow been connected to my phone and that I needed that severed. This person told me that she would do what she could from her end. To my great relief, I was once again able to receive text messages, but incoming phone calls were still not arriving at my device. I figured this might take some time, so I decided to devote my resources to alerting Google to what had happened, and to see what they could do. As you might expect, you can’t exactly get someone on the phone at Google, so I had to fill out various forms online and pray for a response. I went to bed that night not hearing from Google, and with my phone calls still being redirected.

I finally got some decent sleep Sunday evening. Refreshed and excited it was Monday since I figured it would provide me with greater opportunities for help, I decided to try my telecom carrier’s online chat to see if that would provide a better support experience. I was quickly able to get to a technical professional who seemed genuinely horrified about what had happened to me, and he suggested I call the company’s fraud department. I then asked him about the pesky issue of my phone calls not coming to me, and he solved the problem within minutes. I thanked him and immediately called the fraud department, as suggested. This is where things started to get really weird, and completely infuriating.

The woman who picked up the phone at the fraud department seemed to be the most competent person I ever talked to at the company. She expressed concern and decided to look into the history of what happened, focusing on March 2nd, when someone began pestering customer support non-stop claiming they were me and saying their phone broke and needed my number forwarded. She then notified me that after several attempts, the hacker successfully convinced a representative to forward my number without verifying my identity.

Once my SMS messages were being forwarded to the hackers, they were able to initiate and complete a connection of my number to a Google Voice account under their control. While relieved to have discovered how this whole scam worked, I was simultaneously horrified. Was it really this easy to steal someone’s phone number? Seemingly all you had to do is pester call-center telecom employees incessantly until one of them gets sloppy. Then presto, your phone number is stolen.

At this point, I asked the fraud representative if she could email me the chat transcripts of the hacker pretending to be me in order to investigate further. This is when things got extremely troubling. I knew from my earlier chat that the transcripts are saved and then emailed out to the person who initiated the chat. The woman on the phone then started to act weird and suddenly transferred me away to another department. The person who answered next could barely speak English and had no idea what was going on in my case.

Extremely frustrated, I called the fraud department back and was connected to a different person. I explained the situation and he said he’d look into it. The demeanor of this person was completely different from the prior representative. He was extremely cautious and took forever to answer the simplest of questions. He told me an entirely different story from the person I had just spoken to. He said that someone incessantly called pretending to be me asking for call forwarding, but that none of the customer service representatives agreed to it since they couldn’t verify their identity. He confirmed that the hackers contacted customer service on at least 15 distinct occasions on March 2nd alone, a day before my number was switched over to the attacker’s Google Voice account. It seemed like the company was frantically covering its tracks. I then asked this person to send me the chat transcripts. He said he would submit a request and send it to the email on my account. I have yet to receive any chat transcripts.

Unfortunately, I can’t prove that a telecom representative agreed to call forwarding without verifying my identity, but it seems almost certain that this is what happened. As I learned in the following days as I conducted more research, this sort of attack is rapidly increasing in popularity and effectiveness since there’s a huge weak link: telecom call-center employees.

Laura Shin wrote an excellent article on the topic back in December at Forbes titled “Hackers Have Stolen Millions Of Dollars In Bitcoin — Using Only Phone Numbers,” which explains almost exactly what happened to me. Here are a few excerpts:

In all these cases, as with Kenna’s, the hackers don’t even need specialized computer knowledge. The phone number is the key. And the way to get control of it is to find a security-lax customer service representative at a telecom carrier. Then the hacker can use the common security measure called two-factor authentication (2FA) via text. Logging in with 2FA via SMS is supposed to add an extra layer of security beyond your password by requiring you to input a code you receive via SMS (or sometimes phone call) on your mobile phone. All fine and dandy if you’re in possession of your phone number. But if it’s been forwarded or ported to your hacker’s device, then that code is sent straight to them, giving them the keys to your email, bank accounts, cryptocurrency, Facebook and Twitter accounts, and more.

Their experience is part of a larger trend. In January 2013, the Federal Trade Commission received 1,038 reports of these incidents, representing 3.2% of all identity theft reports to the FTC that month. By January 2016, 2,658 such incidents were filed — 6.3% of all such reports that month. There have been incidents involving all four of the major carriers.

Blockchain Capital VC Pierce, whose number was hijacked last Tuesday, says he told his T-Mobile customer service representative, “It’s going to go from five customers to 500. It’s going to become an epidemic, and you need to think of me as the canary in the coal mine.”

Last summer, the National Institutes of Standards and Technology, which sets security standards for the federal government, “deprecated” or indicated it would likely remove support for 2FA via SMS for security. While the security level for the private sector is different from that of the government, Paul Grassi, NIST senior standards and technology advisor, says SMS “never really proved possession of a phone because you can forward your text messages or get them on email or on your Verizon website with just a password. It really wasn’t proving that second factor.”

Worst of all is if the hacker doesn’t have your password but the password recovery process is done via SMS. Then they can reset your password with just your phone number — one factor.

Jesse Powell, CEO of U.S.-based exchange Kraken, who wrote an extensive blog post detailing how to secure one’s phone number, blames the telcos for not safekeeping phone numbers even though they are a linchpin in security for so many services, including email. “The [telecom] companies don’t treat your phone number like a bank account, but it should be treated like your bank. If you show up without your pin code or your ID, then they shouldn’t help you,” he says. “But they prioritize convenience above all else.”

In order to find that opening through the customer service representative, hackers often employ what’s called social engineering, used in 66% of all attacks by hackers. An elaborate version is demonstrated in this video (starting around 1:55), in which a woman with a baby crying in the background (really just a YouTube recording) claims she’s newly married and doesn’t know what email address is used to log into her husband’s account. She then has the rep change the email and password, locking the victim out.

Hadnagy says that with LinkedIn, Facebook, Twitter and FourSquare, “I can create a very accurate psychological profile — what you eat, what music you listen to, your work history, marriage history, I know enough about you to pretext as you with most of your utilities and services.” Birthdates are easily discovered on sites like Facebook and birth years deduced from LinkedIn, so a hacker employing social engineering can use that information to call up, say, a telco and claim they forgot the pin to the account but give a birthdate, phone number and address or even the last four of the Social Security Number since it is so commonly used to identify people, to reset that passcode, Hadnagy says. He also notes that in the last two years, hackers have increasingly been using phones to perpetrate a hack because the ability to “spoof” a line — make it seem like you are calling from another number — has become so easy.

“You can do it through most VoIPs for free, and there’s no way to validate it,” he says. “I can take this number you’re calling me from and call you back in a minute from this number. If this is your cell number and you didn’t have a pin, I can call this number from your number and log right into your voicemail. I can call you from the White House. I can spoof any number in the world.”

In the phone hijacking of Micah Winkelspecht, chief executive and founder of blockchain company Gem, a persistent hacker called T-Mobile six times in one day trying to impersonate him. Five times, the hacker was denied access to the account, but the sixth representative let him in and allowed him to move the line to another phone. “This is not the fault of the customers. It’s the fault of the carriers for not following their authentication procedure,” he says. “I was using a password manager, random passwords, 2FA — you name it, I use it.” Winkelspecht, who didn’t lose any money, says he could take every precautionary method available to him and still be victim because “a single employee at a call center can make a mistake and it can compromise your entire digital identity.”

But most victims agree that it isn’t a lone hacker, but a team or multiple teams — which is likely how they are able to breach so many accounts in such a short time period once they do hijack a number.

As becomes clear when you read the article above, this isn’t an issue specific to my phone carrier, it’s a vulnerability being exploited at other major telecom companies as well. This is an industry-wide problem, and if it isn’t addressed, and addressed properly, will turn into an epidemic. While it’s a sad fact of life that there will always be exploitable employees if you try enough times, there were many things my carrier could’ve done to mitigate the impact of this situation.

First, how are there no red flags in the system when someone persistently pretends to be me, asks for call forwarding and then repeatedly fails to verify identity? Second, when you initiate a chat with my carrier, you are asked to enter your email, but you don’t have to enter the email associated with the account. As such, the attackers simply put their own email addresses in, and all the fraudulent chats got sent to them, not me. It should be an obvious rule that all chat transcripts associated with a customer’s number automatically also get sent to the email address on file. If this had happened, I would’ve known about the attack on March 2nd, a full 24 hours before my number was moved over to an outside Google Voice account. Unfortunately, I received no emails of any of the fraudulent chat transcripts. Finally, as a last resort, every telecom company should automatically email their customers when something as significant as call-forwarding or Google Voice activation is added to your account. A simple, standard email saying something like “Google Voice has been linked to your account, if you didn’t request this, contact us immediately.” I received nothing of the sort, which is mind-boggling.
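
The three controls proposed above (a red flag on repeated failed verification, transcript copies to the email on file, and a notice on every forwarding change) fit in one pass over a support-contact log. The following is an added example, not code from this article or from any carrier; the record fields, action names, threshold and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed names for account changes that redirect calls or texts.
SENSITIVE = {"call_forwarding", "sms_forwarding", "number_port"}

@dataclass(frozen=True)
class Contact:
    when: datetime
    account: str
    channel: str             # "chat" or "phone"
    request: str             # what the caller asked for
    verified: bool           # did the caller pass identity verification?
    applied: bool            # did the representative make the change?
    contact_email: str = ""  # address typed into the chat form, if any

def review(contacts, email_on_file, window=timedelta(hours=24), threshold=3):
    """Return (alerts, notices) for a list of support contacts.

    alerts:  (account, when, reason) tuples for the fraud team
    notices: (to_address, when, message) tuples to email to the customer on file
    """
    alerts, notices = [], []
    failures = defaultdict(deque)  # account -> times of recent unverified requests
    for c in sorted(contacts, key=lambda c: c.when):
        if c.request not in SENSITIVE:
            continue
        owner = email_on_file[c.account]
        recent = failures[c.account]
        while recent and c.when - recent[0] > window:
            recent.popleft()  # forget failures older than the window

        # Transcript rule: the address on file always gets a copy, even when
        # the person chatting typed a different address into the form.
        if c.channel == "chat" and c.contact_email.lower() != owner.lower():
            notices.append((owner, c.when, f"Copy of support chat about {c.request}"))

        # Red-flag rule: repeated sensitive requests that fail verification.
        if not c.verified:
            recent.append(c.when)
            if len(recent) == threshold:
                alerts.append((c.account, c.when,
                               f"{threshold} unverified {c.request} requests within {window}"))

        if c.applied:
            # Last-resort rule: tell the customer whenever the change is made.
            notices.append((owner, c.when,
                            f"{c.request} has been added to your account; "
                            "if you didn't request this, contact us immediately"))
            if not c.verified:
                alerts.append((c.account, c.when,
                               f"{c.request} applied without identity verification"))
            elif recent:
                alerts.append((c.account, c.when,
                               f"{c.request} applied after {len(recent)} failed "
                               "verification attempts in the window"))
    return alerts, notices

# Constructed sample: five refused chat attempts, a sixth that a representative
# lets through, and one ordinary verified request on an unrelated account.
BASE = datetime(2024, 3, 2, 9, 0)  # constructed date
EMAIL_ON_FILE = {"acct-1001": "owner@example.com", "acct-2002": "other@example.com"}
SAMPLE = [
    Contact(BASE + timedelta(hours=i), "acct-1001", "chat", "call_forwarding",
            False, False, "someone@example.net")
    for i in range(5)
] + [
    Contact(BASE + timedelta(hours=6), "acct-1001", "chat", "call_forwarding",
            False, True, "someone@example.net"),
    Contact(BASE + timedelta(hours=2), "acct-2002", "phone", "call_forwarding",
            True, True),
]

if __name__ == "__main__":
    alerts, notices = review(SAMPLE, EMAIL_ON_FILE)
    for account, when, reason in alerts:
        print("ALERT ", when, account, reason)
    for to, when, message in notices:
        print("NOTICE", when, to, message)
```

On the sample, the owner's first notice is stamped with the very first refused chat, hours before the change is applied, and the fraud alert fires at the third failed attempt.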

I generally keep my personal life separate from this website, and I was very hesitant to write about this extremely difficult experience. Ultimately, I decided that if the purpose of Liberty Blitzkrieg is to help people stay informed and vigilant, I needed to outline publicly what happened to me so as many people as possible become aware of the situation. This in turn will hopefully pressure carriers to get their act together and close, or at least mitigate, this gaping security vulnerability. Fortunately, it appears at this time that I did not suffer any serious damage, other than emotional hardship for a week or so, and wasted time when I could’ve been working. In other words, I dodged a serious bullet and consider myself extraordinarily lucky. So what are the major takeaways?

I left out many details of the attack because they weren’t necessary to the main point of the article. The attack was actually far wider and more concerning than I am willing to divulge, but that’s a personal matter. The purpose of this piece is to highlight the huge vulnerability at telecoms that is being exploited by hackers. It is to inform people that this sort of thing can and does happen, so that if you ever get a text from someone you know that seems strange, asking for information, don’t divulge anything over text. Hop on the phone and confirm they are who they say they are. Second, non-SMS based two-factor authentication seems to have saved me serious problems in this case. If you use SMS (texts) as your second factor, consider changing that setting immediately and use something else if available from the service provider. As I demonstrated, since SMS messaging is easily compromised, your second factor won’t do any good if your texts are being sent to someone else’s device.

To conclude, without divulging additional details, I want to assure you that it is entirely clear that this was not just one hacker, but a group. They clearly did extensive research before launching this attack, and knew personal things about me I’m still not sure how they attained. As soon as Google Voice was activated on my account without my permission, they immediately got started and targeted many accounts simultaneously over a 36 hour period. With a young child and a very pregnant wife at home, it was a hellish experience I wouldn’t wish upon my worst enemy. The purpose of this post is to put everyone on alert, since I don’t want this to happen to anyone else.

Finally, I want to conclude this article with a couple of resources:

A Beginner’s Guide to Beefing Up Your Privacy and Security Online (ArsTechnica)

Tips, Tools and How-tos for Safer Online Communications (EFF)


In Liberty,
Michael Krieger


24 thoughts on “Hackers Stole My Phone Number – A Personal Story”

  1. That is indeed a very scary story. I actually had the opposite problem with low paid, incompetent telecom employees recently. I was having a major problem getting a new device to connect to my DSL because (as it turned out) of the outdated and crappy equipment provided by Verizon. It took me several hours just to convince the idiots on the phone that it was their service at issue and not the brand new laptop I had just purchased. After arguing with them about it, at one point I even took the new laptop to a Starbucks and signed on there, just so I could indisputably prove to the idiots that the computer was fine.

    Related to your story, the Verizon billing is in my wife’s name and not mine, and she was out of the country. I had to go through a lengthy verification process to prove I have legal access to the account–which is fine, obviously as your story shows that is the way it should be.

    So then, after a long, fruitless effort of trying to talk me through possible technical fixes, the tech services representative finally agreed to send me a new updated router. But instead of just fulfilling my request, she transferred me to “sales” to complete the transaction. Of course, the idiot from sales had no idea what had just transpired and I had to explain the problem all over again. Bad enough, but this moron asked me again to verify my identity–yet for some mysterious reason he was not able to do it through the same method the previous representative did.

    Keep in mind that I had been transferred to him by someone in his own company–AND all I was asking for was to have the new router sent to me as promised. As I said to him at one point as we were arguing, if I was a crook, I was a pretty dumb one to go through all this trouble just to have a lousy Internet router sent to the address of a Verizon customer. I repeatedly asked to speak to his supervisor, but that person was mysteriously not available. Finally, I got frustrated and hung up on him. I then called the tech services department back, and after threatening to cancel our Verizon account altogether the new idiot representative agreed to my request after speaking to his supervisor.

    Everyone I talked to during this ordeal sounded like they had just graduated from college, and from what I know of stories I’ve heard from a few Verizon employees I know were probably hired to replace more experienced people who’ve been laid off to save the company money. None of them seemed to have a lick of knowledge or common sense. The first tech representative kept putting me on hold as she was talking me through the technical fixes as if she were being given instructions from probably the last person in that company who actually knows what they are doing who hasn’t yet been fired.

    This is the kind of garbage that happens when companies focus on nothing but the bottom line, pay their employees as little as possible and treat them like replaceable drones. Personally, I’d rather pay a few more dollars and get good customer service when I need it, but I guess I’m just old fashioned. Yet my story is merely one of extreme inconvenience, yours is truly frightening.

  2. I don’t understand – if they got control of your phone number, that’s only 1 of the 2 factors. They’d need your password(s) too, in order to take over accounts. Passwords are usually a lot more difficult.

    Unless they were only targeting accounts that (stupidly) did password reset via SMS (common?).

    My pet prediction – automated electronic warfare is going to be utilized to silence, or at least hog-tie, ‘fake news’ disseminators aka. people who don’t toe The Party’s line.

    • See, it was a quite loud bang few years ago, when Amazon+Apple were leaking passwords.

      For example: http://www.ibtimes.co.uk/apple-amazon-suspend-password-reset-mat-honan-371540

      But you better read the original article of the victims.

      Thing is (veeeery figuratively speaking) each company was willing to disclose few next “letters” of “password”, if you proved knowing some other letters, so the Kevin Mitnick follower just kept swinging between the companies back and forth while they give him away more and more details until he got the whole Apple and Amazon accounts of the victim.

      But since those two big A’s were “too big to sink” the story was gagged fast

  3. This is why using a mobile carrier is like living in the last century. Their support is most likely some numnut in another country who’s reading off a computer screen on what to say as well as what to answer. Their security is non-existent. They operate based on monopoly and large advertising. They care about sales. Not security or support.

    The better solution is to use a smaller VoIP operator. You use a virtual number. The pricing is much cheaper. The routing capabilities are so much better and more flexible. The support is usually done by the developer or similar if it’s a smaller operation. The ability to steal the number is a much lower probability. And if it were to happen it could be reversed quickly. But it cannot happen over the phone no matter what information they have.

    • What do you connect to your VoIP service with? The only one I have available I connect to with my small business router and a ‘landline’ phone handset. No incoming (yet) and no SMS for use with 2FA.

  4. Additionally, with a mobile carrier, the NSA records everything. What’s bad about this is they know it’s you because your mobile contract is in your name or your wife most likely. Boom, an exact match which makes it easy for them to research you directly and easily.

    With a VoIP operator, the account could be in your name or not. No way to know which it is. Which means the virtual telephone number in an account is tied to your name or maybe another one. But that virtual number might be in the name of a company 3-4 layers up the Telecom chain. Someone would have to do a lot of digging to figure all of this out along with subpoenas the entire way to get to the bottom layer which is you but the account may have another name on it. So it may not be you.

    The point is, why make it easy for the criminals that want to invade and compromise your privacy?

    I say, make them work for it. They will most likely move on to easier prey.

    This attack is most likely a coordinated attack on all the alternative media sites that are providing people real, truthful news as opposed to propaganda. Their goal is to agitate you. Don’t let them get you down. They are weak. They know it. We know it. The only power they have is the power you give them. So don’t give them any.

  5. any suspicions you were targeted because of your political message by people who are pretending to just want your money, but want to gaslight you?

    if you see more social engineering from anonymous folks whose intent it is to undermine you. you know you are on some institutions’ black list now mike.

    hopefully, you are just being targeted by some bitcoin pirates and this is all just good fun for stealing money.

    when money is the problem, then things can possibly be readily fixed if there isn’t a money emergency. it’s when the problem isn’t money, that it can be much more serious………..

  6. To Greg: if I understand your question correctly, you connect your virtual number to any IP device. That means a sip softphone which can be any app or sip hardphone like a Linksys adapter. It can work through any decent internet connection. You can also send and receive SMS or text messages too.

    The point is it’s possible to replace a mobile carrier with a better alternative if you want to. It’s all choice.

    • To Buddha – You’ve just got an alternate way to receive SMSs – not really a replacement for a mobile carrier. You’ve only got mobile coverage wherever there’s WiFi.

  7. Set yourself up for targeting disappointment, lol! You willingly use and provide the tools needed to hack you. I find it very entertaining to see people become the victim of their own ignorance.

  8. About 20 months ago I had my email on my desktop compromised by people from India (sounded like) and that came from using Google chrome a lot. I had been using windows explorer to surf the internet and do business almost exclusively prior to that. To this day I Believe Google collaborated with these Criminals to take over my computer and cost me a lot of money getting it all cleaned up. I am Not a computer wizard and so it was easier for them to trick me no doubt, but I still Believe Google is Evil and Collaborates with Criminals. I use explorer almost exclusively since on desktop. I don’t have a smart phone nor use those other social media.

  9. quote
    The 48 hour period beginning at around 5am on March 4th was one of the most trying, confusing and frightening of my life.
    unquote

    If that is correct, then I must say you ain’t seen nothing yet. It’s a phone number, for christ’s sake !

    • Mh505…..Are you an idiot? Did you Not read all of the Access that the Hackers gained to Krieger’s personal accounts of all types – Just by Hijacking his phone number?

  10. Michael – as a result of this experience, what are you doing differently? Humans are funny – most don’t take security/safety concerns seriously until they have personal experience.

    Might I suggest Firefox (open source, not Google) with the NoScript extension as a good start? No reason for any and all websites to be running code on your computer just to deliver text and images.

    I was thinking it would be good if there was a list of services that were stupid enough to send password resets over email. Quick Google search, and it appears many big email providers offer this. Game over man – once they have someone’s email, they can do password resets on everything else, and have the reset go to that email.

    And, an SMS-only scam I hadn’t thought of: https://www.symantec.com/connect/blogs/password-recovery-scam-tricks-users-handing-over-email-account-access

    I’m wanting to have another ‘lock-down’ obsession for a week or so!

  11. Mh505 (not my real name) obviously has a TL;DNR problem when it comes to anything longer than a Tweet.

    Michael, glad things worked out for you in the end.

  12. I just spent 2 hours playing with a new/fake Google Account (yay, self-employment!).

    Good news.

    If you don’t have the password and ask it for help, it grills you for everything you know, and I still couldn’t get in. Even knowing the date the account was created (who knows that normally?), using a one-time code via Authy, a disposable recovery email address, *and* using an SMS code, it still wouldn’t let me in.

    It apparently requires a known recovery email account. I tried setting and then providing that too, but it didn’t send anything through and skipped right to the next step – possibly because the association was less than an hour old?

    I also never provided a remembered recent password.

    So the algorithm is strict, and somewhat opaque. I’m still not sure what other conditions I would have to meet to get in.

    Also, once you have 2FA set up to an app like Authy or Authority, you can turn off the SMS recovery option.

    But don’t ever forget your password 🙂

    • “known recovery email account”

      Ironically as it may be – those recovery emails are rather often used to hijack the account, once some rather old email was used and finally service was stopped and domain freed – hijackers tend to register such a domain, set mail server there and use it for recovering passwords, where they know the email (or where the recovery email is partially shown letting deduce the domain )

  13. I have two points which are related to this issue
    1 two hacks
    I have been hacked by D*a*r*p*a for no obvious reason. As I was told by techies, they had taken control of my Internet connectivity. I immediately posted it on my blog, below, just for posterity
    One time, I had been ridiculing GWB43 on my blog, when to my surprise the blog was hacked and obvious hints were left behind on that story and others to make it clear that someone was displeased. Funny thing was that he had already left office.
    2 the Wapo list indicates open season?
    I was wondering whether the propornot article had any kind of dog-whistle significance to somebody, but came up with the obvious conspiracy idea that regardless of truth, these 200 sites would be targeted for censoring by google etc.
    Until your story, that is. Perhaps this hack is an indication that propornot was the signal to the deep state hackers (who already have the means) to take that list and turn the lives of its members upside down. opinions?
