Issue #7: The Hack
This week’s issue is a cautionary tale.
I have worked in crypto for 8 years, and my personal data security practices are much more sophisticated now than they were when I started as a 26 year old lawyer.
I learned about personal security the hard way…by getting hacked (twice!).
The first incident began in a Las Vegas hotel and ended with a call from the Department of Homeland Security.
This is that story…
Las Vegas
In March 2018, I was attending a conference in Las Vegas. It was Day 2 of the event and I was eating lunch at one of the hotel restaurants. In between bites, I looked down at my phone and saw “No Service” in the top right corner of the screen where you would expect to see four bars of service.
Now this fact alone wouldn’t draw concern from 99 out of 100 people. After all, I’m on the first floor of a giant casino floor where reception isn’t great to begin with. Probably just a dead zone.
Not me. My first thought?
My phone has been hacked. Let me explain.
By this point, several friends and colleagues in the industry had been the victim of what is known as a “SIM Swap” attack, where a hacker is able to convince your carrier to transfer your phone number to a device they control. This is done either in person at a physical store, or by calling your carrier’s customer support line repeatedly until an unsuspecting support representative grants them access to your account. Once the hacker has control of your phone number, they attempt to access your email account, and ultimately, your crypto exchange accounts.
Once you lose control of your phone number, it’s a race to regain control before the hacker does too much damage. I know people that have lost millions.
Back at the hotel restaurant, I convince myself everything is fine.
10 minutes pass.
I finish lunch, get the check, walk through the lobby and out of the main entrance. Standing at the curb, I flag down a taxi. We pull out of the long circle driveway of the hotel onto Las Vegas Blvd.
We drive 3 blocks. Still no service.
My paranoid brain is now on high alert, and I’m becoming increasingly convinced something is wrong. Another minute passes before I tell the driver “take me back to the hotel”.
When we arrive back at the hotel, I open the car door and sprint inside, running through the lobby to the elevators. I make it to my room and immediately grab the land line phone. Remember, my cell phone doesn’t have service.
It takes me a few minutes to find my carrier’s customer support number, but I eventually get connected to a representative. I can’t remember her name, but I ask if there has been any activity on the account, and she tells me that approximately 30 minutes ago someone had my number transferred over to a different phone.
Shit.
I tell her this was unauthorized activity and to immediately cut service to my phone number. To her credit, she was very helpful and understanding.
After we hang up, I try to log into my email account.
“Your password was recently changed”.
Shit.
At this point, I should have been 100% screwed. No phone service, no email. I’m fighting with two hands tied behind my back. But by the grace of God, my email client had an automated prompt that allowed me to login with my old password if they suspected my account was compromised. I don’t know what combination of data points made that prompt available, but that was a lifesaver.
Within minutes, I was able to regain control of my email account and change my password.
I cancelled all of my afternoon meetings. I also emailed my exchange contacts and instructed them to freeze my accounts immediately until further notice. This is war.
I bought myself some time.
Deep breath.
My attention shifts to re-gaining control of my phone number, and I use my laptop to find the closest [cell carrier] store. It’s in a shopping mall 10 minutes away.
When I arrive at the mall, I realize the “store” is really a kiosk, and the sales agents can’t help me. I borrow one of the sales agent’s phones to look up another store location and find one 8 minutes away.
Back in the cab.
I arrive at the second store location, walk in, and flag down a customer service representative. I explain what happened, and he pulls up my account. He tells me that the unauthorized activity occurred in person at another store location in Atlanta, GA. I asked how that was possible, and he explained that accessing your account required a photo ID and the 4-digit security pin.
Did the hacker have a fake ID with my name on it? WTF.
I was thoroughly confused at the time, but I’ve since learned that employees at large cell carriers have been charged with conspiring to hack customer’s phones in SIM swap attacks. I never learned exactly what happened in the Atlanta store, but it seems reasonable that an employee was involved.
After 30 minutes, I had reactivated my number and reset the 4-digit security pin on my account (which is completely worthless if the hacker is persistent, btw).
90 minutes after the hack, I was back at the hotel. I spent the rest of the evening resetting every password I could think of.
What. A. Day.
6 weeks later…
It’s a Wednesday and I’m at work in a small office usually reserved for phone calls. I get up and go to the restroom, and when I come back I see a missed call on my phone.
I listened to the voicemail and hear “Hi Mr. Beal, my name is Agent X (redacted for privacy) and I’m calling from the Department of Homeland Security. We believe you may have been the victim of identity theft. Please call me back at your convenience. Thank you.”
Department of Homeland Security?! It takes me a minute, but I eventually connect the dots. Vegas. SIM Swap attack.
I returned the call and Agent X answers. Now this agent had a very memorable last name. Honestly, so memorable it sounded fake. My paranoid brain started working again.
Is this actually a Homeland Security agent, or is this the hacker? It is unfortunately quite common for hackers to call victims days or weeks after the incident and attempt to extort them for more money. They usually claim to have found sensitive or embarrassing information in your email account.
I ask Agent X if he could confirm his identity and affiliation with DHS. A minute later, I receive an email from him. While he was doing that, I was also able to find his profile on Linkedin.
He checked out (actual email below).
Agent X worked in the Cyber Crime Division of the DHS Detroit Field Office. He tells me that a few weeks ago, the Detroit Police Department seized a trunk full of laptops, cell phones, SIM cards and hard drives. The Police Department had a hunch the devices were being used for nefarious activity, but weren’t sure what and didn’t have the technical expertise to figure it out. So they reached out to the DHS Cyber Crime division for help.
Agent X and his team turned on the devices and started digging. What they found amounted to a victim’s list – names and phones numbers of people across the United States.
I was one of them.
By the time they spoke to me, his team had pieced together through other conversations that the devices were used to hack into crypto exchange accounts, but they didn’t understand how the scheme worked.
I told him I knew. Before I began, he invited a few more colleagues into his office.
On speaker phone to an office full of DHS cyber crime agents, I explained…
You port the victim’s phone number over to a new device (hacker’s phone). This is typically done by brute force, calling the victim’s phone carrier over and over again until someone grants you access to the victim’s cell phone account. You are then able to transfer the phone number on the account to a new mobile device.
If you know the victim’s email account, you visit their email login page (ex: Gmail) and click “Forgot Password”
The email client sends a 4-digit recovery PIN to the phone number on the email account. Because the hacker controls the phone number, he receives the text with the recovery PIN.
Using the PIN, the hacker resets your email password and gains access to your email account, effectively locking you out.
With access to your email account, he searches your email history to determine where you maintain exchange accounts.
Once the hacker determines where you maintain exchange accounts, he performs Steps 3-5 above at each exchange.
If he gains access to your exchange account, he withdraws crypto from your account to his wallet address.
Your crypto is gone forever.
After explaining how cyber crime works to a team of cyber crime agents, I was feeling bold and asked whether they had identified any suspects.
“Yes, we have identified and made contact with an individual in the Detroit Area we know to be involved”, said Agent X.
He tells me the individual they identified is an 18-year old high school student living in the Detroit suburbs (with his parents). The had been monitoring him for a few weeks. When they contacted him asking if he was willing to cooperate with the investigation, he refused.
The balls on this kid.
While I don’t respect his choice of profession, I did weirdly respect his attitude toward authority. If I have the opportunity to speak with him, I would say “You’re obviously extremely smart and opportunistic. Don’t you realize you can make more money helping companies prevent this from happening?”.
I don’t know if that is technically true, but that’s the older brother in me.
Agent X and I spoke for another 15 minutes, and told him that if his team was interested in doing forensic analysis on any stolen funds, there were software tools they could use.
What. A. Wednesday.
Agent X and I haven’t spoken since, and I never heard whether they filed criminal charges against the 18-year old. Regardless, I hope he learned a lesson and is using his talents in a more productive way.
Parting Thoughts
I wish I could say this experience inspired me to immediately overhaul my personal security practices. But it didn’t. My phone was hacked again six months later, this time while I was vacationing in Hawaii.
The second time was the charm. After that, I changed my phone number, cell carrier, email accounts, and implemented a series of new procedures to ensure my accounts and assets were secure.
If you are new to crypto, or think your security practices can be improved (and they always can), there are great resources on security best practices available here and here. Other than learning how to code, I can’t think of a better investment that will pay dividends for the rest of your life.
Thanks for reading,
Andy
Not a subscriber? Sign up below to receive a new issue every Sunday!