As you may be aware from news stories in the press, there has been a recent increase in the instances of people having their mobile phone numbers taken over by malicious attackers via social engineering of mobile phone operator staff.
In summary, the attack involves a hacker contacting a victim's phone operator and convincing a call centre agent to transfer the victim's phone number to another, hacker-controlled, SIM card. From there, the hacker resets the victim's email password using the SMS recovery option on the email account, by which point the hacker often has all the information they need to access the vast majority of the victim's online accounts.
What makes this different from other attacks is that someone can have reasonably good security in place and still have it circumvented, because the weak link is the phone operator rather than the victim.
To prevent this, we recommend that you do not in any way enable the use of your phone number to recover access to your email address or vice versa.
Below is a short summary of useful steps you can take to secure your email, mobile phone and phone number if you are not already doing so.
How to secure your email
All email systems are different, but at a high level we recommend the following:
- Do not use SMS or voice for 2FA access to your email (unless there is no other option).
- Do not use SMS or voice for password recovery for your email account (even if there is no other option).
- Set up device-based 2FA solutions such as Authy* or Google Authenticator so that authentication is only possible if you have the actual phone and not just the phone number.
- Only ever enter 2FA credentials directly on the site they are meant for. Do not pass the details on to anyone or approve a Google prompt or Microsoft Authenticator notification even if you have previously been contacted and told to expect this 2FA request.
- Do not reuse passwords anywhere. One account, one password.
- Do not use password hints.
* Although Authy asks for a phone number to ease setup, by default it does not allow switching physically to a new phone, even if the phone number has not changed. This should not be disabled (by allowing Multi Device 2FA) unless it is enabled only for the period when a new device is intended to be added (such as the Chrome App or a second known phone) and then immediately disabled.
How to secure your mobile phone and phone number
- Encrypt your phone.
- Set up a lock screen password, PIN, etc.
- Take advantage of any extra security features from your phone operator, such as requiring an extra PIN or password before changes can be made to your account.
- If your phone stops working and a restart does not fix the problem, contact your phone operator immediately to find out why.
- Contact your phone operator and, if possible, ask them to require you to personally go into an operator-owned store with proof of identity in order to transfer your phone number to a different SIM card*.
* Unfortunately, this last suggestion is not foolproof and you must take action to secure your phone and email in order to limit the damage caused in the event a hacker succeeds in taking over your phone number.
CoinfloorEX’s security additions in light of the increased “phone number takeover” risk
Since day one, all CoinfloorEX users have been required to set up either Authy (SMS and App) or YubiKey Two-Factor Authentication. So if someone were to find out a user’s username and password they would still not be able to log into their account without the user’s Authy One-Time Password token or YubiKey device. 2FA on CoinfloorEX is, and always has been, mandatory.
The above advice goes beyond Bitcoin. As we all grow to rely on the internet and our phones more, the cost of our smart devices and online accounts being hacked also increases. Please be vigilant and hopefully you can prevent your phone or email being taken over or at least limit the damage significantly if they are.
What is a YubiKey?
Why YubiKey wins?
Buy a YubiKey compatible with your Coinfloor account
What is Authy?
Authy for PC - is this still Two-Factor Authentication if I am using the same device?
Using Multi-Device with Authy and device control
PCMag - Two-Factor Authentication: Who Has It and How to Set It Up