How much is good online security worth to you? How about $100,000?

Posted on May 31, 2019 by Glyn Moody

Readers of this blog know that a VPN is an indispensable tool for today’s digital world. VPNs address a key part of the challenge of staying safe online. They protect how data is transmitted between an Internet site and the user’s computer, and help to maintain privacy during transit and more widely. But there are other weak points in the digital communication chain that need strengthening. For example, the end-point – the user’s digital device – must also be protected. A firewall tries to keep unwanted visitors out by blocking them directly. However, criminals and state actors are increasingly gaining access indirectly by taking over one of the many online accounts that people use.

In recent years, the SIM swap attack has emerged as one of the most effective ways to do that. First, key personal information is gathered from public and other sources about the target. Then that data is used to convince a mobile phone operator to transfer the victim’s phone number to a new SIM, controlled by the attacker. When password reset requests are sent to Gmail, say, key information is now directed to the new SIM, allowing the attacker to take over the Gmail account. Since it is common for Gmail to be the backup email for password resets of other online services, this in its turn allows the attacker to take control of further accounts.

Recently, a forum popular among people involved in hijacking online accounts and conducting SIM swap attacks was broken into. Ironically, this exposed the email addresses, hashed passwords, IP addresses and private messages of nearly 113,000 forum users who were presumably interested in stealing exactly this kind of personal information from others. If nothing else, that’s a measure of the level of interest this kind of attack attracts today.

The reality of those attacks for victims can be terrible, as a brave post by Sean Coonce reveals in detail. A SIM swap attack resulted in his Gmail account being taken over. This was then used to compromise other online services he used, culminating in $100,000 being drained from a Coinbase account.

Coonce provides a detailed explanation of what happened to him, and how others can avoid the same fate. One recommendation is to reduce to a minimum the amount of personally identifiable information that you place online. Things like data of birth, address, and family details can all be used by malicious actors to trick mobile phone companies into assigning a person’s telephone number to another handset, thus allowing the attack to begin. The importance of keeping this information private is why leaks of personal data by third parties are so harmful. Coonce says that two-factor authentication (2FA) is also crucial, but notes that it’s important to use the right kind:

SMS Based 2FA Is Not Enough: Regardless of the assets and/or identities you are trying to protect online, upgrade to hardware based security (ie: something physical that an attacker would have to physically obtain in order to perform an attack). While Google Authenticator and Authy can turn your mobile device into a piece of hardware based security, I would advise going a step further. Pick up a YubiKey [a hardware 2FA device] that you physically control and cannot be spoofed.

That advice based on one person’s unfortunate experience chimes with newly-published research from Google. As the figures below indicate, the common practice of sending SMS codes to recovery phone numbers is vulnerable to targeted attacks because of techniques like SIM swaps, while “on-device prompts”, using things like Google Authenticator, are more resilient (although not immune to phishing):

If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges. We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.

Google’s research indicates that spear phishing emails impersonating family members, colleagues, government officials, or even Google itself, are the main ways to break into accounts. Attacks can persist for several weeks, and involve sophisticated man-in-the-middle techniques that prompt users to enter not just their password, but also authentication codes sent by SMS or from devices running software like Google Authenticator. Because of this weakness – and those deriving from the SIM swap attack – Google recommends that “high-risk users” enrol in its Advanced Protection Program, which requires the use of hardware 2FA keys.

The cost of these is very low now – typically around $25. Of course, the downside with such hardware keys is that they require setting up, carrying around and using. Whether the undoubted extra security is worth the extra effort will depend on individual circumstances. For those who manage to minimise how much about their personal lives appears online, it may be enough to use weaker forms of 2FA. But given the central importance of email accounts in our digital lives, and how gaining control of them makes taking over other online services much easier, it is certainly something that people should seriously consider. Buying hardware keys could prove one of the best investments they ever make. Just ask someone who didn’t, and paid the price. In the case of Sean Coonce, that price turned out to be $100,000.

Featured image by Zach Copley.