The most expensive experience of my life: a SIM card migration attack

Posted by tzul at 2020-04-04

Last Wednesday I was the victim of a "SIM port attack": within 24 hours my Coinbase account was drained, a total of about US$100,000. It has been four days since the incident. I am very depressed; I cannot sleep at night, I cannot eat, and I am full of anxiety, regret and embarrassment.

This is the most expensive lesson of my life. I want to share my experience and lessons with as many people as possible. My goal is to raise awareness of this kind of attack and to improve the security of your online identity.

So far very few people know about this (I have not even told my family); the views in this article are my personal opinion only, and I reserve my own judgment.

Attack details

You may be wondering what a SIM port attack is. To describe it, let's first look at a typical online authentication setup. For most people, the picture below should look familiar.

Most of us have a primary email account that is linked to many other online accounts. Most of us also have a mobile device, which can be used to recover the password of that mailbox when we forget it.

Authorized SIM card migration

Porting a SIM card (that is, a phone number) to another device is a normal service that mobile operators provide to customers, for example when you get a new phone or switch to a new carrier. The customer transfers the old SIM card to a new device. In most cases this is perfectly legitimate.

SIM port attack

A "SIM port attack" is a malicious migration performed by an attacker from an unauthorized source. The attacker migrates your SIM card (your phone number) to a mobile phone under their control, then uses your phone number to reset the password of your primary email account: the email provider sends the SMS verification code for the password reset to your phone number, but by now that code is intercepted by the attacker. The following figure provides a step-by-step overview of the attack process.

Once an attacker has taken over your primary email account, they can move laterally: through that email account they control the other online services bound to it (bank accounts, social media accounts, etc.). A particularly malicious attacker can even take away your ability to recover the password, so that you can never log in to the account again.
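The attack chain above has one weak link a service can check for on the defending side: a password-reset code sent by SMS is only as trustworthy as the SIM that currently holds the number. The following is an added example, not code from the original post, of a step-up rule that refuses SMS-based recovery when the phone number was moved to a new SIM shortly before the request and requires a hardware key instead. The 72-hour cooldown, the event records and the phone numbers are all constructed assumptions; a real service would get the SIM-change records from the carrier.

```python
"""Step-up check for SMS-based account recovery after a recent SIM change.

Added example. The event records below are constructed, and the 72-hour
cooldown is an assumed policy value, not something stated in the post.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Assumed policy: a number whose SIM changed within this window is not
# trusted to receive account-recovery codes by SMS.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)


@dataclass(frozen=True)
class SimChange:
    """Carrier-side record that a phone number was moved to a new SIM."""
    phone: str
    at: datetime


@dataclass(frozen=True)
class RecoveryRequest:
    """An account-recovery attempt as seen by the online service."""
    account: str
    phone: str      # number the service would send the SMS code to
    at: datetime
    channel: str    # "sms" or "hardware_key"


def sim_changed_recently(phone: str, at: datetime, changes: Iterable[SimChange],
                         cooldown: timedelta = SIM_CHANGE_COOLDOWN) -> bool:
    """True if `phone` was re-homed to a new SIM within `cooldown` before `at`."""
    for change in changes:
        if change.phone == phone and timedelta(0) <= at - change.at <= cooldown:
            return True
    return False


def decide(req: RecoveryRequest, changes: Iterable[SimChange]) -> str:
    """Return 'allow', or 'deny_sms_step_up' when the SMS channel is untrusted.

    Hardware-key recovery does not depend on the phone number at all, so a
    SIM change has no bearing on it.
    """
    if req.channel != "sms":
        return "allow"
    if sim_changed_recently(req.phone, req.at, changes):
        return "deny_sms_step_up"
    return "allow"


def review(requests: Iterable[RecoveryRequest],
           changes: List[SimChange]) -> List[Tuple[str, str]]:
    """Apply `decide` to every request and return (account, decision) pairs."""
    return [(r.account, decide(r, changes)) for r in requests]


# Constructed sample data (not real events or numbers).
SAMPLE_SIM_CHANGES = [
    SimChange(phone="+15550000001", at=datetime(2020, 4, 1, 9, 0)),
]

SAMPLE_REQUESTS = [
    # SMS reset two hours after the SIM change: the pattern described in the post.
    RecoveryRequest("victim@example.com", "+15550000001", datetime(2020, 4, 1, 11, 0), "sms"),
    # Same number a week later: outside the cooldown window.
    RecoveryRequest("victim@example.com", "+15550000001", datetime(2020, 4, 8, 11, 0), "sms"),
    # Hardware-key recovery is not tied to the phone number.
    RecoveryRequest("victim@example.com", "+15550000001", datetime(2020, 4, 1, 11, 5), "hardware_key"),
    # A different number with no SIM change on record.
    RecoveryRequest("other@example.com", "+15550000002", datetime(2020, 4, 1, 11, 0), "sms"),
]

if __name__ == "__main__":
    for account, decision in review(SAMPLE_REQUESTS, SAMPLE_SIM_CHANGES):
        print(f"{account}: {decision}")
```

Run as a script it prints one decision per constructed request; the first request, an SMS reset two hours after the SIM change, is the only one denied. The rule is deliberately one-sided: it never weakens hardware-key recovery, it only stops the SMS path from being the weakest link during the window in which a ported number is most likely to be in the wrong hands.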

Take a moment to consider what sensitive information a Google account can disclose:

1. Your address, date of birth and other personal identity information;

2. Private photos of you or your friends;

3. Your calendar and upcoming travel plans;

4. Your private email, documents and search history;

5. Your personal contacts, their contact details and your relationship with them;

6. Every other online service that can be accessed through your primary email account.

Timeline

The following is the timeline of the attack. It shows how this kind of attack is carried out and how dangerous it is. In the chart I describe what the attacker did, how I responded at the time, and what you can do to protect yourself if you go through a similar event.

The timeline is divided into four parts:

1. My experience: my view of the whole event. If you are going through the same thing, these may be signs that you are under attack.

2. The attacker's actions: the basic strategy the hackers used to get into my Coinbase account.

3. The threat level I perceived: how serious I thought the situation was while it was happening.

4. The threat level I should have perceived: in hindsight, how serious I should have judged each step to be as it happened.

Lessons learned

This is the most expensive lesson of my life. I lost a significant percentage of my net worth within 24 hours, and it is irreversible. Here are some suggestions to help others protect themselves better.

1. Use a hardware wallet to protect your crypto: when you are not trading, keep your crypto in a hardware wallet / offline storage / multi-sig wallet. Don't leave funds idle on an exchange. I treated Coinbase like a bank account, but you have absolutely no recourse in the event of an attack. I understand risk better than most people, yet I never thought it would happen to me. I deeply regret not taking crypto security measures.

2. SMS-based 2FA is not strong enough: whatever asset and/or identity you are trying to protect online, you should upgrade to hardware-based security (i.e. something physical that an attacker must physically obtain to carry out the attack). Although Google Authenticator and Authy can turn your mobile device into a form of hardware-based security, I suggest you go a step further and choose a YubiKey, which you physically control and which cannot be spoofed.

3. Reduce your online footprint: cut down on unnecessary online sharing of personal identity information (date of birth, location, pictures with embedded geolocation data, etc.). In the event of an attack, all of this quasi-public data can be used against you.

4. Google Voice 2FA: some online services do not support hardware-based 2FA (they rely on the weaker SMS-based 2FA). In those cases you are better off creating a Google Voice phone number (which cannot be SIM-ported) and using it to receive two-factor authentication codes.

5. Create a secondary email account: instead of tying everything to a single email address, use a secondary email account for critical online identities (bank accounts, social media accounts, crypto exchanges, etc.). Don't use this address for anything else, and keep it confidential. Protect that address with some form of hardware-based 2FA.

6. Offline password manager: use a password manager for your passwords. Better yet, use an offline password manager such as Password Store. Lrvick has an excellent comparison chart of password managers, as well as recommendations for the more technically inclined.

A note to readers

Given my immature security practices, it is no surprise that I got hacked; I get it. But that does not reduce the damage I suffered, and passing judgment only distracts from the point of this story, namely:

1. To let others know how easy it is to be attacked.

2. To make online identity security a priority, using the knowledge and suggestions above.

I cannot stop thinking about the simple, small things I could have done to protect myself; my thoughts are clouded by what-ifs and alternate timelines.

These thoughts sit alongside two other, less visible feelings: laziness and survivorship bias. I never took the security of my online identity seriously because I had never been attacked. Although I knew my risk profile, I was too lazy to protect my assets with the rigor they deserved.

I ask you to learn from my lesson.

Reference articles

1. Customizing two-factor authentication with TOTP

2. Risks and limitations of two-factor authentication

3. How to set up a secure password manager

4. How to evaluate and set up the crypto wallet that suits you best

This article was compiled and translated by 白帽汇 and does not represent any view or position of 白帽汇. Source: