As phone scams keep evolving, criminals are beginning to realize they can exploit two-factor authentication to take control of accounts in a way no one intended.
By effecting a simple phone takeover hack, the bad guys are proving that the added layers of phone-based security we’ve come to rely on aren’t as solid as they seem.
That’s because the whole system hinges on who controls the phone number to which secondary security codes are sent.
Dangerous phone scam arises
As if we didn’t already have enough fears about our phones compromising our security, there’s an insidious variety of scam brewing in the wireless world.
The New York Times reports criminals are calling up major wireless carriers and asking them to port certain people’s phone numbers to a wireless device they control.
Once that port is done, the crooks can then get access to financial accounts that use two-factor authentication via text messages — one of the most popular methods of two-factor authentication.
Upon getting that two-factor authentication text message, a crook can then reset the password on any account you have tied to that number. Then they can easily drain your money!
The good news is that while accounts with banks and brokerage firms aren’t entirely immune here, they’re not particularly at risk either. That’s because unauthorized criminal transactions that drain an account at a bank or brokerage can generally be reversed if caught within a few days, according to the Times.
If, however, a criminal empties your bank or brokerage account and you fail to notice it in a timely manner, well…the sad reality is you snooze, you lose.
But the real threat here is to people who trade Bitcoin and other digital money in the virtual currency community. Criminals are specifically targeting them and their “cryptowallets” because digital currency transactions were designed to be irreversible.
The irreversible nature of transactions done in Bitcoin, Ethereum and the like goes to the heart of why cryptocurrency enthusiasts like this new breed of money so much — it exists separately from banks and governments, and is not subject to any of their rules.
Of course, the downside here is that once your Bitcoins are stolen, they’re gone for good!
How big of a problem is this?
This phone hijacking practice may be limited in scope right now, but it is a growing threat.
According to the Federal Trade Commission, 1,038 such incidents were reported in January 2013. Just three years later, by the start of 2016, that number had increased to 2,658.
Furthermore, this particular crime is believed to be under-reported because those in the cryptocurrency world “have not wanted to acknowledge it publicly for fear of provoking their adversaries,” according to the Times.
“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” Joby Weeks, a Bitcoin entrepreneur, told the newspaper.
Weeks reportedly lost $1 million in virtual currency after his phone number was stolen and the cryptowallet he used to store all his digital currency was drained.
Here’s what you need to know
Cryptocurrency is an inherently risky thing to begin with. This latest phone hacking scam only makes it more dangerous.
That said, if you are still interested in speculating in cryptocurrency, consider following money expert Clark Howard’s 5% rule.
The consumer champ is not opposed to you having a small percent of your investment money in Bitcoin or some other currency — maybe on the order of 5% of your overall portfolio. But his advice is to never put in more money than you would lose sleep over if you lost it altogether.
The beauty of Clark’s 5% rule is that limiting your exposure to cryptocurrency also limits your downside in the event your digital currency gets stolen!
For further protection, heed this advice if you’re really into actively trading cryptocurrency or want to get into it in the near future:
- Don’t boast on social media about owning cryptocurrency. Criminals are monitoring social feeds looking for their next mark. Boasting about your vast treasure trove of Bitcoin is a sure way to put yourself on the attackers’ radar!
- Consider disconnecting your mobile phone from any cryptocurrency trading accounts you may have.