
On a Sunday evening this past summer, an attacker (not going to get into the whole misuse of the word ‘hacker’ here) took over some of my accounts and attempted to take over others. I suspect this was related to my involvement in Bitcoin and cryptocurrencies (these are a nice target to steal) but I can’t be totally sure. I’ve heard a number of similar stories and read a few articles about similar incidents, so I decided I should write my experience up.

A few examples of similar attacks are here, here, and here.

I got off pretty lucky. I had a few hours of inconvenience but I didn’t actually lose anything. Some of that was due to luck and some was due to the way I have things set up (but more on that later). In light of that I decided it was worth it to write up what I did right, what I did wrong, and how I could improve my security.

Timeline

Let’s start with a timeline of the incident since there are some interesting points about it. Some of this is not in the order I saw it, but it seems clearest this way.

11:00PM I finish giving my daughter a bottle and go to put it in the spreadsheet I have on my phone (you are supposed to keep track of how much infants eat and I like data, so don’t judge me). The phone says I’m logged out of my Google account. Seems odd but I’m not concerned yet. I put the baby to bed and go to my computer to see what is going on.

11:20PM I see password reset emails from bitstamp, dropbox, groupon, and gmail. Only the gmail one was successful. Since my gmail forwards to my normal mail, I have the email about the password reset.

11:27PM SMS sent from my Google Voice account to a 702 area code number.

11:28PM Call made using Google Voice to Network Solutions (changing my DNS).

11:33PM zoho.com email set up for my personal domain.

11:39PM I changed my gmail password back to something I control.

11:45PM I set my DNS back to my server.

12:00AM I notice my phone has no service. I log on to my Verizon account and see my phone number is assigned to an Apple iPhone 5s (I use an Android phone and have for many years), but there are no recent logins on my account.

12:30AM Finally find a Verizon number to call (their security hotline). The very nice person on the line tells me that that number is for police or government callers. I have to use the Fraud Hotline, which is only open from 7AM to 11PM.

2:00AM I manage to get my phone number back by sending an SMS to another phone on my account (family plan).

7:30AM Called Verizon’s fraud number. They blacklisted the MEID and SIM card for me but otherwise couldn’t explain what happened.

8:00AM Called Network Solutions. They said it was impossible for someone to change DNS over the phone (despite the fact that I know it happened and have personally done it in the past without the account password).

8:30AM Called Zoho. They confirmed that an account was made for my domain but no email got to it (since I stopped it very quickly). I assumed they wanted control of my email and would just recreate my address there, but instead they made a single email address with a very bad word that I won’t post here as the address (and anyone who knows me knows that there are very few bad words that I don’t use, so the choices are pretty limited here). Zoho closed the account for me.

9:00AM Discovered that the same attack was done to a coworker of mine in more or less the same time frame (and on a different mobile carrier). This makes it very suspicious that we were particularly targeted for our Bitcoin work.

Failure Points

Verizon Wireless

Verizon should never have switched my number to a different phone. The attacker never signed in to my account and almost certainly only had partial information about me, and yet Verizon basically gave away my cell phone number, which is one of the most important keys to all sorts of parts of a person’s digital (and financial) life.

Gmail

My gmail password was changed which was probably the initial goal until they discovered that I just forwarded that to my real email. This was due to my settings rather than a flaw in their systems or processes.

Network Solutions

Network Solutions should not have changed my DNS over the phone. The attacker did use a number that may have been associated with me at one point (a Google Voice number) but still, changing that without my password wasn’t good.

What I Did Right

Probably the best thing I did was catch this quickly and start changing things back before any harm was done. Unfortunately, that isn’t really a strategy one can rely on.

While I didn’t have it turned on for all of my accounts, I did have two-factor auth turned on for a number of accounts. That meant that the attackers couldn’t get in to everything.

The fact that I don’t use gmail as my primary email account (and don’t host my email with gmail) saved me a lot of trouble. It meant that when the attackers got my gmail account and started trying to reset passwords, they didn’t get the reset emails since they didn’t have access to that email address yet.

I don’t keep any Bitcoins or other cryptocurrencies on any exchanges which meant that there was nothing to steal without accessing computers of mine (which would be a much tougher thing to do).

Also very helpful was that I have an email client that keeps a local copy of my emails. This meant that I had access to the gmail password change email even though my email accounts were not accessible (making it much faster to recover). Webmail is the attacker’s friend in these cases.

What I Did Wrong

I got off very well in this, but there were still things I could have done better. Most importantly, I should have had Two-Factor Authentication (2FA) turned on for my gmail account. I also should not have had a recovery phone number set for my account.

The second thing is I should not have had a domain (and an important one) registered with Network Solutions. They do not support 2FA (not even the terrible SMS version of it), and they can clearly be talked into changing things over the phone (something I’ve seen in person even before this).

Things to Improve

There are some steps I took to prevent this from happening again. First I turned on 2FA using Google Authenticator, not SMS, for all of my Google accounts and removed the recovery phone number. That part is very important since your phone number can be stolen.

Then I moved the last of my domains off of Network Solutions and onto a better registrar that supports 2FA.

While I already used 2FA on many accounts, there were still some where I did not, so I have now turned it on wherever possible.

Interesting Points

The most interesting thing about this to me was that the attacker changed my Verizon number right before their fraud department closed. That made it much harder to recover. It is also worth noting that there was nothing technical about this. The first (Verizon) and third (Network Solutions) points in this attack were done entirely through social engineering. All of the other bits relied on using the password changes more or less as intended.

The seemingly targeted nature of this is also interesting. The only part that I find confusing was why they just made a bad email address on Zoho rather than trying to match my real address. That makes the whole thing seem much less careful than the rest of it. The only thing I can guess is that the attacker was annoyed that I was already getting things back at that point.

I’ve also considered that it might make sense to have a separate Google account just for use with Android (so just for the Android App backups, contacts, etc) and to not use that for anything else. I haven’t fully thought through if that helps enough to be worth it.

Another important point is that 2FA using SMS (when a website sends you a text message with a login code) is NOT secure.

Why Post This

I want to make a small note as to why I’m posting this. One could question posting details of an attack in case the bad guys can learn from it. While that is true, I think it is more important that everyone else can learn from it and protect themselves a bit more. I’ve already dealt with most of the ways in on my end, so I’m not tremendously worried myself. The possibility of compromising a cell phone remains, and until the carriers fix that there isn’t much we can do there, so it is vital to address all the issues that we can. I’m also posting this to shame the companies that let this happen (Verizon Wireless and Network Solutions).