By Ralf Keuper
Recently, cases of identity theft in which Bitcoin owners suffered heavy losses have increased markedly, as reported in Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency, among others.
The weak point turned out to be authentication by phone number:
Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup—as services like Google, Twitter and Facebook suggest.
An example:
Within minutes of getting control of Mr. Burniske’s phone, his attackers had changed the password on his virtual currency wallet and drained the contents—some $150,000 at today’s values.
The victims themselves supplied important pointers, albeit unintentionally:
The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. And virtual currency transactions are designed to be irreversible.
The core problem:
Many email providers and financial firms require customers to tie their online accounts to phone numbers, to verify their identity. But this system also generally allows someone with the phone number to reset the passwords on these accounts without knowing the original passwords. A hacker just hits “forgot password?” and has a new code sent to the commandeered phone.
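The reset flow quoted above treats possession of the phone number as proof of identity. The following Python model, an added illustration rather than code from the article or from any of the services it names, contrasts that weak policy with a hardened one: a phone number alone never resets a password, a factor the phone number does not control (authenticator app or printed one-time recovery code) is required where one is enrolled, and an SMS-only reset on a number that changed recently is held for review instead of being granted. The field names, the seven-day cooldown and the sample accounts are assumptions constructed for the example.

```python
"""Password-reset policy model: weak (phone number is enough) vs hardened.
Added example; all field names, policy values and sample data are assumed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Account:
    username: str
    phone_changed_at: datetime            # when the number on file last changed (assumed field)
    has_totp: bool = False                # authenticator app enrolled?
    recovery_codes: set[str] = field(default_factory=set)  # one-time codes (store hashes in practice)


@dataclass
class ResetRequest:
    sms_code_ok: bool                     # code sent to the number on file was entered correctly
    totp_ok: bool = False                 # authenticator-app code entered correctly
    recovery_code: str | None = None      # printed one-time recovery code, if presented


PHONE_CHANGE_COOLDOWN = timedelta(days=7)  # assumed policy value


def weak_reset(acct: Account, req: ResetRequest) -> str:
    """The flow the article describes: whoever controls the number resets the password."""
    return "allow" if req.sms_code_ok else "deny"


def hardened_reset(acct: Account, req: ResetRequest, now: datetime) -> str:
    """Phone number is never sufficient on its own. Returns allow / deny / review."""
    # A factor the phone number does not control always satisfies the check.
    if req.totp_ok:
        return "allow"
    if req.recovery_code is not None and req.recovery_code in acct.recovery_codes:
        acct.recovery_codes.discard(req.recovery_code)  # single use
        return "allow"
    if not req.sms_code_ok:
        return "deny"
    # SMS only from here on. If a stronger factor is enrolled, it must be used.
    if acct.has_totp:
        return "deny"
    # A number that changed recently is the signature of a hijacked account:
    # hold for manual identity verification and notify the previous contact channels.
    if now - acct.phone_changed_at < PHONE_CHANGE_COOLDOWN:
        return "review"
    return "allow"


def demo() -> dict[str, str]:
    """Run both policies over constructed sample accounts and return the decisions."""
    now = datetime(2017, 8, 21, tzinfo=timezone.utc)  # constructed reference time
    # Number on file was changed an hour ago, no authenticator enrolled.
    hijacked = Account("alice", phone_changed_at=now - timedelta(hours=1),
                       recovery_codes={"code-1234"})
    # Long-standing number, authenticator app enrolled.
    protected = Account("bob", phone_changed_at=now - timedelta(days=30), has_totp=True)
    # Long-standing number, nothing stronger than SMS enrolled.
    plain = Account("carol", phone_changed_at=now - timedelta(days=30))

    sms_only = ResetRequest(sms_code_ok=True)
    results = {
        "weak_hijacked": weak_reset(hijacked, sms_only),
        "hardened_hijacked": hardened_reset(hijacked, sms_only, now),
        "hardened_protected_sms_only": hardened_reset(protected, sms_only, now),
        "hardened_protected_totp": hardened_reset(
            protected, ResetRequest(sms_code_ok=False, totp_ok=True), now),
        "hardened_hijacked_recovery_code": hardened_reset(
            hijacked, ResetRequest(sms_code_ok=False, recovery_code="code-1234"), now),
        "hardened_plain_sms_only": hardened_reset(plain, sms_only, now),
        "recovery_codes_left": str(len(hijacked.recovery_codes)),
    }
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The instructive case is the first pair: the weak policy grants the reset on the hijacked account, the hardened one holds it for review, because the number on file changed an hour ago. Bob's SMS-only request is refused outright, since his enrolled authenticator is the factor that must be presented; Carol, with nothing stronger than SMS enrolled, is still served, which is the residual risk a service accepts when it keeps SMS recovery available at all.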
The problem is widespread in the Bitcoin scene:
“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur.
A classic case of social engineering.
Further reading:
Hacker kapern Telefonnummern von Bitcoin-Reichen (Hackers hijack the phone numbers of the Bitcoin-rich)