My Never-Ending Fight Against Thieves - Part 1
Roll the clock back about nine months ago. We were on vacation in Vegas at the time, and about to wrap up our trip. I got an email from Andrew Lee, the CEO of the San Franciso-based Bitcoin startup, Purse.io. He asked me to call him when I got the chance because he had something important to talk to me about. Not wanting to interrupt our vacation, I called him the following day after getting home.
They did what?!?
During our call the next day, he asked me: You didn't call me yesterday, did you?
Me: No, I did not.
Him: *Okay, I didn't think so. I got a call from your verified number; the number you're calling me from now. The guy was pretending to be you and asking me to turn off your two-factor authentication (2FA). I didn't remember you having a thick accent, and he couldn't recall our previous conversation, so I kept the 2FA on.
Me: Um, what the hell? How does someone call you from MY phone number?
I then went to my service provider, T-mobile, to figure out how someone was calling people from my phone number. While I never did figure it out, it turns out they had hacked into my T-mobile account and set up call forwarding. What was strange was that it was selectively forwarding calls and texts. Some of the communication would come to my phone, but others would get forwarded. Speaking to one of T-mobile's "security specialists" he told me he had no idea how this was happening. How reassuring.
Why would someone want access to your phone number?
If someone gets access to your phone number, it makes things a lot easier for them when they're trying to steal your identity, Bitcoin, Paypal funds, or whatever else they may be trying to plunder. When calling into many companies' service departments, you are required to go through much less security if you're calling from the phone number you have on file with them. Additionally, if you have 2FA set up on your accounts, having control of your phone number allows the thief to bypass many of those 2FAs.
Within the next couple days, 3 of my email accounts got hacked, my Facebook got hacked, my PayPal account, Authy, bank account, and about a dozen other accounts that I'm aware of.
The first order of business was to secure my email account. If someone has access to your email, that person can get into almost any other account by changing the password because password-reset links get sent to your email.
I went on to change my email passwords then set up 2FA on those accounts. Next, I had to take care of my cellular account.
Securing my T-mobile account
One of the security questions T-mobile would ask when you call in is your billing address. So I changed the billing address on my account. Additionally, to add an extra layer of security, I added a password that you'd have to know if calling T-mobile to access my account (this is how they were able to get into my account...the first time).
Authy hacked
Authy is a popular 2FA service. If using the service, when logging onto a website, you'll have to enter your username, password, and a 6 or 7 digit code from the Authy app. This code changes every 15 or 30 seconds.
Authy's entire security model is based on the user having sole control of their phone and phone number. I used it for both my Purse and Coinbase accounts, so when it got hacked, it was a big concern. Luckily, there was no damage done by the time I found out about the hack. Due to their security model, I have since stopped using their service.
Finally, they're leaving me alone!
After well over 100 password changes, many phone calls, and countless emails, it seemed as if they had stopped trying to get into my accounts. This was such a stressful time and was thrilled that I could finally relax.
My relief wouldn't last long...
all images are either my own or taken from pexels and require no attribution
That sound very scary, I had my Hungry House account hacked, someone got in and ordere 2 massive orders from take aways thankfully my bank paid me back. I have since closed my Hungry house account . Its a horrible experience
I'm glad you were reimbursed. It is an extraordinarily frustrating experience. At this point in the story I hadn't had anything stolen from me, but later that would change.
Ill take a look out for the next part :)
this is trivially easy to do if you have the right equipment (called an orange box). If not, there are subscription services like callerIDfaker.
this guy could probably explain the ins and outs of how it works:
https://steemit.com/@jdcrunchman
Oh, wow, thanks for the info.
Wow, that sounds horrible! Thinking about it, it's pretty scary how much people can do once they hack into your e-mail.
I didn't even know they can fake call from your phone, that's kind of scary...
I didn't know that was possible either. If someone had access to both your email and your phone, the results could be devastating.
Hacking and identity theft are really unpleasant. Thank for reminding people to use as much security as possible.
Yes, they are. I've had a tough ongoing battle and am not the only victim.
Very instructive article! I realized I'm not careful enough! Though some years ago my old paypal account with the associated gmail account was hacked and all my money had gone (the price of my painting and the postal fee I got from a Canadian woman). Now it's time to change all my passwords. What do you think of password managers? Are they safe or not?
If using one, I'd set up 2FA on it and not use your master password for anything else.