Top Poker Pros Have Online Accounts Hacked
Many businesses nowadays, particularly ones where a user’s information is particularly sensitive – banks, e-mail providers, cloud storage companies, etc. – encourage their customers to utilize a two-factor authentication service (2FA) in order to bolster the security of their accounts. This week, several high stakes poker pros discovered that in their cases, 2FA weakened their accounts’ security, rather than strengthening it.
Two-factor authentication is a way to add an extra layer of security to an online account, above what a password provides by itself. For example, a bank might give you the option to receive a text message that contains a special code when you attempt to login with your password. In order to complete the login, you must enter that code within a fixed time limit. Other services – I use one with Steam – utilize a code displayed with a smartphone app. It generally works quite well; the “something you know and something you have” security setup is like having two different kinds of locks. If a hacker or thief discovers your password, they still need your phone to complete the two-factor authentication.
It generally works quite well. Until it doesn’t. And then things REALLY go south.
What happened to poker pros like Vanessa Selbst, Vanessa Rousso, Dan Smith, and Cate Hall, was that some crook was able to like his way into access of their cell phone accounts. Apparently, it is as easy as calling their cell phone provider, pretending he was one of them, then just hoping that a customer service rep lets him skate through their security protocols. For instance, in Selbst’s case, Verizon normally requires customers who call in to discuss their account tell the rep a special PIN. It sounds like the “hacker” found a rep who just accepted the answer, “Uh, dur, I don’t remember my PIN,” and then let him change it.
From there, he was able to port Selbst’s number to his own phone. Now the “something you have” was in his hands and he could go ahead and gain access to any other accounts she had that used SMS text messaging as a means of resetting account passwords. He got her Gmail account and her Dropbox account.
Selbst was – and still is – incensed that Verizon could so easily give someone else the keys to her account.
“Aaaaand my @VZWSupport account is being hacked for the second time today. AFTER multiple conversations telling them not to make any changes,” she tweeted on Tuesday.
“.@VZWNow @VZWSupport FOUR TIMES TODAY I WAS INFORMED THAT NO ONE COULD CHANGE THE PIN VIA THE PHONE. A hacker has now changed my pin twice.”
“.@VZWNow @VZWSupport every time I called back to wonder how this happened,I was offered to change the pin back. YOU PROMISED I CAN’T DO THIS”
She goes on, berating Verizon publicly for deleted the notes of fraud on her account.
To help people understand the situation, Selbst linked to a December article on Forbes.com. The article discusses incidents that have occurred in the crypto-currency industry (Bitcoin, among others) in which victims have lost hundreds of thousands and even millions of dollars in cyber currency. They tend to be primary targets because they have no recourse. Because crypto-currency is decentralized, currency owners have no way to reverse transactions once the money is pilfered from their accounts.
Forbes explains a common way that hackers trick the cell phone companies into giving them access to someone else’s account:
In order to find that opening through the customer service representative, hackers often employ what’s called social engineering, used in 66% of all attacks by hackers. An elaborate version is demonstrated in this video (starting around 1:55), in which a woman with a baby crying in the background (really just a YouTube recording) claims she’s newly married and doesn’t know what email address is used to log into her husband’s account. She then has the rep change the email and password, locking the victim out.
Basically, it’s all about knowing enough about a victim – gleaning information from sites like Facebook, Twitter, or LinkedIn – to convince a customer service rep that you are who you say you are, even if you don’t know any passwords or PINs. Heck, at times you don’t even have to know anything – you just have to sound authentic.
Steve Waterhouse, former partner at Pantera Capital, had his phone number hijacked and ported. He recently got control of his account and called Verizon to turn on international dialing. From the Forbes article:
The customer service representative asked for the pin on his account. “I said, hang on, let me just remember, because I have a series of businesses and different accounts, and the guy’s like, oh, don’t worry about it, just give me the last four of your Social. I said, whoa, what’s the point of the password then? And he was like, well, you know. And I said, Can I port my number? Actually, I didn’t want to port it — it was a test. And he was like, yeah, no problem, where do you want to send it? And I said, I thought I had port blocking turned on, and he said, hang on, let me look at my notes. And there isn’t a field for this, it’s buried in a series of notes from different customer reps. And he said, oh, that’s right, this happened to you before. Oh wow, you have a high security level. Oh shoot, someone should have put that up at the top of the note. I said, Oh great, so it’s just random. If I get the right person, I can port my number then, and he was like, no, of course not. I thought, this doesn’t sound like security to me.”
So what to do? How should we protect our accounts beyond just a password. As this isn’t a tech blog, I’m not going to get into all of the details, but Forbes links to a fantastic blog post by Jesse Powell, CEO of Kraken, who goes through all the steps to take. He suggests creating a new e-mail accounts to only use with the telecom provider and switching to a more secure form of 2FA, like Google Authenticator. For those who still want to use SMS, he goes through all the steps to make sure the phone associated with the account is completely private, secure, and separate from one’s main phone.
COMMENTS