Heed this or perish.

Let’s begin with the assumption that within 24 hours your usual mobile phone number will be hijacked by social engineers. They will use your number to gain access to every account you own that utilizes phone-based authentication and account recovery, like your email. They will then use that access and information to compromise more accounts, and harass, steal, blackmail and extort you and your associates.

In the past month, there’ve been at least 10 cases of people publicly involved in the cryptocurrency scene being victimized by mobile phone hijacking. The consequences have been expensive, embarrassing, enduring, and, in at least one case, life-threatening.

If you are in any way publicly involved in cryptocurrency, consider yourself an active target. You need to immediately audit the security of your accounts – especially email, social media, social networking and mobile phone.

Somehow, the masses have been led to believe that phone numbers are inextricably bound to identities and therefore make good authentication tools. There’s a reason that Kraken has never supported SMS-based authentication: The painful reality is that your telco operates at the security level of a third-rate coat check. Here’s an example interaction:

Hacker: Can I have my jacket?

Telco: Sure, can I have your ticket?

Hacker: I lost it.

Telco: Do you remember the number?

Hacker: Nope, but it’s that one right there. 😉

Telco: Ok cool. Here ya go. Please rate 10/10 on survey ^_^

So, we need to achieve three things:

1. A shift in the way we think about phone numbers

2. The securing of your phone number (to the extent possible)

3. The separation of your phone number from any security functions

1. Changing the way we think about phone numbers

Telcos – Give up the security theater. Start thinking of yourselves more like Brinks and less like Toys “R” Us. Or, just be honest about what you offer: a gamble.

Service Providers – Stop accepting (and requiring) SMS as a method to “recover” or bypass all other security features on an account. You’re custodians of valuable identities and information whether you like it or not. You too need to think of yourselves more like a vault. Until Telcos shape up, you’re perpetuating the misconception that phone numbers are secure.

People – Understand that phone calls and SMS should only be used when you have no alternative, secure mode of communication. Certainly, do not mistake a phone number for an identity. Try to stick to services where you actually own your identity, where your communications are private, and where you can authenticate your interlocutor. See: Signal and BitMessage for a good start.

These problems of ownership in mobile numbers, email accounts, domains and other virtual identities are low hanging fruit for Blockchain entrepreneurs. Some attempts have already been made and more solutions are on the horizon. I’m hopeful that we’ll work this out in the next few years.

2. Securing your mobile phone number and telco account

Call your telco and:

Set a passcode/PIN on your account
  Make sure it applies to ALL account changes
  Make sure it applies to all numbers on the account
  Ask them what happens if you forget the passcode
  Ask them what happens if you lose that too

Institute a port freeze

Institute a SIM lock

Add a high-risk flag

Close your online web-based management account

Block future registration to online management system

Hack yo’ self
  See what information they will leak
  See what account changes you can make

Secure the email address associated with your telco account

Create a new email address that you only use with your telco
  Assume that telco agents will leak this to any caller
  Try something like:
    STOP.DO.NOT.PORT.THIS.NUMBER@kraken.com – they might think twice before doing something stupid
    SKEET.SKEET.SKEET.SKEET@kraken.com – they might be prohibited from saying this on the call
    ijljj1IiiOlI0oiiljlIlj1llillOjlli0Ijilolljoij1l0jilI@kraken.com – they might not be able to accurately read it back to the attacker
  Make sure the email account is extremely secure
    Passcode bypass instructions will go to this email account
    Instructions on securing email, below

Consider switching to a more secure telco, without a human interface

Google Fi
  No phone support agents
  No physical locations
  No problems

No known, comparable other options

Consider setting up a proxy phone number to hide your real one

Google Voice
  Port your old main number to Google Voice
  Get a new number with Telco and never use it for anything but GV
  Handle all calls through Google Voice

No known, comparable other options

Pray

Sacrifice your virgins now because, ultimately, Xenu’s graces are the only thing preventing your phone number from being ported to a 12-year-old in Syria

There is no 100% sure way to prevent the theft of your phone number

3. Separating your phone number from security functions

Upgrade to secure 2FA methods wherever possible

Google Authenticator

Yubikey

U2F security key

Use SMS only where absolutely necessary, and consider whether you want it at all if it will also be used for account “recovery” or password bypass. Ask yourself which is likelier: your password being stolen, or your mobile phone number being stolen.

If you must use SMS, you have two options:

Option A:

Get a secret, low tech, pre-paid burner phone
  Pay cash for the device and minutes
  Don’t attach your identity (name, address, birthday) to it
  Don’t attach your credit card to it
  Don’t tell anyone about it
  Use it exclusively for SMS two-factor and account recovery
  Change it if any services you use it with get hacked

Option B (recommended):

Get a Google Voice (with SMS) number
  Don’t attach your identity (name, address, birthday) to it
  Don’t attach your credit card to it
  Don’t tell anyone about it
  Don’t use the accompanying email address, drive or other services
  Use it exclusively for SMS two-factor and account recovery
  Change it if any services you use it with get hacked
  Set up Google Authenticator or U2F as the only two-factor method
  Disable account recovery

An advantage of Option B is that you can (relatively) securely share access to the SMS messages through SMS-to-email forwarding rules, and by sharing the two-factor method’s seed.

It is recommended that you keep your interactions with this Google Voice number and its SMS messages to a device separate from your primary computer and smartphone. An old smartphone would be a good option.

It is recommended that you keep a copy of your GA seed or U2F key in cold storage, else you should be prepared for the consequences of permanently losing access to the number. Decide for yourself what’s worse: your losing access or an attacker gaining access, and secure yourself accordingly.
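To make concrete what “the GA seed” is and why sharing it (above) or keeping it in cold storage works, here is an added example, not code from the original post: a minimal RFC 6238 TOTP implementation in Python. Whoever holds the base32 seed behind the QR code generates exactly the same codes, with no phone number in the loop; the otpauth URI and seed value used are constructed for illustration, not real account data.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed example of the provisioning URI an authenticator app reads from the QR code.
# The secret is the seed: back it up offline, and treat it exactly like a password.
EXAMPLE_OTPAUTH_URI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"


def seed_from_otpauth(uri: str) -> str:
    """Extract the base32 seed from an otpauth://totp/ provisioning URI (what the QR code encodes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    return parse_qs(parsed.query)["secret"][0]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with Google Authenticator's defaults: SHA-1, 30-second steps, 6 digits."""
    padded = seed_b32.upper().rstrip("=")
    padded += "=" * (-len(padded) % 8)  # restore base32 padding that QR payloads usually omit
    return hotp(base64.b32decode(padded), at // step, digits)


def current_code(seed_b32: str) -> str:
    """The code an authenticator app (or a second device holding the same seed) shows right now."""
    return totp(seed_b32, int(time.time()))


def verify_totp(seed_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift, using a constant-time compare."""
    candidates = (totp(seed_b32, at + d * 30) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)
```

Two copies of the seed, one on the authenticator device and one in cold storage, yield identical codes at any given time, which is both the recovery property and the reason the seed must never leak.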

What follows are step-by-step instructions for setting up a secure Google account (Gmail, Voice, Drive, YouTube, etc.), and following that, steps for setting up Google Voice.

Step 1: Sign up for a new account at https://voice.google.com

In order to ensure that your account is not recoverable through answering “security” questions, randomize your personal information.

Step 2: edit My Account settings

Step 3: Look for ‘Signing in to Google’ on the left

Step 4: enable 2-step verification

Step 5: you’ll need to first set up SMS 2-step verification before you can add one of the secure methods.

Step 6: enter SMS confirmation code

Step 7: turn it on

Step 8 (OPTIONAL): Set up back up codes

Step 9 (OPTIONAL): save your backup codes in a secure, offline, location.

Step 10: set up Google Authenticator (or U2F Security Key)

Step 11: scan QR Code with GA application on secure device

Step 12: enter GA confirmation code shown on GA app

Step 13: click ‘done’ to complete GA setup

Step 14: remove voice/text as second verification step option

Step 15: confirm phone removal

Step 16: confirm phone is removed

Step 17: go back to account settings

Step 18: under Account recovery options, click email

Step 19: delete the recovery email address, leaving the field blank

Step 20: delete the recovery phone number

Step 21: edit the recovery phone number

Step 22: remove the recovery phone number

Step 23: confirm removal of recovery phone number

Step 24: confirming that the curse has been lifted

Step 25: go back to sign in settings

Step 26: witness perfection – Google account now secure

Step 27: on to Google Voice setup

Step 28: get a new number

Step 29: add a US forwarding phone (can be removed later)

Step 30: verify forwarding phone number

Step 31: search number options

Step 32: select a number

Step 33: finish phone number selection

Step 34: remove call forwarding

Step 35: confirm removal of call forwarding

Step 36: configure voicemail & text

Voicemail Greeting: Record blank so as not to reveal any information about the telco or account owner to any random caller

Recorded Name: Record blank

Voicemail Notifications: disable or choose secure recipient, like another secret gmail account that you only use on your 2FA security device

Text Forwarding: disable or choose secure recipient, like another secret gmail account that you only use on your 2FA security device

Voicemail PIN: set at least 8 characters

Voicemail Transcripts: disable

Step 37: test it out

Step 38: review what your email box should look like if you’ve completed all the steps

Step 39: make sure that you never unlock your number

Step 40: relax

More background, resources and reading:
