By: Nathaniel Popper
Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.
In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.
Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.
“My iPad restarted, my phone restarted and my computer restarted, and that’s when I got the cold sweat and was like, ‘O.K., this is really serious,’” said Chris Burniske, a virtual currency investor who lost control of his phone number late last year.
A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission’s own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.
But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr. Burniske.
Within minutes of getting control of Mr. Burniske’s phone, his attackers had changed the password on his virtual currency wallet and drained the contents — some $150,000 at today’s values.
Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.