SIM-swapping has plagued cryptocurrency holders for close to a year, and now Google’s head of account security has had enough. He wants to put a stop to it with a clever gadget the size of a flash drive.
This new form of identity fraud hinges on tricking telecom staff into rerouting a victim’s telephone number to a SIM card housed in a device under the control of an attacker.
Its effect was demonstrated recently when a victim filed a $224 million lawsuit against his cell phone provider, AT&T, alleging gross negligence that led to $24 million worth of cryptocurrency being taken from his accounts.
An overt reliance on SMS-based two-factor authentication (2FA) systems has only compounded the problem. While these are regarded as an upgrade to traditional verification methods like usernames and passwords, SMS-based 2FA presents cybercriminals with a clear attack vector.
If hackers can take control of a phone number, they are the ones who receive the one-time codes, giving them instant access to sensitive information.
Google is one of many tech giants to present a solution. It released its Titan Keys last August, a $50 set of hardware devices that cryptographically tie a particular physical key to an account, effectively keeping anyone without a registered key at bay.
Users connect the Key to a device, such as a laptop or a smartphone, and sign into the account they wish to protect. This can be done via USB, NFC, or Bluetooth. A button on the Key is then pressed, which cryptographically registers the Key to the user’s account.
It’s not exactly necessary to carry around the Keys, but users will need to have at least one handy to sign in.
Purchasers of Titan Keys can also enrol in Google’s Advanced Protection Platform, which provides a supplementary bundle of security measures.
Cryptocurrency is like catnip for attackers
In light of recent trends, Hard Fork spoke with Mark Risher, Google’s head of account security, to get a sense of how the Big G is interpreting the rise of cryptocurrency-centric SIM-swapping.
According to Mark, the touted benefits of cryptocurrency fit fraudsters perfectly, and targeted fraud through SIM-swapping is, in a sense, the “new” Viagra spam.
“We commissioned some research several years ago about spam,” Mark told Hard Fork. “The typical spammer would break into your account and use it purely so they could send out Viagra ads to everyone in your address book. The expected yield on one of those break-ins was thousandths (or tens of thousandths) of a penny. It was insignificant gain so it only worked at scale.”
Now, Viagra spammers are no longer a problem for Google, but as Mark put it: “Cryptocurrency is like catnip for these attackers.”
“Things like the instantaneous nature of it, the very, very low transaction fees, the frictionless nature of money moving around, the pseudonymity. All are great for legitimate users, but they really work in the favor of people breaking into your account,” he explained.
In this sense, the rise of SIM-swapping can be attributed to the relatively recent popularity of cryptocurrency, as those people breaking into email accounts have seen yields go from a thousandth of a penny to potentially tens, or hundreds of thousands of dollars.
“And because of the volatile nature of cryptocurrency, it could be even higher, [the price] could have just doubled overnight, and suddenly you’re a very hot target,” Mark added.
With this in mind, Mark believes it’s prudent for cryptocurrency investors to protect their accounts with hardware devices like Google’s Titan Keys.
Titan Keys remove the weak spot: the telcos
Mark highlighted that the Titan Key effectively removes the telephone companies from the equation altogether, eliminating the weak spot exploited by SIM-swappers.
“There’s no code that sends over the airwaves, nothing is sent to the telcos,” said Mark. “If your phone number has changed, we won’t even know as part of this flow, and if someone else has grabbed your phone number, they won’t have any higher credibility than a complete stranger.”
“The Titan Key that is physically present makes SMS a non-threat,” he continued. “A SIM-swapper taking over a phone number is not going to give an advantage to the attackers. It is a far more robust form of 2FA than simply relying on a one-time code sent via SMS.”
To date, there have been no confirmed cases of people being phished while enrolled in the Advanced Protection Program.
“So, from that standpoint, it’s 100 percent effective,” Mark noted, adding that Google itself has rolled out Titan Keys for employees.
While Google’s device essentially registers accounts with devices, and it does support a set of approved services like Dropbox and LastPass, there aren’t any apps specific to cryptocurrency that have made that exclusive group just yet.
This means users can’t exactly secure their Coinbase accounts directly with a Titan Key. They can, however, protect their email accounts from hackers, which can be critical when under threat of spearphishing or SIM-swapping.
OK – but how are they different from other security keys?
Hard Fork asked the difference between Google’s Titan Keys and other similar solutions out on the market.
RSA’s SecurID – a physical dongle that displays a 6-digit code to be used when logging into accounts – is one. Google’s own Authenticator app is another.
To Mark, all of these kinds of models are functionally equivalent to receiving a text message, so they’re not airtight from a cybersecurity perspective.
“What happens is some device serves up a secret code and then the user needs to look at the webpage or application he or she is trying to log in to, verify that it’s real, that there’s nothing suspicious, that it’s coming over an HTTPS connection, that it hasn’t been tampered with, and so forth. They then type in that code, and that does the authentication,” he explained.
Mark is describing a ‘man-in-the-middle’ attack, where a user mistakenly visits a fake site designed to intercept their credentials.
In this scenario, all the burden of proof rests solely with the user. That’s different with the Titan Keys; Google designed its firmware to detect when a user is being phished.
Mark commented: “We’ve flipped that around, and made it so that the site has to prove itself to the key. The site, through the browser, through the USB or Bluetooth wireless connection, talks directly to the key to prove that it is who it says it is.”
“What it means is the human being can be confused, drunk, distracted, blindfolded, what have you, there’s no human in the loop, there’s no human fallibility, so in that way it’s transformative in terms of phishing,” Mark noted.
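To make the “site proves itself to the key” idea concrete, here is an added simulation (not Google’s, Yubico’s, or the FIDO project’s code) of the origin binding that gives a security key its phishing resistance: the browser, not the page, writes the origin into the signed data, so a code relayed through a look-alike page fails at the genuine site, whereas a relayed one-time code is accepted. The origins, the HMAC-based stand-in for the key’s asymmetric signature, and the sample codes are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample origins. Assumption: an HMAC secret shared with the relying
# party stands in for the real key's asymmetric signature; the binding logic is the same.
RP_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts.example.com.phish.example"

class SecurityKey:
    """Simulated hardware key: it signs only hash(app id) || hash(client data)."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def sign(self, app_id: str, client_data: bytes) -> bytes:
        msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

def browser_assert(key: SecurityKey, page_origin: str, challenge: str) -> tuple:
    """The browser, not the web page, records the origin the user is really on."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return client_data, key.sign(page_origin, client_data)

def rp_verify(key: SecurityKey, challenge: str, client_data: bytes, sig: bytes) -> str:
    """Relying-party check: our origin, our challenge, and a signature over both."""
    data = json.loads(client_data)
    if data.get("origin") != RP_ORIGIN:
        return "rejected: origin mismatch"
    if data.get("challenge") != challenge:
        return "rejected: stale challenge"
    if not hmac.compare_digest(key.sign(RP_ORIGIN, client_data), sig):
        return "rejected: bad signature"
    return "accepted"

def otp_verify(expected_code: str, typed_code: str) -> str:
    """A one-time code carries no origin: whoever relays it in time gets in."""
    return "accepted" if hmac.compare_digest(expected_code, typed_code) else "rejected"

def demo() -> dict:
    key = SecurityKey()
    challenge = secrets.token_hex(16)  # issued by the genuine site for this login
    direct = rp_verify(key, challenge, *browser_assert(key, RP_ORIGIN, challenge))
    # A look-alike page relays the genuine challenge, but the browser binds its own origin.
    relayed = rp_verify(key, challenge, *browser_assert(key, PHISH_ORIGIN, challenge))
    code = "493021"  # constructed SMS code, relayed the same way
    return {"key_direct": direct, "key_relayed": relayed, "otp_relayed": otp_verify(code, code)}
```

The user never has to inspect the address bar: the mismatch is caught by the genuine site, which is the “no human in the loop” property Mark describes.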
It’s worth mentioning there are pretty similar (and cheaper) alternatives on the market, most notably Yubikey.
By all accounts the Yubikey seems great – but even recent versions don’t support wireless connection via Bluetooth.
This is a design choice touted by Yubico, the creator of Yubikey, as it says Bluetooth presents a security risk.
It’s a whole new decentralized world
The way Mark sees it, in this cryptocurrency space, it’s all new.
Ten years ago, if you had $100,000 in online holdings, more than likely you kept a private, personal relationship with a banker. Someone who you would work with and knew by name.
Now, that’s simply not the case – for cryptocurrency investors, it’s probably an app that didn’t even exist two years ago.
“There’s far fewer of these verification channels, and in the zeal and enthusiasm around cryptocurrency – making it fast and effortless to send sums of money – it hasn’t quite caught up with, or it’s being exploited or taken advantage of, by these attackers,” he commented.
Mark warned the lack of cryptocurrency app support shouldn’t deter those users from securing their Google accounts with one of its devices.
He noted many cryptocurrency wallets request an email account during the registration process, and just by statistical prior probability, it will often be a Gmail account.
“That’s what we’re locking down, so you can still use whatever wallet you want, whatever company you’re interacting with. What we’re trying to do is make sure that nobody can go and grab that email address and in doing so, impersonate you with that cryptocurrency wallet,” Mark explained.
He also added that most cryptocurrency exchanges are “pretty young companies.” They haven’t had the time (and maybe the expertise) to develop robust protocols for authentication and account recovery, highlighting the need for a more secure alternative.
Wait, didn’t a Google Twitter get hacked by Bitcoin scammers?
Ironically, Hard Fork reported on a related matter a few months back involving a hacked Google Twitter account.
For a brief while, cryptocurrency scammers had somehow managed to hijack the G Suite Twitter account to tweet some very suspicious links to dubious Bitcoin giveaways.
“Yeah, there was an incident that took place, not as part of Google, in fact, our accounts are all secured with 2FA and additional confirmations,” Mark revealed.
“This was through some service provider and I’m not really sure of their relationship.”
Another dampener is that Titan Keys are currently region-locked – they can only be sold in the US.
A Google spokesperson told Hard Fork it is working on getting the required hardware compliance labeling in place to be able to sell to other markets, but it doesn’t have a timeline to share at this stage.
Still, while cryptocurrency exchanges and telecom services play catchup with their anti-SIM-swapping security measures, the Titan Key’s asking price of $50 seems a small price to pay – especially for those who enjoy self-identifying as high-value cryptocurrency investors.
Published January 23, 2019 — 10:03 UTC