A young man from Ontario, Canada, has been arrested for a multimillion-dollar crypto theft that exploited the two-factor-authentication system used by many exchanges globally.
The suspect manipulated cellular network employees to duplicate phone numbers so that he could intercept the two-factor authentication details, according to the Hamilton police in Ontario.
About CAD$46M ($36.5M) worth of cryptocurrency was stolen from the victim. The investigation that led to the arrest began in March 2020. It involved the Federal Bureau of Investigation (FBI) and the United States Secret Service, who investigated a similar incident affecting a victim in the U.S.
The Canadian Anti-Fraud Centre lists guidelines and tips for protecting digital funds.
Vulnerable to exploitation
The British Columbia Royal Canadian Mounted Police, the British Columbia Securities Commission, the Canadian Anti-Fraud Centre, and municipal authorities have warned Canadian citizens about criminals using social media and dating sites to target people with crypto-related scams. In the first three quarters of 2021, residents of British Columbia lost $3.5M in crypto-related scams.
The Logic reports that more than 600 companies offer cryptocurrency-related services in Canada that are not registered with the relevant securities regulator, highlighting Canada’s lax defenses against fraud. The companies hold approximately $144B worth of bitcoin (as of March 2021).
Is two-factor crypto authentication enough?
A ‘factor’ can be one of the following: something one knows (PIN or password), something one has (cellphone), or something that one is (fingerprint, face recognition). It’s often difficult to gain access to more than one of these factors at a time, hence the popularity of the two-factor authentication protocol.
Sometimes exchanges will send customers an SMS with a one-time PIN. If cellphones get stolen, or somehow the messages are faked, one of the factors will get compromised, as in the case of this crime. The use of hardware wallets can also protect users from the risk of hot wallets that are connected to the internet.
A group hacked a Coinbase account in 2017 in an experimental exercise by exploiting a flaw in the cellular network that allows text messages sent to a number to be intercepted. That allowed them to reset the Coinbase password for the account holder. The cellular network was also a vulnerability in the aforementioned Canadian attack. In a separate incident, 6,000 Coinbase users had their data stolen through a phishing attack that exploited the two-factor authentication system.
The SS7 network is a system in the U.S. that is used to manage calls and texts between phone numbers. There are many known SS7 vulnerabilities, and hijacking services are even available on the dark web.
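The section above notes that control of a phone number can yield both the one-time PIN and a password reset, so two factors collapse into one. The following added example (not from the original article; the account designs and factor names are constructed assumptions) audits an account design by computing every factor reachable from the phone number alone through chained recovery routes.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    login_requires: set  # factors that must all be presented to log in
    # recovery[f] = alternative factor sets; holding any one set yields f
    recovery: dict = field(default_factory=dict)

def reachable(account: Account, controlled: set) -> set:
    """Every factor obtainable from `controlled` by chaining recovery routes."""
    have = set(controlled)
    changed = True
    while changed:
        changed = False
        for factor, routes in account.recovery.items():
            if factor not in have and any(set(r) <= have for r in routes):
                have.add(factor)
                changed = True
    return have

def takeover_possible(account: Account, controlled: set) -> bool:
    return account.login_requires <= reachable(account, controlled)

# Constructed account designs (not real services).
ACCOUNTS = [
    # SMS PIN as second factor AND as the password-reset channel.
    Account("sms_reset", {"password", "sms_pin"},
            {"sms_pin": [{"phone_number"}], "password": [{"sms_pin"}]}),
    # Reset goes by e-mail, but the inbox itself is recoverable by SMS.
    Account("email_reset_sms_inbox", {"password", "sms_pin"},
            {"sms_pin": [{"phone_number"}], "password": [{"email_inbox"}],
             "email_inbox": [{"sms_pin"}]}),
    # Reset needs the e-mail inbox, which has no phone-based recovery.
    Account("email_reset_only", {"password", "sms_pin"},
            {"sms_pin": [{"phone_number"}], "password": [{"email_inbox"}]}),
    # Second factor is a fingerprint; reset needs inbox plus fingerprint.
    Account("biometric", {"password", "fingerprint"},
            {"password": [{"email_inbox", "fingerprint"}]}),
]

def audit(controlled: set) -> dict:
    """Map account name -> True if `controlled` alone suffices to log in."""
    return {a.name: takeover_possible(a, controlled) for a in ACCOUNTS}

if __name__ == "__main__":
    for name, exposed in audit({"phone_number"}).items():
        print(f"{name:24} {'EXPOSED' if exposed else 'holds'}")
```

Only the designs whose knowledge factor has no recovery path leading back to the phone number keep two independent factors.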