The high-stakes poker world has been rocked by a series of high-profile account takeovers that exploit the same weakness in mobile carrier procedures that was used against prominent Bitcoin personalities earlier this year.
Poker Players Targeted
Over a 72-hour period, well-known poker personalities Vanessa Selbst, Vanessa Rousso and Dan Smith tweeted that attempts had been made either to hack into their email and social media accounts or to port their cell phone numbers to a different device.
This is insane. Someone hacked my gmail, changed PW on my @Dropbox account, and there's no one that can provide immediate help
— Vanessa Selbst 🏳️🌈 (@VanessaSelbst) May 23, 2017
Because of lax verification procedures at mobile carriers, an attacker can often get a number ported simply by phoning support armed with publicly available personal details. Once the number rings on an attacker-controlled device, every SMS-based control on the victim's accounts arrives there too: one-time login codes, password-reset links and "confirm it's you" prompts. That defeats the weaker forms of two-factor authentication, such as SMS verification, and, for accounts that allow phone-based recovery, the password itself.
This gives an attacker a path into a wide range of accounts. In Selbst's case, her email and Dropbox accounts were compromised, and, shockingly, even after she was assured that no further changes to her account security PIN could be made over the phone, her PIN was changed twice by an attacker:
— Vanessa Selbst 🏳️🌈 (@VanessaSelbst) May 24, 2017
The poker industry is an increasingly obvious target for hackers. Bitcoin-only gaming sites, such as Nitrogen Sports, have increased in popularity as the online poker industry fights an ongoing battle with regulation and AML/KYC laws that have been in effect since the infamous events of ‘Black Friday’, April 15 2011.
Bitcoin has become popular due to its quick withdrawal times, and with an influx of poker players now having bitcoin wallets and exchange accounts, the need to be aware of account security becomes increasingly important.
High-stakes poker pro and YouTube personality Doug Polk dedicated a video on his channel to the event, noting that while three players reported hacks, other professionals had also fallen victim but were unwilling to go public. Polk went on to say that with Selbst, “they got access to her Gmail…. but did not get access to her bitcoin or anything like that because those accounts had 2FA that were not through text.”
Polk displays a good grasp of the issues, and spent time in his video outlining the methods used in these attacks and the difference between using a service like Google Authenticator and SMS based authentication — something critically important in this new cryptocurrency era. “Anything you back with text messaging, which many do for Gmail, is vulnerable”.
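To make Polk's distinction concrete, here is an added example (not code from the article or from Polk's video) of what an app like Google Authenticator actually does: RFC 4226 HOTP / RFC 6238 TOTP, implemented with only the Python standard library and checked against the reference secret those RFCs publish. The server and the phone share a secret once, at enrolment; every later code is derived from that secret and the clock, so no code ever transits the carrier and porting the number gains the attacker nothing. An SMS code is the opposite: a random value the server must send to whatever handset currently holds the number. The drift window and replay check in `verify_totp` are one reasonable server-side design, assumed here rather than taken from any particular service.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP: the algorithm behind authenticator apps.
Added example; standard library only."""
import base64
import hashlib
import hmac
import secrets
import struct

# Reference secret from RFC 4226 / RFC 6238 ("12345678901234567890" in ASCII),
# written the way an otpauth:// provisioning URI or QR code carries it: base32.
REFERENCE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30  # seconds per code; Google Authenticator's default


def decode_secret(b32: str) -> bytes:
    """Turn the base32 secret from a provisioning URI into raw key bytes."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed 30 s steps."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_step: int, window: int = 1):
    """Server-side check (design assumed for this example). Tolerates one step
    of clock drift either way, compares in constant time, and refuses any step
    at or before the last accepted one so a code that was phished or read off
    a screen cannot be replayed. Returns (ok, new_last_accepted_step)."""
    current = unix_time // TIME_STEP
    for step in range(current - window, current + window + 1):
        if step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, last_accepted_step


def new_enrolment_secret() -> str:
    """What a server generates at 2FA enrolment: 20 random bytes (the 160-bit
    key size RFC 4226 recommends), shown to the user as base32 in a QR code.
    After this moment the secret never leaves the phone or the server."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    key = decode_secret(REFERENCE_SECRET_B32)
    # RFC 6238 Appendix B: at Unix time 59 the 6-digit SHA-1 code is 287082.
    print("code at t=59:", totp(key, 59))
    ok, step = verify_totp(key, "287082", 59, last_accepted_step=-1)
    replayed, _ = verify_totp(key, "287082", 75, last_accepted_step=step)
    print("accepted:", ok, "| same code replayed 16 s later accepted:", replayed)
```

The contrast with SMS is the absence of any delivery step: there is no number to port and no message to intercept, which is exactly why Selbst's bitcoin accounts survived while her Gmail did not. The reference secret above is published, so it is for checking the implementation only; a real enrolment uses `new_enrolment_secret()`.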
Prominent Bitcoiners Targeted With Same Flaw
Unfortunately, security at mobile network providers has been frustratingly slow to catch up with these attacks. In 2016, US Congressman Ted Lieu let security researchers demonstrate for a CBS investigation how easily weaknesses in Signaling System 7 (SS7), the signalling protocol carriers use to route calls and texts between networks, can be abused to intercept a target's calls and text messages knowing only their phone number. SS7 interception and number porting are different techniques, but they end the same way: the SMS code meant for the victim lands with the attacker. He followed up with this statement:
“Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number… It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security.”
Many prominent Bitcoin users agree. Lax security at network providers prompted Ryan Selkis, aka "2 Bit Idiot", to tweet about his frustrations in dealing with them. Cleverly, Selkis used his tweets as a timestamp, publicly stating that if his number were ever ported without in-store verification, he would sue.
This spate of hacks shows that as cryptocurrency use spreads, each new social group that adopts it is likely to face the same threats the online poker community now faces. It is a reminder that being individually proactive matters most in online security: network providers have proved too slow and cumbersome in improving their procedures and, as Vanessa Selbst's example shows, cannot be trusted to stick even to the policies they already have.
Do you use text messages for authentication? Are you concerned? Let us know in the comments.
Images via Pixabay