Digital currency broker Coinbase Inc. was reportedly hit with a port swapping attack in 2016. What is a port swapping...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
attack, and are there any precautions companies should take?
Port swapping occurs when a thief ports a victim's phone number to a device under the thief's control. The attack begins with the thief searching for people who work in a particular industry or by sifting through social media accounts that mention bitcoin and Coinbase. It won't take long for the thief to find the victim's email address and mobile phone number online through a Contact Us page, for example.
Pretending to be a legitimate user, the thief calls the victim's mobile provider -- in the case of Coinbase, the provider was Verizon -- to port the phone number to a voice over IP provider, thus bypassing Authy, an app that provides multi-device two-factor authentication. Verizon accepted the phone number as an alternative to an email address to log in.
Shortly after the thief resets the email password, the victim receives a VZW FREE MSG message to confirm that his account password was created or changed. The victim didn't make the request, so he is directed to call Verizon by dialing *611 from his cellphone. The victim then discovers -- too late -- that his account was closed by the attacker.
Meanwhile, the thief changes the Coinbase password and text message information to enable two-factor authentication. If he is not caught in time, the thief is able to steal the money in the victim's account and put it in digital wallets he owns.
Here are some precautions companies should take when they get strange text messages from any phone service providers that might lead to a port swapping attack:
- Call the phone provider's customer service line and set up a temporary PIN or password that can be changed later. Place an order to freeze a port and to lock each account attached to a current SIM. Don't reply to text messages about password changes.
- Avoid using text message two-factor authentication. Disable Authy's multi-device functionality. Consider Google or Microsoft Authenticator, which use a QR code to store secret keys locally on a single device.
- Use a unique, long password for your account.
- Don't use text messaging for account recovery.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Judith Myerson
A patch was issued for the Dirty COW vulnerability, but researchers later discovered problems with the patch. Expert Judith Myerson explains what ...continue reading
Getting firewall settings right is one of the most basic ways to protect enterprise data from accidental exposures. Expert Judith Myerson discusses ...continue reading
Expert Judith Myerson explains how IP theft can happen despite the cryptographic protections in IEEE standard P1735, as well as what can be done to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.