At about 9pm on Tuesday, August 22 a hacker swapped his or her own SIM card with mine, presumably by calling T-Mobile. This, in turn, shut off network services to my phone and, moments later, allowed the hacker to change most of my Gmail passwords, my Facebook password, and text on my behalf. All of the two-factor notifications went, by default, to my phone number so I received none of them and in about two minutes I was locked out of my digital life.
I noticed all of this at about 10pm – I was just queuing up Rick & Morty and settling in for the evening – and I assessed the damage and called T-Mobile. By 10:30 I reset my old SIM and began the process of changing all of my passwords and hardening my 2-factor accounts and T-Mobile account, presumably ensuring that this would not happen again.
Sadly, I worry it will.
My hacker was thorough. In the course a few minutes he or she did a quick search of my Facebook Messenger messages and assessed that I was originally from Ohio and that my Dad was sick. He or she used this information to approach people I knew in the cryptocurrency space with a story that was, arguably, quite ludicrous: the hospital would pull the plug on my Dad if they didn’t get payment of a bill and that I, in my anguish, needed to borrow and sell 10 bitcoins immediately and would pay the friend back 15 the next morning. Luckily my friends weren’t idiots and immediately texted me and my wife.[gallery ids="1530578,1530579,1530577,1530576"]
The hackers’ IP (18.104.22.168), which points to LogicWeb in Plano, Texas, along with a breadcrumb noting a login from Florida suggests that the hackers were from the United States. They clearly had the modus operandi down because they also hacked two other friends of mine in the space of a week.
This all came about, I believe, after another friend in the cryptocurrency space was hacked last week. That hack bore all the same hallmarks as this one except the SIM hijacking. First the hacker grabbed access to my friend’s Facebook Messenger and contacted everyone on his list that was interested in cryptocurrency, including me. In the ensuing melee the hacker asked me to send 10 Bitcoin and that he would send me 11 back in the morning. Confused, I told them that I had some Bitcoin but not that much. I then realized the ruse and asked “Did you talk to Wallace Shawn yet? He can help. I think he’s having dinner with Andre right now.” The hacker claimed that Wallace wasn’t available. I knew I’d been had.
This interaction led to my hacking. Once it was clear that I had some bitcoin somewhere the hackers decided I was their next target.
Ultimately I got away lucky. Nothing major was stolen as of today and I took control of all of my accounts fairly quickly. I had some two-factor set up but because my phone was compromised first I lost access to most of it. I’ve since activated authentication apps for all of my accounts. The biggest question is how the hackers took control of my SIM card. This is the most troubling and T-Mobile is looking into what happened.
My trouble is not new Bitcoin exchange Kraken warns of this and suggests a few tricks to keep yourself safe. They write:
Call your telco and:
Set a passcode/PIN on your account
- Make sure it applies to ALL account changes
- Make sure it applies to all numbers on the account
- Ask them what happens if you forget the passcode
- Ask them what happens if you lose that too
Institute a port freeze
Institute a SIM lock
Add a high-risk flag
Close your online web-based management account
Block future registration to online management system
Hack yo’ self
See what information they will leak
See what account changes you can make
They also recommend changing your telco email to something wildly inappropriate and using a burner phone or Google Voice number that is completely disconnected from your regular accounts as a sort of blind for your two factor texts and alerts. I’m putting all of these into practice.
Barring any further forensics – and I’d welcome any help in hunting these guys down – I’m going to have to assume that my data is safe for now but also that it is always and forever at risk. This is my first major hack in the Facebook age and the feeling of panic I felt is still palpable. If it happens to you I can recommend first locking down your phone and then dealing with your emails and other accounts. Further, assume nothing is safe. I’m far more interested in physical security at this point, realizing that things I have in my hand are far safer than things I have on my hard drive.
I was hacked. You will probably be hacked. It’s getting harder to hack user accounts but it is definitely not impossible. Be ready for the worst and hopefully it will never happen. If it does, have a plan and a backup and maybe, just maybe, you’ll have a prayer.