The pattern is almost always the same.
The victim notices that their cell phone doesn’t have service, or they can’t log into their email.
That’s what happened to Nicholas Hoffman, a San Francisco crypto investor, two weeks ago. When he recovered his email account, Hoffman discovered that someone had logged into his crypto accounts from new IP addresses.
“I started freaking out,” Hoffman said. “They had the passwords to every single thing, ever. They didn’t log into bank accounts, or normal financial accounts.”
But the hacker did get into his Kraken, Binance, Apple and other accounts.
“They got pretty much everything,” said Hoffman, who declined to say exactly how much he lost, saying only that it was thousands in cryptocurrency.
Hoffman, like many others, was the victim of a port-out scam. Someone pretending to be him bypassed his cell phone security measures at T-Mobile and transferred his identity to another device and carrier. While Reddit message boards are littered with stories of similar port-out scams, including from AT&T customers, T-Mobile has been the common denominator in a rash of recent hacking events.
T-Mobile didn’t respond to a request for comment and the company is already facing at least one lawsuit, filed in February. In Washington state, Carlos Tapang filed a complaint against the cell phone carrier claiming that the company didn’t ask for a PIN number. He lost 2.875 Bitcoin (about $20,000 USD at the time) and other cryptocurrency in the attack.
“T-Mobile has failed to establish or implement reasonable policies, procedures or regulations governing the creation and authentication of user credentials for authorized customers accessing T-Mobile accounts, creating unreasonable risk of unauthorized access,” Tapang claimed in the suit.
What’s most distressing to victims of the recent port-out hacks is that this isn’t a new problem for cell phone companies, and crypto figures are routinely targeted. Forbes reported on the issue in late 2016, and the New York Times published its own story last year.
Yet, T-Mobile’s problems seem unique. In October of 2017, T-Mobile closed a loophole that allowed hackers to access customer information, as reported by Motherboard. In February, T-Mobile sent a mass text to some customers, warning of the port-out scam, and directed them to a company website explaining the issue.
Still, when Hoffman talked to a T-Mobile customer support representative about his hack two weeks ago, “The woman on the phone tried to assure me that they’ve put thousands of hours into fixing this, and that I had nothing to worry about,” Hoffman said.
When he told her about the growing private Facebook group he belonged to for victims of the port-out scam, “She had the nerve to tell me the issue has been resolved…Of course, next day, another person with T-Mobile and an anti-porting PIN gets added to the ‘I’ve been hacked’ thread.”
Travis Wright, co-host of the “Bad Crypto” podcast, belongs to the same Facebook group, which seems to add new members every day. Wright himself was a victim of the port-out cybercrime last year. His cell phone company? T-Mobile.
“I understand cybersecurity,” said Wright, a former digital strategist for security software company Symantec. “If I can get hacked, anybody can get hacked.”
Wright talked about his experience on his podcast, and he was lucky. He didn’t lose any crypto, mostly because he didn’t have any access keys stored on his phone or computer.
Now, Wright has two-factor authentication (2FA) on almost everything and has a new mantra: “Don’t keep your crypto on your computer. Don’t keep it on your phone. Don’t keep it in your house.”
Pamela Morgan, CEO of the consulting firm Third Key Solutions, recommends that even people who use two-factor authentication via their cell number or SMS switch to another service such as Authy or a universal second-factor (U2F) solution such as YubiKey.
“Service providers can encourage adoption of such techniques by supporting U2F and discouraging or disabling SMS as a second factor,” said Morgan, who wrote a series on Medium titled “Bitcoin Security Made Easy: Simple Tips for Non-Experts.”
“Remember, you might own your phone but you definitely don’t own your phone number,” Morgan said.
As for Hoffman, he’s still digging out of his hack and trying to secure all his accounts. He even hired a security expert to help him.
“It was an expensive lesson in security,” Hoffman said.
“Most of my issues would have been avoided if I had non-SMS 2FA enabled,” Hoffman said. “It’s just better all-around to use providers that don’t have the same level of vulnerability as T-Mobile. Simply having T-Mobile makes a person a more likely target, regardless of 2FA security.”
If you’ve found yourself the victim of a cybercrime or port-out scam, visit the Federal Trade Commission’s identity theft website.