Kraken Blog

Security Advisory: Mobile Phones

Heed this or perish.

Let’s begin with the assumption that within 24 hours your usual mobile phone number will be hijacked by social engineers.  They will use your number to gain access to every account you own that utilizes phone-based authentication and account recovery, like your email.  They will then use that access and information to compromise more accounts, and harass, steal, blackmail and extort you and your associates.

In the past month, there’ve been at least 10 cases of people publicly involved in the cryptocurrency scene being victimized by mobile phone hijacking.  The consequences have been expensive, embarrassing, enduring, and, in at least one case, life-threatening.

If you are in any way publicly involved in cryptocurrency, consider yourself an active target.  You need to immediately audit the security of your accounts – especially email, social media, social networking and mobile phone.

Somehow, the masses have been led to believe that phone numbers are inextricably bound to identities and therefore make good authentication tools.  There’s a reason that Kraken has never supported SMS-based authentication:  The painful reality is that your telco operates at the security level of a third-rate coat check.  Here’s an example interaction:

Hacker:  Can I have my jacket?
Telco: Sure, can I have your ticket?
Hacker:  I lost it.
Telco:  Do you remember the number?
Hacker:  Nope, but it’s that one right there. 😉
Telco:  Ok cool.  Here ya go.  Please rate 10/10 on survey ^_^

So, we need to achieve three things:

1.  A shift in the way we think about phone numbers
2.  The securing of your phone number (to the extent possible)
3.  The separation of your phone number from any security functions

1. Changing the way we think about phone numbers

Telcos – Give up the security theater.  Start thinking of yourselves more like Brinks and less like Toys “R” Us.  Or, just be honest about what you offer: a gamble.

Service Providers – Stop accepting (and requiring) SMS as a method to “recover” or bypass all other security features on an account.  You’re custodians of valuable identities and information whether you like it or not.  You too need to think of yourselves more like a vault.  Until Telcos shape up, you’re perpetuating the misconception that phone numbers are secure.

People – Understand that phone calls and SMS should only be used when you have no alternative, secure mode of communication.  Certainly, do not mistake a phone number for an identity.  Try to stick to services where you actually own your identity, where your communications are private, and where you can authenticate your interlocutor.  See: Signal and BitMessage for a good start.

These problems of ownership in mobile numbers, email accounts, domains and other virtual identities are low-hanging fruit for Blockchain entrepreneurs.  Some attempts have already been made and more solutions are on the horizon.  I’m hopeful that we’ll work this out in the next few years.

2. Securing your mobile phone number and telco account

Call your telco and:

Secure the email address associated with your telco account

Consider switching to a more secure telco, without a human interface

Consider setting up a proxy phone number to hide your real one

Pray

3. Separating your phone number from security functions

Upgrade to secure 2FA methods wherever possible

Use SMS only where absolutely necessary, and consider whether you want it at all if it will also be used for account “recovery” or password bypass.  Ask yourself which is more likely: your password being stolen, or your mobile phone number being stolen.

If you must use SMS, you have two options:

Option A:

Option B (recommended):

An advantage of Option B is that you can (relatively) securely share access to the SMS messages through SMS-to-email forwarding rules, and by sharing the two-factor method’s seed.

It is recommended that you keep your interactions with this Google Voice number and its SMS messages to a device separate from your primary computer and smartphone.  An old smartphone would be a good option.

It is recommended that you keep a copy of your GA seed or U2F key in cold storage, else you should be prepared for the consequences of permanently losing access to the number.  Decide for yourself what’s worse: your losing access or an attacker gaining access, and secure yourself accordingly.

What follows are step-by-step instructions for setting up a secure Google account (Gmail, Voice, Drive, YouTube, etc.), and following that, steps for setting up Google Voice.

Step 1: Sign up for a new account at https://voice.google.com
In order to ensure that your account is not recoverable through answering “security” questions, randomize your personal information.

Step 2: edit My Account settings

Step 3: Look for ‘Signing in to Google’ on the left

Step 4: enable 2-step verification

Step 5: you’ll need to first set up SMS 2-step verification before you can add one of the secure methods.

Step 6: enter SMS confirmation code

Step 7: turn it on

Step 8 (OPTIONAL): Set up backup codes

Step 9 (OPTIONAL): save your backup codes in a secure, offline location.

Step 10: set up Google Authenticator (or U2F Security Key)

Step 11: scan QR Code with GA application on secure device

Step 12: enter GA confirmation code shown on GA app

Step 13: click ‘done’ to complete GA setup

Step 14: remove voice/text as second verification step option

Step 15: confirm phone removal

Step 16: confirm phone is removed

Step 17: go back to account settings

Step 18: under Account recovery options, click email

Step 19: delete the recovery email address, leaving the field blank

Step 20: delete the recovery phone number

Step 21: edit the recovery phone number

Step 22: remove the recovery phone number

Step 23: confirm removal of recovery phone number

Step 24: confirming that the curse has been lifted

Step 25: go back to sign in settings

Step 26: witness perfection – Google account now secure

Step 27: on to Google Voice setup

Step 28: get a new number

Step 29: add a US forwarding phone (can be removed later)

Step 30: verify forwarding phone number

Step 31: search number options

Step 32: select a number

Step 33: finish phone number selection

Step 34: remove call forwarding

Step 35: confirm removal of call forwarding

Step 36: configure voicemail & text
Voicemail Greeting:  Record blank so as not to reveal any information about the telco or account owner to any random caller
Recorded Name:  Record blank
Voicemail Notifications:  disable or choose a secure recipient, like another secret gmail account that you only use on your 2FA security device
Text Forwarding:  disable or choose a secure recipient, like another secret gmail account that you only use on your 2FA security device
Voicemail PIN:  set at least 8 characters
Voicemail Transcripts:  disable

Step 37: test it out

Step 38: review what your email box should look like if you’ve completed all the steps

Step 39: make sure that you never unlock your number

Step 40: relax

More background, resources and reading: