How to rob a software engineer in one night
In the spring of 2015 software developer Partap Davis lost $3,000. In a few short night hours an unknown hacker gained access to his two email accounts, his phone number and his Twitter account. The culprit cleverly bypassed the two-factor authentication system and emptied Partap's Bitcoin wallets. As you can imagine, Davis had a very unpleasant morning.
It is worth noting that Partap Davis is quite an experienced Internet user: he always chooses strong passwords and never clicks on malicious links. His email is protected with Google's two-factor authentication system, so when he logs in from a new computer, he has to type in six digits that are texted to his mobile phone.
Davis kept his savings in three Bitcoin wallets that were protected with another two-factor authentication service, provided by the Authy mobile app. Although Davis used all of these reasonable security measures, they did not save him from a targeted attack.
After the incident Davis got very angry and spent several weeks trying to find the criminal. He also reached out to editors at The Verge and enlisted them in this quest. Together they managed to work out how the hack was performed.
As his main email Davis used the Partap@mail.com address. All mail was forwarded to a less memorably named Gmail address (as Partap@gmail.com was already taken).
For several months, anyone who felt like it could buy a special script on Hackforum that let its buyer exploit a weakness in Mail.com's password reset page. Apparently, this script was used to bypass two-factor authentication and change Davis's password.
After that the hacker requested a new password for Davis's AT&T account and then asked customer service to forward Davis's incoming calls to a Long Beach number. The support service received the email confirmation and agreed to hand control of the calls to the culprit. With such a powerful tool in hand, it was not so hard to bypass Google's two-factor authentication and get access to Davis's Gmail account.
Since SMS codes were still being sent to Davis's old phone number, the hacker used Google's accessibility option for visually impaired users, which offers to read the confirmation code out loud over a phone call; with Davis's calls forwarded, that call went straight to the attacker. So Gmail was hacked, and only the Authy app stood between the hacker and his reward.
To overcome this obstacle, the criminal simply reset the app on his own phone using the mail.com address and a new confirmation code, again delivered by a voice call. With every security layer now in his hands, the hacker changed the password on one of Davis's Bitcoin wallets, using Authy and the mail.com address, and transferred all the money out.
The money in the other two accounts remained untouched. One of the services simply does not allow withdrawals for 48 hours after a password reset. The other asked for a scan of Davis's driving licence, which the hacker could not get his hands on.
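The 48-hour hold that saved one of the wallets is a simple policy to implement: after any event that could mean the recovery path was taken over (password reset, 2FA reset, recovery email or phone change), withdrawals are refused until a cooling-off window has passed. The sketch below is an added illustration, not code from any of the services mentioned; the event names and the constructed timeline are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Events after which the account's recovery channel may belong to an attacker.
# Names are constructed for this example, not taken from any real service.
RISKY_EVENTS = {"password_reset", "2fa_reset", "recovery_email_changed", "phone_changed"}


@dataclass(frozen=True)
class Event:
    kind: str
    at: datetime  # timezone-aware


def withdrawal_decision(events, now, hold=timedelta(hours=48)):
    """Return ("allow", None) or ("hold", release_time).

    A withdrawal is held until `hold` has elapsed since the most recent risky
    event. The legitimate owner loses at most two days of access to funds; an
    attacker who has just reset the password gets a window in which the victim
    can notice the takeover and react, which is exactly what stopped the theft
    from one of Davis's wallets.
    """
    risky = [e.at for e in events if e.kind in RISKY_EVENTS]
    if not risky:
        return ("allow", None)
    release = max(risky) + hold
    if now < release:
        return ("hold", release)
    return ("allow", None)


def demo():
    # Constructed timeline modelled on the incident: a password reset in the
    # early hours, a withdrawal attempt 20 minutes later, and the owner
    # checking again three days on.
    t0 = datetime(2015, 3, 1, 2, 0, tzinfo=timezone.utc)
    events = [
        Event("login", t0 - timedelta(days=30)),  # routine, not risky
        Event("password_reset", t0),              # start of the takeover
    ]
    attacker_attempt = withdrawal_decision(events, t0 + timedelta(minutes=20))
    owner_later = withdrawal_decision(events, t0 + timedelta(days=3))
    return attacker_attempt, owner_later


if __name__ == "__main__":
    print(demo())
```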