
Google’s head of account security has fix for cryptocurrency SIM-swapping



SIM-swapping has plagued cryptocurrency holders for close to a year, and now Google’s head of account security has had enough. He wants to put a stop to it with a clever gadget the size of a flash drive.

This new form of identity fraud hinges on tricking telecom staff into rerouting a victim’s telephone number to a SIM card housed in a device under the control of an attacker.

Its effect was demonstrated recently when a victim filed a $224 million lawsuit against his cell phone provider, AT&T, alleging gross negligence that led to $24 million worth of cryptocurrency being taken from his accounts.

An over-reliance on SMS-based two-factor authentication (2FA) systems has only compounded the problem. While these are regarded as an upgrade to traditional verification methods like usernames and passwords, SMS-based 2FA presents cybercriminals with a clear attack vector.

If hackers can take control of a phone number, they are the ones who receive the special codes, allowing instant access to sensitive information.

Google is one of many tech giants to present a solution. It released its Titan Keys last August, a $50 set of hardware devices that cryptographically tie particular devices to accounts, effectively keeping anyone without a registered device at bay.

Users connect the Key to a device, such as a laptop or a smartphone, and sign into the account they wish to protect. This can be done via USB, NFC, or Bluetooth. The user then presses a button on the Key, which cryptographically registers the device to the user account.

It’s not exactly necessary to carry around the Keys, but users will need to have at least one handy to sign in.

Purchasers of Titan Keys can also enrol in Google’s Advanced Protection Platform, which provides a supplementary bundle of security measures.

Cryptocurrency is like catnip for attackers

In light of recent trends, Hard Fork spoke with Mark Risher, Google’s head of account security, to get a sense of how the Big G is interpreting the rise of cryptocurrency-centric SIM-swapping.

According to Mark, the touted benefits of cryptocurrency fit fraudsters perfectly, and targeted fraud through SIM-swapping is, in a sense, the “new” Viagra spam.

“We commissioned some research several years ago about spam,” Mark told Hard Fork. “The typical spammer would break into your account and use it purely so they could send out Viagra ads to everyone in your address book. The expected yield on one of those break-ins was thousandths (or tens of thousandths) of a penny. It was insignificant gain so it only worked at scale.”

Now, Viagra spammers are no longer a problem for Google, but as Mark put it: “Cryptocurrency is like catnip for these attackers.”
