How secure is two-factor authentication? It’s the standard of security that most of us understand to be the safest way to operate online. To sign up for many services, you have to opt out of, not into, two-factor. And, some services will relentlessly message you to set it up until you do.
When you finally break down and set up a cell phone to text so you can prove the person trying to access your information is actually you, you’re safe, right? Strangers can’t get to your digital life without your services texting you for permission. Type in the code, prove it’s really you.
I have always felt secure in using my cell phone as second-factor authorization for many of my banking and financial accounts, with my being texted unique secret codes only my phone would receive to use in logging into those accounts.
I understood that each phone has a unique, physical SIM card chip to identify my phone to the T-Mobile network, so I never let the phone out of my possession. I believed this protected me. It’s all automated and robots don’t make mistakes.
People, however, do make mistakes. Worse yet, they make educated decisions to do harm. And worst of all, malicious intent doesn’t come with horns and a tail – the nice couple walking into your store asking for help could be identity thieves. And that’s where this particular experience begins… With people.
IDENTITY THIEVES
Back on June 23, 2022, at 7:22 p.m. CDT (a Thursday night), someone posing as me walked into a Virginia T-Mobile store. I don’t know the exact story told or how the request came out, but two (not just one, TWO) T-Mobile employees approved the issuing of a new SIM card for my phone. I am based in North Texas and was not anywhere near Virginia at that time. The employees set up the SIM card, capturing my phone number, among other things, and I was not notified.
The fraudsters then used my T-Mobile phone for second verification notification to access my Yahoo! email account. The new SIM card made it possible to text their phone, while mine stayed quiet.
My T-Mobile phone number and the Yahoo! email account were then used for two-factor authentication to sign into my cryptocurrency accounts at Coinbase and Blockchain, where I had my Bitcoin (BTC), Bitcoin Cash (BCH), Bitcoin SV (BSV) and Etherium (ETH) crypto currencies.
All of this happened without my knowledge.
ALERT
At approximately 8:30 PM, I noticed an email from Yahoo! in my Gmail account (my Yahoo! account listed Gmail, along with my cell phone, as possible sources of two factor authorization). In this email, Yahoo! noted that they sent a code to my cell phone in order to change the Yahoo! password.
This surprised me since I had not made any changes or signed into my Yahoo! account, so I looked at my phone to see if I had received the code. That is when I discovered that my phone was not working. It displayed the message “your phone’s not registered on a network, so you can only make emergency calls.”
At that point I became very alarmed and signed into my Yahoo! account and changed my password using my Gmail account to receive a security code for sign in.
WHAT ELSE DID THEY HIT?
I then tried to log in to Coinbase and Blockchain and was unable to access either. I sent urgent messages to both telling them that my accounts had been hacked and to freeze them immediately. This set off two months of nightmare as I attempted to work with Coinbase and Blockchain to get access to my accounts so I could determine what cryptocurrencies had been stolen from each account.
After I tried to log into my crypto accounts I logged into my bank accounts, investment accounts, and pharmacy accounts. Although everything seemed fine, I did change the passwords and was relieved, thinking that everything except the Crypto accounts were probably OK.
The next morning, Friday, I went to the local T-Mobile store (which I have dealt with and the employees knew me, with their dutifully checking my ID) to get a working SIM card and my cell phone service restored.
I called the T-Mobile fraud hotline and was told that I couldn’t file a fraud report unless I had a police report, so I went to the local police department and filed a report there.
The report number and officer badge number were then emailed to T-Mobile with my serving notice to them that I believed T-Mobile and their employees enabled the fraud. I also filed an FBI fraud report online.
THE NIGHTMARE WITH COINBASE CUSTOMER SUPPORT
Coinbase Customer Support is set up such that you can call to talk to a support employee, but you may not communicate with the actual employees who will be working on your problem. The support employees are trained to be very sympathetic and caring in talking to you, to document your case, assign a case ID# and send the case to the support employees who will work on fixing your problem.
Over a two-month period, I have had a series of seven separate case ID’s assigned to me in an attempt to gain access to my crypto account so I could officially determine what I had lost.
And for each of the seven case ID’s, I subsequently received an email from Customer Support telling me that my case had been resolved and the case closed… even though, from my perspective, nothing had happened!! I still couldn’t access my account!
As an example, on the fourth case ID# I was told by Lorena (we only get first names) on June 24 that, “within six days,” any remaining cryptocurrency in my hacked account would be transferred to the new account I had set up per earlier instructions.
Then that case was closed, and I went through a series of other case #’s talking to Tina, Razz and Lee, with each telling me everything in my original account would be transferred to my new account… but it didn’t happen, and those case #’s were closed!
Then, Dave Lieber, the renowned Dallas Morning News reporter known as “The Watchdog” officially contacted the Manager of Corporate Communications for Coinbase for a quote about the newspaper article he was writing, and my case was then transferred on August 19th to Travis in Customer Support.
Finally, on August 19, all of my Coinbase cryptocurrencies transferred to my new account! So the hacker didn’t get any of my crypto there. Celebrate!!
Coinbase officially says that on June 22 there were “suspicious transactions” on my account so it was frozen. Of course.
But we’re not finished yet.
THE BLOCKCHAIN CUSTOMER SUPPORT NIGHTMARE
After sending Blockchain multiple online requests to freeze my account on June 22 and 23, I finally received an email from Katherine in their support area the night of June 24. It said that they had found “suspicious activities on your Blockchain account and have restricted the usage of your account’s custodial services.”
And that started the forty plus email nightmare (no phone contact provided) with Blockchain trying to log into my account to determine how much of the Bitcoin (BTC) and Bitcoin Cash (BCH) originally in account might have been taken.
Both Bitcoin and Bitcoin Cash use blockchain technology (not the Blockchain company) which, using the wallets unique identifiers, allows anyone to separately track all transactions which an individual crypto wallet has with other crypto wallets. Running the report on my Bitcoin wallet I could see all of my buying and selling transactions going back to when I first opened my Blockchain account and purchased Bitcoin in 2013.
The reports showed that there were no transactions in my wallets of either BTC or BCH when I was hacked, with current balances of what I knew was in the wallets before the hacking. But I still couldn’t log into my blockchain account to be able to access the crypto wallets!
I was ultimately told that I could use my 12 word “recovery phrase,” which was set up when the account was opened in 2013 to recover my account and the crypto wallets in the account and, after a number of attempts, I was able in Mid-August to recover my Blockchain account.
But the individual crypto wallets containing my BTC and BCH were not in the recovered account!!!
Blockchain has taken the position that they did a systems conversion in 2016 and requested everyone to convert their accounts to the new technology. And It is implied that because I did not convert my account that I have lost the crypto wallets still containing my crypto which were in the account.
But I never received any email asking me to convert my account (I have all the email received from Blockchain going back to my opening the account in 2013). And I transferred and sold BTC and BCH in 2018 without any trouble.
Blockchain has stopped responding to me, and officially gave this stand-off quote to Dave Lieber for his article “Our customers have sole control of their funds and accounts with a self-custody wallet. The company never has access to customer accounts or funds.” If we had sole control, my wallets would be where I left them.
AND THE CREDIT CARDS
On July 7, I received both a text message and email from my bank asking if I had just used one of my credit cards to purchase an order from Denny’s in California.
I immediately called the bank and learned the bank had declined the card transaction because I had made a credit card transaction in Dallas the same day. I told them to freeze the card. And I subsequently learned that once someone steals your phone via a new SIM card, they can download onto their phone everything you had on yours before it was hacked. A full clone.
And because I naively utilized the contacts on my phone to record confidential information, like credit card numbers and passwords, that was probably the source of my credit card hacking. So, my contact information had probably been uploaded to the “dark web”! I then scrambled to install a password manager and spent two days changing all passwords and replacing all bank and department store cards.
SYSTEM-WIDE ISSUE
On June 28, a T-Mobile customer care representative called me. The rep said it was unfortunate this had occurred and asked for any reports showing “proof of loss.” I noted that I was attempting to work with Coinbase and Blockchain to gain access to my accounts so I could supply reports showing what amounts of my cryptocurrencies were stolen.
Then I received an official letter from T-Mobile, dated July 22, acknowledging that “Your SIM card was reassigned without your authorization,” and noting that “this is industry-wide issue.”
For Dave Lieber’s article they noted SIM swaps “are an industry-wide problem that all providers are working to fight,” and declined to comment on my experience with them.
WHERE WE ARE
I’ve recovered one of the crypto accounts, but am still trying to get my wallets back from the other. Any financial loss is stressful, but the inability to access your own property because a combination of malicious intent and refusal to intervene stand in your way is infuriating. I still don’t know who else had access to my cards, but the banks make changing your cards easy. It all could have been worse. I could have missed the email and they could have cleaned everything out.
It also could have been better with full customer support and someone checking an ID before handing over access to the one item that most of the world uses to prove to the robots that we can be trusted; that we are who we say we are. It’s not hard to do, just ask.
WHAT WE LEARNED
But there are lessons to be learned in every situation, good or bad. From this adventure into digital security, I’ve learned that we aren’t secure. Use strong passwords that people can’t guess. People might figure out your passwords and clone your phone to get what they want.
Add a note to your phone provider account requiring that you be in front of an employee with multiple forms of identification and be sent a notice to your existing SIM card phone before they issue a new SIM card.
Make sure you have both your phone and another email address getting information on account changes across your digital life.
Sometimes, the nice people are up to no good. Every company needs to require employees to follow security rules at every level of employment. Until identity thieves come in wearing signs of intent, this is in the world in which we live.
True, over-the-phone customer service is becoming a thing of the past. Learning to get the right phrases into an email or chatbot can go a long way.
Don’t keep identifying account information in your phone’s contacts list.
And, whatever else happens, don’t lose the key phrase you created/received upon any account setup.
Thanks, Dave
I want to give a special thanks to “The Watchdog” Dave Lieber for his ongoing service in warning the public about the dangers out there. There are many, he brings them to light for the good of us all.
Richard Bowen is widely known as the Citigroup whistleblower. As Business Chief Underwriter for Citigroup during the housing bubble financial crisis meltdown, he repeatedly warned Citi executive management and the board about fraudulent behavior within the organization. The company certified poor mortgages as quality mortgages and sold them to Fannie Mae, Freddie Mac and other investors.
