For just under 90 minutes last Thursday, hackers were able to compromise the systems of cryptocurrency lending platform BlockFi and gain unauthorised access to users’ names, email addresses, dates of birth, addresses and activity history.

In an incident report published on its website, BlockFi was keen to stress that the hacker’s activity had been logged and as such it was “able to confirm that no funds, passwords, social security numbers, tax identification numbers, passports, licenses, bank account information, nor similar non-public identification information” had been exposed.

That’s obviously a relief, but there are still plenty of bad things that could be done by anyone maliciously-minded who came across the information that was successfully accessed by the hacker.

So, how did the hacker gain access to BlockFi?

According to the crypto-lending platform, one of its employees was targeted by criminals who conducted a SIM swap attack, hijacking control of the worker’s phone number.

SIM swap attacks (also sometimes called Port Out scams) typically see a fraudster successfully trick a cellphone operator into giving them control of a target’s phone number.

That doesn’t just mean that a fraudster will now be getting phone calls intended for the victim. They will also be receiving SMS messages – which may include the tokens that some systems use to verify that a user logging in is who they say they are.

SIM swap attacks have become more common in recent years, and as a result there has been a concerted effort by many to push for more secure methods of authentication than a token sent via an SMS message. This is something that cryptocurrency-related firms should be particularly aware of, considering the past theft of many millions of dollars.

With the BlockFi employee’s phone number under their control, the hacker was (Read more...)