Fri. Feb 22nd, 2019

Thieves Use Doctored Photos to Steal Bitcoin

When hackers try to steal someone’s bitcoin from a cryptocurrency account, there’s a roadblock that invariably appears.

Most cryptocurrency exchanges require customers to use a two-step verification. It requires a one-time passcode to be entered after someone logs in with a username and password. It’s a crucial security tool that deflects account takeover attempts if thieves have already obtained someone’s account credentials.

Usually one-time passcodes are sent by SMS, but the safer way is to use an authenticator app  to generate the code.

Two-step verification is a common security tool used to prevent account takeovers, and it’s kept many accounts secure against hostile takeover artists. But in the event you lose your phone?

If users have not retained their set-up key or backup codes, they are locked out of their accounts. While some authenticator apps do allow syncing across devices, some don’t. Resetting it without that information can be a frustrating, days-long process involving the service provider.

Many cryptocurrency exchanges handle this by requiring users to hold up a piece of ID, a sheet of paper with some information written on it, such as a date, and take a photograph of themselves.

Fake Image: $50

Analysts at Alex Holden’s company Hold Security,  lurk in dark web hacking forums to learn of new data breaches and fraud techniques. According to Holden he has found approximately 10,000 doctored photographs, in part because the graphic designers are careless and publicly publish their work.

An altered photo costs $50, in which some are comically bad cut-and-paste jobs with mismatched pixel grains or glaring contrasts. But untrained eyes may have a hard time flagging the higher-quality fakes.

The people who actually appear in the photos may have no idea that they’re part of a scam, Holden says. Their photos have been discovered or stolen and repurposed. Pa

Cryptocurrency exchanges often have different account tiers. Some accounts have higher trading limits or those opened in countries with know-your-customer regulations may require photo ID. But if the exchange doesn’t have a photo on file to compare to the submitted one, there’s no baseline to detect the ruse.

Some companies have no ability to assert what their client looks like, and have to rely on this type of reset mechanism.

Such fraud highlights the broader problem that has plagued the commercial internet since its inception: Proving identity is difficult because personal data – from credit card data to passport numbers – can be stolen and replayed.

On the Horizon: Deep Fakes

According to Kraken an established exchange in San Francisco, they require a custom message to be displayed with each ID confirmation photo. Also, it matches the submitted photo with what it has on file, such as for Tier 3-level accounts. Kraken’s exchange allows customers to do leveraged or margin trading, and Tier 3 approved accounts can borrow up to $50,000.

A high volumed exhange company called Binance, moved to Japan after China banned cryptocurrency trading. It reports seeing many attempts to hijack accounts with bogus photos. .

Binance uses an automated risk management system that monitors users’ behavior to look for strange actions. If someone wants to reset an account or two-step verification, Binance asks for a set of photos. The individual must also complete a “face verification” step where they record videos of themselves.

Take the mashup of Jennifer Lawrence with Steve Buscemi’s face or the convincing one featuring former President Barack Obama, these techniques can eventually be applied to videos created for resetting accounts, Loveless says .

Ultimately, it will be difficult for service providers to trust nearly anything submitted by users. Mark Loveless a security researcher and authentication expert says authentication will have to progress, such as by requiring two pieces of biometric data combined with a cryptographic key stored in a hardware security module.