Dear all,

Over the last couple of months I've seen many posts from people who got their funds stolen from exchanges. In some cases 2FA was reset without the user's consent.

What I have also noticed during that period is ICOs popping up everywhere, asking for KYC before getting "free" tokens airdropped.

The KYC procedure often requires sending a passport scan and/or selfie.

Now know this...

The average price of a digital passport scan on the dark web is $14.71. If proof of address or proof of identification (a selfie, utility bill and/or driver’s license) is added to a passport scan, the average price jumps to $61.27.

That's one way for people to make money using your information. The next step, however, could have far bigger consequences when they use the info to steal your funds from exchanges.

E.g.:

The target has an account with a cryptocurrency exchange. They’ve set up two-factor authentication on their account, so a code is sent to an app on their phone to verify logins.

Through some other means, the scammer steals the user’s password (perhaps through phishing or a data breach, or by simply using the same password the user used to create an account on an ICO website). But because 2FA is enabled on the account, they can’t get in.

Instead, the scammer poses as the victim and approaches the cryptocurrency exchange, saying they’ve lost access to their phone and cannot get the authentication PIN, and thus cannot log in.

The cryptocurrency exchange requests that the account holder send a scan of their ID to prove their identity before resetting the 2FA on the account. In many cases, companies will require the person to take a selfie while holding the ID, hence the higher price for passport scans with selfies.

The scammer modifies the scans from the dark web as necessary to match the demand of the exchange (e.g. name of exchange with date), then sends them to the exchange, still posing as the victim.

Upon receipt of proof of identity, the cryptocurrency exchange resets or removes the 2FA on the account, allowing the hacker to access and drain the victim’s crypto assets. Hackers routinely change the passwords and email addresses associated with accounts to make it harder for the account owner to regain control.

So be careful who you send your passport scans and selfies to, and use cold wallets as much as possible.
Submitted November 22, 2018 at 09:22PM
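The chain described in the post (a support-driven 2FA reset, then password or email changes, then a withdrawal) is something an exchange can watch for in its own audit log. The sketch below is an added example, not part of the original post; the event names, the log layout and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Hypothetical audit-event names; a real exchange's log schema will differ.
RESET = "2fa_reset_by_support"
CRED_CHANGES = {"password_change", "email_change"}
WITHDRAWAL = "withdrawal"

# Constructed sample audit log: (ISO timestamp, account id, event type).
SAMPLE_EVENTS = [
    ("2018-11-20T09:00:00", "acct-1", "login"),
    ("2018-11-20T10:00:00", "acct-1", RESET),
    ("2018-11-20T10:05:00", "acct-1", "password_change"),
    ("2018-11-20T10:06:00", "acct-1", "email_change"),
    ("2018-11-20T10:15:00", "acct-1", WITHDRAWAL),
    ("2018-11-20T11:00:00", "acct-2", RESET),              # reset, then only a login
    ("2018-11-20T11:30:00", "acct-2", "login"),
    ("2018-11-21T08:00:00", "acct-3", "password_change"),  # no reset beforehand
    ("2018-11-21T08:10:00", "acct-3", WITHDRAWAL),
    ("2018-11-18T12:00:00", "acct-4", RESET),              # withdrawal long after reset
    ("2018-11-21T12:00:00", "acct-4", WITHDRAWAL),
]


def flag_reset_chains(events, window_hours=24):
    """Return {account: [follow-up events]} for accounts where a support-driven
    2FA reset is followed, inside the window, by a credential change or withdrawal."""
    window = timedelta(hours=window_hours)
    flagged = {}
    reset_at = {}  # account -> time of the most recent support-driven 2FA reset
    for ts, account, kind in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if kind == RESET:
            reset_at[account] = when
        elif kind in CRED_CHANGES or kind == WITHDRAWAL:
            start = reset_at.get(account)
            if start is not None and when - start <= window:
                flagged.setdefault(account, []).append(kind)
    return flagged


def severity(follow_ups):
    """'high' when funds moved after the reset, otherwise 'review'."""
    return "high" if WITHDRAWAL in follow_ups else "review"


if __name__ == "__main__":
    for account, follow_ups in flag_reset_chains(SAMPLE_EVENTS).items():
        print(account, severity(follow_ups), follow_ups)
```

A hit on this rule is a reason to hold the withdrawal and contact the account holder through a previously verified channel before the changed email address takes effect.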