Access Management , Analytics , Blockchain & Cryptocurrency

With Doctored Photos, Thieves Try to Steal Bitcoin

'Deep Fakes' May Eventually Complicate Identity Verification
With Doctored Photos, Thieves Try to Steal Bitcoin
An illustration on the website of cryptocurrency exchange Binance shows how users can reset two-step verification. (Source: Binance)

When hackers try to steal someone's bitcoin from a cryptocurrency account, there's a roadblock that invariably appears: a request for a one-time passcode.

See Also: Live Webinar | Taking the Challenges Out of Identity Security

Some cryptocurrency exchanges mandate that customers use two-step verification. It requires a one-time passcode to be entered after someone logs in with a username and password. It's a crucial security tool that deflects account takeover attempts if thieves have already obtained someone's account credentials.

A one-time passcode may be sent over SMS, but the safer way is to use an authenticator app, such as Authy, Cisco's Duo or Google Authenticator, to generate the code.

Two-step verification is the most common security tool to prevent account takeovers, and it's kept many accounts secure against hostile takeover artists. But what happens if you lose your phone?

If users have not retained their set-up key or backup codes, they are locked out of their accounts. While some authenticator apps do allow syncing across devices, some don't. Resetting it without that information can be a frustrating, days-long process involving the service provider.

Many cryptocurrency exchanges handle this by requiring users to hold up a piece of ID, a sheet of paper with some information written on it, such as a date, and take a photograph of themselves.

Foolproof, right? Not so. There's a market for doctored photographs that aim to persuade exchanges to reset two-step verification, says Alex Holden, CISO at Hold Security, a Wisconsin-based consultancy.

Fake Image: $50

Analysts at Holden's company lurk in dark web hacking forums to learn of new data breaches and fraud techniques. Over the past six months, Holden says he's found some 10,000 doctored photographs, in part because the graphic designers are careless and publicly publish their work.

Alex Holden

An altered photo costs $50, Holden says. Some are comically bad cut-and-paste jobs with mismatched pixel grains or glaring contrasts. But untrained eyes may have a hard time flagging the higher-quality fakes.

The people who actually appear in the photos may have no idea that they're part of a scam, Holden says. Their photos have been discovered or stolen and repurposed. Passport or ID details are changed to match the targeted victim's cryptocurrency account.

Cryptocurrency exchanges often have different account tiers. Accounts with higher trading limits or those opened in countries with know-your-customer regulations may require photo ID. But if the exchange doesn't have a photo on file to compare to the submitted one, there's no baseline to detect the ruse.

"Some companies have no ability to assert what their client looks like," Holden says. "They have to actually rely on this type of reset mechanism. How do you detect that there is something wrong with this picture?"

A doctored photo intended to try to reset two-step verification. The photo has been redacted by ISMG. (Source: Alex Holden)

Such fraud highlights the broader problem that has plagued the commercial internet since its inception: Proving identity is difficult because personal data - from credit card data to passport numbers - can be stolen and replayed.

Mark Loveless

"If there's a mechanism that needs to be overcome, a determined attacker with proper motivation is going to figure out a way around it," says Mark Loveless, a security researcher and authentication expert.

"Right now, the motivation is cash," he says. "They're going to think of some way to disengage whatever authentication may be in place to get access to that money."

Holden says the doctored photos appear to have had some success.

"It's not like hackers publish success rates," Holden says. "But because we know the guys that we are monitoring are actually making money off of it, I'd say yeah."

On the Horizon: Deep Fakes

Reached for comment, cryptocurrency exchanges - which are some of the most targeted businesses online - weren't eager to answer questions, for perhaps obvious reasons, given attackers' attention. But some offered insights.

San Francisco-based Coinbase declined to answer specific questions, but Elliott Suthers, its director of communications, does note that "to reset either the password or 2FA settings requires multiple levels of ID verification."

Kraken, another established exchange in San Francisco, says it requires a custom message to be displayed with each ID confirmation photo. Also, it matches the submitted photo with what it has on file, such as for Tier 3-level accounts. Kraken's exchange allows customers to do leveraged or margin trading, and Tier 3 approved accounts can borrow up to $50,000.

A less-convincing example of a manipulated photo (Source: Alex Holden)

Binance, one of the world's highest-volume exchanges, moved to Japan after China banned cryptocurrency trading. It reports seeing many attempts to hijack accounts with bogus photos. "Unfortunately, we're no stranger to these types of malicious attempts to gain access," it says.

Binance uses an automated risk management system that monitors users' behavior to look for strange actions. If someone wants to reset an account or two-step verification, Binance asks for a set of photos. The individual must also complete a "face verification" step where they record videos of themselves.

"Given the measures we currently have in place, I don't believe this threat is something for Binance to be particularly worried about at the present time," says a Binance customer support representative.

Loveless says requiring a video is clever - for now. But video manipulation is becoming more polished through advances in artificial intelligence, so much so that it has spawned a new category of deceptive content, or deep fakes.

Take the mashup of Jennifer Lawrence with Steve Buscemi's face or the convincing one featuring former President Barack Obama. Those techniques could also eventually be applied to videos created for resetting accounts, Loveless says (see: Face Off: Researchers Battle AI-Generated Deep Fake Videos).

"If someone's properly motivated, they don't even have to get good quality," Loveless says. "They could get something like that and make it a little grainy, and that will be good enough to pass."

Eventually, it will be difficult for service providers to trust nearly anything submitted by users. Loveless says authentication will have to progress, such as by requiring two pieces of biometric data combined with a cryptographic key stored in a hardware security module.

"We will have to keep raising the bar," Loveless says. "Even then, we are still going to encounter difficulty."

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.