DO NOT TRADE ON YOUR PHONE IN THE USA

ITSECfag here. This should be common sense, but this is a PSA to all Americans: Do NOT log into an exchange using your phone, especially if you live in a major metropolitan area. There is a crew using fake base stations and exploiting AKA protocol vulnerabilities to session jack people who log into remote wallets and exchanges using their phones. They are currently operating in NYC, SF bay area, LA, Houston, Chicago, Miami, Denver, Seattle, Portland, KC, DC area, Nashville, and probably many others. I've reported this activity to several LEAs, but I have no idea if/how it's being handled. Again, DO NOT USE YOUR PHONE TO MANAGE CRYPTO ASSETS IN THE USA.

Attached: bigstock-Alert-47390257.jpg (900x636, 315K)

Other urls found in this thread:

theintercept.com/surveillance-catalogue/
ssldragon.com/blog/how-ssl-certificates-protect-you-from-man-in-the-middle-attacks/
theregister.co.uk/2018/12/05/mobile_users_can_be_tracked_with_cheap_kit_aka_protocol/
twitter.com/SFWRedditImages

I got 2FA so who kares

Thanks for the help OP! Stay safe frens!

Attached: the more you know.png (500x500, 199K)

2FA wont stop a MiTM attack

would a vpn help?

Will it stop me from having sex with your mother

No, they have set up fake base stations. The connection would be your phone -> their device -> the vpn

What if I use my houses Wifi on my phone to make the trades?

Definitely not.

Funds are safu

That is safe. Basically their devices imitate cell phone towers, similar to FEDs and LEOs using Stingrays.

Yes it will you retard. How can they get to your second factor, like email or phone, if they are impersonating the exchange and don't know the email or the phone number in the first place?
If you got scammed because you don’t have 2FA, it doesn’t mean others will too.

They aren't impersonating the exchange. Read my previous posts. They can intercept your texts, email accounts you log into, the hash for your 2FA authentication, and/or your browser session.

>they can intercept your texts
Stopped reading there. Are you brain dead? Do you know how difficult is what you’re talking about? And by that I mean literally not true?
Also, what are certificates? Jesus these brainlets know nothing about routing security and cryptography.
Just stop. 2FA is enough.

A VPN encrypts the data though. How would the imposter device read vpn traffic?

CISSP, Gsec and and old af Sec+
Funny you call me a retard but think RSA/GA hashes and SMS is safe from MiTM. Fucking idiot. Even a brainlet can google this basic fact.

>not using Authenticator
not gonna make it

Because they have live access to your session. It doesnt matter if your traffic is encrypted, they aren't "reading" your traffic. They are duplicating and controlling your session.

Reverse TCP/ICMP shell doesnt care about your encryption.

you're a skid and I can smell it

Skiddie from wayback. Built black boxes and prank called other countries when I was young.

you can't MiTM on iOS. you'll have to somehow get the user to trust a rando certificate unless you rooted their phone already (or have a 0-day).

maybe on shitdroid it's possible, I don't know.

>You cant mitm on iOS
I'm here trying to help you faggots, probably better not to spout bullshit you know 0 about. Yes, iOS is susceptible to Stingray/fake base station attacks.

Attached: 1544042336604.jpg (251x242, 14K)

that would require getting a valid ssl certificate for exchange addresses.

Thanks for the warning, desu! Hopefully some anyone's have the common sense to listen. So this isn't just for trading, but even for logging in to check balances too, right?

hey, how's metasploit working for you

you fucking skiiiiiiiid

the future of money

Correct. DONT LOG IN on your phone. Afaik they aren't targeting banking credentials, this crew is specifically targeting crypto.
... no it does not. What is reverse TCP shell and how does it work?

I like Armitage because I need a GUI. ;)

Thanks OP. Now how do we set one of these base stations up to get teh n00dz. Do i just go into starbucks and name my hotspot Starbucks_public

>reverse TCP shell and how does it work?
he said it again

oh nonono. Gonna wait for another post.
HAHAHAH

Attached: pragcom.jpg (2000x1000, 208K)

Hey, thank you from a fellow paranoid non-retard.

To the retards doubting: What would ITSECanon's evil agenda be here? To get you to be safer? He's not shilling anything, just think about it.

realistically, who has the time to be anything else nowadays

holy shit stop embarrassing yourself.
Your story would make some sense if there was an exploit that allows hacking android with a fake base station, but you don't even know enough about how this all works to larp plausibly
'session jack' lmao

Bro, firesheep lmao

Finally, someone who gets me.

It's an exploit of the AKA protocol, as previously stated. Fuck. Why do I bother replying to you guys. White hat just trying to help you normies.

Relevant info user, thanks

Who would trade crypto on public wifi...period...?

>public wifi
Ok you guys are really dragging me down now. Read my previous posts.

it's irrelevant you dumb larper, the whole point of ssl is to ensure trusted and private (encrypted) communications over insecure medium.
Man in the middle attack only works for non-encrypted sites, or requires a valid certificate for a target site.

Technically stingrays only work on 3G networks. There are 4g equivalents. Honestly all you would need is an improvised IMSI catcher and you could probably intercept text messages, then it's just be a matter of getting that email address and/or username.

Things things aren't hard to build. Just Google it for fucks sake.

>hurr I think a base station attack is the same as a HTML redirect mitm
God, you are absolutely fucking daft.

how'd you find out about this? who do you think is doing it? what kind of costs and expertise are we talking about for such an intricate operation?

Thanks for the heads up.

AKA protocol handles 3g, 4g, and 5g authentication and keys. Similar fundamental idea as IMSI catcher, but exploits AKA instead.

Nigger that's literally the point of SSL/TLS. Fuck you.

i believe OP is talking about this kind of equipment: theintercept.com/surveillance-catalogue/

>Ever leaving your house so you're not on wifi
lol

Anyone giving you shit is either a genuine retard or is currently profiting from these attacks. Thanks OP. Do you have a safe keyboard and clipboard you can reccommend for android?

I'm pretty old, know a lot of people, have built and sold tools in the past, have a minor reputation.
Costs: Low, maybe $1k-1.5k a device
Expertise: High, custom built software and deep understanding of authentication protocols.

again, it's irrelevant what's below the encrypted layer.
Also stop obvious phoneposting dumb nigger, nobody is falling for your larp.

Attached: 1538812577724.jpg (643x298, 64K)

ChainLink solves this problem anyway

Just google Stringray IMSI. The attack I'm talking about is somewhat similar. If you think SSL/TLS is ultimate protection you're better off shutting your mouth and reading a little.

>sensiblechuckle.gif

what do you think this operation would look like? (brainlet here) is it fake cell phone tower boxes placed into existing arrays on the sides of buildings? or boxes in peoples' houses? what do you think such an operation physically looks like and what would you need to track it?

>have a minor reputation.
Whatever you say, Zero Cool.

This is literally the only post I have made in this thread:
I am confident that you are either engaged in this scheme or a fucking schitzo

Do you live in PR and Southern CA, OP?

>what would it look like
A well hidden Raspberry Pi with transmitter/receiver. Placed in high traffic areas. Financial districts, public transport hubs, etc.

>what would it take to track it
AIMSICD or something similar may work. I've never seen the devices I'm talking about in operation, so I honestly couldn't say. You'd want something to check/track consistency of the towers in your area, or something to whitelist known good towers (but would be a pain in the ass to manage, especially if you travel).

>last phonepost
you still have your last phone id because you didn't reset it
what are you even trying to achieve? everyone can google how ssl works and realize you're full of shit.
ssldragon.com/blog/how-ssl-certificates-protect-you-from-man-in-the-middle-attacks/

there are a lot of faggots on biz nowadays
I appreciate your information ITSECfag
Be careful ;)

Lol you are sad, man. That's another user.
>still thinks SSL cert protects you from authentication protocol vulnerabilities
You're too much work, and know far too little.

Alright, gotta run. Hope I at least helped 1 user today. Cheers. Be safe out there and may all your coins moon.

>still thinks SSL cert protects you from authentication protocol vulnerabilities
TLS is the authentication protocol.
You didn't fool anybody.

Oh look, it's already on the front page of the register, you fucking retard. Bye.

theregister.co.uk/2018/12/05/mobile_users_can_be_tracked_with_cheap_kit_aka_protocol/

So if i turn off data and use wifi im safe on my phone?

which has absolutely nothing to do with breaking tls security.
Again, the whole point of ssl is to protect against insecure base layer, like this attack.

If I use my smartphone as a hotspot, if my laptop has a VPN installed, am I protected when accessing sites/exchanges on the laptop?

Haven't these type of attacks been happening for years now? Why should i all of a sudden start worrying and when will using data become safe again?

Thanks man.

these attacks can make sms-code based 2fa insecure, but that's insecure in general because it's relatively easy to social engineer a replacement sim.
They also could potentially allow someone to record your calls or spoof numbers (ie. you call 911, but it's picked up by the attacker instead). If there's a security hole in a phone's 3g/lte stack it could be exploited to hack the phone.

That's basically it, connecting to exchanges over https is still safe (assuming unhacked phone, obviously), at worst an attacker can cut off your internet.

What if i have funds on my coinbase app on my phone? Should i not use coinbase now?

Aren't the transmissions of credentials to apps/webapps encrypted as a result of ssl/tls? Even if they can intercept your traffic, it's going to be encrypted as long as you are communicating with a valid certificate https address...

>firesheep
holy nostalgia
take me back to college fb message spoofing

who cares
crypto is dead now

do they know about ChainLink OP???

fucking retard. go look up mitm

it's not that hard you fucking retard. go and google "police stingray" and do some reading on it. fucking brainlets like you should be gassed, I swear..

Attached: harris-stingray-ft.jpg (1440x720, 83K)

You are retarded for calling someone retarded in affairs you have no clue about. Keep doing your thing, arrogant cunt. OP is trying to help

That's not how shit works. Nice LARP "ITSEC" guy

Nice fud you filthy little kike

Thanks op for the heads up. There’s a special place in Heaven for you

Neck yourself with your mom's lattice and I will throat fuck you with a trail of cum spilling out of your slit neck

If a man is in the middle then yes since your dick will go into his ass.

>ITT
Faggot who thinks Hackers can magically get around 2FA and Sign and Verify Transactions through PIN.

What about an old phone no SIM card WiFi only?

Why would they want access? To steal my shircoins ?

The absolute state of this board. Fucking newfags spreading misinformation because they’re reckless with their 4 figure portfolios. OP isn’t a larper he has nothing to gain out of this.

SSL, nigga

Fpbp
Op is a faggot pajeet nigger

If your mum knew you were posting gay trash about her lettuce she would be soooo angry.