I saw this post this morning on Reddit: a guy’s WealthSimple account had about $4,000 transferred into options and sold immediately. He was logged into the account and watched it all happen, and when he followed up with WealthSimple, they essentially ghosted him. After a month of trying to get an answer, he turned to Reddit.
On the surface it looks like he could just not know what he’s doing and he’s blaming everyone else, or as one commenter wrote: this reads like “somebody shit my pants”. But as I read more of the comments, a few people pointed out that he was using SMS (texting) as his 2-factor authentication (2FA) method with WealthSimple, and today I learned how completely insecure that is.
TL;DR – Go through your 2FA settings and make sure you’re using an authenticator app (Google Authenticator, Authy, etc.) or a physical token (YubiKey, etc.) instead of SMS, especially for any of your financial accounts. Don’t forget your email account either, as that’s the first line of attack many attackers will take.
Organized crime group waits until they have a decent set of potential credentials through other methods. OP clicking on phishing links/etc. Usually several thousand.
Purchase onto cell network as a reseller, usually about $10K. Think the hookup those cell phone stalls at the mall are issued.
Utilize either SIM swap or SS7 style attack to intercept or duplicate SMS codes being sent.
Hammer the thousands of accounts with automated scripts looking for any and all ways to transfer funds.
Aside from getting access to this user’s WealthSimple account, the other really interesting thing they did was the way they used option trading to flush the money out of the account and pick it up on the market, capitalizing on “anyone stupid enough” to make that option deal. eTransfer or wire or crypto would leave an easier trail to follow.
So, remember how to make a great long password and make sure your Authenticator app is set up and backed up securely.