People forget that the cell company is giving you the possibility to recover your account as well through standard practices. I believe what happened to OP is that he used a weak one, that was based on publicly available informations (he states that in article himself) and that is how the attacker got the foothold in the first place. After that was a simple game of playing by the rules all the way to the coinbase account and draining it.
In his learning he is missing the biggest mistake: resetting the email account by sms
2FA and all are secure enough, the problem for him was that his mobile phone number was the only thing needed to gain access because the attacker wad (1) able to reset the password for the mail account by sms and (2) 2fawas sms based.
There should be _absolutely no_ way of resetting the password of your mail account besides some pregenerated tokens you are keeping safe somewhere.
There are two places in Gmail where you might have your phone number. The first is in 2FA options, and it's easy to delete if you add TOTP or a security key.
The second is "recovery phone number" in a different settings pane. That one is easy to miss!
It almost always starts with a phishing attempt to get the original password. These attacks are unfortunately common for those working with cryptocurrency.
The part of the chart for "threat level I should have had based on everything I know now" is way off. It should have been at least yellow with "zero cell coverage" (assuming the author normally has reasonable cell coverage at that location), should have been red at "got popups to log back into google", and should have broken out of the page and come knocking on your door at the "password didn't work".
If I get unexpectedly logged out of my email account, even if I can log right back in, this should already be at "something seriously fishy is going on and I need to investigate immediately", such as checking the account for any activity. Not being able to log in to my email is "check my provider's status page to make sure they're not having a widespread outage, and if they're not, get on the horn with support immediately".
As the author says, your email account is the keys to the kingdom for virtually every other account you have. Anything that threatens it is serious business.
I compare this to driving. We all think we are safe drivers who will not drive when tired, not go too fast in thick fog, and pay attention to our surroundings. In practice, it's hard to live by these rules 24/7.
I thought the author did a good job describing how he rationalized away these warning signals as flakiness, and had a bad mental model of the situation ("SIM card is being weird") that prevented him taking timely action. He also mentioned outside factors (needing to sleep, stress at work) that affected his judgement.
It's easy to say this would never happen to you, but even sophisticated people get caught by this stuff, since we are in the end human. Writing this article in the aftermath of losing so much money was a brave and considerate gesture.
I'm not complaining about the author's description of their timeline, just taking issue with that bar on the right that is described as the threat level they should have had.
> Many of you are thinking, "Jesus, I would never fall for the "the check's in the mail, we had trouble with the wire transfer, the money is coming in from our affiliate in New York, I'll get you the tracking number" routine day after day. But sociopaths are very, very good at this. You don't want to believe you've been conned, you don't want to believe you have to go hire a lawyer and file a lawsuit, you don't want to believe someone can do this to you, you want the income that this transaction promises, and often you don't want to go tell your superiors — so you keep hoping that the money is coming any day now. It can happen to you. It's happened to very smart lawyers I know. It's happened to me. And I used to put these people in jail. So don't judge the victims too harshly. When you find yourself in such a situation, you've got to focus — to convince yourself to bail out and cancel the contract, stop providing services, and file suit if necessary.
Coinbase Pro has address whitelisting feature, which adds a 48 hour wait before a new crypto address can be used for withdrawals. This may have also mitigated the attack.
I wonder if the victim was able to find the transaction of the withdrawal on the blockchain. It may be interesting to see what the hacker did with the coins.
Probably a lot more transactions hard to track along the blockchain and most likely converted to other currencies as well, using the mentioned Coinbase as well, and in the end in a new minted wallet.
22 comments
[ 19.1 ms ] story [ 2083 ms ] thread2FA and all are secure enough, the problem for him was that his mobile phone number was the only thing needed to gain access because the attacker wad (1) able to reset the password for the mail account by sms and (2) 2fawas sms based.
There should be _absolutely no_ way of resetting the password of your mail account besides some pregenerated tokens you are keeping safe somewhere.
The second is "recovery phone number" in a different settings pane. That one is easy to miss!
Here's a direct link, takes one minute to audit yours: https://myaccount.google.com/u/0/security?hl=en
With flow charts and timelines.
Assuming it was a Google account with 2 factor enabled, you aren't allowed to reset the password with an SMS only.
You need two factors. I suspect his original password was leaked, or perhaps he had a recovery email address also broken into?
If I get unexpectedly logged out of my email account, even if I can log right back in, this should already be at "something seriously fishy is going on and I need to investigate immediately", such as checking the account for any activity. Not being able to log in to my email is "check my provider's status page to make sure they're not having a widespread outage, and if they're not, get on the horn with support immediately".
As the author says, your email account is the keys to the kingdom for virtually every other account you have. Anything that threatens it is serious business.
I thought the author did a good job describing how he rationalized away these warning signals as flakiness, and had a bad mental model of the situation ("SIM card is being weird") that prevented him taking timely action. He also mentioned outside factors (needing to sleep, stress at work) that affected his judgement.
It's easy to say this would never happen to you, but even sophisticated people get caught by this stuff, since we are in the end human. Writing this article in the aftermath of losing so much money was a brave and considerate gesture.
> Many of you are thinking, "Jesus, I would never fall for the "the check's in the mail, we had trouble with the wire transfer, the money is coming in from our affiliate in New York, I'll get you the tracking number" routine day after day. But sociopaths are very, very good at this. You don't want to believe you've been conned, you don't want to believe you have to go hire a lawyer and file a lawsuit, you don't want to believe someone can do this to you, you want the income that this transaction promises, and often you don't want to go tell your superiors — so you keep hoping that the money is coming any day now. It can happen to you. It's happened to very smart lawyers I know. It's happened to me. And I used to put these people in jail. So don't judge the victims too harshly. When you find yourself in such a situation, you've got to focus — to convince yourself to bail out and cancel the contract, stop providing services, and file suit if necessary.