Although very sad for this person, his warnings aren't correct. SIM porting is one avenue of attack, but TOTP can also be phished through a http reverse proxy. Push based 2fa is better, U2F based hardware keys are the gold standard today.
SMS should not be used for anything even remotely related to security. If you still need to be convinced, the Reply All episode about it[0] is eye opening while being entertaining.
This is frightening. If you're using texts for 2-factor auth you're at the mercy of your phone service provider's customer service. And they're trying to balance being helpful with security, which can be in opposition. Losing $100,000 with no hope of recovery is the kind of thing that could sink many people's finances.
His summary of how to avoid having this happen to you:
* Use a hardware wallet to secure your crypto
* SMS-based 2FA is not enough
* Reduce your online footprint
* Use Google Voice for 2FA
* Create a secondary email address
* Use an offline password manager
I like this idea, insofar as the Voice number is not vulnerable to the SIM port attack.
But then I worry that it's yet-another-thing I'm to my Google account, which Google could always shut down at a moment's notice, with no explanation, and no recourse.
I would consider that an alarming sign that I need to change investment companies asap (probably after loudly complaining and trying to change it, since Vanguard is somewhat unique).
> Do not leave funds idle on exchanges or fiat on-ramps.
This warning has been publicly repeated hundreds of times since 2010, yet people still insist on ignoring it.
The author didn't lose anything. He gave Coinbase his bitcoin in exchange for a promise to pay it back. That deal backfired.
> I knew the risks better than most, but never thought something like this could happen to me.
There's knowing the risk, and then there's knowing the risk. I'd suggest that the author didn't really know the risk, or he would never have considered leaving such a valuable asset in the care of an organization so ill-equipped to safeguard it.
This is the first analogy that sprang to my mind as well but as they noted Coinbase gets all the upside and you get little in return. When you put your money in a bank typically you earn interest in exchange for the bank having your money.
Coinbase is not regulated like a bank. Just to pick a relevant point, if someone makes an unauthorized withdrawal from your bank account, that is fraud and your liability is limited. The bank has responsibility for making sure they identify you. https://budgeting.thenest.com/banks-liability-there-identity...
Someone please correct me if I'm wrong, but at least in the US banks take on all risk of fraud. If someone starts writing bad checks in your name, that's ultimately the bank's problem rather than yours.
That line of thinking is part of the problem. It's terrible that the author lost his money, but misconceptions only ensure this will happen over and over.
Coinbase != bank.
The banking system has a safety net for recovery of stolen funds. Coinbase has pretty much jack squat in that sense.
True, Coinbase is insured against loss from its hot wallet. But if Coinbase were to suffer a loss from its cold wallet, you'd be left with zilch.
Likewise, Coinbase's terms of service put all of the responsibility for security on you, the user.
Your bank is a different story. It's FDIC insured. It has in place numerous security measure that enable it to claw back any digital theft and make you whole.
And yet if he'd kept it on his own machine there's myriad other vectors from compromised wallets to typos that would separate even the veteran "investor" from their crypto. And we'd be blaming him again, just as you are now, because in the land of Crypto anything bad that happens is your fault, not the insanely problematic technology. This is the fundamental problem with crypto, it's irreversible and decentralized. These aren't features, they're bugs.
If this were real money or real assets, he'd be able to call his bank and be made whole by the close of business, I wager. Instead he's out a down-payment, SFYL.
I can't believe these shenanigans are allowed to play out as though we're all okay with this being the future of currency.
>because in the land of Crypto anything bad that happens is your fault, not the insanely problematic technology
Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"? The problem here is that people are not aware of the risks associated with cryptocurrencies and so are not taking the required precautions. After all, you can be pretty reckless with your credit card numbers or bank login and still be fine, because the finance system has an undo button for everything.
>This is the fundamental problem with crypto, it's irreversible and decentralized. These aren't features, they're bugs.
I wouldn't call them "bugs", just design decisions or trade offs. Bug implies it's somehow fixable, but if it's not. What if you want to make an irreversible payment, or want to be able to send money to whomever you want without the government stepping in the way, all while being trustless? Is there a way to achieve that, and still being able to hit undo when you make a mistake?
> Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"?
More aptly though, I would declare it problematic if I couldn't drive 10 feet without someone carjacking me in my ostensibly armored car, or if pressing the button on my radio caused the car to explode. I'd call that 'problematic' because if it were my fault, I'd be in jail, and if not, the automaker would be on the wrong end of a huge lawsuit.
You know who we have to thank for their current level of safety? The DOT, NHTSA and legal system.
> The problem here is that people are not aware of the risks associated with cryptocurrencies and so are not taking the required precautions.
He had his coins on probably the only legitimate exchange in all of crypto. He had 2fac. He had 2fac on his gmail. If this isn't sufficient to keep your money protected, we need to stop blaming the victim. He's probably one of the most competent technical individuals owning crypto. If he can't keep it safe how on earth would your grandmother?
> After all, you can be pretty reckless with your credit card numbers or bank login and still be fine, because the finance system has an undo button for everything.
Isn't that awesome? We've recognized people make mistakes and created for them a path to remedy said mistakes. Pretending they don't happen and that it's the victims fault if they do isn't a replacement.
> What if you want to make an irreversible payment.
Wire transfer. You can opt in to irreversibility, it's not the default, and that's completely reasonable IMO.
> ...or want to be able to send money to whomever you want without the government stepping in the way.
AKA breaking the law. Yes, you shouldn't be able to send money to people on the OFAC list, to terrorists, or to sanctioned countries. That's fine with me, and all your fellow citizens. That's why we have those laws. Let's not mince words, "sending money to people the government doesn't want" is financing international terrorism, narcotics trafficking, human trafficking and so on. No, you shouldn't be able to do that.
> ...all while being trustless?
Again, why do you need this without the illegal use cases? Either way PoW cryptos aren't trustless, Beijing has over 80% of the hash power one strongly worded memo away. Decentralized and trustless are not a feature of Bitcoin or most other cryptocurrencies. They are centralized in the PRC. You would give up sovereign control of your money system to the PRC?
> Is there a way to achieve that, and still being able to hit undo when you make a mistake?
No, you shouldn't be able to break the law. An open challenge to all crypto advocates: Provide me one legal use case better suited to cryptocurrency than the US dollar.
> Surprisingly not everyone overseas is linked with international terrorism as you imply.
Unless you're trying to send money to North Korea that wasn't my implication at all, I have family overseas to whom I manage to send money without crypto or getting overcharged.
There are tons of international remittance services already including Andreesen-backed TransferWise which charges ~0.85% or less to move money internationally. Much less than the sum total of the cost of buying coins on an exchange in one country, paying an on-network transaction fee, risk of huge swings in the asset value and fraud along the way and one more exchange transaction fee in the destination country.
Generally even WU is quite competitive. In markets where they appear pricey the cost is usually to de-risk things like political issues which are all borne by crypto too but opaquely.
For instance, the USD-INR corridor is almost fee-free on all services.
If you've got a ton of money to move, you may be best off opening an Interactive Brokers account and performing the exchange there. They take a commission minimum of $2, or 0.002% ($2000 per million) for the trade. [1] It's a $5.1T per day (legitimate) market after all.
This is not a particularly good example, it's a solved problem.
Uh sorry, Interactive Brokers is so cheap my math was off. They charge 0.2 basis points which is 0.2/100 of 1% (0.002%, minimum $2). So a $100,000 exchange would cost $2.00 and a $1,000,000 would cost $20.00
> Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"?
Possibly: see the numerous self-driving efforts underway.
How can a mobile carrier operate like this?? No authentication that the request isn't fraudulent?
In Sweden I switched to another carrier, still keeping the number in the same name. To do that I got a text message with a code I had to input to initiate the process.
When I ported my phone number from my father to me within the same carrier when I turned 18 that required the same confirmation to initiate the process and signed request/approval both from me and my father posted to the company, with associated emails about the process.
This isn't even hard? This is just basic steps to prevent identity theft....
This is not about porting the number to a different carrier or even a different owner though. It's more analogous to getting a replacement SIM card.
The last time I had a phone stolen, I went to the carrier's store, they checked my ID, and gave me a replacement SIM. And the things is, if the customer service representative is empowered to do that, they could also be bribed by the attacker.
It's worse than this though. My colleague had his sim replaced by an attacker in October of last year even though his account had a note on it specifically to prevent this without the account holder being present and showing photo id. Not only can the customer service rep at your carriers store do this but so can the phone reps at all the other stores that sell phones for your carrier such as best buy. The bottom line is that SMS/phone numbers shouldn't be an identifying factor for security purposes.
I checked, to get a replacement sim my carrier sends out inactive cards that needs to be activated through their web service using the printed number on the card.
If you don't have an account you need to contact customer service, and to get through there they most likely authenticate you based on your SSN and an already active app on your phone (BankID) where you input your personal password.
This has actually created problems when people get their stuff stolen abroad. The ID application is authenticated using your bank and a device using your physical bank card, a generated number from the webpage and your pin and then the generated number is put into the webpage. So if you get both phone and card stolen it's essentially impossible to get into your accounts until you can get a new one posted to you. Especially fun if your bills end up in a digital mailbox requiring that login....
Using that app is how essentially all identification is done in Sweden since it's based on an already approved physical device and a personal password. With your bank as insurance that the information is correct based on your physical bank card and the account associated to it.
And reading the article everyone was already at the time working on preventing it, because any unauthorized change is illegal.
The prevention seems to be either through BankID authentication or actually calling/texting the number being forwarded to make sure the request is legitimate.
How? I still get a text to my physical phone with the active number being ported and use the code supplied to initiate the process.
Somehow making them change my contact details would just end up with the bills being sent to the wrong place, if you still have paper bills and don't have it automatically paid or goes to a digital mailbox.
> I knew the risks better than most, but never thought something like this could happen to me
This also explains why this article is useless as a warning. Someone who will be hacked like this in the future is reading now this article and saying "hmm, I should be securing my holdings against this, but I don't have time now, and this won't happen to me right away, I'll look into it next week"
It's like the countless articles which appear after backup failures. "I knew I was supposed to test restoring from backup, but...."
Part of the problem here is the lack of fraud insurance from CoinBase/exchanges. If the attacker would have instead stolen from his bank (several US and Canadian banks I know happily allow logins with only a password or are only starting to introduce SMS-only 2fa), it is likely that the bank would have returned the money, whether they could revert the transaction or not, and then pursued the hackers themselves.
Fraudulent transactions made with a regular bank account are pretty irreversible too. There's a whole extra layer of infrastructure on top of the 'core' banking services that allows them (banks) to 'reverse' a fraudulent transaction. But I'd be very very surprised if fraudulent charges are 'reversible' in any other way than the bank reimbursing the account holder.
In other words, crypto-currency exchanges could do the same thing (but then they'd almost certainly have/want to charge for that).
Double-entry bookkeeping is also, ideally, irreversible.
They are generally reversible until they cross borders, then it gets way more complicated. Most of these scammers are outside the US, they immediately make an international wire transfer of the money, then split it apart to a bunch of separate accounts, in order to make reverting impossible
Real banks have been hacked (e.g. full mainframe root access), and the hackers have made international transfers which were reversed.
Sure. When bank accounts get hacked sometimes the bank just eats the cost, but if $100k goes to another bank they'll contact that bank to have the money be clawed back.
Now I say "reversed", but the end goal I mean is "the money was transferred back" because it's traceable and doesn't require the cooperation of the receiving account holder. Not that it gets "undone" in double-entry bookkeeping.
Indeed bank hacks have lost some money when the "reversal" incurred currency fluctuation effects. (which could have gone the other way, too).
Also no, regular bank transfers are very reversible because courts can order it so. The justice system can order accounts frozen. With cryptocurrency the illusion is "math is the ultimate arbiter", but of course "math" can't solve "so what happens if one party broke the law", but is forced to answer "well... I guess they win, then".
Also compare smart contracts. You can make an illegal contract. Say the equivalent of selling yourself into slavery. Smart contracts want there to be no court that says "actually, that's slavery, and this contract is void, also the money must be returned". To think that "math" can provide justice better than a justice system is not just holding low esteem for justice systems in general. It's anarchy, and tyranny by exploitation.
"People" are not lawyers, which is why some things are not allowed in contracts. "People" are not coders, which is why smart contracts are also not a thing that will happen (on a scale cryptocurrency people dream of).
I'd like to see more companies introduce "time locks" into various big aspects of accounts.
Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.
Want to change 2 factor information for an account? We can put in the request now and it won't take effect for a week while we reach out to you using every communication method we know how to let you know it's happening and give you ample time to stop it if you discover it wasn't actually you that did it.
It seems like a fairly "low cost" way of upping the security quite a bit.
Also, not to make the OP feel worse, but Coinbase even offers a service like this called the "vault". The idea being that withdraws are time-locked for a specific amount of time, and there are multiple ways to stop it during that time lock, even if you got locked out of your account entirely.
And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.
Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.
Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...
Lots of places do this. Fidelity, for example, blocks withdrawals for a certain amount of time when some specific actions happen on an account. I believe address changes and adding people to your account with a certain level of access trigger the block.
One of those is Microsoft, which requires you to wait a month before changing your email, and there's no way that I can think of to get that expedited.
> And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.
Yes! Many password managers (at least KeePassXC/KeePass with plugin) can store and create TOTPs. The underlying keys can be manually shown and entered elsewhere if needed, and can be backed up with everything else that's valuable.
> Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...
Off site and offline backups are a good thing to have, especially with fire and water proof lockboxes. (think encrypted external drive lying around at work or at family/friend's house)
There are also tools to allow you to use those TOTPs without having a phone in general. You can always use those methods instead of using SMS or phones.
>Many password managers (at least KeePassXC/KeePass with plugin) can store and create TOTPs.
Personally I don't really like this feature and urge people to avoid it for "high security accounts".
It's not a "second factor" if it's stored and input using the same device and authentication information as your "first factor" (your username and password).
That's not to say it's useless, at the very least it's another layer that attackers have to figure out. But the true benefits of 2FA come from needing multiple devices to access accounts. If all of the factors are stored in one program on one device, then in the situation where that device/program is cracked, the attackers have everything.
Still, if you are going to choose between no 2FA and "2FA stored in your password manager", choose the password manager! And if you are going to choose between SMS-2FA, and the password manager, choose the password manager! But if you really want better security for not much more work, store your 2FA on a different device!
You can back up the Key used to set up the TOTP system. This allows you to re-seed the TOTP generator on a new device without needing to go through setup.
Personally I use Google Authenticator. The lack of a backup is a feature not a con IMO.
Every account I have setup with TOTP I also make sure to print out the recovery codes and put them in a safe, and use them if my device is ever destroyed. When I switch phones (which for me happens maybe once every 2-3 years at most), I go through the shitty process of transferring the TOTP codes over to the new device, but it doesn't really take all that long (it took me an hour to do it for about a dozen accounts last time I did it), and I'd much rather not have any of it uploaded anywhere.
You can print out the QR code or save that somehow during setup and use that to setup TOTP codes on other devices (or the same TOTP on multiple devices), but I tend not to do that as recovery codes work just as well, and they notify you if they are used (unlike a TOTP setup QR code). I did have to store the QR code for one account that doesn't provide recovery codes, but it's overall not that much extra work.
This is good advice. I also have my TOTP set up on at least two devices, my phone, my previous phone, and my iPad. (Both phones because it's fairly common for me to have both my current phone and my iPad with me at the same time. It's spectacularly rare for me to have all three devices with me outside my home.)
Google Authenticator does not help prevent against a compromised device (as all TOTP secrets and seeds are on device) and is truly a pain when working with multiple phones. Personally I use Yubico Authenticator as all the TOTPs live on my Yubikey. That, in combination with a password then clicking on a totp i want and tapping my yubikey provides me with only that code. When I first seed the yubikey with a new TOTP i also backup a copy of the QR code text and save it into my password manager in the unfortunate event of having to swap out yubikeys.
I use pass for my password manager which links to my yubikey that has my gpg key on it. My yubikey has touch enabled which means that even if someone got access to my machine with my yubikey on it and asked me to tap they would only get that single password. As far as TOTP is concerned it's the same thing. The TOTP section of my yubikey has it's password and also requires a tap
I use Authenticator Plus (https://play.google.com/store/apps/details?id=com.mufri.auth...) which has encrypted cloud backup (Google Drive or Dropbox). The encryption is done client-side. When I get a new phone, all I do is set up A+'s cloud sync on the new phone, enter the passphrase I've used previously, and it syncs all my TOTP codes.
As a bonus, the backup is just an encrypted sqlite DB (with dirt-simple schema), so you're not tied to some inscrutable proprietary format, and can easily extract the tokens if you want to use a different app/service.
Even when you authenticate via SMS in multi device mode, the imported tokens still have to be decrypted via a master password. SMS is just your account identifier on Authy, hijacking it will not allow access to your tokens on its own.
When setting up a new TOTP for Google Authenticator for my personal accounts, my standard procedure is to take a screenshot of the initialization QR code, and encrypt that screenshot with my gpg key. That is then stored on my external backup disk (which incidentally uses FDE via luks).
> That's not to say it's useless, at the very least it's another layer that attackers have to figure out. But the true benefits of 2FA come from needing multiple devices to access accounts. If all of the factors are stored in one program on one device, then in the situation where that device/program is cracked, the attackers have everything.
I feel you're not portraying the trade-off accurately so I'll try to clarify.
It's not merely better because it's just "another layer to figure out". That's what you would get with 2 passwords. It's not what you get with 1 password + 1 OTP.
With OTP you're protected against your password being logged and used later on e.g. an untrusted or breached machine (say, at a library). I'd hazard to guess that dealing with a passive adversary who's time-separated from you is FAR more common/likely than having your actual password database stolen or cracked somehow. Meaning it's still quite a significant benefit to having OTP.
> Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.
+1. I lost a phone and with it my Cloudflare 2FA. For some reason, Cloudflare won't let you contact tech support without logging in. There is no contact info for support on their website, AT ALL, so if you can't log in, you're fucked.
> I'll put your request in now but it will wait for 5 business days before it happens
This to me seems to be a complete misunderstanding of the telcos business and motivations. They sell mobile telephony - voice, sms, and data - and their _prime objective_ is to make it as easy as possible for their customer to spend as much money doing that as possible. Making you wait five days to get reconnected to "your number" when you have, for whatever reason, lost control of it is just not going to happen. They'll move mountains to get you back onto your data/voice plan before you've walked out of the store.
Nobody ever advertised their phone/sms plans as "banking grade secure". Telcos have been telling us for years that they are explicitly _not_ secure for that:
Communications Alliance chief executive John Stanton, representing the interests of mobile providers Telstra, Optus and Vodafone, took the extraordinary step of of declaring the technology insecure in the wake of numerous reports of Australians being defrauded via a phone porting scam first uncovered in Secure Computing magazine.
"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," Stanton told iTnews this week.
Telcos are not interested in securing that, they get _way_ more complaints from people who lost/broke their phone who want their replacement one to work RIGHT NOW, than they do from people who got defrauded with a sim porting attack. And the first group of people are spending _way_ more money collectively than the second, so of course telcos will continue to make it quick and easy to sim port.
Everybody else needs to deal with that. While sms 2FA is marginally better than not having any 2FA at all, it's not the telco's problem if you choose to use it to "secure" your $100k worth of crypto. In my mind, a large part of the blame here goes to COinbase for even offering it. I'm also looking at your PayPal...
Yes, Paypal is bad, they took away their support for the Symantec 2FA codes and forced users in many countries to use SMS instead.
This is pretty easy for the telco to prevent, though. Your existing telco should simply phone you and ask if you wish to leave them before letting the number get ported out.
Note that all telcos will prevent the number being ported out if you owe them any money on the account.
You appear to be discussing porting a number from one provider to another but the attack in the article (and being discussed in the thread up to this point) is based on moving the number to another SIM within the same provider).
> While sms 2FA is marginally better than not having any 2FA at all
I used to believe this too. Until this morning. Then I realized something and now I'm not so sure: if I don't have SMS 2FA at all, then my phone line is less to become an attack target. Meaning I'm less likely to have to deal with the collateral damage of lost accounts, files, etc. So is it really better to have that SMS 2FA? Especially if you weren't ever having problems securing your stuff before it came along?
Good to know! I feel like it stems from the notion that protecting whatever particular account they want you to protect must be the most important priority in your life. Even security folks don't always seem inclined to think in terms of trade-offs... too often they seem to see things as black and white. If something protects your account or computer better then it must be better and you have to do it. They don't care if you might lose your job or if it might burn down your home as a side effect; that's just not part of their threat models...
> Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.
Funny because that's exactly what happens in France when you do so. I must have sounded a bit dumb when I asked when my number would be active when I changed from Tello to Verizon. I couldn't believe it was effective right away.
It's been a while since I ported a number but the last time I did it took days here in the UK too. I just assumed it was typical inefficiency by the mobile operators rather than a security thing, however.
It takes days in the UK because we have a crappy system where instead of having a central register of number -> provider, calls are still routed to a ported number via the "donor" network, i.e. the network the number range belongs. So I just ported from O2 to EE, and my calls and texts will still go through o2, and then sent on to EE. Not very efficient.
The „time lock” approach is exactly what Apple is doing if you try to recover your Apple ID (without password and second factor).
Unfortunately, when you search on Twitter, people are going bananas over having to wait a few days to get their Apple account reset... so I definitely get why not more companies are doing this.
2FA has no place over phone networks for account recovery. It's far easier to obtain access to 2FA texts or doing SIM ports like this, than it is to break some gmail account password (even a weak one).
So many people don't seem to understand this - I was trying to use U2F yubikeys on gitlab a while back only to discover they force you to enable 2FA first for account recovery, this completely defeats the purpose of hardware auth, it's not supposed to be for convenience, security is only as strong as the weakest link, 2FA is very weak.
Large tech companies like Google push 2-factor auth to "increase" security, but this article shows that 2-factor auth with SMS verification opens up a huge security hole since the attacker can access your email if they can get your provider to port your SIM over to their device. Am I missing something and if not how did companies like Google not foresee this huge security hole?
Google offers many different 2 factor methods including Google Prompt, TOTP, and security key - all of which are better choices than SMS. The author is right to say that SMS is not enough but he didn't go far enough: only use SMS-based 2FA if it's your only 2FA choice for your critical accounts, and consider alternative services if it's your only choice.
I don't know if that's possible in gmail, but in protonmail you can just disable password recovery altogether, which makes your email account secure against these kinds of attacks.
Stuff like this freaks me out and I'm sure I'm not the only one. Thanks for the wake-up call. It's a terrible amount of money to lose. I hope things get better for this guy in the future (and I don't think anyone would say they're to blame for this.)
Security is becoming so difficult to balance with an every day life... I don't know how anyone can remember everything that they're "suppose" to know about security.
That and Bitcoin is specifically designed to not give you a recourse in case of an attack.
Cryptocurrency designers seem to think that banking was designed as a mistake without anyone thinking. That laws people wanted were just unfortunate side effects.
Bitcoin isn't the problem here. Coinbase is regulated as a "money transmitter". You can get into the same situation if you send money via Western Union, which is also regulated as a money transmitter, and tell them to "waive identification" at the receiving end.[1] That's used as a payment method by some scams.
Coinbase will pay out via PayPal, so someone with access to an account's credentials could pull of this scam without involving cryptocurrency at all.
Now if Coinbase was regulated by the SEC as a "broker/dealer", which is what they really are, they'd be subject to SEC regulations on fraud, and would have SIPC insurance to protect the customer up to $250K.[2]
Coinbase does, in fact, have a New York State "BitLicense", which makes them subject to various New York State regulations.
Among other things, transactions larger than US$10,000 have to be reported to the New York State Department of Financial Services within 24 hours, and Coinbase is subject to rules about cybersecurity, fraud, and its activity as a custodian of the funds of others. You can complain to the New York State Department of Financial Services.
DFS pulled Bittrx's license last month and gave them one day to get out of New York State.
I have a question related to this that someone expert in Bitcoin could answer.
Could the victim monitor where the bitcoin (we assume) went to using the public blockchain record? Then, trace it every step of the way (and in whatever chunks it divides into) until it reaches the account of a publicly identifiable entity? At that point, there might be legal recourse in recouping stolen goods (at least, this is how it works in the UK with stolen physical goods.. even if someone "legitimately" buys them, they can be reclaimed).
Truly big heists like the Mt. Gox collapse have received research attention, yes. There are some firms which will follow the transactions and try to find patterns. However, for a relatively small amount like this it's probably futile. It's trivial (though costly) to run the funds through a public mixer several times, or to trade it for Monero, which has a ledger that's much more difficult to analyze.
Kinda but it's hard and there are measures to counter this. There is one thing called coinjoin which attempts to tumble coins.
Imagine you stole 10 btc and you split it to 10 outputs of 1 btc each. Then you use 2 of them to perform a coinjoin with several other people where in a single transaction 10 inputs of 1 btc (2 of them yours) produce 10 outputs of 1 btc (again 2 of them yours). There is no way to tell which coin is which anymore. Of course this requires some degree of interaction with other people but in other coins such as grin that use the mimblewimble protocol this happens automatically for every block.
Another thing you can do is try to do an atomic swap with someone on another blockchain i.e Litecoin. In this case you send your coins to a specific script address, the other person sends his LTC to another script address and you effectively swap BTC with LTC.
I would think that an online-only MVNO like Ting.com would be harder to fool - even if their call agent fell for the trick, they'd still have to mail a new sim out. But you'd have to log in yourself to swap the sim using the Ting website. As I understand it, attacker would have to fool you and coax you to swap the sim.
That's interesting, I did not know it was possible to have a coinbase acct without working google authenticator.
I found out the hard way it takes over a week of time and multiple verifications and contacts to reset my authenticator when my old phone was broken; as it should be.
Unfortunately many places are actively refusing to work with Google Voice. I got a message from Bank of America saying specifically that they're removing Google Voice support:
> You can't enroll in Zelle with a landline, Google Voice or VOIP (voice over internet protocol) phone number. (Section 3.C.3 Enrolling in the Service)
This follows with some other unnamed (because I don't remember them) services which also refuse to work with Google Voice.
That's really unfortunate because I've been using Google Voice for nearly 10 years without issue until recently (when companies specifically remove support...)
I don't imagine they would know unless they check their service logs. I imagine that interconnectivity with (in my case: Bank of America) would cease. And I'm pretty cynical with tech so I suspect it would quietly cease.
This is frightfully common in South Africa except aimed at banks - they use SMS as their 2FA. ("SIM swap")
Another common tactic to watch out for: Repeated calling of your phone to annoy you enough so that you switch it off/silent it. That can give the attacker enough time where you don't notice the swap.
This is the kind of stuff that convinces me we'll never see mass adoption of cryptocurrency -- or that if we do, it will be only by replicating the existing financial system and slapping a cryptocurrency label on it.
If security engineers at cryptocurrency firms are getting hacked, what hope do mom & pop user have? And once your money is stolen, you have basically zero recourse and no way to reverse the transaction. I know many proponents consider that a feature, but I'm telling you for the average user, it is absolutely a bug.
Sucks to be the OP but storing any crypto in an exchange is idiotic and literally the first thing on any list of "how to secure your crypto" is to not do it. This shows the OP is just being willfully ignorant.
If you have any kind of serious crypto holdings, you should either be using hardware wallets or a PC that you only use for crypto. Nothing else.
* Buy crypto, transfer to your PC, turn off PC.
This is why you do long term holding in BTC or any coin that may take longer to confirm on the chain and the money you are playing/trading with should be in an asset like XLM which transfers in seconds.
Now if the whole thing is tanking and you want to transfer your entire savings to try and ride the wave you are already too late if your money is not already on an exchange and you shouldn't be 100% swing trading anyway.
That’s not really a security issue. It sounds like a speculation issue. Treat custodial services like a porta-potty at a shitty music festival: do your business then GTFO
For Bitcoin you should always aim to use the lowest fee possible, and use replace-by-fee (RBF) if a transaction is taking too long.
Because it covers the use cases of cash but for online. Sometimes you're willing to have no safety guarantees but also not have to deal with paypal etc. Send a small tip to a content creator, pay content creators in small amounts in a patreon-like setting without having to deal with rules against content payment processors don't like (I saw recently this was being launched but I forget the name), lots of use cases.
I really need to call out crypto shill when I see it. As it stands, bitcoin is utterly unusable for micropayments, the transaction fees are way too high for that. There has been attempts at creating micropayment services on top, these all have failed to gain traction.
I still maintain as I did several times here in the past: bitcoin (and in general, crypto"currencies" because they are not currencies) are a scam, a new kind of scam for sure but a scam nonetheless. There are simply no (legit) use cases.
A non-federally controlled pseudo-anonymous currency similar to cash has the positive upside of enabling digital privacy in spite of the blockchain. That's why. There are still trustworthy tumbler services to obfuscate and hold your bitcoins similar to a bank. And with what some claim, inarguably so, of government overreach and corporate over-sharing of your personal data, it's something I can sympathize with.
This person's Google account is likely still vulnerable to the attacker and if they used chrome password sync all of their other accounts are also likely owned. You can recover a google account if you know some basic details such as a previously used password or the creation date of an account. After having a google account owned enrollment in the advanced protection program and ensuring only the strongest recovery methods are enabled are best next steps.
The standard person today isn't capable of managing multiple secure tokens, and actually keeping them separate.
One smashed phone, and truly secure accounts would be lost forever, or require significant resources on the part of the provider to re-verify people's identities.
I was attacked in the same manner this weekend. I'll dump what I know below in the hopes it helps someone.
I lost money when MTGox went under and made some online posts (on reddit, I think) several years ago. Maybe this is what caused me to be targeted?
This weekend a malicious actor posing as the account holder on my account was able to get my number transferred to his phone. At&t fraud says this happened at a store, and the user had the last 4 of one of my family member's social security number, as well as a fake id. I'm not sure I believe this, but will request more info in writing.
I regained access to my account. The attacker came from IP 216.162.42.85 (santa clara california)
They entered my email and according to google activity logs immediately went after my coinbase account. They got in (joke's on them I didn't have anything). Then they searched my email for 'btc', and also made a visit to my bank website. They weren't able to get access.
As far as I can tell, they were in and out within 10 minutes. I wonder if this was related to the author's experience?
This is the reason I have disabled SMS as a recovery option in my gmail/google account. My 2FA for gmail is now my iphone and ipad. THey have to know my password and get one of my devices to hack my account. I also use protonmail and for SMS based 2FA, I plan to use a google voice number from a totally different google account w/c forwards the text to my protonmail account. Google voice numbers cannot be ported out. Hence, avoiding the sim hack. They can port out if they hack my "shadow" google account. The trick is to never use the shadow account for anything. Hence, the attackers have no way to get to your google voice.
250 comments
[ 3.2 ms ] story [ 133 ms ] thread[0] https://gimletmedia.com/shows/reply-all/v4he6k/130-the-snapc...
His summary of how to avoid having this happen to you:
I like this idea, insofar as the Voice number is not vulnerable to the SIM port attack.
But then I worry that it's yet-another-thing I'm to my Google account, which Google could always shut down at a moment's notice, with no explanation, and no recourse.
https://investor.vanguard.com/security/security-keys
https://news.ycombinator.com/item?id=19886705
This warning has been publicly repeated hundreds of times since 2010, yet people still insist on ignoring it.
The author didn't lose anything. He gave Coinbase his bitcoin in exchange for a promise to pay it back. That deal backfired.
> I knew the risks better than most, but never thought something like this could happen to me.
There's knowing the risk, and then there's knowing the risk. I'd suggest that the author didn't really know the risk, or he would never have considered leaving such a valuable asset in the care of an organization so ill-equipped to safeguard it.
People want the convenience of being able to trade while also wanting security. Eat the cost of transferring from a hardware wallet.
The author has to eat the loss, as per the user agreement.
Coinbase != bank.
The banking system has a safety net for recovery of stolen funds. Coinbase has pretty much jack squat in that sense.
True, Coinbase is insured against loss from its hot wallet. But if Coinbase were to suffer a loss from its cold wallet, you'd be left with zilch.
Likewise, Coinbase's terms of service put all of the responsibility for security on you, the user.
Your bank is a different story. It's FDIC insured. It has in place numerous security measure that enable it to claw back any digital theft and make you whole.
If this were real money or real assets, he'd be able to call his bank and be made whole by the close of business, I wager. Instead he's out a down-payment, SFYL.
I can't believe these shenanigans are allowed to play out as though we're all okay with this being the future of currency.
Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"? The problem here is that people are not aware of the risks associated with cryptocurrencies and so are not taking the required precautions. After all, you can be pretty reckless with your credit card numbers or bank login and still be fine, because the finance system has an undo button for everything.
>This is the fundamental problem with crypto, it's irreversible and decentralized. These aren't features, they're bugs.
I wouldn't call them "bugs", just design decisions or trade offs. Bug implies it's somehow fixable, but if it's not. What if you want to make an irreversible payment, or want to be able to send money to whomever you want without the government stepping in the way, all while being trustless? Is there a way to achieve that, and still being able to hit undo when you make a mistake?
More aptly though, I would declare it problematic if I couldn't drive 10 feet without someone carjacking me in my ostensibly armored car, or if pressing the button on my radio caused the car to explode. I'd call that 'problematic' because if it were my fault, I'd be in jail, and if not, the automaker would be on the wrong end of a huge lawsuit.
You know who we have to thank for their current level of safety? The DOT, NHTSA and legal system.
> The problem here is that people are not aware of the risks associated with cryptocurrencies and so are not taking the required precautions.
He had his coins on probably the only legitimate exchange in all of crypto. He had 2fac. He had 2fac on his gmail. If this isn't sufficient to keep your money protected, we need to stop blaming the victim. He's probably one of the most competent technical individuals owning crypto. If he can't keep it safe how on earth would your grandmother?
> After all, you can be pretty reckless with your credit card numbers or bank login and still be fine, because the finance system has an undo button for everything.
Isn't that awesome? We've recognized people make mistakes and created for them a path to remedy said mistakes. Pretending they don't happen and that it's the victims fault if they do isn't a replacement.
> What if you want to make an irreversible payment.
Wire transfer. You can opt in to irreversibility, it's not the default, and that's completely reasonable IMO.
> ...or want to be able to send money to whomever you want without the government stepping in the way.
AKA breaking the law. Yes, you shouldn't be able to send money to people on the OFAC list, to terrorists, or to sanctioned countries. That's fine with me, and all your fellow citizens. That's why we have those laws. Let's not mince words, "sending money to people the government doesn't want" is financing international terrorism, narcotics trafficking, human trafficking and so on. No, you shouldn't be able to do that.
> ...all while being trustless?
Again, why do you need this without the illegal use cases? Either way PoW cryptos aren't trustless, Beijing has over 80% of the hash power one strongly worded memo away. Decentralized and trustless are not a feature of Bitcoin or most other cryptocurrencies. They are centralized in the PRC. You would give up sovereign control of your money system to the PRC?
> Is there a way to achieve that, and still being able to hit undo when you make a mistake?
No, you shouldn't be able to break the law. An open challenge to all crypto advocates: Provide me one legal use case better suited to cryptocurrency than the US dollar.
Check your privilege, as some might say
Sending money to people overseas without extortionate fees. Surprisingly not everyone overseas is linked with international terrorism as you imply.
Did you even bother to google search them? Here I'll help.
https://www.stellar.org/
https://www.ibm.com/blockchain/solutions/world-wire
Unless you're trying to send money to North Korea that wasn't my implication at all, I have family overseas to whom I manage to send money without crypto or getting overcharged.
There are tons of international remittance services already including Andreesen-backed TransferWise which charges ~0.85% or less to move money internationally. Much less than the sum total of the cost of buying coins on an exchange in one country, paying an on-network transaction fee, risk of huge swings in the asset value and fraud along the way and one more exchange transaction fee in the destination country.
Generally even WU is quite competitive. In markets where they appear pricey the cost is usually to de-risk things like political issues which are all borne by crypto too but opaquely.
For instance, the USD-INR corridor is almost fee-free on all services.
If you've got a ton of money to move, you may be best off opening an Interactive Brokers account and performing the exchange there. They take a commission minimum of $2, or 0.002% ($2000 per million) for the trade. [1] It's a $5.1T per day (legitimate) market after all.
This is not a particularly good example, it's a solved problem.
[1] https://www.interactivebrokers.com/en/index.php?f=1590&p=fx
Possibly: see the numerous self-driving efforts underway.
In Sweden I switched to another carrier, still keeping the number in the same name. To do that I got a text message with a code I had to input to initiate the process.
When I ported my phone number from my father to me within the same carrier when I turned 18 that required the same confirmation to initiate the process and signed request/approval both from me and my father posted to the company, with associated emails about the process.
This isn't even hard? This is just basic steps to prevent identity theft....
The last time I had a phone stolen, I went to the carrier's store, they checked my ID, and gave me a replacement SIM. And the things is, if the customer service representative is empowered to do that, they could also be bribed by the attacker.
If you don't have an account you need to contact customer service, and to get through there they most likely authenticate you based on your SSN and an already active app on your phone (BankID) where you input your personal password.
This has actually created problems when people get their stuff stolen abroad. The ID application is authenticated using your bank and a device using your physical bank card, a generated number from the webpage and your pin and then the generated number is put into the webpage. So if you get both phone and card stolen it's essentially impossible to get into your accounts until you can get a new one posted to you. Especially fun if your bills end up in a digital mailbox requiring that login....
Using that app is how essentially all identification is done in Sweden since it's based on an already approved physical device and a personal password. With your bank as insurance that the information is correct based on your physical bank card and the account associated to it.
Maybe the Tele2 attacks made them finally sort things out.
The prevention seems to be either through BankID authentication or actually calling/texting the number being forwarded to make sure the request is legitimate.
$100k is a lifetime's worth of money in some countries, and it can justify a few months worth of recon.
Somehow making them change my contact details would just end up with the bills being sent to the wrong place, if you still have paper bills and don't have it automatically paid or goes to a digital mailbox.
> I knew the risks better than most, but never thought something like this could happen to me
This also explains why this article is useless as a warning. Someone who will be hacked like this in the future is reading now this article and saying "hmm, I should be securing my holdings against this, but I don't have time now, and this won't happen to me right away, I'll look into it next week"
It's like the countless articles which appear after backup failures. "I knew I was supposed to test restoring from backup, but...."
Because reversibility is a good thing.
In other words, crypto-currency exchanges could do the same thing (but then they'd almost certainly have/want to charge for that).
Double-entry bookkeeping is also, ideally, irreversible.
Sure. When bank accounts get hacked sometimes the bank just eats the cost, but if $100k goes to another bank they'll contact that bank to have the money be clawed back.
Now I say "reversed", but the end goal I mean is "the money was transferred back" because it's traceable and doesn't require the cooperation of the receiving account holder. Not that it gets "undone" in double-entry bookkeeping.
Indeed bank hacks have lost some money when the "reversal" incurred currency fluctuation effects. (which could have gone the other way, too).
Also no, regular bank transfers are very reversible because courts can order it so. The justice system can order accounts frozen. With cryptocurrency the illusion is "math is the ultimate arbiter", but of course "math" can't solve "so what happens if one party broke the law", but is forced to answer "well... I guess they win, then".
Also compare smart contracts. You can make an illegal contract. Say the equivalent of selling yourself into slavery. Smart contracts want there to be no court that says "actually, that's slavery, and this contract is void, also the money must be returned". To think that "math" can provide justice better than a justice system is not just holding low esteem for justice systems in general. It's anarchy, and tyranny by exploitation.
"People" are not lawyers, which is why some things are not allowed in contracts. "People" are not coders, which is why smart contracts are also not a thing that will happen (on a scale cryptocurrency people dream of).
Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.
Want to change 2 factor information for an account? We can put in the request now and it won't take effect for a week while we reach out to you using every communication method we know how to let you know it's happening and give you ample time to stop it if you discover it wasn't actually you that did it.
It seems like a fairly "low cost" way of upping the security quite a bit.
Also, not to make the OP feel worse, but Coinbase even offers a service like this called the "vault". The idea being that withdraws are time-locked for a specific amount of time, and there are multiple ways to stop it during that time lock, even if you got locked out of your account entirely.
And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.
Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.
Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...
Yes! Many password managers (at least KeePassXC/KeePass with plugin) can store and create TOTPs. The underlying keys can be manually shown and entered elsewhere if needed, and can be backed up with everything else that's valuable.
> Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...
Off site and offline backups are a good thing to have, especially with fire and water proof lockboxes. (think encrypted external drive lying around at work or at family/friend's house)
Personally I don't really like this feature and urge people to avoid it for "high security accounts".
It's not a "second factor" if it's stored and input using the same device and authentication information as your "first factor" (your username and password).
That's not to say it's useless, at the very least it's another layer that attackers have to figure out. But the true benefits of 2FA come from needing multiple devices to access accounts. If all of the factors are stored in one program on one device, then in the situation where that device/program is cracked, the attackers have everything.
Still, if you are going to choose between no 2FA and "2FA stored in your password manager", choose the password manager! And if you are going to choose between SMS-2FA, and the password manager, choose the password manager! But if you really want better security for not much more work, store your 2FA on a different device!
Authy, from what I understand, requires a phone number as backup, meaning it could be compromised by the same method
Google authenticator can't be backedup, which is royally annoying when you change/lose devices
Lastpass has some security issues, and one well known comment here has recommended no one use it.
I heard someone say they use Duo security: does that let you store codes? When I looked it just seemed to lock various services
Every account I have setup with TOTP I also make sure to print out the recovery codes and put them in a safe, and use them if my device is ever destroyed. When I switch phones (which for me happens maybe once every 2-3 years at most), I go through the shitty process of transferring the TOTP codes over to the new device, but it doesn't really take all that long (it took me an hour to do it for about a dozen accounts last time I did it), and I'd much rather not have any of it uploaded anywhere.
You can print out the QR code or save that somehow during setup and use that to setup TOTP codes on other devices (or the same TOTP on multiple devices), but I tend not to do that as recovery codes work just as well, and they notify you if they are used (unlike a TOTP setup QR code). I did have to store the QR code for one account that doesn't provide recovery codes, but it's overall not that much extra work.
As a bonus, the backup is just an encrypted sqlite DB (with dirt-simple schema), so you're not tied to some inscrutable proprietary format, and can easily extract the tokens if you want to use a different app/service.
Means I don't have to worry about phone upgrades and such, and if the Yubikey were to stop working I still have it on my phone
I have this in case my yubikey ever dies and takes my totp codes with it.
I feel you're not portraying the trade-off accurately so I'll try to clarify.
It's not merely better because it's just "another layer to figure out". That's what you would get with 2 passwords. It's not what you get with 1 password + 1 OTP.
With OTP you're protected against your password being logged and used later on e.g. an untrusted or breached machine (say, at a library). I'd hazard to guess that dealing with a passive adversary who's time-separated from you is FAR more common/likely than having your actual password database stolen or cracked somehow. Meaning it's still quite a significant benefit to having OTP.
+1. I lost a phone and with it my Cloudflare 2FA. For some reason, Cloudflare won't let you contact tech support without logging in. There is no contact info for support on their website, AT ALL, so if you can't log in, you're fucked.
This to me seems to be a complete misunderstanding of the telcos business and motivations. They sell mobile telephony - voice, sms, and data - and their _prime objective_ is to make it as easy as possible for their customer to spend as much money doing that as possible. Making you wait five days to get reconnected to "your number" when you have, for whatever reason, lost control of it is just not going to happen. They'll move mountains to get you back onto your data/voice plan before you've walked out of the store.
Nobody ever advertised their phone/sms plans as "banking grade secure". Telcos have been telling us for years that they are explicitly _not_ secure for that:
https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for...
Communications Alliance chief executive John Stanton, representing the interests of mobile providers Telstra, Optus and Vodafone, took the extraordinary step of of declaring the technology insecure in the wake of numerous reports of Australians being defrauded via a phone porting scam first uncovered in Secure Computing magazine.
"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," Stanton told iTnews this week.
Telcos are not interested in securing that, they get _way_ more complaints from people who lost/broke their phone who want their replacement one to work RIGHT NOW, than they do from people who got defrauded with a sim porting attack. And the first group of people are spending _way_ more money collectively than the second, so of course telcos will continue to make it quick and easy to sim port.
Everybody else needs to deal with that. While sms 2FA is marginally better than not having any 2FA at all, it's not the telco's problem if you choose to use it to "secure" your $100k worth of crypto. In my mind, a large part of the blame here goes to COinbase for even offering it. I'm also looking at your PayPal...
This is pretty easy for the telco to prevent, though. Your existing telco should simply phone you and ask if you wish to leave them before letting the number get ported out.
Note that all telcos will prevent the number being ported out if you owe them any money on the account.
Wait really? Is there a way to force yourself to perpetually owe them a small amount of money then? Could be really worth the money.
The comment you replied to appears to be discussing porting a number to a different provider which is very different and doesn't happen same-day.
I used to believe this too. Until this morning. Then I realized something and now I'm not so sure: if I don't have SMS 2FA at all, then my phone line is less to become an attack target. Meaning I'm less likely to have to deal with the collateral damage of lost accounts, files, etc. So is it really better to have that SMS 2FA? Especially if you weren't ever having problems securing your stuff before it came along?
Funny because that's exactly what happens in France when you do so. I must have sounded a bit dumb when I asked when my number would be active when I changed from Tello to Verizon. I couldn't believe it was effective right away.
Unfortunately, when you search on Twitter, people are going bananas over having to wait a few days to get their Apple account reset... so I definitely get why not more companies are doing this.
So many people don't seem to understand this - I was trying to use U2F yubikeys on gitlab a while back only to discover they force you to enable 2FA first for account recovery, this completely defeats the purpose of hardware auth, it's not supposed to be for convenience, security is only as strong as the weakest link, 2FA is very weak.
Security is becoming so difficult to balance with an every day life... I don't know how anyone can remember everything that they're "suppose" to know about security.
Now that's the real problem. Coinbase acts like a bank or a broker/dealer, but isn't regulated like one.
Cryptocurrency designers seem to think that banking was designed as a mistake without anyone thinking. That laws people wanted were just unfortunate side effects.
Coinbase will pay out via PayPal, so someone with access to an account's credentials could pull of this scam without involving cryptocurrency at all.
Now if Coinbase was regulated by the SEC as a "broker/dealer", which is what they really are, they'd be subject to SEC regulations on fraud, and would have SIPC insurance to protect the customer up to $250K.[2]
Coinbase does, in fact, have a New York State "BitLicense", which makes them subject to various New York State regulations. Among other things, transactions larger than US$10,000 have to be reported to the New York State Department of Financial Services within 24 hours, and Coinbase is subject to rules about cybersecurity, fraud, and its activity as a custodian of the funds of others. You can complain to the New York State Department of Financial Services.
DFS pulled Bittrx's license last month and gave them one day to get out of New York State.
[1] https://www.westernunion.com/us/en/fraudawareness/fraud-ques...
[2] https://www.sipc.org/for-investors/what-sipc-protects
Could the victim monitor where the bitcoin (we assume) went to using the public blockchain record? Then, trace it every step of the way (and in whatever chunks it divides into) until it reaches the account of a publicly identifiable entity? At that point, there might be legal recourse in recouping stolen goods (at least, this is how it works in the UK with stolen physical goods.. even if someone "legitimately" buys them, they can be reclaimed).
Imagine you stole 10 btc and you split it to 10 outputs of 1 btc each. Then you use 2 of them to perform a coinjoin with several other people where in a single transaction 10 inputs of 1 btc (2 of them yours) produce 10 outputs of 1 btc (again 2 of them yours). There is no way to tell which coin is which anymore. Of course this requires some degree of interaction with other people but in other coins such as grin that use the mimblewimble protocol this happens automatically for every block.
Another thing you can do is try to do an atomic swap with someone on another blockchain i.e Litecoin. In this case you send your coins to a specific script address, the other person sends his LTC to another script address and you effectively swap BTC with LTC.
something like what CF (and others) are doing with domains
I found out the hard way it takes over a week of time and multiple verifications and contacts to reset my authenticator when my old phone was broken; as it should be.
Unfortunately many places are actively refusing to work with Google Voice. I got a message from Bank of America saying specifically that they're removing Google Voice support:
> You can't enroll in Zelle with a landline, Google Voice or VOIP (voice over internet protocol) phone number. (Section 3.C.3 Enrolling in the Service)
This follows with some other unnamed (because I don't remember them) services which also refuse to work with Google Voice.
That's really unfortunate because I've been using Google Voice for nearly 10 years without issue until recently (when companies specifically remove support...)
Another common tactic to watch out for: Repeated calling of your phone to annoy you enough so that you switch it off/silent it. That can give the attacker enough time where you don't notice the swap.
If security engineers at cryptocurrency firms are getting hacked, what hope do mom & pop user have? And once your money is stolen, you have basically zero recourse and no way to reverse the transaction. I know many proponents consider that a feature, but I'm telling you for the average user, it is absolutely a bug.
Exchanges get hacked or are victims of internal fraud at a level that is far beyond any acceptable risk. https://coinsutra.com/biggest-bitcoin-hacks/
If you have any kind of serious crypto holdings, you should either be using hardware wallets or a PC that you only use for crypto. Nothing else. * Buy crypto, transfer to your PC, turn off PC.
Now if the whole thing is tanking and you want to transfer your entire savings to try and ride the wave you are already too late if your money is not already on an exchange and you shouldn't be 100% swing trading anyway.
Just my opinion on how I handle it.
For Bitcoin you should always aim to use the lowest fee possible, and use replace-by-fee (RBF) if a transaction is taking too long.
I still maintain as I did several times here in the past: bitcoin (and in general, crypto"currencies" because they are not currencies) are a scam, a new kind of scam for sure but a scam nonetheless. There are simply no (legit) use cases.
I'd argue that Bitcoin's lightning network is gaining traction, and it accomplishes a lot of what you are asking for.
It's also a relatively new thing.
People who cry about government overreach seem to rarely ponder why it is there in the first place. Well, TFA shows why.
https://landing.google.com/advancedprotection/
The standard person today isn't capable of managing multiple secure tokens, and actually keeping them separate.
One smashed phone, and truly secure accounts would be lost forever, or require significant resources on the part of the provider to re-verify people's identities.
I lost money when MTGox went under and made some online posts (on reddit, I think) several years ago. Maybe this is what caused me to be targeted?
This weekend a malicious actor posing as the account holder on my account was able to get my number transferred to his phone. At&t fraud says this happened at a store, and the user had the last 4 of one of my family member's social security number, as well as a fake id. I'm not sure I believe this, but will request more info in writing.
I regained access to my account. The attacker came from IP 216.162.42.85 (santa clara california)
They entered my email and according to google activity logs immediately went after my coinbase account. They got in (joke's on them I didn't have anything). Then they searched my email for 'btc', and also made a visit to my bank website. They weren't able to get access.
As far as I can tell, they were in and out within 10 minutes. I wonder if this was related to the author's experience?
I wish more people knew that their entire identity hinges on a store clerk at AT&T.
I hoped so too but someone replied to me that they can:
https://news.ycombinator.com/item?id=19886705
https://support.google.com/voice/answer/1065667?hl=en
Weirdly, you can't port a Gsuite google voice # to a gmail account. (I looked into it when considering canceling my Gsuite account)
sorry - how does that work? what's the platform / messaging service?