250 comments

[ 3.2 ms ] story [ 133 ms ] thread
Although very sad for this person, his warnings aren't correct. SIM porting is one avenue of attack, but TOTP can also be phished through a http reverse proxy. Push based 2fa is better, U2F based hardware keys are the gold standard today.
(comment deleted)
This is frightening. If you're using texts for 2-factor auth you're at the mercy of your phone service provider's customer service. And they're trying to balance being helpful with security, which can be in opposition. Losing $100,000 with no hope of recovery is the kind of thing that could sink many people's finances.

His summary of how to avoid having this happen to you:

  * Use a hardware wallet to secure your crypto
  * SMS-based 2FA is not enough
  * Reduce your online footprint
  * Use Google Voice for 2FA
  * Create a secondary email address
  * Use an offline password manager
Good list, and I would add using multisig for serious amounts.
> * Use Google Voice for 2FA

I like this idea, insofar as the Voice number is not vulnerable to the SIM port attack.

But then I worry that it's yet-another-thing I'm to my Google account, which Google could always shut down at a moment's notice, with no explanation, and no recourse.

There may not be a choice. Vanguard refused to log me in until I configured 2-factor SMS.
I would consider that an alarming sign that I need to change investment companies asap (probably after loudly complaining and trying to change it, since Vanguard is somewhat unique).
Fidelity also only uses SMS-based 2FA :-/
Vanguard can work with Yubikeys now.
(comment deleted)
> Do not leave funds idle on exchanges or fiat on-ramps.

This warning has been publicly repeated hundreds of times since 2010, yet people still insist on ignoring it.

The author didn't lose anything. He gave Coinbase his bitcoin in exchange for a promise to pay it back. That deal backfired.

> I knew the risks better than most, but never thought something like this could happen to me.

There's knowing the risk, and then there's knowing the risk. I'd suggest that the author didn't really know the risk, or he would never have considered leaving such a valuable asset in the care of an organization so ill-equipped to safeguard it.

Honestly, put it into Coinbase's vault (locked for 48 hours).

People want the convenience of being able to trade while also wanting security. Eat the cost of transferring from a hardware wallet.

Do you also keep your cash under your mattress, instead of into a bank account?
This is the first analogy that sprang to my mind as well but as they noted Coinbase gets all the upside and you get little in return. When you put your money in a bank typically you earn interest in exchange for the bank having your money.
Someone please correct me if I'm wrong, but at least in the US banks take on all risk of fraud. If someone starts writing bad checks in your name, that's ultimately the bank's problem rather than yours.
Coinbase is not a bank. It acts like one. It spies on its customers on behalf of federal regulators like one. But it most definitely is not a bank.

The author has to eat the loss, as per the user agreement.

That line of thinking is part of the problem. It's terrible that the author lost his money, but misconceptions only ensure this will happen over and over.

Coinbase != bank.

The banking system has a safety net for recovery of stolen funds. Coinbase has pretty much jack squat in that sense.

True, Coinbase is insured against loss from its hot wallet. But if Coinbase were to suffer a loss from its cold wallet, you'd be left with zilch.

Likewise, Coinbase's terms of service put all of the responsibility for security on you, the user.

Your bank is a different story. It's FDIC insured. It has in place numerous security measure that enable it to claw back any digital theft and make you whole.

And yet if he'd kept it on his own machine there's myriad other vectors from compromised wallets to typos that would separate even the veteran "investor" from their crypto. And we'd be blaming him again, just as you are now, because in the land of Crypto anything bad that happens is your fault, not the insanely problematic technology. This is the fundamental problem with crypto, it's irreversible and decentralized. These aren't features, they're bugs.

If this were real money or real assets, he'd be able to call his bank and be made whole by the close of business, I wager. Instead he's out a down-payment, SFYL.

I can't believe these shenanigans are allowed to play out as though we're all okay with this being the future of currency.

>because in the land of Crypto anything bad that happens is your fault, not the insanely problematic technology

Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"? The problem here is that people are not aware of the risks associated with cryptocurrencies and so are not taking the required precautions. After all, you can be pretty reckless with your credit card numbers or bank login and still be fine, because the finance system has an undo button for everything.

>This is the fundamental problem with crypto, it's irreversible and decentralized. These aren't features, they're bugs.

I wouldn't call them "bugs", just design decisions or trade offs. Bug implies it's somehow fixable, but if it's not. What if you want to make an irreversible payment, or want to be able to send money to whomever you want without the government stepping in the way, all while being trustless? Is there a way to achieve that, and still being able to hit undo when you make a mistake?

> Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"?

More aptly though, I would declare it problematic if I couldn't drive 10 feet without someone carjacking me in my ostensibly armored car, or if pressing the button on my radio caused the car to explode. I'd call that 'problematic' because if it were my fault, I'd be in jail, and if not, the automaker would be on the wrong end of a huge lawsuit.

You know who we have to thank for their current level of safety? The DOT, NHTSA and legal system.

> The problem here is that people are not aware of the risks associated with cryptocurrencies and so are not taking the required precautions.

He had his coins on probably the only legitimate exchange in all of crypto. He had 2fac. He had 2fac on his gmail. If this isn't sufficient to keep your money protected, we need to stop blaming the victim. He's probably one of the most competent technical individuals owning crypto. If he can't keep it safe how on earth would your grandmother?

> After all, you can be pretty reckless with your credit card numbers or bank login and still be fine, because the finance system has an undo button for everything.

Isn't that awesome? We've recognized people make mistakes and created for them a path to remedy said mistakes. Pretending they don't happen and that it's the victims fault if they do isn't a replacement.

> What if you want to make an irreversible payment.

Wire transfer. You can opt in to irreversibility, it's not the default, and that's completely reasonable IMO.

> ...or want to be able to send money to whomever you want without the government stepping in the way.

AKA breaking the law. Yes, you shouldn't be able to send money to people on the OFAC list, to terrorists, or to sanctioned countries. That's fine with me, and all your fellow citizens. That's why we have those laws. Let's not mince words, "sending money to people the government doesn't want" is financing international terrorism, narcotics trafficking, human trafficking and so on. No, you shouldn't be able to do that.

> ...all while being trustless?

Again, why do you need this without the illegal use cases? Either way PoW cryptos aren't trustless, Beijing has over 80% of the hash power one strongly worded memo away. Decentralized and trustless are not a feature of Bitcoin or most other cryptocurrencies. They are centralized in the PRC. You would give up sovereign control of your money system to the PRC?

> Is there a way to achieve that, and still being able to hit undo when you make a mistake?

No, you shouldn't be able to break the law. An open challenge to all crypto advocates: Provide me one legal use case better suited to cryptocurrency than the US dollar.

> No, you shouldn't be able to break the la

Check your privilege, as some might say

> Provide me one legal use case better suited to cryptocurrency than the US dollar.

Sending money to people overseas without extortionate fees. Surprisingly not everyone overseas is linked with international terrorism as you imply.

Stellar and IBM's WorldWire are hoping to tackle the remittances issue! Check it out if you haven't.
Neither of those solutions need or benefit from BlockChain.
> Surprisingly not everyone overseas is linked with international terrorism as you imply.

Unless you're trying to send money to North Korea that wasn't my implication at all, I have family overseas to whom I manage to send money without crypto or getting overcharged.

There are tons of international remittance services already including Andreesen-backed TransferWise which charges ~0.85% or less to move money internationally. Much less than the sum total of the cost of buying coins on an exchange in one country, paying an on-network transaction fee, risk of huge swings in the asset value and fraud along the way and one more exchange transaction fee in the destination country.

Generally even WU is quite competitive. In markets where they appear pricey the cost is usually to de-risk things like political issues which are all borne by crypto too but opaquely.

For instance, the USD-INR corridor is almost fee-free on all services.

If you've got a ton of money to move, you may be best off opening an Interactive Brokers account and performing the exchange there. They take a commission minimum of $2, or 0.002% ($2000 per million) for the trade. [1] It's a $5.1T per day (legitimate) market after all.

This is not a particularly good example, it's a solved problem.

[1] https://www.interactivebrokers.com/en/index.php?f=1590&p=fx

Uh sorry, Interactive Brokers is so cheap my math was off. They charge 0.2 basis points which is 0.2/100 of 1% (0.002%, minimum $2). So a $100,000 exchange would cost $2.00 and a $1,000,000 would cost $20.00
Replace by Fee, but its a pretty small window of opportunity.
> Cars are designed to travel at lethal speeds. If you were reckless and killed someone or yourself, do you also declare it to be an "insanely problematic technology"?

Possibly: see the numerous self-driving efforts underway.

How can a mobile carrier operate like this?? No authentication that the request isn't fraudulent?

In Sweden I switched to another carrier, still keeping the number in the same name. To do that I got a text message with a code I had to input to initiate the process.

When I ported my phone number from my father to me within the same carrier when I turned 18 that required the same confirmation to initiate the process and signed request/approval both from me and my father posted to the company, with associated emails about the process.

This isn't even hard? This is just basic steps to prevent identity theft....

This is not about porting the number to a different carrier or even a different owner though. It's more analogous to getting a replacement SIM card.

The last time I had a phone stolen, I went to the carrier's store, they checked my ID, and gave me a replacement SIM. And the things is, if the customer service representative is empowered to do that, they could also be bribed by the attacker.

It's worse than this though. My colleague had his sim replaced by an attacker in October of last year even though his account had a note on it specifically to prevent this without the account holder being present and showing photo id. Not only can the customer service rep at your carriers store do this but so can the phone reps at all the other stores that sell phones for your carrier such as best buy. The bottom line is that SMS/phone numbers shouldn't be an identifying factor for security purposes.
I checked, to get a replacement sim my carrier sends out inactive cards that needs to be activated through their web service using the printed number on the card.

If you don't have an account you need to contact customer service, and to get through there they most likely authenticate you based on your SSN and an already active app on your phone (BankID) where you input your personal password.

This has actually created problems when people get their stuff stolen abroad. The ID application is authenticated using your bank and a device using your physical bank card, a generated number from the webpage and your pin and then the generated number is put into the webpage. So if you get both phone and card stolen it's essentially impossible to get into your accounts until you can get a new one posted to you. Especially fun if your bills end up in a digital mailbox requiring that login....

Using that app is how essentially all identification is done in Sweden since it's based on an already approved physical device and a personal password. With your bank as insurance that the information is correct based on your physical bank card and the account associated to it.

See recent Tele2 attacks. This is a problem in Sweden too.

Maybe the Tele2 attacks made them finally sort things out.

Googled. Is it regarding using social engineering to enable call forwarding last autumn? Can't find anything else.
Yeah. Which is how this guy got hacked, too. Whether it's by forwarding or new sim card is a detail. It's the same social engineering vulnerability.
And reading the article everyone was already at the time working on preventing it, because any unauthorized change is illegal.

The prevention seems to be either through BankID authentication or actually calling/texting the number being forwarded to make sure the request is legitimate.

In your case, a dedicated attacker could socially engineer the carrier into changing you and your father's contact details and then port the number.

$100k is a lifetime's worth of money in some countries, and it can justify a few months worth of recon.

How? I still get a text to my physical phone with the active number being ported and use the code supplied to initiate the process.

Somehow making them change my contact details would just end up with the bills being sent to the wrong place, if you still have paper bills and don't have it automatically paid or goes to a digital mailbox.

This kind of sums up the whole article:

> I knew the risks better than most, but never thought something like this could happen to me

This also explains why this article is useless as a warning. Someone who will be hacked like this in the future is reading now this article and saying "hmm, I should be securing my holdings against this, but I don't have time now, and this won't happen to me right away, I'll look into it next week"

It's like the countless articles which appear after backup failures. "I knew I was supposed to test restoring from backup, but...."

Part of the problem here is the lack of fraud insurance from CoinBase/exchanges. If the attacker would have instead stolen from his bank (several US and Canadian banks I know happily allow logins with only a password or are only starting to introduce SMS-only 2fa), it is likely that the bank would have returned the money, whether they could revert the transaction or not, and then pursued the hackers themselves.
because they can (usually) revert it.

Because reversibility is a good thing.

Fraudulent transactions made with a regular bank account are pretty irreversible too. There's a whole extra layer of infrastructure on top of the 'core' banking services that allows them (banks) to 'reverse' a fraudulent transaction. But I'd be very very surprised if fraudulent charges are 'reversible' in any other way than the bank reimbursing the account holder.

In other words, crypto-currency exchanges could do the same thing (but then they'd almost certainly have/want to charge for that).

Double-entry bookkeeping is also, ideally, irreversible.

They are generally reversible until they cross borders, then it gets way more complicated. Most of these scammers are outside the US, they immediately make an international wire transfer of the money, then split it apart to a bunch of separate accounts, in order to make reverting impossible
Real banks have been hacked (e.g. full mainframe root access), and the hackers have made international transfers which were reversed.

Sure. When bank accounts get hacked sometimes the bank just eats the cost, but if $100k goes to another bank they'll contact that bank to have the money be clawed back.

Now I say "reversed", but the end goal I mean is "the money was transferred back" because it's traceable and doesn't require the cooperation of the receiving account holder. Not that it gets "undone" in double-entry bookkeeping.

Indeed bank hacks have lost some money when the "reversal" incurred currency fluctuation effects. (which could have gone the other way, too).

Also no, regular bank transfers are very reversible because courts can order it so. The justice system can order accounts frozen. With cryptocurrency the illusion is "math is the ultimate arbiter", but of course "math" can't solve "so what happens if one party broke the law", but is forced to answer "well... I guess they win, then".

Also compare smart contracts. You can make an illegal contract. Say the equivalent of selling yourself into slavery. Smart contracts want there to be no court that says "actually, that's slavery, and this contract is void, also the money must be returned". To think that "math" can provide justice better than a justice system is not just holding low esteem for justice systems in general. It's anarchy, and tyranny by exploitation.

"People" are not lawyers, which is why some things are not allowed in contracts. "People" are not coders, which is why smart contracts are also not a thing that will happen (on a scale cryptocurrency people dream of).

I'd like to see more companies introduce "time locks" into various big aspects of accounts.

Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.

Want to change 2 factor information for an account? We can put in the request now and it won't take effect for a week while we reach out to you using every communication method we know how to let you know it's happening and give you ample time to stop it if you discover it wasn't actually you that did it.

It seems like a fairly "low cost" way of upping the security quite a bit.

Also, not to make the OP feel worse, but Coinbase even offers a service like this called the "vault". The idea being that withdraws are time-locked for a specific amount of time, and there are multiple ways to stop it during that time lock, even if you got locked out of your account entirely.

And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.

Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.

Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...

Lots of places do this. Fidelity, for example, blocks withdrawals for a certain amount of time when some specific actions happen on an account. I believe address changes and adding people to your account with a certain level of access trigger the block.
One of those is Microsoft, which requires you to wait a month before changing your email, and there's no way that I can think of to get that expedited.
> And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.

Yes! Many password managers (at least KeePassXC/KeePass with plugin) can store and create TOTPs. The underlying keys can be manually shown and entered elsewhere if needed, and can be backed up with everything else that's valuable.

> Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...

Off site and offline backups are a good thing to have, especially with fire and water proof lockboxes. (think encrypted external drive lying around at work or at family/friend's house)

There are also tools to allow you to use those TOTPs without having a phone in general. You can always use those methods instead of using SMS or phones.
>Many password managers (at least KeePassXC/KeePass with plugin) can store and create TOTPs.

Personally I don't really like this feature and urge people to avoid it for "high security accounts".

It's not a "second factor" if it's stored and input using the same device and authentication information as your "first factor" (your username and password).

That's not to say it's useless, at the very least it's another layer that attackers have to figure out. But the true benefits of 2FA come from needing multiple devices to access accounts. If all of the factors are stored in one program on one device, then in the situation where that device/program is cracked, the attackers have everything.

Still, if you are going to choose between no 2FA and "2FA stored in your password manager", choose the password manager! And if you are going to choose between SMS-2FA, and the password manager, choose the password manager! But if you really want better security for not much more work, store your 2FA on a different device!

What's a good secondary service to store the TOTP codes separate from passcodes?

Authy, from what I understand, requires a phone number as backup, meaning it could be compromised by the same method

Google authenticator can't be backedup, which is royally annoying when you change/lose devices

Lastpass has some security issues, and one well known comment here has recommended no one use it.

I heard someone say they use Duo security: does that let you store codes? When I looked it just seemed to lock various services

You can back up the Key used to set up the TOTP system. This allows you to re-seed the TOTP generator on a new device without needing to go through setup.
Personally I use Google Authenticator. The lack of a backup is a feature not a con IMO.

Every account I have setup with TOTP I also make sure to print out the recovery codes and put them in a safe, and use them if my device is ever destroyed. When I switch phones (which for me happens maybe once every 2-3 years at most), I go through the shitty process of transferring the TOTP codes over to the new device, but it doesn't really take all that long (it took me an hour to do it for about a dozen accounts last time I did it), and I'd much rather not have any of it uploaded anywhere.

You can print out the QR code or save that somehow during setup and use that to setup TOTP codes on other devices (or the same TOTP on multiple devices), but I tend not to do that as recovery codes work just as well, and they notify you if they are used (unlike a TOTP setup QR code). I did have to store the QR code for one account that doesn't provide recovery codes, but it's overall not that much extra work.

This is good advice. I also have my TOTP set up on at least two devices, my phone, my previous phone, and my iPad. (Both phones because it's fairly common for me to have both my current phone and my iPad with me at the same time. It's spectacularly rare for me to have all three devices with me outside my home.)
Google Authenticator does not help prevent against a compromised device (as all TOTP secrets and seeds are on device) and is truly a pain when working with multiple phones. Personally I use Yubico Authenticator as all the TOTPs live on my Yubikey. That, in combination with a password then clicking on a totp i want and tapping my yubikey provides me with only that code. When I first seed the yubikey with a new TOTP i also backup a copy of the QR code text and save it into my password manager in the unfortunate event of having to swap out yubikeys.
Doesn't this mean your password manager is still single factor? Access that, access everything. That's the problem I was trying to avoid.
I use pass for my password manager which links to my yubikey that has my gpg key on it. My yubikey has touch enabled which means that even if someone got access to my machine with my yubikey on it and asked me to tap they would only get that single password. As far as TOTP is concerned it's the same thing. The TOTP section of my yubikey has it's password and also requires a tap
You can use Authenticator Plus, which cloud syncs your 2FA DB on every add/delete/update you make to any of your 2FA accounts.
I use Authenticator Plus (https://play.google.com/store/apps/details?id=com.mufri.auth...) which has encrypted cloud backup (Google Drive or Dropbox). The encryption is done client-side. When I get a new phone, all I do is set up A+'s cloud sync on the new phone, enter the passphrase I've used previously, and it syncs all my TOTP codes.

As a bonus, the backup is just an encrypted sqlite DB (with dirt-simple schema), so you're not tied to some inscrutable proprietary format, and can easily extract the tokens if you want to use a different app/service.

You can disable "multi device" mode in Authy, this prevents adding new devices via SMS auth.
Even when you authenticate via SMS in multi device mode, the imported tokens still have to be decrypted via a master password. SMS is just your account identifier on Authy, hijacking it will not allow access to your tokens on its own.
I use a Yubikey + my phone for storing copies of TOTP codes

Means I don't have to worry about phone upgrades and such, and if the Yubikey were to stop working I still have it on my phone

When setting up a new TOTP for Google Authenticator for my personal accounts, my standard procedure is to take a screenshot of the initialization QR code, and encrypt that screenshot with my gpg key. That is then stored on my external backup disk (which incidentally uses FDE via luks).
Authy let you password encrypt your data with then, so even if someone ports your sim it won't give them access.
Simple solution, have a secondary db for totp.

I have this in case my yubikey ever dies and takes my totp codes with it.

> That's not to say it's useless, at the very least it's another layer that attackers have to figure out. But the true benefits of 2FA come from needing multiple devices to access accounts. If all of the factors are stored in one program on one device, then in the situation where that device/program is cracked, the attackers have everything.

I feel you're not portraying the trade-off accurately so I'll try to clarify.

It's not merely better because it's just "another layer to figure out". That's what you would get with 2 passwords. It's not what you get with 1 password + 1 OTP.

With OTP you're protected against your password being logged and used later on e.g. an untrusted or breached machine (say, at a library). I'd hazard to guess that dealing with a passive adversary who's time-separated from you is FAR more common/likely than having your actual password database stolen or cracked somehow. Meaning it's still quite a significant benefit to having OTP.

> Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.

+1. I lost a phone and with it my Cloudflare 2FA. For some reason, Cloudflare won't let you contact tech support without logging in. There is no contact info for support on their website, AT ALL, so if you can't log in, you're fucked.

> I'll put your request in now but it will wait for 5 business days before it happens

This to me seems to be a complete misunderstanding of the telcos business and motivations. They sell mobile telephony - voice, sms, and data - and their _prime objective_ is to make it as easy as possible for their customer to spend as much money doing that as possible. Making you wait five days to get reconnected to "your number" when you have, for whatever reason, lost control of it is just not going to happen. They'll move mountains to get you back onto your data/voice plan before you've walked out of the store.

Nobody ever advertised their phone/sms plans as "banking grade secure". Telcos have been telling us for years that they are explicitly _not_ secure for that:

https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for...

Communications Alliance chief executive John Stanton, representing the interests of mobile providers Telstra, Optus and Vodafone, took the extraordinary step of of declaring the technology insecure in the wake of numerous reports of Australians being defrauded via a phone porting scam first uncovered in Secure Computing magazine.

"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," Stanton told iTnews this week.

Telcos are not interested in securing that, they get _way_ more complaints from people who lost/broke their phone who want their replacement one to work RIGHT NOW, than they do from people who got defrauded with a sim porting attack. And the first group of people are spending _way_ more money collectively than the second, so of course telcos will continue to make it quick and easy to sim port.

Everybody else needs to deal with that. While sms 2FA is marginally better than not having any 2FA at all, it's not the telco's problem if you choose to use it to "secure" your $100k worth of crypto. In my mind, a large part of the blame here goes to COinbase for even offering it. I'm also looking at your PayPal...

Yes, Paypal is bad, they took away their support for the Symantec 2FA codes and forced users in many countries to use SMS instead.

This is pretty easy for the telco to prevent, though. Your existing telco should simply phone you and ask if you wish to leave them before letting the number get ported out.

Note that all telcos will prevent the number being ported out if you owe them any money on the account.

(comment deleted)
> Note that all telcos will prevent the number being ported out if you owe them any money on the account.

Wait really? Is there a way to force yourself to perpetually owe them a small amount of money then? Could be really worth the money.

An attacker could just pay the balance.
Seems like a decent hurdle to make an attacker jump through? Given they'd want the payment to be untraceable etc.
This wouldn't prevent a SIM port attack (which is what occurred in the article). You don't leave your provider so account status isn't a factor.

The comment you replied to appears to be discussing porting a number to a different provider which is very different and doesn't happen same-day.

You appear to be discussing porting a number from one provider to another but the attack in the article (and being discussed in the thread up to this point) is based on moving the number to another SIM within the same provider).
> While sms 2FA is marginally better than not having any 2FA at all

I used to believe this too. Until this morning. Then I realized something and now I'm not so sure: if I don't have SMS 2FA at all, then my phone line is less to become an attack target. Meaning I'm less likely to have to deal with the collateral damage of lost accounts, files, etc. So is it really better to have that SMS 2FA? Especially if you weren't ever having problems securing your stuff before it came along?

Thank you. I've been waiting years now for someone else to notice this as well.
Good to know! I feel like it stems from the notion that protecting whatever particular account they want you to protect must be the most important priority in your life. Even security folks don't always seem inclined to think in terms of trade-offs... too often they seem to see things as black and white. If something protects your account or computer better then it must be better and you have to do it. They don't care if you might lose your job or if it might burn down your home as a side effect; that's just not part of their threat models...
(comment deleted)
> Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.

Funny because that's exactly what happens in France when you do so. I must have sounded a bit dumb when I asked when my number would be active when I changed from Tello to Verizon. I couldn't believe it was effective right away.

It's been a while since I ported a number but the last time I did it took days here in the UK too. I just assumed it was typical inefficiency by the mobile operators rather than a security thing, however.
It takes days in the UK because we have a crappy system where instead of having a central register of number -> provider, calls are still routed to a ported number via the "donor" network, i.e. the network the number range belongs. So I just ported from O2 to EE, and my calls and texts will still go through o2, and then sent on to EE. Not very efficient.
The „time lock” approach is exactly what Apple is doing if you try to recover your Apple ID (without password and second factor).

Unfortunately, when you search on Twitter, people are going bananas over having to wait a few days to get their Apple account reset... so I definitely get why not more companies are doing this.

2FA has no place over phone networks for account recovery. It's far easier to obtain access to 2FA texts or doing SIM ports like this, than it is to break some gmail account password (even a weak one).

So many people don't seem to understand this - I was trying to use U2F yubikeys on gitlab a while back only to discover they force you to enable 2FA first for account recovery, this completely defeats the purpose of hardware auth, it's not supposed to be for convenience, security is only as strong as the weakest link, 2FA is very weak.

Large tech companies like Google push 2-factor auth to "increase" security, but this article shows that 2-factor auth with SMS verification opens up a huge security hole since the attacker can access your email if they can get your provider to port your SIM over to their device. Am I missing something and if not how did companies like Google not foresee this huge security hole?
(comment deleted)
Google offers many different 2 factor methods including Google Prompt, TOTP, and security key - all of which are better choices than SMS. The author is right to say that SMS is not enough but he didn't go far enough: only use SMS-based 2FA if it's your only 2FA choice for your critical accounts, and consider alternative services if it's your only choice.
The issue is that the forgot/lost device flow allows you to remove your more secure 2FA with only SMS verification.
You can turn off SMS/phone auth fallback, at least in gsuite.
If you use one of those secure options, click the lost your device option, and then you can describe to everyone how secure the recovery process is.
I don't know if that's possible in gmail, but in protonmail you can just disable password recovery altogether, which makes your email account secure against these kinds of attacks.
Stuff like this freaks me out and I'm sure I'm not the only one. Thanks for the wake-up call. It's a terrible amount of money to lose. I hope things get better for this guy in the future (and I don't think anyone would say they're to blame for this.)

Security is becoming so difficult to balance with an every day life... I don't know how anyone can remember everything that they're "suppose" to know about security.

"I treated Coinbase like a bank account and you have absolutely zero recourse in the case of an attack."

Now that's the real problem. Coinbase acts like a bank or a broker/dealer, but isn't regulated like one.

That and Bitcoin is specifically designed to not give you a recourse in case of an attack.

Cryptocurrency designers seem to think that banking was designed as a mistake without anyone thinking. That laws people wanted were just unfortunate side effects.

Bitcoin isn't the problem here. Coinbase is regulated as a "money transmitter". You can get into the same situation if you send money via Western Union, which is also regulated as a money transmitter, and tell them to "waive identification" at the receiving end.[1] That's used as a payment method by some scams.

Coinbase will pay out via PayPal, so someone with access to an account's credentials could pull of this scam without involving cryptocurrency at all.

Now if Coinbase was regulated by the SEC as a "broker/dealer", which is what they really are, they'd be subject to SEC regulations on fraud, and would have SIPC insurance to protect the customer up to $250K.[2]

Coinbase does, in fact, have a New York State "BitLicense", which makes them subject to various New York State regulations. Among other things, transactions larger than US$10,000 have to be reported to the New York State Department of Financial Services within 24 hours, and Coinbase is subject to rules about cybersecurity, fraud, and its activity as a custodian of the funds of others. You can complain to the New York State Department of Financial Services.

DFS pulled Bittrx's license last month and gave them one day to get out of New York State.

[1] https://www.westernunion.com/us/en/fraudawareness/fraud-ques...

[2] https://www.sipc.org/for-investors/what-sipc-protects

(comment deleted)
I have a question related to this that someone expert in Bitcoin could answer.

Could the victim monitor where the bitcoin (we assume) went to using the public blockchain record? Then, trace it every step of the way (and in whatever chunks it divides into) until it reaches the account of a publicly identifiable entity? At that point, there might be legal recourse in recouping stolen goods (at least, this is how it works in the UK with stolen physical goods.. even if someone "legitimately" buys them, they can be reclaimed).

(comment deleted)
Truly big heists like the Mt. Gox collapse have received research attention, yes. There are some firms which will follow the transactions and try to find patterns. However, for a relatively small amount like this it's probably futile. It's trivial (though costly) to run the funds through a public mixer several times, or to trade it for Monero, which has a ledger that's much more difficult to analyze.
Kinda but it's hard and there are measures to counter this. There is one thing called coinjoin which attempts to tumble coins.

Imagine you stole 10 btc and you split it to 10 outputs of 1 btc each. Then you use 2 of them to perform a coinjoin with several other people where in a single transaction 10 inputs of 1 btc (2 of them yours) produce 10 outputs of 1 btc (again 2 of them yours). There is no way to tell which coin is which anymore. Of course this requires some degree of interaction with other people but in other coins such as grin that use the mimblewimble protocol this happens automatically for every block.

Another thing you can do is try to do an atomic swap with someone on another blockchain i.e Litecoin. In this case you send your coins to a specific script address, the other person sends his LTC to another script address and you effectively swap BTC with LTC.

Is there a mobile carrier focusing on security?

something like what CF (and others) are doing with domains

I would think that an online-only MVNO like Ting.com would be harder to fool - even if their call agent fell for the trick, they'd still have to mail a new sim out. But you'd have to log in yourself to swap the sim using the Ting website. As I understand it, attacker would have to fool you and coax you to swap the sim.
That's interesting, I did not know it was possible to have a coinbase acct without working google authenticator.

I found out the hard way it takes over a week of time and multiple verifications and contacts to reset my authenticator when my old phone was broken; as it should be.

Coinbase should not allow your phone number to be used for 2FA.
I don’t think they’ll change it either because doing so would be admitting responsibility.
> Google Voice 2FA

Unfortunately many places are actively refusing to work with Google Voice. I got a message from Bank of America saying specifically that they're removing Google Voice support:

> You can't enroll in Zelle with a landline, Google Voice or VOIP (voice over internet protocol) phone number. (Section 3.C.3 Enrolling in the Service)

This follows with some other unnamed (because I don't remember them) services which also refuse to work with Google Voice.

That's really unfortunate because I've been using Google Voice for nearly 10 years without issue until recently (when companies specifically remove support...)

Same with my bank, and I ported my Voice number to my carrier.
If you ported a previous phone number to google voice, how would they know?
I don't imagine they would know unless they check their service logs. I imagine that interconnectivity with (in my case: Bank of America) would cease. And I'm pretty cynical with tech so I suspect it would quietly cease.
This is frightfully common in South Africa except aimed at banks - they use SMS as their 2FA. ("SIM swap")

Another common tactic to watch out for: Repeated calling of your phone to annoy you enough so that you switch it off/silent it. That can give the attacker enough time where you don't notice the swap.

This is the kind of stuff that convinces me we'll never see mass adoption of cryptocurrency -- or that if we do, it will be only by replicating the existing financial system and slapping a cryptocurrency label on it.

If security engineers at cryptocurrency firms are getting hacked, what hope do mom & pop user have? And once your money is stolen, you have basically zero recourse and no way to reverse the transaction. I know many proponents consider that a feature, but I'm telling you for the average user, it is absolutely a bug.

Sucks to be the OP but storing any crypto in an exchange is idiotic and literally the first thing on any list of "how to secure your crypto" is to not do it. This shows the OP is just being willfully ignorant.

Exchanges get hacked or are victims of internal fraud at a level that is far beyond any acceptable risk. https://coinsutra.com/biggest-bitcoin-hacks/

If you have any kind of serious crypto holdings, you should either be using hardware wallets or a PC that you only use for crypto. Nothing else. * Buy crypto, transfer to your PC, turn off PC.

For any significant crypto holdings you should be using a hardware wallet, and for serious holdings you should also use a multisig setup.
Right but what if the blocks fill up and transactions are taking forever right when you (and others) have the most interest in selling?
This is why you do long term holding in BTC or any coin that may take longer to confirm on the chain and the money you are playing/trading with should be in an asset like XLM which transfers in seconds.

Now if the whole thing is tanking and you want to transfer your entire savings to try and ride the wave you are already too late if your money is not already on an exchange and you shouldn't be 100% swing trading anyway.

Just my opinion on how I handle it.

That’s not really a security issue. It sounds like a speculation issue. Treat custodial services like a porta-potty at a shitty music festival: do your business then GTFO

For Bitcoin you should always aim to use the lowest fee possible, and use replace-by-fee (RBF) if a transaction is taking too long.

Federal laws and the protections/insurances a US bank provides would have you without losses right now. Why do we want a decentralized currency again?
Because it covers the use cases of cash but for online. Sometimes you're willing to have no safety guarantees but also not have to deal with paypal etc. Send a small tip to a content creator, pay content creators in small amounts in a patreon-like setting without having to deal with rules against content payment processors don't like (I saw recently this was being launched but I forget the name), lots of use cases.
I really need to call out crypto shill when I see it. As it stands, bitcoin is utterly unusable for micropayments, the transaction fees are way too high for that. There has been attempts at creating micropayment services on top, these all have failed to gain traction.

I still maintain as I did several times here in the past: bitcoin (and in general, crypto"currencies" because they are not currencies) are a scam, a new kind of scam for sure but a scam nonetheless. There are simply no (legit) use cases.

Bitcoin isn't the only crypto. Dogecoin is great for microtransactions.
I pay all my dogs in Doge
> There has been attempts at creating micropayment services on top, these all have failed to gain traction.

I'd argue that Bitcoin's lightning network is gaining traction, and it accomplishes a lot of what you are asking for.

Who doesn't want to learn the lessons of the last millennia of finance all over again?
A non-federally controlled pseudo-anonymous currency similar to cash has the positive upside of enabling digital privacy in spite of the blockchain. That's why. There are still trustworthy tumbler services to obfuscate and hold your bitcoins similar to a bank. And with what some claim, inarguably so, of government overreach and corporate over-sharing of your personal data, it's something I can sympathize with.
Similar to a bank as in a guaranteed insurance of my funds, like the FDIC in the US?
FDIC is the government overreach the parent was talking about.

It's also a relatively new thing.

People who cry about government overreach seem to rarely ponder why it is there in the first place. Well, TFA shows why.

TFA?
The eFfing Article (as in RTFA, "read the effing article"). I.e. the thing we're all discussing here.
This person's Google account is likely still vulnerable to the attacker and if they used chrome password sync all of their other accounts are also likely owned. You can recover a google account if you know some basic details such as a previously used password or the creation date of an account. After having a google account owned enrollment in the advanced protection program and ensuring only the strongest recovery methods are enabled are best next steps.

https://landing.google.com/advancedprotection/

It's why most of 2FA implementations is BS. It's truly only whoever has access to your number or email can do whatever.
I wouldn't say it's BS. It's just not perfect.

The standard person today isn't capable of managing multiple secure tokens, and actually keeping them separate.

One smashed phone, and truly secure accounts would be lost forever, or require significant resources on the part of the provider to re-verify people's identities.

I was attacked in the same manner this weekend. I'll dump what I know below in the hopes it helps someone.

I lost money when MTGox went under and made some online posts (on reddit, I think) several years ago. Maybe this is what caused me to be targeted?

This weekend a malicious actor posing as the account holder on my account was able to get my number transferred to his phone. At&t fraud says this happened at a store, and the user had the last 4 of one of my family member's social security number, as well as a fake id. I'm not sure I believe this, but will request more info in writing.

I regained access to my account. The attacker came from IP 216.162.42.85 (santa clara california)

They entered my email and according to google activity logs immediately went after my coinbase account. They got in (joke's on them I didn't have anything). Then they searched my email for 'btc', and also made a visit to my bank website. They weren't able to get access.

As far as I can tell, they were in and out within 10 minutes. I wonder if this was related to the author's experience?

This is the reason I have disabled SMS as a recovery option in my gmail/google account. My 2FA for gmail is now my iphone and ipad. THey have to know my password and get one of my devices to hack my account. I also use protonmail and for SMS based 2FA, I plan to use a google voice number from a totally different google account w/c forwards the text to my protonmail account. Google voice numbers cannot be ported out. Hence, avoiding the sim hack. They can port out if they hack my "shadow" google account. The trick is to never use the shadow account for anything. Hence, the attackers have no way to get to your google voice.
This is awesome. Thank you for sharing.

I wish more people knew that their entire identity hinges on a store clerk at AT&T.

I'm fairly certain that any phone number in the US has to be portable by law.
I've ported out my google voice numbers several times.
Porting out GVoice numbers is harder, but it can absolutely be done, I've moved a purely Google Voice number to T-Mobile before.
> My 2FA for gmail is now my iphone and ipad

sorry - how does that work? what's the platform / messaging service?

Authenticator app that generates one-time codes; no messaging (or even being online) required after the initial sync.