Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: ebliever on December 22, 2016, 04:15:20 AM



Title: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: ebliever on December 22, 2016, 04:15:20 AM
Article at link:

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#3e024ad522db

Lessons learned:
2FA using SMS is badly compromised.
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners - but it's only a matter of time for the rest of us.
Thieves are impersonating prominent bitcoiners, asking friends for "loans" of BTC (etc) - which just means more victims.
It's not just bitcoins - bank accounts and everything else are vulnerable. (And you can't fix those with a Trezor or paper wallet.)

What else?


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: ranochigo on December 22, 2016, 04:24:32 AM
Article at link:

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#3e024ad522db

Lessons learned:
2FA using SMS is badly compromised.
Definitely. Phone companies are especially vulnerable to social engineering. It has happened to various other people, including linustechtips and even cloudflare's CEO.
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
The services are vulnerable too. 2FA isn't safe if you use it with your phone number.
Hackers are targeting prominent bitcoiners - but it's only a matter of time for the rest of us.
Hackers are likely more interested in the people holding a larger amount.
Thieves are impersonating prominent bitcoiners, asking friends for "loans" of BTC (etc) - which just means more victims.
It's weird if a friend asks you for a loan over the phone. Anyone receiving such a request SHOULD verify it physically, especially if it's for a large amount.
It's not just bitcoins - bank accounts and everything else are vulnerable. (And you can't fix those with a Trezor or paper wallet.)
For the banks I use, the bank accounts have physical OTP keys and they are much more difficult to compromise.

Bitcoins aren't vulnerable if you choose to secure your coins with a desktop/cold wallet. The reason why Bitcoins are lost through this is because of people storing them in services.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: shamzblueworld on December 22, 2016, 04:28:03 AM

You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners
I completely agree with this. You can not trust all your apps blindly, it is a great risk to do that and sooner or later, you will regret it if you do keep sharing sensitive info with your mobile phone, even the words you type from your mobile phone are recorded by your keyboard, how can you be sure they cannot reuse them for harmful reasons?
So try to be as secure as possible and only do it with PC, though it is also not that secure but at least it is way more than the so called smartphone.
 


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: ebliever on December 22, 2016, 04:34:52 AM
Guys, read the article. (It is a good read.) The hackers are able to access PC's starting with the phone hacking. Sounds like a very ugly episode when everything - bank accounts, Windows login, desktop wallets, etc. - all get seized in one swoop. Because phone companies still think of themselves as phone companies, and not as gatekeepers to people's financial and personal property on a vast scale. They can't keep screwing up like this.

If the evidence that this operation(s) is based in the Philippines is right... well, the hackers might not be too happy once Duterte catches up with them. If he treats them like he does drug dealers, they will have a _very_ short life expectancy.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Arrakeen on December 22, 2016, 04:39:07 AM

You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners
I completely agree with this. You can not trust all your apps blindly, it is a great risk to do that and sooner or later, you will regret it if you do keep sharing sensitive info with your mobile phone, even the words you type from your mobile phone are recorded by your keyboard, how can you be sure they cannot reuse them for harmful reasons?
So try to be as secure as possible and only do it with PC, though it is also not that secure but at least it is way more than the so called smartphone.
 


As secure as possible with a pc would mean an isolated box, where your funds/keys are stored. Even if that means  looking over then typing everything individually, better than a possibly compromised USB stick.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: avatar_kiyoshi on December 22, 2016, 05:55:06 AM
I have the same case as Kenna; fortunately I just lost a few bucks. Using a 2FA phone number is very vulnerable; it was proved when I lost my money using these features. Although it's kept offline.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: davis196 on December 22, 2016, 06:30:33 AM
Article at link:

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#3e024ad522db

Lessons learned:
2FA using SMS is badly compromised.
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners - but it's only a matter of time for the rest of us.
Thieves are impersonating prominent bitcoiners, asking friends for "loans" of BTC (etc) - which just means more victims.
It's not just bitcoins - bank accounts and everything else are vulnerable. (And you can't fix those with a Trezor or paper wallet.)

What else?

Let's just stop using bitcoins and stop online banking because of the hackers. ;D

Let's use only gold and silver coins for trading purposes.

Hackers can't hack gold and silver coins. ;D Just kidding.

Hackers are a serious problem.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: MingLee on December 22, 2016, 06:50:30 AM
Everything is vulnerable as long as they can find your phone number and contact your phone service provider and get your SIM card info.

There is nothing that can especially prevent anything, but phoning up your provider and setting up additional security for something like this can help ease these woes, again, to a certain extent.

There are cases like this for YouTube users as well, so it's not rare or specific.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: NorrisK on December 22, 2016, 07:08:42 AM
How about proper training to people that give out personal details of others?

If the people got some training on how to verify better that it's the real person, it may become less common. I mean, most companies only ask for publicly available information such as address and birth date before they give you whatever you want...


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: maydna on December 22, 2016, 07:15:25 AM
How about proper training to people that give out personal details of others?

If the people got some training on how to verify better that it's the real person, it may become less common. I mean, most companies only ask for publicly available information such as address and birth date before they give you whatever you want...

It's a good idea, but I don't think this could solve the problem, as we can see that many people are not giving their attention to the 2FA phone number. But at least that person knows how to solve their problem with 2FA, and I think we can use another security measure for saving our account so we can prevent hacker attacks.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Kakmakr on December 22, 2016, 07:52:28 AM
Ok, explain this to me. Why would an early Bitcoin adopter store 1000's of coins on a hardware device? This smells a bit fishy, to say the least. I never keep all my coins in the same device. I always split my coins over 100's of paper wallets, and I store those in different places. If I need coins, I just grab one paper wallet and sweep it online. < not everything in one go, because that would be VERY stupid >

None of these are proven statements, so they can just publish any shit they want to, to sell papers and get more hits on their news sites.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Roger Burton on December 22, 2016, 04:45:32 PM
A very good hacker knows how to handle you and take information from you. We all have to be very careful with those we're talking to. It's for our safety, not only for our money but for our lives. So people, do not give out your information.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: bitbunnny on December 22, 2016, 04:57:52 PM
Hackers are always a step ahead. It's needed to develop new security mechanisms all the time. But it seems that everything that is considered to be secure in fact is not. That also happened with 2FA. So, what can we do, what method, mechanism or tool can actually protect our coins? Is there anything that we can fully trust?


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: BitcoinGirl.Club on December 22, 2016, 04:58:54 PM
Thought that 2FA was the safest thing out there. Apparently not! :-[


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Yakamoto on December 22, 2016, 05:05:50 PM
Thought that 2FA was the safest thing out there. Apparently not! :-[
2FA is actually one of the safest methods of securing your data that exists. The only issue is that hackers can access your SIM card if they know your number and call your phone company, and then make a blank and get the same info you get from your 2FA services.

It's not easy, per se, but it can be done and it is simpler to do than dictionary-attacking a password. It requires a lot of information first though.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Sithara007 on December 22, 2016, 05:41:26 PM
Thought that 2FA was the safest thing out there. Apparently not! :-[
2FA is actually one of the safest methods of securing your data that exists. The only issue is that hackers can access your SIM card if they know your number and call your phone company, and then make a blank and get the same info you get from your 2FA services.

How are they going to hack into the SIM card? Especially if the mobile phone used is a basic variant instead of a smartphone? How are they going to install trojans and other spyware in such a phone?


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Lauda on December 22, 2016, 05:59:04 PM
The hackers are able to access PC's starting with the phone hacking.
Nope. Sounds to me like a case of someone who thinks they understand security, but actually don't. The article is unnecessarily long and pretty much useless (doesn't outline ways of protecting yourself well, but rather tells us a story). Here are some semi-easy ways for prevention:

1) Do not use your personal phone number for 2FA. Use SIM cards without contracts.
2) Do not use social networks (they aren't for the brightest anyways).
3) Delete anything you can find online about yourself -> effectively kills social engineering attempts.
4) Disable Javascript, Flash and everything else by default.
5) Do not use any web wallets or online services to keep Bitcoin. If you need to keep them on an online device (for whatever reason), at least make sure that you're talking about a local desktop client.

Alternative:
A) Use a different computer solely for Bitcoin, banking et al. (Note: This does not save you from targeted network intrusion, rootkits and similar).

How are they going to hack into the SIM card?
People need to stop watching hacking in movies.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: nizamcc on December 22, 2016, 07:04:36 PM
The hackers are able to access PC's starting with the phone hacking.
Nope. Sounds to me like a case of someone who thinks they understand security, but actually don't. The article is unnecessarily long and pretty much useless (doesn't outline ways of protecting yourself well, but rather tells us a story). Here are some semi-easy ways for prevention:

1) Do not use your personal phone number for 2FA. Use SIM cards without contracts.
2) Do not use social networks (they aren't for the brightest anyways).
3) Delete anything you can find online about yourself -> effectively kills social engineering attempts.
4) Disable Javascript, Flash and everything else by default.
5) Do not use any web wallets or online services to keep Bitcoin. If you need to keep them on an online device (for whatever reason), at least make sure that you're talking about a local desktop client.

Alternative:
A) Use a different computer solely for Bitcoin, banking et al. (Note: This does not save you from targeted network intrusion, rootkits and similar).

Quoted you to discuss your first and fifth points.
I just wanted to know that if I use my personal phone number (specifically non-contract sim cards), isn't it still on the edge of getting hacked?
And when you said that we should keep our coins in a local desktop client, say if I am using any web wallets like blockchain, so is it not good to have all my coins be kept there?


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Bigdan on December 22, 2016, 07:38:04 PM
That's why you need to download the entire blockchain and wallet and keep your private keys.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: dontryjustdoit on December 22, 2016, 11:06:52 PM
Use a burner phone not in your name to have your codes texted to. Don't even tell your wife.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Lauda on December 22, 2016, 11:46:03 PM
1) Do not use your personal phone number for 2FA. Use SIM cards without contracts.
5) Do not use any web wallets or online services to keep Bitcoin. If you need to keep them on an online device (for whatever reason), at least make sure that you're talking about a local desktop client.
Quoted you to discuss your first and fifth points.
I just wanted to know that if I use my personal phone number (specifically non-contract sim cards), isn't it still on the edge of getting hacked?
Your carrier shouldn't be able to revoke a non-contract sim to which no information is actually bound. In that sense, it should not be 'hackable' in a way as described.

And when you said that we should keep our coins in a local desktop client, say if I am using any web wallets like blockchain, so is it not good to have all my coins be kept there?
Your web wallets, and those especially that use 2FA are vulnerable to social attacks. A desktop wallet is only vulnerable to targeted attacks, in which your machine has to be compromised. There's a huge difference in the possible approaches for a malicious individual.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: SmartIphone on December 23, 2016, 12:33:32 AM
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

How is 2FA not safe?
There are two layers here, the password and the time password or 2FA which I consider the safest way when logging in somewhere.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: CyberKuro on December 23, 2016, 01:21:10 AM
Article at link:

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#3e024ad522db

Lessons learned:
2FA using SMS is badly compromised.
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners - but it's only a matter of time for the rest of us.
Thieves are impersonating prominent bitcoiners, asking friends for "loans" of BTC (etc) - which just means more victims.
It's not just bitcoins - bank accounts and everything else are vulnerable. (And you can't fix those with a Trezor or paper wallet.)

What else?
Yeah, we get the lesson from Kenna's experience.
Hackers actually can steal our information, but the most important thing is ourselves as the last defense of our wealth.
Bitcoin is better to save in offline wallet or keep it on an encrypted hard drive and just small amount of the rest on online wallet, I thought that is the best way to be safe.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Papa Bear on December 23, 2016, 01:28:04 AM
Kenna’s experience is only one of a spate of recent hackings of high-profile cryptocurrency industry players such as venture capitalists.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: 0xfff on December 23, 2016, 01:30:27 AM
I have always been hesitant to use paper wallets because I fear my printer may record everything I print and if my network gets compromised the private key will be there.  :-[


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: digaran on December 23, 2016, 01:43:53 AM
Every one knows internet is not always safe, always in any sort of case there are security issues no doubt.
But could you tell me how can one simply steal bitcoins by using only a phone number? why not using hardware and or paper wallets no use for securing our funds?
Are you trying to scare away the people with little knowledge about online security from crypto? it seems like it from my point of view.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: x4 on December 23, 2016, 02:55:32 AM
I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: TastyChillySauce00 on December 23, 2016, 03:01:50 AM
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

How is 2FA not safe?
There are two layers here, the password and the time password or 2FA which I consider the safest way when logging in somewhere.
As spoken by him 2FA is not so safe if you use 2FA through SMS verification. Didn't know whether 2FA which use software like google authenticator or similar could be compromised but news above in the main post is a proof that SMS verification could be compromised

I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.
Yeah you said some hackers can't do things like this but maybe the hackers which were mentioned in the news are the rest hackers who could


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: jacktheking on December 23, 2016, 03:28:11 AM
The article is too long and I only read the first half of the article. Anyway, it seems that the hacker is targeting US consumers that have a lot of Bitcoin and use 2FA verification. I personally don't really use 2FA but I do actually think that 2FA is secure as long as we know how to protect ourselves - from the article, Jered Kenna already did his best (it was the service provider that easily accepted the "faked" request). I couldn't believe how the "hacker" managed to fake his identity and transfer his phone number to another service provider. That is something that the provider has to help us secure.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: JasonXG on December 23, 2016, 03:55:03 AM
That was a very interesting article and I am glad that you showed us it. Wow hey? That hacker got into 30 accounts and changed his phone number to another service using social media engineering. So the hacker had control of everything.

What can people do to prevent things like this though? I wonder how exactly the hacker managed to get the guy's phone number and then have it changed to another company?


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: ebliever on December 23, 2016, 04:59:33 AM
The issue is not with all 2FA, but with 2FA using SMS specifically, so far as this article goes. It is noteworthy that Coinbase just sent out an email pushing people to use Google Authenticator for 2FA - probably due to the issues/incidents in this article.

Seems I've been doing some things right by accident. I use GA already, and on a "tablet" that is a smartphone with no phone contract.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: monsanto on December 23, 2016, 06:24:40 AM
Hackers are always a step ahead. It's needed to develop new security mechanisms all the time. But it seems that everything that is considered to be secure in fact is not. That also happened with 2FA. So, what can we do, what method, mechanism or tool can actually protect our coins? Is there anything that we can fully trust?

DNA 2FA might work, although they could then just steal some genetic material. 

Or maybe they could use AI to have a conversation for a few minutes with you when you signup, where it asks you some odd questions.  It could then use this info to test to see if your responses later indicate it's really you.  So if you want to port your phone number you'd then have to have another brief convo with the AI to check if it's you.

Hmm or maybe just offer 3FA.. authenticator + phone#sms + password


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: aarons6 on December 23, 2016, 07:25:30 AM
there HAS to be some inside information for this to work..

first off, someone has to get to know this individual enough to know their phone number, address, and their cell phone provider..

also they need to know their email, and whatever kind of web wallet they used..

this is a long shot to just guess..

so after they "guess" this info, they are supposed to call the cell phone company, and HOPE they send a replacement sim card?
i hate to break it to you, but. ive had to do this, legitimately, and the cell phone company made me go into a store to show id.. so now our "hacker" needs to fake the victims id..

now, once this all happens, the victim is NOT SUPPOSED to figure out his phone stops working?? because  um, once you activate a new sim card the old one deactivates..

now this hacker, is supposed to "guess" the guys email, get them to send the sms text to sign in? and well hope that when this happens the "victim" doesnt notice the sign in attempt that just so happens to get emailed to you?? and if you were smart and used gmail, they email you not only on ONE email but on a BACKUP email..

plus now that the email password is changed.. he is supposed to guess all the other passwords??


sounds far fetched..


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: aarons6 on December 23, 2016, 07:29:18 AM



Hmm or maybe just offer 3FA.. authenticator + phone#sms + password

blockchain.info has 3fa, or 4fa if you choose to enable it..

you would need to verify the sign in attempt by an email link..
you would need to verify the password..
you would need to verify the 2fa code..
and to send funds you need to verify the secondary wallet password..

i would imagine if you were smart and these weren't simple passwords it would be impossible to guess them.

oh and they dont have a password seed.. so you cant just call them up and say i lost my password please reset it.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: royalfestus on December 23, 2016, 07:55:35 AM
It is so unfortunate that hackers are not getting less smart and they are also increasing in number daily. That is why we need to equip ourselves as much as possible, educating ourselves on cybersecurity. Internet is not safe, choice of wallet should also be considered. In most cases with identity theft by hacking it is not done by professionals but local meth users, so inside knowledge/information can mostly make it easy.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Longsnowsm on December 23, 2016, 12:17:17 PM
I know this article has set off discussions at the phone carriers.  However I don't really know what steps are being taken to address the issues at this point. 

Multifactor authentication (something that you know, something that you are (possibly biometrics, voice print, body scan, retina scan etc.), and something you have like an external factor like the Google authenticator, or other similar services) would make it far more difficult for thieves in an online context.  The more factors used the harder it is to impersonate someone.  I know people are going to scream that it isn't convenient.  If you have something worth protecting you will take the extra steps to secure it and put up with the inconvenience.  Relying on one or two factors for authentication is going to be too weak.

But as someone else noted if you have money you are trying to protect then offline in paper wallets probably makes sense.  Which really just makes me laugh a little because we are basically saying "cash" is more secure than the online world.  Sadly at the moment that is probably true.

The other thing that someone said that is very true is limit what someone can know about you.  Search online and see what you can dig up about you and then go scrub it if you can.  Give would-be thieves fewer clues about who you are so they have less chance of piecing together a puzzle that leads them to your personal data and funds.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: bryant.coleman on December 23, 2016, 12:23:54 PM
It is so unfortunate that hackers are not getting less smart and they are also increasing in number daily. That is why we need to equip ourselves as much as possible, educating ourselves on cybersecurity. Internet is not safe, choice of wallet should also be considered. In most cases with identity theft by hacking it is not done by professionals but local meth users, so inside knowledge/information can mostly make it easy.

There is an advantage for these sort of hackers, when compared to the old school thieves and burglars. Hackers can target an online wallet located in another country, and due to the bureaucracy involved it becomes almost impossible to catch them. Now most of the hackers are coming from countries such as China and Russia. If someone's bank account located in the US is hacked and the funds stolen, then it becomes extremely difficult for the US law enforcement authorities to catch the perpetrator, as they don't have any authority in Russia and China.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: royalfestus on December 23, 2016, 03:05:41 PM
It is so unfortunate that hackers are not getting less smart and they are also increasing in number daily. That is why we need to equip ourselves as much as possible, educating ourselves on cybersecurity. Internet is not safe, choice of wallet should also be considered. In most cases with identity theft by hacking it is not done by professionals but local meth users, so inside knowledge/information can mostly make it easy.

There is an advantage for these sort of hackers, when compared to the old school thieves and burglars. Hackers can target an online wallet located in another country, and due to the bureaucracy involved it becomes almost impossible to catch them. Now most of the hackers are coming from countries such as China and Russia. If someone's bank account located in the US is hacked and the funds stolen, then it becomes extremely difficult for the US law enforcement authorities to catch the perpetrator, as they don't have any authority in Russia and China.
We all know where almost all attacks come from. When it is against countries, it is peculiar to some countries. Just lately some countries had to amend their laws to punish hackers making their territories a hideout. Now when bitcoin is point of discussion on hacking, I need to attend to such big issue, because it is getting to the neighborhood.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: JessicaG on December 23, 2016, 03:33:11 PM
I have always been hesitant to use paper wallets because I fear my printer may record everything I print and if my network gets compromised the private key will be there.  :-[

Making a screenshot of your private key and printing that one out (so as a graphical file), could circumvent your worries regarding your printer.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Kprawn on December 23, 2016, 07:34:50 PM
1) Do not use your personal phone number for 2FA. Use SIM cards without contracts.
5) Do not use any web wallets or online services to keep Bitcoin. If you need to keep them on an online device (for whatever reason), at least make sure that you're talking about a local desktop client.
Quoted you to discuss your first and fifth points.
I just wanted to know that if I use my personal phone number (specifically non-contract sim cards), isn't it still on the edge of getting hacked?
Your carrier shouldn't be able to revoke a non-contract sim to which no information is actually bound. In that sense, it should not be 'hackable' in a way as described

And when you said that we should keep our coins in a local desktop client, say if I am using any web wallets like blockchain, so is it not good to have all my coins be kept there?
Your web wallets, and those especially that use 2FA are vulnerable to social attacks. A desktop wallet is only vulnerable to targeted attacks, in which your machine has to be compromised. There's a huge difference in the possible approaches for a malicious individual.

In my country employees working for the service providers, work with syndicates to social engineer Sim swaps. The one moment your phone is working, and then the phone freezes. You reboot and then your Sim card is cloned and swapped. Many people here link their phone to online banking, so this is the main reason why they are doing this. Everyone just needs to remember that this is not Bitcoin's fault, but a failure on a third party service using Bitcoin.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: eternalgloom on December 23, 2016, 08:42:11 PM
How safe would 2FA through Google Authenticator be?
I've considered using this wherever it's available, but I'm not sure if it's a safer option than 2FA via SMS/Text.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: jobach on December 23, 2016, 08:54:24 PM
paper wallets are the best option


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: monsanto on December 23, 2016, 09:44:03 PM
How safe would 2FA through Google Authenticator be?
I've considered using this wherever it's available, but I'm not sure if it's a safer option than 2FA via SMS/Text.

That's what the article is all about -- that SMS 2FA is bad.  Google authenticator is much better they say.  Apparently the main reason SMS is used still is because not everyone has a smart phone to run an authenticator.  But eventually they will phase out most/all SMS 2FA.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Tanic on December 23, 2016, 09:49:51 PM
paper wallets are the best option
First of all - can somebody explain what is 2FA? I have no idea about this slang.
Second is that paper wallets are not the safest place in the world. The present of stealing money from ordinary wallets are higher than the present of hacked wallets. For now statistic is like that.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: BitcoinNewsMagazine on December 23, 2016, 10:11:28 PM
When you spend from a paper wallet your private keys are exposed briefly and bitcoin could be stolen if malware is waiting. Many early adopters used to use Armory and two computers for cold storage. That is still probably the most private way to do it and some still swear by it. Using two computers has largely been replaced by hardware wallets like Ledger Nano S and Trezor. There has never been a reported theft of bitcoin from a Trezor or Ledger. As a bonus using Nano S or Trezor you can use your hardware wallet for secure U2F login (http://www.dongleauth.info/) to a number of services like Google, Dropbox, Github, etc.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: SmartIphone on December 25, 2016, 12:53:12 PM
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

How is 2FA not safe?
There are two layers here, the password and the time password or 2FA which I consider the safest way when logging in somewhere.
As spoken by him 2FA is not so safe if you use 2FA through SMS verification. Didn't know whether 2FA which use software like google authenticator or similar could be compromised but news above in the main post is a proof that SMS verification could be compromised

I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.
Yeah you said some hackers can't do things like this but maybe the hackers which were mentioned in the news are the rest hackers who could

Then ok but I think that these two things are going together, first we put the phone number as a backup of the 2FA app
I use Authy and I have to give my phone number in case I forget the password or the password of this app (like Google Authenticator)


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Paninotech on December 25, 2016, 01:08:31 PM
Because phone companies still think of themselves as phone companies, and not as gatekeepers to people's financial and personal property on a vast scale. They can't keep screwing up like this.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: kanazawa on December 30, 2016, 01:56:41 AM
There are many ways to do a "social engineering" using a burning cell phone and a lotta courage. I'm really astonished that the "aggressive" methods are not in use yet. If few people knew about the benefits, the resources and the "easy way" few cryptocurrencies provides to let people "free", the world would be a complete chaos.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: raaajlucky on December 30, 2016, 03:26:22 AM
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

How is 2FA not safe?
There are two layers here, the password and the time password or 2FA which I consider the safest way when logging in somewhere.
As spoken by him 2FA is not so safe if you use 2FA through SMS verification. Didn't know whether 2FA which use software like google authenticator or similar could be compromised but news above in the main post is a proof that SMS verification could be compromised

I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.
Yeah you said some hackers can't do things like this but maybe the hackers which were mentioned in the news are the rest hackers who could

Then ok but I think that these two things are going together, first we put the phone number as a backup of the 2FA app
I use Authy and I have to give my phone number in case I forget the password or the password of this app (like Google Authenticator)
2FA accounts can not hack but still hackers will hack these accounts, I don't know how they will get verification numbers. And I heard as some online casinos were hacked, they will provide heavy security to their accounts but how hackers will hack their account?

The thing is we should secure our accounts to give high securities. Still, our account hacked means it's just our bad luck that's it. 


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Zadicar on December 30, 2016, 03:32:06 AM
paper wallets are the best option
First of all - can somebody explain what is 2FA? I have no idea about this slang.
Second is that paper wallets are not the safest place in the world. The present of stealing money from ordinary wallets are higher than the present of hacked wallets. For now statistic is like that.
2FA is acting like a secondary password on your account which means when you tend to log-in your account with your usual password after that it would require 2fa as second layer. It's either on phone code or an email authorization that's why having 2fa on any account that has funds do really need this security and I don't know how those hackers could able to hack on 2fa.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Jafri101 on December 30, 2016, 10:28:49 AM
How safe would 2FA through Google Authenticator be?
I've considered using this wherever it's available, but I'm not sure if it's a safer option than 2FA via SMS/Text.

Yes google authenticator is the safer way to protect your accounts. However while using google authenticator keep one thing in mind that the device which has authenticator must be safe because if you'll change device then 1st you have to disable authenticator. These are the minor things but creates big problems.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Mometaskers on December 30, 2016, 02:57:32 PM
Guys, read the article. (It is a good read.) The hackers are able to access PC's starting with the phone hacking. Sounds like a very ugly episode when everything - bank accounts, Windows login, desktop wallets, etc. - all get seized in one swoop. Because phone companies still think of themselves as phone companies, and not as gatekeepers to people's financial and personal property on a vast scale. They can't keep screwing up like this.

If the evidence that this operation(s) is based in the Philippines is right... well, the hackers might not be too happy once Duterte catches up with them. If he treats them like he does drug dealers, they will have a _very_ short life expectancy.

It seems they haven't caught any of these hacking groups yet. IMHO they should tighten immigration here in the Philippines. Most of the crime syndicates here are from abroad and using the laxity of immigration to set up crime rings here. Most of the drug manufacturers are from mainland China, most of the ATM hackers are from Bulgaria, etc...

It's really a troubling thought that they would simply get all your bitcoins because the telcos are not doing enough.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: SmartIphone on January 01, 2017, 02:50:49 PM
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
The services are vulnerable too. 2FA isn't safe if you use it with your phone number.

How is 2FA not safe?
There are two layers here, the password and the time password or 2FA which I consider the safest way when logging in somewhere.
As spoken by him 2FA is not so safe if you use 2FA through SMS verification. Didn't know whether 2FA which use software like google authenticator or similar could be compromised but news above in the main post is a proof that SMS verification could be compromised

I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.
Yeah you said some hackers can't do things like this but maybe the hackers which were mentioned in the news are the rest hackers who could

Then ok but I think that these two things are going together, first we put the phone number as a backup of the 2FA app
I use Authy and I have to give my phone number in case I forget the password or the password of this app (like Google Authenticator)
2FA accounts can not hack but still hackers will hack these accounts, I don't know how they will get verification numbers. And I heard as some online casinos were hacked, they will provide heavy security to their accounts but how hackers will hack their account?

The thing is we should secure our accounts to give high securities. Still, our account hacked means it's just our bad luck that's it. 

The issue is not always on the 2FA or on the AES encryption nor the Https encryption but the implementation.
And here the hackers come and break the system and get the sensitive info, and the forum needs to implement 2FA as soon as possible.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Bitcoinpro on January 01, 2017, 04:25:40 PM
The Bitcoins are traceable it's called IP address


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: SmartIphone on January 01, 2017, 05:52:32 PM
The Bitcoins are traceable it's called IP address

I don't think that always the bitcoin users are tracked when they use bitcoin by the IP addresses.
As far as I know the IP that is shown is not always the client's IP, or is it?


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Daffadile on January 01, 2017, 06:00:40 PM
I was wondering when the next big hack would happen. I hope things like this do not affect the price of bitcoin although maybe it is a good thing for bitcoin to go down so we can buy it and wait for it to go up again. ^^


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: valley365 on January 01, 2017, 07:20:31 PM
Man this is very scary. The fact they got the phone number can effectively reset all the passwords. Otherwise in 2FA they need to know both the passwords and the SMS code in order to enter the account. So only getting the phone would not be enough.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: silversurfer1958 on January 01, 2017, 07:20:54 PM
at https://bitaddress.org The url is :-

https://www.bitaddress.org/bitaddress.org-v3.3.0-SHA256-dec17c07685e1870960903d8f58090475b25af946fe95a734f88408cef4aa194.html

I'd expect the Sha256 Hash of the downloaded file to be dec17c07685e1870960903d8f58090475b25af946fe95a734f88408cef4aa194

However, after downloading the file and checking it with a Sha256 CRC it gives a Sha256 Hash of

739DDD62F01F06DDA02E7E69AEA9AF7526AB2349F02372619B92C5A952E02E6B

Where did I make a mistake.
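Added example, not part of the post above and not bitaddress.org's own code: one way to run the check described, by pulling the digest out of the file name, hashing the saved file byte for byte, and comparing without regard to upper or lower case. The function names and the sample page are constructed for illustration; the two hex values are the ones quoted in the post.

```python
import hashlib
import hmac
import re

# Naming convention visible in the URL quoted in the post:
#   <name>-SHA256-<64 hex digits>.html
PINNED = re.compile(r"-SHA256-([0-9a-fA-F]{64})\.html$")


def pinned_digest(url_or_name: str) -> str:
    """Return the SHA-256 digest embedded in the file name, lower-cased."""
    match = PINNED.search(url_or_name)
    if match is None:
        raise ValueError("file name carries no -SHA256-<hex>.html suffix")
    return match.group(1).lower()


def same_digest(a: str, b: str) -> bool:
    """Compare two hex digests, ignoring case and surrounding whitespace."""
    return hmac.compare_digest(a.strip().lower(), b.strip().lower())


def sha256_of_file(path: str, chunk_size: int = 65536) -> str:
    """Hash the file exactly as stored on disk (binary mode, no decoding)."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_bytes(url_or_name: str, data: bytes) -> bool:
    """True only if `data` hashes to the digest pinned in the name."""
    return same_digest(pinned_digest(url_or_name), hashlib.sha256(data).hexdigest())


# Values quoted in the post.
POST_URL = ("https://www.bitaddress.org/bitaddress.org-v3.3.0-SHA256-"
            "dec17c07685e1870960903d8f58090475b25af946fe95a734f88408cef4aa194.html")
POST_COMPUTED = "739DDD62F01F06DDA02E7E69AEA9AF7526AB2349F02372619B92C5A952E02E6B"

# Constructed sample: a page named after its own digest, and a copy whose
# line endings were rewritten when it was saved.
SAMPLE = b"<html>\n<body>constructed sample page</body>\n</html>\n"
SAMPLE_NAME = "sample-v0-SHA256-" + hashlib.sha256(SAMPLE).hexdigest() + ".html"
RESAVED = SAMPLE.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    # The tool's upper-case output is not the cause: the values differ anyway.
    print("post values match:", same_digest(pinned_digest(POST_URL), POST_COMPUTED))
    print("exact bytes match:", verify_bytes(SAMPLE_NAME, SAMPLE))
    print("re-saved copy matches:", verify_bytes(SAMPLE_NAME, RESAVED))
```

A mismatch means the bytes on disk are not the bytes that were published; such a file should not be opened to generate keys until a copy that does match has been obtained.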



Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Lauda on January 01, 2017, 07:57:45 PM
In my country employees working for the service providers, work with syndicates to social engineer Sim swaps. The one moment your phone is working, and then the phone freezes. You reboot and then your Sim card is cloned and swapped. Many people here link their phone to online banking, so this is the main reason why they are doing this. Everyone just needs to remember that this is not Bitcoin's fault, but a failure on a third party service using Bitcoin.
The false assumption that 2FA provides very great security or is impenetrable is a myth that is going on among people which have limited technical knowledge (especially in the Security branch). This includes the majority of the posters in this forum, and almost all of the posters in this thread. There are plenty of different types of penetration for social attacks, e.g. spear phishing is very effective when used among a big number of employees of a certain company.

Man this is very scary. The fact they got the phone number can effectively reset all the passwords. Otherwise in 2FA they need to know both the passwords and the SMS code in order to enter the account. So only getting the phone would not be enough.
You will likely be able to trick most services to reset the password if you had a lot of personal information + the phone number used on the account.


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: fuathan on January 02, 2017, 03:34:36 AM
use a burner phone not in your name to have your codes texted to. don't even tell your wife.

Hahaha! It sounds like Breaking Bad. Lol.  ;D


Title: Re: Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers
Post by: Xester on January 02, 2017, 03:48:01 AM
Article at link:

http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#3e024ad522db

Lessons learned:
2FA using SMS is badly compromised.
You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Hackers are targeting prominent bitcoiners - but it's only a matter of time for the rest of us.
Thieves are impersonating prominent bitcoiners, asking friends for "loans" of BTC (etc) - which just means more victims.
It's not just bitcoins - bank accounts and everything else are vulnerable. (And you can't fix those with a Trezor or paper wallet.)

What else?

That is a serious problem which bitcoiners are facing. I have many friends whose validated wallets have been penetrated by hackers and withdrawn all of their balance to other wallet address. The only solution for the meantime was to make dummy accounts. Multiple dummy accounts increases your protection from hacking while your official validated wallet must not have zero balance always and must only be used during cashout.