Lauda
December 22, 2016, 11:46:03 PM
Quote: 1) Do not use your personal phone number for 2FA. Use SIM cards without contracts. 5) Do not use any web wallets or online services to keep Bitcoin. If you need to keep them on an online device (for whatever reason), at least make sure that you're talking about a local desktop client.
Quote: Quoted you to discuss your first and fifth points. I just wanted to know that if I use my personal phone number (specifically non-contract sim cards), isn't it still on the edge of getting hacked?
Your carrier shouldn't be able to revoke a non-contract sim to which no information is actually bound. In that sense, it should not be 'hackable' in a way as described.
Quote: And when you said that we should keep our coins in a local desktop client, say if I am using any web wallets like blockchain, so is it not good to have all my coins be kept there?
Your web wallets, and those especially that use 2FA, are vulnerable to social attacks. A desktop wallet is only vulnerable to targeted attacks, in which your machine has to be compromised. There's a huge difference in the possible approaches for a malicious individual.

SmartIphone
December 23, 2016, 12:33:32 AM
Quote: You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Quote: The services are vulnerable too. 2FA isn't safe if you use it with your phone number.
How is 2FA not safe? There are two layers here, the password and the time password or 2FA, which I consider the safest way when logging in somewhere.

CyberKuro
December 23, 2016, 01:21:10 AM (last edit: December 23, 2016, 01:56:36 AM by CyberKuro)
Yeah, we get the lesson by Kenna's experience. Hackers actually can steal our information, but the most important thing is ourselves as the last defense of our wealth. Bitcoin is better to save in an offline wallet or keep on an encrypted hard drive, with just a small amount of the rest in an online wallet; I thought that is the best way to be safe.

Papa Bear
December 23, 2016, 01:28:04 AM
Kenna’s experience is only one of a spate of recent hackings of high-profile cryptocurrency industry players such as venture capitalists.

0xfff
December 23, 2016, 01:30:27 AM
I have always been hesitant to use paper wallets because I fear my printer may record everything I print and if my network gets compromised the private key will be there.

digaran
December 23, 2016, 01:43:53 AM
Everyone knows the internet is not always safe; in any sort of case there are security issues, no doubt. But could you tell me how one can simply steal bitcoins by using only a phone number? Why not using hardware and/or paper wallets no use for securing our funds? Are you trying to scare away the people with little knowledge about online security from crypto? It seems like it from my point of view.

x4
December 23, 2016, 02:55:32 AM
I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.

TastyChillySauce00
December 23, 2016, 03:01:50 AM
Quote: You can't outsource your computer/cryptocurrency security to a 3rd party like your phone carrier. It's a recipe for disaster.
Quote: The services are vulnerable too. 2FA isn't safe if you use it with your phone number.
Quote: How is 2FA not safe? There are two layers here, the password and the time password or 2FA, which I consider the safest way when logging in somewhere.
As spoken by him, 2FA is not so safe if you use 2FA through SMS verification. Didn't know whether 2FA which uses software like Google Authenticator or similar could be compromised, but the news above in the main post is proof that SMS verification could be compromised.
Quote: I don't really think that some hackers can do things like this, tho this kind of method is not impossible, but this is very rare to happen, so everyone must be aware of this type of incident. Everyone must be careful especially to those who have huge funds with their web wallets.
Yeah you said some hackers can't do things like this but maybe the hackers which were mentioned in the news are the rest hackers who could

jacktheking
December 23, 2016, 03:28:11 AM
The article is too long and I only read the first half of the article. Anyway, it seems that the hacker is targeting US consumers that have a lot of Bitcoin and use 2FA verification. I personally don't really use 2FA but I do actually think that 2FA is secure as long as we know how to protect ourselves - from the article, Jered Kenna already did his best (it was the service provider that easily accepted a "faked" request). I couldn't believe how the "hacker" managed to fake his identity and transfer his phone number to another service provider. That is something that the provider has to help us secure.
So sad! This profile does not appear as the #1 result (on anonymous) Google searches anymore.
Time to be active on the crypto forums again? Proud to be one of the few Legendary members of the Sparkie Red Dot!
Gonna put this on my resume if I ever join a cryptocurrency/blockchain industry!

JasonXG
December 23, 2016, 03:55:03 AM
That was a very interesting article and I am glad that you showed us it. Wow hey? That hacker got into 30 accounts and changed his phone number to another service using social media engineering. So the hacker had control of everything.
What can people do to prevent things like this though? I wonder how exactly the hacker managed to get the guy's phone number and then have it changed to another company?

ebliever (OP)
December 23, 2016, 04:59:33 AM
The issue is not with all 2FA, but with 2FA using SMS specifically, so far as this article goes. It is noteworthy that Coinbase just sent out an email pushing people to using Google Authenticator for 2FA - probably due to the issues/incidents in this article.
Seems I've been doing some things right by accident. I use GA already, and on a "tablet" that is a smartphone with no phone contract.
Luke 12:15-21
Ephesians 2:8-9

monsanto
December 23, 2016, 06:24:40 AM
Quote: Hackers are always a step ahead. It's needed to develop the new security mechanisms all the time. But it seems that everything that is considered to be secure in fact it's not. That also happened with 2FA. So, what can we do, what method, mechanism or tool can actually protect our coins? Is there anything that we can fully trust?
DNA 2FA might work, although they could then just steal some genetic material. Or maybe they could use AI to have a conversation for a few minutes with you when you sign up, where it asks you some odd questions. It could then use this info to test to see if your responses later indicate it's really you. So if you want to port your phone number you'd then have to have another brief convo with the AI to check if it's you. Hmm or maybe just offer 3FA.. authenticator + phone#sms + password

aarons6
December 23, 2016, 07:25:30 AM
there HAS to be some inside information for this to work..
first off, someone has to get to know this individual enough to know their phone number, address, and their cell phone provider..
also they need to know their email, and whatever kind of web wallet they used..
this is a long shot to just guess..
so after they "guess" this info, they are supposed to call the cell phone company, and HOPE they send a replacement sim card? i hate to break it to you, but. ive had to do this, legitimately, and the cell phone company made me go into a store to show id.. so now our "hacker" needs to fake the victims id..
now, once this all happens, the victim is NOT SUPPOSED to figure out his phone stops working?? because um, once you activate a new sim card the old one deactivates..
now this hacker, is supposed to "guess" the guys email, get them to send the sms text to sign in? and well hope that when this happens the "victim" doesnt notice the sign in attempt that just so happens to get emailed to you?? and if you were smart and used gmail, they email you not only on ONE email but on a BACKUP email..
plus now that the email password is changed.. he is supposed to guess all the other passwords??
sounds far fetched..

aarons6
December 23, 2016, 07:29:18 AM
Quote: Hmm or maybe just offer 3FA.. authenticator + phone#sms + password
blockchain.info has 3fa, or 4fa if you choose to enable it.. you would need to verify the sign in attempt by an email link.. you would need to verify the password.. you would need to verify the 2fa code.. and to send funds you need to verify the secondary wallet password.. i would imagine if you were smart and these weren't simple passwords it would be impossible to guess them. oh and they dont have a password seed.. so you cant just call them up and say i lost my password please reset it.

royalfestus
December 23, 2016, 07:55:35 AM
It is so unfortunate that hackers are not getting less smart and they are also increasing in number daily. That is why we need to equip ourselves as much as possible, educating ourselves on cybersecurity. Internet is not safe, choice of wallet should also be considered. In most cases with identity theft by hacking it is not done by professionals but local meth users, so inside knowledge/information can mostly make it easy.

Longsnowsm
December 23, 2016, 12:17:17 PM
I know this article has set off discussions at the phone carriers. However I don't really know what steps are being taken to address the issues at this point.
Multifactor authentication (something that you know, something that you are (possibly biometrics, voice print, body scan, retina scan etc.), and something you have, like an external factor like the Google authenticator, or other similar services) would make it far more difficult for thieves in an online context. The more factors used the harder it is to impersonate someone. I know people are going to scream that it isn't convenient. If you have something worth protecting you will take the extra steps to secure it and put up with the inconvenience. Relying on one or two factors for authentication is going to be too weak.
But as someone else noted if you have money you are trying to protect then offline in paper wallets probably makes sense. Which really just makes me laugh a little because we are basically saying "cash" is more secure than the online world. Sadly at the moment that is probably true.
The other thing that someone said that is very true is limit what someone can know about you. Search online and see what you can dig up about you and then go scrub it if you can. Give would-be thieves fewer clues about who you are so they have less chance of piecing together a puzzle that leads them to your personal data and funds.

bryant.coleman
December 23, 2016, 12:23:54 PM
Quote: It is so unfortunate that hackers are not getting less smart and they are also increasing in number daily. That is why we need to equip ourselves as much as possible, educating ourselves on cybersecurity. Internet is not safe, choice of wallet should also be considered. In most cases with identity theft by hacking it is not done by professionals but local meth users, so inside knowledge/information can mostly make it easy.
There is an advantage for these sort of hackers, when compared to the old school thieves and burglars. Hackers can target an online wallet located in another country, and due to the bureaucracy involved it becomes almost impossible to catch them. Now most of the hackers are coming from countries such as China and Russia. If someone's bank account located in the US is hacked and the funds stolen, then it becomes extremely difficult for the US law enforcement authorities to catch the perpetrator, as they don't have any authority in Russia and China.

royalfestus
December 23, 2016, 03:05:41 PM
Quote: It is so unfortunate that hackers are not getting less smart and they are also increasing in number daily. That is why we need to equip ourselves as much as possible, educating ourselves on cybersecurity. Internet is not safe, choice of wallet should also be considered. In most cases with identity theft by hacking it is not done by professionals but local meth users, so inside knowledge/information can mostly make it easy.
Quote: There is an advantage for these sort of hackers, when compared to the old school thieves and burglars. Hackers can target an online wallet located in another country, and due to the bureaucracy involved it becomes almost impossible to catch them. Now most of the hackers are coming from countries such as China and Russia. If someone's bank account located in the US is hacked and the funds stolen, then it becomes extremely difficult for the US law enforcement authorities to catch the perpetrator, as they don't have any authority in Russia and China.
We all know where almost all attacks come from. When it is against countries, it is peculiar to some countries. Just lately some countries had to amend their laws to punish hackers making their territories a hideout. Now when bitcoin is point of discussion on hacking, I need to attend to such big issue, because it is getting to the neighborhood.

JessicaG
December 23, 2016, 03:33:11 PM
Quote: I have always been hesitant to use paper wallets because I fear my printer may record everything I print and if my network gets compromised the private key will be there.
Making a screenshot of your private key and printing that one out (so as a graphical file), could circumvent your worries regarding your printer.

Kprawn
December 23, 2016, 07:34:50 PM
Quote: 1) Do not use your personal phone number for 2FA. Use SIM cards without contracts. 5) Do not use any web wallets or online services to keep Bitcoin. If you need to keep them on an online device (for whatever reason), at least make sure that you're talking about a local desktop client.
Quote: Quoted you to discuss your first and fifth points. I just wanted to know that if I use my personal phone number (specifically non-contract sim cards), isn't it still on the edge of getting hacked? Your carrier shouldn't be able to revoke a non-contract sim to which no information is actually bound. In that sense, it should not be 'hackable' in a way as described. And when you said that we should keep our coins in a local desktop client, say if I am using any web wallets like blockchain, so is it not good to have all my coins be kept there?
Quote: Your web wallets, and those especially that use 2FA, are vulnerable to social attacks. A desktop wallet is only vulnerable to targeted attacks, in which your machine has to be compromised. There's a huge difference in the possible approaches for a malicious individual.
In my country employees working for the service providers work with syndicates to social engineer Sim swaps. The one moment your phone is working, and then the phone freezes. You reboot and then your Sim card is cloned and swapped. Many people here link their phone to online banking, so this is the main reason why they are doing this. Everyone just needs to remember that this is not Bitcoin's fault, but a failure on a third party service using Bitcoin.