ChartBuddy
December 22, 2021, 05:01:27 AM

shahzadafzal
December 22, 2021, 05:13:37 AM
jack the slayer

lightfoot
December 22, 2021, 05:20:32 AM
SMS was NEVER secure form of 2FA, this is the point here. I honestly thought this was common knowledge already, especially within Bitcoin communities. So many stories of this already.
Well, it was acceptable under NIST 800-61 up until about 5 years ago. The complete uselessness of the major phone companies led to porting attacks being accomplished with relative ease (it's not free, so people typically target with it). You're basically trusting your security to AT&T, and more specifically the $5 buck an hour ex Pakistani bricklayer they have doing the porting of numbers. Software based TOTP is much better, but I still would worry that the phone is hacked and the seed is gotten. A hardware based OTP would be optimal but is probably overkill unless you leave a lot on your exchange of choice (I'd recommend not doing this as all of the exchange hacks end with one solution: You lose your shit).

Biodom
December 22, 2021, 05:23:14 AM
I am not quite sure how they ported the phone.
I suspect they used tracfone had the cell number hoped by getting the email
that the email linked to tracfone and to coinbase was the same
so if they hack just the email
they could try to port the cell to their carrier.
then get into coinbase change password and use 2fa to allow withdraws and alter the email
... Best to buy a burner phone set up google to microsoft auth.
the coinbase account does not know that phone number so no one can port it over to another network.
Sorry that it happened, but I cannot figure it out from your description. coinbase did have some SMS troubles last May or so, maybe it is somehow related. The ported phone would jeopardize both methods (text or Authenticator), wouldn't it? what's the "email linked to tracfone"? why there is such a thing?

naim027
December 22, 2021, 05:27:04 AM
Good Morning Bitcoiners!! Let's say "To the moon" One more time. I know it's not the time yet. I guess we can see another correction before the month's end. I guess there will be a huge volume cash out before Christmas and 31st. Anyways, Hoping for the Best. #ToTheMoon #HoDL

dragonvslinux
December 22, 2021, 05:41:48 AM
SMS was NEVER secure form of 2FA, this is the point here. I honestly thought this was common knowledge already, especially within Bitcoin communities. So many stories of this already.
Well, it was acceptable under NIST 800-61 up until about 5 years ago. The complete uselessness of the major phone companies led to porting attacks being accomplished with relative ease ...
Fair, I'll take your word for it. I wasn't using 2FA 5 years ago admittedly, more like 4.5 years, so to me it's simply always been a no go for any real security since security issues had already emerged by then.
Software based TOTP is much better, but I still would worry that the phone is hacked and the seed is gotten. A hardware based OTP would be optimal but is probably overkill unless you leave a lot on your exchange of choice (I'd recommend not doing this as all of the exchange hacks end with one solution: You lose your shit).
For sure, I used to trust TOTP on mobile devices, but now realising how vulnerable mobile phones are I went back to device based, Linux specifically, for better security. I'd like to assume the TOTP encrypted seed remains safe on a phone, even if it's hacked, but this would also be completely dependent on the app developer's method of encryption I guess. Overall using a separate device (connected to the internet) isn't necessarily more secure it seems, especially if it's a common system like Windows, Android and iPhone where the exploits are the most common (due to their popularity for widespread targeting).
Also agree generally keeping any amount on exchanges you can't afford to lose (or willing to lose) is never a good idea. It's been a while since MtGox scenario, but they are always possible, even with the likes of Coinbase. They probably have enough in cold storage to refund customers if it were to happen (and the breach is on their end not the customer), but even so, wouldn't want to risk that insurance policy.

lightfoot
The ported phone would jeopardize both methods (text or Authenticator), wouldn't it?
Well, if they port your phone they have your SMS number and can respond to challenge codes. However that doesn't give them access to your phone's memory and junk, and that's where the TOTP seed is kept. It's possible to hack your phone (here install this app my good fellow) but that's a bit more complex and more in your control. The other thing they would need is the password, unless coinbase allows account access with only an SMS (which makes it a one factor auth system).
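
Added example, not part of any post in this thread: a minimal RFC 6238 TOTP generator and server-side check in Python, showing that the code is a function of the stored seed and the clock only, so a ported phone number contributes nothing while a copied seed contributes everything. The seed is the published RFC 6238 test key, and the helper names are illustrative.

```python
import hashlib
import hmac
import struct

# Published RFC 6238 test key (SHA-1 variant). It stands in for the seed an
# authenticator app keeps in device storage; it is not a real account secret.
RFC_TEST_SEED = b"12345678901234567890"
STEP = 30  # seconds per time step, the usual authenticator default


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed steps.

    The only inputs are the seed and the time. No phone number, SIM or
    carrier identity is involved, which is why a number port does not help.
    """
    return hotp(seed, max(0, unix_time) // STEP, digits)


def verify(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept +/- `window` steps to absorb clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * STEP)
        # Constant-time comparison; evaluate every candidate before returning.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time, used so the output is reproducible
    code = totp(RFC_TEST_SEED, now)
    print("code from the device seed:", code)
    print("accepted by the server:   ", verify(RFC_TEST_SEED, code, now))
    # Someone holding only the ported number has no seed to compute from;
    # a code from outside the accepted window is rejected.
    print("stale code accepted:      ", verify(RFC_TEST_SEED, "969429", now))
```
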

JayJuanGee
December 22, 2021, 05:44:06 AM
Best to buy a burner phone set up google to microsoft auth.
yubi is decent. I ended up selling all the btc on the three paypal accounts. sent money to bank.
Hopefully that is not the whole story. If you are in BTC accumulation stage, you should not be selling your bitcoin, so if you do sell, then you replace. I know that paypal does not allow self custody... so if you sell then you replace in another location.. and therefore, your net situation is the same amount of bitcoin (and sometimes if you are going to err you err on the side of buying a little extra BTC just to make sure that you are holding the right asset - so for example, I recall when I was in accumulation stage, especially 2014, 2015 and 2016, I was always nervous about net selling BTC, so for example, even if I sent $5 of bitcoin to a friend, I would replace them within a day or two... or if I bought a membership or any kind of situation in which I might be forced to sell any bitcoin.. for example, I would sometimes do transactions on Local bitcoins, so the replacement would most frequently err on the side of making sure that i was stacking more bitcoin, whether I sold my minimum amount of $300 or if they wanted more, maybe up to $7k or $8k.. I would usually NOT do more than $8k because I did not want to get close to having transactions that were close to $10k.
Got very lucky today.
if I was simple 2fa all would have been gone.
Running the business I sometimes have all the coin for all of us. Especially if we are set to buy a lot of gear. I usually keep 90% of my stuff offline in hardware wallets. but it was end of year and we are expanding the mine. so I had a lot in the account.
Holding for others becomes way more stressful.. that's for sure.
Oh coinbase did offer me the chance to lock account. and i was on the road no real access.
but i know locking the account without trying to get into it would be a mistake.
since this account is pc based i thought maybe they could not do much. so drove home not telling the wife that we may have lost good money. got home change the email password changed the coinbase password changed the coinbase phone and drained the account. then drained the paypal accounts.
Like I already mentioned, hopefully you did not change the actual allocations of BTC versus dollars, unless it was completely of your own choosing... which it sounds as if all of these actions were triggered by the security breach.
The ported phone would jeopardize both methods (text or Authenticator), wouldn't it? what's the "email linked to tracfone"? why there is such a thing?
Porting a phone allows you to receive text messages on that phone, but authenticator is tied to the device itself.. so you would not get the authenticator codes on your phone unless you had some kind of authenticator backup code...so that's part of the reason that some of the guys here are focusing on criticizing SMS 2nd factor specifically.. because the sms messaging mode remains so vulnerable to the sim swap attack.

shahzadafzal
December 22, 2021, 05:45:10 AM
the cell phone was ported to Verizon {this is impressive as no-one has access to phone}
they had my email with access {impressed with this}
This let them change my coinbase password.
But My coinbase withdrawals are not enabled by that cell or email so they could not withdraw. Or alter my coinbase email address.
So lots of shit is changed now.
Interesting... looks like a targeted attack.
I was lucky I had one more roadblock to stop them.
I wonder if it is inside work with:
a guy at coinbase a guy at tracfone a guy at Verizon
set when coinbase account gets a bit higher say 10k or 20k or a higher level.
of course I now need to alter countless other shit
you are lucky they couldn't withdraw anything, now you need to do some investigation... for sure someone knew you have bitcoins :p if you find anything please share with us so we could be more vigilant.

JayJuanGee
December 22, 2021, 05:49:25 AM
The ported phone would jeopardize both methods (text or Authenticator), wouldn't it?
Well, if they port your phone they have your SMS number and can respond to challenge codes. However that doesn't give them access to your phone's memory and junk, and that's where the TOTP seed is kept. It's possible to hack your phone (here install this app my good fellow) but that's a bit more complex and more in your control. The other thing they would need is the password, unless coinbase allows account access with only an SMS (which makes it a one factor auth system).
Well you are likely already implying this, but surely one of the ways into any account is to say that you forgot password, and so you then need the password recovery method which could be e-mail and sms.. .. and I suppose that is what you are saying, just saying it differently, no?

shahzadafzal
That's why I like triple authentication, and even more measures for withdrawals.
Well except I need to get some corn from Poloniex and they can't match my face with my passport, I need to get a haircut I guess.
Binance have default triple verification enabled on withdrawals Email + SMS + Third Party Authenticator but but but since all these app SMS, Email and even authenticator is usually on the same phone and if your phone is compromised (Android or even iOS Pegasus) these authentications can be hacked. Just yesterday saw this on reddit how this guy lost his 0.6BTC

Biodom
December 22, 2021, 05:51:57 AM
I was lucky I had one more roadblock to stop them.
I wonder if it is inside work with :
a guy at coinbase a guy at tracfone a guy at Verizon
I am very sorry to say this, but you have to also look at people you deal with often.

JayJuanGee
December 22, 2021, 05:54:48 AM
you are lucky they couldn't withdraw anything, now you need to do some investigation... for sure someone knew you have bitcoins :p
if you find anything please share with us so we could be more vigilant.
Hackers might not know in advance whether you have bitcoin for sure, and they might be confused about who you are or various kinds of participation in clubs, but if they get access to one or more of your e-mail accounts, they might be able to see some of your e-mails that could show those kinds of things... so maybe they get into one of your e-mail accounts first and do some exploring.. however, from my earlier experience with my early 2017 sim swap and hacking of various accounts, it seemed pretty clear from me that there was some kind of team behind how fast they had appeared to have been doing various things and I would even get them locked out of some accounts and they would get back in.. .. lasted for quite a while and some weird stuff that I do not even want to talk about... at least not at this time, and it has been nearly 5 years ago.. fuck..

eXPHorizon
December 22, 2021, 05:54:55 AM
I was thinking that all you need is a Name of the Person and you can hack him all the time no matter how much security he has ...

ChartBuddy
December 22, 2021, 06:01:36 AM

Biodom
December 22, 2021, 06:25:14 AM
Here is an interesting case: https://www.yahoo.com/entertainment/employee-embezzled-154-million-sony-165821367.html
To me what is interesting is how it was recovered. The link in the text goes to more description and it seems that the perp transferred stolen funds (that he converted to bitcoin) to what they called "offline cryptocurrency cold wallet". Yet, they recovered the funds. I guess it depends on what that "offline cold wallet" means and on the perp cooperation. If he cooperated, that's one story, but if not, then it is completely different and could mean something important.

shahzadafzal
December 22, 2021, 06:30:07 AM
Here is an interesting case: https://www.yahoo.com/entertainment/employee-embezzled-154-million-sony-165821367.html
To me what is interesting is how it was recovered. The link in the text goes to more description and it seems that the perp transferred stolen funds (that he converted to bitcoin) to what they called "offline cryptocurrency cold wallet". Yet, they recovered the funds. I guess it depends on what that "offline cold wallet" means and on the perp cooperation. If he cooperated, that's one story, but if not, then it is completely different and could mean something important.
the bitcoin address that held the 3,879 bitcoin tokens — now worth more than $180 million — and seized the funds on December 1.
very easy... return their $154 million say sorry it was mistake and keep $26million in BTC. Case closed everyone is happy

Richy_T
December 22, 2021, 06:37:11 AM Merited by JayJuanGee (1)
you are lucky they couldn't withdraw anything, now you need to do some investigation... for sure someone knew you have bitcoins :p
if you find anything please share with us so we could be more vigilant.
Hackers might not know in advance whether you have bitcoin for sure, and they might be confused about who you are or various kinds of participation in clubs, but if they get access to one or more of your e-mail accounts, they might be able to see some of your e-mails that could show those kinds of things... so maybe they get into one of your e-mail accounts first and do some exploring.. however, from my earlier experience with my early 2017 sim swap and hacking of various accounts, it seemed pretty clear from me that there was some kind of team behind how fast they had appeared to have been doing various things and I would even get them locked out of some accounts and they would get back in.. .. lasted for quite a while and some weird stuff that I do not even want to talk about... at least not at this time, and it has been nearly 5 years ago.. fuck..
Let's not forget that at least Ledger and this very forum amongst probably many others have been subject to attacks that have leaked email addresses. That likely provides a very fruitful pool to start from.

ChartBuddy
December 22, 2021, 07:01:26 AM

AlcoHoDL
December 22, 2021, 07:43:47 AM Merited by JayJuanGee (1)
cell phone was cloned almost lost $$$
Wicked. Was it a MFA attack or an attack on the portable wallet?
the cell phone was ported to Verizon {this is impressive as no-one has access to phone} they had my email with access {impressed with this} This let them change my coinbase password. But My coinbase withdrawals are not enabled by that cell or email so they could not withdraw. Or alter my coinbase email address. So lots of shit is changed now.
Man, that's nasty. Thanks for sharing/warning us. I like Kraken's way of securing their exchange. Different non-SMS 2FAs for logging-in / funding / trading, account kept in a locked state and only unlocks after a specific number of days, unless you enter a master password that is unrelated to the 2FAs. Never had any issues with hacking in my entire life, and after reading your post I can't help but feel a little worried. Should re-evaluate my security methods ASAP just in case.