Bitcoin Forum
Author Topic: Stealing Bitcoins from online wallets with 2FA  (Read 1235 times)
harizen
October 02, 2017, 04:31:09 PM
 #21

When it comes to mobile nothing is safe. That is why it is always advisable to have hardware or paper wallet instead of mobile or desktop wallet which are connected to internet. Any app or software can be infected to read data from users mobile or desktop that too very easily. I think people hardly read terms and conditions before downloading and simply grant permissions to apps when asked. These all things make mobile vulnerable only.

It's not the mobile's fault then, but the users themselves. Before the mobile became infected, the users did some shitty actions.

In the first place I don't believe in mobile viruses, especially on Android. It's more prone to desktops obviously. Honestly, in my years of lurking around phone development, especially in the Android zone, there are only a few mobile apps I have seen created in an attempt at stealing info, but as far as my knowledge is concerned, none of them works. The most common is malware where there will be like an XXX app on your mobile phone, but that's just it. Above all of this, the users themselves are responsible for how they improve their security, whatever platforms they are using.

O9NpJ9ld1opS
October 02, 2017, 04:48:06 PM
 #22

Keeping coins on exchanges is always vulnerable. I have heard many times that coins are lost from exchanges even with 2FA security. Always transfer your coins to a hardware wallet if possible, else use a paper wallet. Stay safe rather than pointing out that the possibility of being hacked is very low. The money is yours and so is the decision.
criz2fer
October 02, 2017, 05:01:30 PM
 #23

I see people calling for 2FA as a safety mechanism for their accounts even tho there is a huge vulnerability in the mobile networks known for years now.
2FA just increases the complexity of the attack, it doesn't stop it at all. Here is an article from The Hacker News that came out today about using 2FA on Bitcoin online wallets like Coinbase, although they say that it isn't a vulnerability in Coinbase at all but in the mobile system design flaws instead.

https://thehackernews.com/2017/09/hacking-bitcoin-wallets.html

The conclusion here is that you shouldn't consider a mobile network safe.

I think phishing is the most frequent attack that occurs in the forum. Since links are spread here, many people in the forum, especially newbies, click the links without knowing that the site is a fake that collects data from their logins. That's why hackers can change the password because of this.

tramadols
October 02, 2017, 05:12:38 PM
 #24



I think they should be involved even if there are possible constraints on the mobile application system, preferably the coinbase to investigate and experiment to close the loopholes in mobile applications.

Kprawn
October 02, 2017, 05:20:10 PM
 #25

Google Authenticator (or WinAuth on PC) is secure and does not rely on any network exchange.  Coinbase no longer recommends Authy and tells its users to use Google Authenticator.  If you use one of these programs, be sure to record the QR code (or the secret phrase) so you can recover the authenticators if you need to get a new phone.

Too many people have reported that their coins were stolen when they activated Google Authenticator and 2FA for it to be secure. I still activate 2FA but I make sure that I keep as little as possible coins in the services that use 2FA. My main hoard is in paper wallets and hardware wallets.

grermezter
October 02, 2017, 05:35:42 PM
 #26

that possibility is just a threat from them.
very difficult to penetrate 2FA because the code is often changed
I definitely know that 2FA account codes change every 20 seconds or 30 and it makes it hard for hackers to gain access to the wallet, and we all know that no system is really totally secure, and the best we can do to prevent hackers from stealing our bitcoins is to make it harder for them to get to it if they ever get access to it.

stompix
October 02, 2017, 05:53:04 PM
 #27

Hmmmm.... Ya I don't know, they make it sound like it is so easy when it's not. What is this SS7?

There is a wikipedia article for more information https://en.wikipedia.org/wiki/Signalling_System_No._7

I still don't think it's easy and it is meant to be a second defense, not primary. I don't use SMS though, I use the authenticator and I'm sure it's very safe.

It is true that it is usually a second defense, although there are often account recovery options using a mobile phone. I am not sure about the authenticator, but if it works when your phone is not connected to the Internet then it is using SMS and the SMS might not be encrypted.

So,

In May 2017, O2 Telefónica, a German mobile service provider, confirmed that cybercriminals had exploited SS7 vulnerabilities to bypass two-factor authentication (2FA) to make unauthorized withdrawals from users' bank accounts. The criminals first installed malware on people's computers, allowing them to steal online banking users' account credentials and phone numbers. Then the attackers purchased access to a fake telecom provider and set up redirects from the victims' phone numbers to lines controlled by them. Finally, the attackers logged into victims' online bank accounts and transferred money from them to accounts of their own. 2FA confirmation calls were made, but had been routed to phone numbers controlled by the attackers.[22]

First step was
- install malware on stupid user computer  (not the fault of 2fa or ss7)
Second which is unclear
- purchasing fake telephone lines  ( there is some bad English here as you can't purchase access to something that is fake).

The point is that unless you download some bitcoin generator or porn movies in rar archives you are safe.
And even then, as long as you don't have your bank credentials stored in your computer (I don't) they can ....



malikusama
October 02, 2017, 06:24:31 PM
 #28

The explanation in the article shows the real threat, it is true that SS7 protocol has so many flaws and by taking advantage of these flaws hackers can attack on the protocol and can steal your private codes of two-factor authentication by redirecting your messages and phone calls. Still cellular companies did nothing to make it secure and modify the protocol by removing the flaws in it, so we have to be careful.
xBitHodler
October 02, 2017, 06:41:18 PM
 #29

As you said 2 factor authentication doesn't protect at all. It only helps when someone guesses or steals your password using a keylogger. That's why I use online wallets only when I'm going to a shop which accepts Bitcoin as a payment (there aren't any in my area). The same thing is with Google Auth. There's no way to perform MIM attack but the exchange or online wallet provider can still be hacked.
bubblebit
October 02, 2017, 06:47:42 PM
 #30

As technology upgrades, humans innovate, that's what this is all about. Vulnerability has been and will always be present on any mobile, desktop et al.; as long as hackers don't have the satisfaction of exploiting it, this is always a threat. Do we need to be worried about this? I don't think so, because only you can solve and prevent this from happening. So take yourself much farther than surfing the internet and using your mobile, learn and teach yourself a way how this will be prevented and avoided. 2FA and any security protocol can be of no use when you don't put an extra effort into it.
Sirait
October 02, 2017, 07:06:58 PM
 #31

Wow, this is good news. I'm still a bit hesitant too, is this true? Because I think 2FA Google Authenticator is very safe, because it uses double security from laptop and smartphone.

baronious
October 02, 2017, 07:12:59 PM
 #32

2FA isn't impossible to penetrate but it makes it harder to get hacked.  If you want to be safer, invest in a hardware wallet.
lighpulsar07
October 02, 2017, 07:38:14 PM
 #33

Well, that's why I didn't use an online wallet/exchange, for example Coinbase or in my country coins.ph, because there is still a possibility that you can still be hacked even if 2FA is enabled. For example, in coins.ph there is another way to sign in to your account, by sending the 2FA code to your email; if your email account is compromised you will lose your bitcoins.
Ultegra134
October 02, 2017, 08:00:07 PM
 #34

In most cases, you should be fine using an online wallet with 2FA. It is sufficient to keep any email hijackers away from your wallet.

The chances of having a wallet with 2FA accessed is slim, I wouldn't worry using one, unless you have a significant amount of BTC.

Razick
October 02, 2017, 08:21:31 PM
 #35

There is a way to do this that is going around and everyone who reads this should read carefully and make sure to avoid it happening to you.

See, it is not hard to buy a domain and clone an exchange to make it look like another one. What is the trick? You must buy a domain which looks similar to the exchange you are targeting, but is actually your site. Then simply record their password and also 2FA text code and use them to login on your end at the same time they are.

ACCOUNT RECOVERED 4/27/2020. Account was previously hacked sometime in 2017. Posts between 12/31/2016 and 4/27/2020 are NOT LEGITIMATE.
Achargeturry78
October 02, 2017, 08:33:51 PM
 #36

that possibility is just a threat from them.
very difficult to penetrate 2FA because the code is often changed

Agree, but if the hackers have the algorithm used in your account maybe they can access it. But before this happens they should have the codes, or if it happens I suspect that it's an inside job. 2FA is hard to hack as it changes often, and also you need to hack their emails first before you have the main target, which is the bitcoin wallet.
viramarket
October 02, 2017, 09:04:16 PM
 #37

that possibility is just a threat from them.
very difficult to penetrate 2FA because the code is often changed

I agree with you. With a code that often changes I think it will still be difficult. and also to get into the wallet, I think there is a mistake made by the user of the wallet itself. eg using a malicious internet connection. A few hours ago I read there was lost about $ 550K in one wallet. and the cause is malicious wi-fi.
It is very interesting that it led to loss of money. Specify the source of information please.
ivrynx
October 02, 2017, 10:05:46 PM
 #38

There is a possibility, but having someone steal your bitcoins when you are using 2FA has a low, low chance of happening, since it is much secured. We should do our part in protecting our bitcoins, we must always have a backup whenever we need them, do not store your key on the cloud or have anyone know what they are. We must always take caution in these times, since a lot of people already know the technology and some are even advanced, though the technology we use is relatively new. A lot of sites are also phishing sites, they will get your information every time you log in, so you must at least change your password every now and then. There has also been some breach on the cloud, so I suggest not to use clouds for storage and do not input your important details there. Sooner or later, I think, we might create a newer and far more advanced security system for our wallets, and be sure that what you download on your phones or desktop will not monitor every movement you do, since that is also a way on how you can be hacked. Let's all be vigilant and not be too careless when it comes to our storage.
cybersofts
October 02, 2017, 10:16:32 PM
 #39

I see people calling for 2FA as a safety mechanism for their accounts even tho there is a huge vulnerability in the mobile networks known for years now.
2FA just increases the complexity of the attack, it doesn't stop it at all. Here is an article from The Hacker News that came out today about using 2FA on Bitcoin online wallets like Coinbase, although they say that it isn't a vulnerability in Coinbase at all but in the mobile system design flaws instead.

https://thehackernews.com/2017/09/hacking-bitcoin-wallets.html

The conclusion here is that you shouldn't consider a mobile network safe.

Yes, I heard it from "Asian Whales Club" channel on YouTube, saying hackers engineered some tool that helped them bypass 2FA security on POLONIEX.
I think the only solution to get rid of this certain issue is by saving your coins in an offline/hardware wallet because that will be safer than a web wallet, since hardware wallets are completely offline and no one can have access to it but you and that makes it unhackable at all.
HODL It
October 02, 2017, 10:19:11 PM
 #40

This is only for SMS 2FA and not for apps like Google Authenticator?