It starts with a text message from Verizon
Oh boy. Within seconds, I call the number and get this.
“Hello, welcome to Verizon. Our offices are now closed. Our hours are between 8 and 11pm on weekdays.”
I call again and repeatedly press zero to try and get an operator. No dice. A minute later I get a duplicate text message.
I screenshot and tweet to Verizon Support.
Agonizingly anxious minutes go by as I try to reach Verizon. I google “Verizon fraud prevention line” searching for a number to call and get nothing.
11:41 PM — Gmail signs out.
I’m totally in the dark.
11:42 PM—Coinbase password resets
My session cookie doesn’t kick me out yet so I watch this in real time.
11:43 PM—Coinbase New Device Confirmation
11:44 PM—1.Legal BTC sent
11:45 PM—70.96 LTC sent
11:46 PM—16.03 ETH sent
Adios, hopes and dreams fund 💸 —$8,000+ is gone in 15 minutes.
How on earth was I so blindsided?
Before we start, it’s worth mentioning that yes, yesssss, I did not have enough protection around my Gmail account. I’ve used Google Authenticator before, for my personal account and for various work emails, but I stopped using it at a certain point out of convenience. I deeply regret doing so and you can certainly say, “HA, YOU HAD THIS COMING TO YOU DUDE, MY BITCOIN IS ON AN ENCRYPTED THUMBDRIVE IN A SECRET UNDERGROUND LOCKBOX COLD STORAGE FACILITY.” But there are many coin holders out there with a similar vulnerability and, as more novices join, this vulnerability will only become more of a problem.
Of all the factors that led to this hack, Verizon Wireless is the one I was massively unprepared for. After talking at length with customer service reps, I learned that the hacker did not need to give them my PIN or my social security number and was able to get approval to take over my cell phone number with ordinary billing information. Once the number was ported, every SMS code and password-reset text meant for me went to the attacker’s handset instead. This blew my mind and seemed negligent beyond all possible reason, but it’s what they do. The main thing that struck me about the hack was the extraction speed possible in the current cryptocurrency ecosystem. $8,000 in 15 minutes is faster and more lucrative than robbing a suburban bank.
Why I was targeted
The best working theory for why I was targeted was this tweet I made last week about Coinbase.com. A friend of a friend was hacked on Coinbase and he had not heard back from anyone on Coinbase’s support team for several days. As a plea for help, he asked people to help get the word out on Twitter. I did, it got RTed a bunch, and in my incredible naiveté, I had no idea I was essentially pinning a “Rob me too” sign to my back.
And now, here I am. I tried to help someone get the attention of Coinbase for fraud, I got screwed, and now I’m trying to get the attention of Coinbase.com for fraud. The official Coinbase Support twitter has responded once, then a bot emailed, with a disclosure that it could be weeks before I get a single response to my question.
I have never lost money at anywhere near this scale before. I grew up in a family that is especially conservative when it comes to money and this hits on an emotional level that is hard to shake. Like many, I know that there are plenty of risks when it comes to cryptocurrency, it’s a gamble, but the one thing you don’t expect to happen is to be robbed in seconds on a site with a cleaner user interface design than Chase Bank.
I have no idea if I’ll be able to recover any of this money but I figure the one thing I can do with this feeling of rage/sadness is try and unpack the vulnerabilities so others get less screwed.
Things Verizon Wireless can do
- Add extra layers of scrutiny to any person calling in and requesting to ‘swap phones’. General billing information was sufficient to transfer my number and I was floored by this. It is insane that Verizon, and other wireless companies, haven’t made real efforts to counter this hack and even more crazy that they haven’t been sued for gross negligence.
- Make urgent text alerts actionable through SMS. If I had received the original alert and been able to text a reply stopping it, or even delaying it, this entire hack would have stopped in its tracks. Instead I was told to ‘immediately’ call a number for Verizon that no one was there to answer.
- Make the Verizon Fraud Hotline accessible and visible to your customers. It took 45 minutes of irate Twitter DMing before I was able to get the number I needed to contact a real person at Verizon. For anyone searching for this in the future, the number is 1-(888) 483–7200.
- Tell your customer what happened with their account. I spent a few hours with Verizon support being bounced from the Fraud Department to the Legal Department to the Consumer Support department. I got very little from anyone; they would not release details of the call unless I hired a lawyer to represent me.
Things Coinbase.com can do
Dear Lord Coinbase. Where do we even start.
- Make enabling Google Authenticator a *requirement* for storing any coins on Coinbase.com. SMS 2FA is broken but deceptively secure, especially to newcomers: a number port hands the attacker every code and reset text you were counting on.
- Make a 24–7 fraud hotline available to your customers. Twitter and email are broken mechanisms for response when speed is of the essence.
- Significantly limit the number of new users you accept on your exchange until you have the support resources to cover them. You gained 400,000 users in 30 days, FOUR HUNDRED THOUSAND, and many of these users are extremely new to security.
- Put basic fraud protections in place when someone logs into an account on a new device and then attempts to liquidate the account. A one-hour delay could have stopped this hack in its tracks.
- Make the default modes for transferring coin significantly more paternalistic for new users.
- Create an insurance policy for individual accounts. Yes, this policy would be extremely vulnerable to fraud, but this is your core competency, find a way.
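The withdrawal hold the fourth item asks for can be written as a small policy check over the account’s event log: any withdrawal that follows a password reset or a new-device confirmation within the hold window is frozen until the window has elapsed. The block below is an added example, not Coinbase’s code; the event names, the one-hour window and the sample log (whose minute marks follow the timeline earlier in this post, with an arbitrary date) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Event kinds that should freeze withdrawals for a while. These names are
# assumptions for this example, not any exchange's real event taxonomy.
RISKY_KINDS = {"password_reset", "new_device_confirmed"}
HOLD_WINDOW = timedelta(hours=1)


@dataclass
class Event:
    ts: datetime
    kind: str
    detail: str = ""


def evaluate_withdrawals(events: List[Event],
                         hold_window: timedelta = HOLD_WINDOW) -> List[Dict]:
    """Walk the event log in time order and decide each withdrawal.

    A withdrawal is HELD when a password reset or new-device confirmation
    happened less than `hold_window` before it; the hold lifts `hold_window`
    after the most recent such trigger. Otherwise it is ALLOWED.
    """
    decisions: List[Dict] = []
    risky_seen: List[Event] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in RISKY_KINDS:
            risky_seen.append(ev)
            continue
        if ev.kind != "withdrawal":
            continue
        triggers = [r for r in risky_seen if ev.ts - r.ts < hold_window]
        if triggers:
            latest = max(t.ts for t in triggers)
            decisions.append({
                "detail": ev.detail,
                "decision": "HOLD",
                "reason": ", ".join(f"{t.kind} at {t.ts:%H:%M}" for t in triggers),
                "release_at": latest + hold_window,
            })
        else:
            decisions.append({
                "detail": ev.detail,
                "decision": "ALLOW",
                "reason": "no sensitive account change in window",
                "release_at": ev.ts,
            })
    return decisions


# Constructed sample log; the date is arbitrary.
BASE = datetime(2017, 1, 1, 23, 0)
SAMPLE_EVENTS = [
    Event(BASE.replace(minute=42), "password_reset"),
    Event(BASE.replace(minute=43), "new_device_confirmed"),
    Event(BASE.replace(minute=44), "withdrawal", "BTC"),
    Event(BASE.replace(minute=45), "withdrawal", "70.96 LTC"),
    Event(BASE.replace(minute=46), "withdrawal", "16.03 ETH"),
    # An ordinary withdrawal three hours later, well outside the window.
    Event(BASE + timedelta(hours=3), "withdrawal", "0.1 BTC"),
]

if __name__ == "__main__":
    for d in evaluate_withdrawals(SAMPLE_EVENTS):
        print(f"{d['decision']:5} {d['detail']:10} {d['reason']} "
              f"(release {d['release_at']:%H:%M})")
```

Run against the sample log, the three withdrawals in the minutes after the reset are held until 00:43 and the later one is allowed. In practice the hold should also be visible to the account owner through a channel the attacker does not control, and any early release should require the strong second factor rather than the same SMS or email that just changed hands.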
Things you can do to secure your coins
In the wake of the attack, I reached out to friends with lots of experience in cryptocurrency and these are their tips.
- Don’t talk about Bitcoin Club. Don’t talk publicly online, with your real identity, about your trades or the exchanges. I know it’s too late for some (certainly for me!), and it shouldn’t be like this, but this makes you less of a target. Even if your coins are decently secured.
- If you are going to post on reddit, twitter, etc. about cryptocurrency, use a far-removed pseudonym.
- Use a separate, secret email for your coin accounts and do not forward the alerts to your personal email account.
- Use 2FA — SMS doesn’t count. I had no idea how easy Verizon and others make it for people to steal your phone number with basic information within minutes. Make sure you use Google Authenticator or Authy or something else supporting TOTP tokens, and consider a FIDO U2F device as well for your Gmail account.
- If you insist on leaving your money on coinbase.com, then store it in their “vault”. This will give you a buffer of a couple of days before any of your stuff can be touched; at least it won’t be gone instantly.
- Call your cellphone company and tell them you are likely to be targeted for social engineering. Request more scrutiny for any requests made on your account.
- Store your coins in a hardware wallet. Technically, any money you have in an exchange isn’t yours; you simply have an IOU from the counterparty. Best practice for keeping your coins safe is with a hardware wallet like the Ledger Nano S. This is only $60 or so and means that someone will need to physically enter a PIN and confirm a transaction, or steal your backup seed, to access your funds.
I’m not giving up on crypto
I joined Coinbase.com in 2015, have held various positions in BTC over the years and have seen hype come and go. I think we’re nearing a real inflection point with adoption but we’re in a dangerous place as the price of BTC/ETH skyrockets and noobs hit the market.
Four hundred thousand people have joined Coinbase.com in the last thirty days. This group has vastly different security needs and expectations than the original 400,000 who joined Coinbase in 2012. If this new group isn’t protected in aggregate, lawsuits will fly, financial lives will be ruined, and the dream that bitcoin will eventually hit $50,000 will become a dim fantasy. Check out the Coinbase reddit if you want an extra taste of what’s happening.
Despite this, I’m willing to bet that Coinbase, or someone else, will significantly evolve and eventually figure it out. Many of the problems that led to my hack on Coinbase are addressable with more paternalistic software, fraud detection and an in-house support team reachable 24–7. The beauty of the blockchain is that you can create a consumer offering on top of it that operates much more like a bank, and it can exist next to an exchange suited for someone buying and selling huge, risky amounts each day.
It’s hard to understand how brutal it is to start over with this level of rapid financial loss unless you’ve been there yourself. The BTC I had in my Coinbase was collected over years and the ETH and LTC positions were more recent. I blame myself for not doing enough security research and I also know that these gaps are exceptionally common for others. Unless big changes happen, many others are likely to get robbed and the reputation of cryptocurrencies, in general, will degrade. The only thing that’s really around to protect these newcomers is the cryptocurrency community itself. Please let my ample misery be a raw warning sign. Inform your friends. Don’t trust Coinbase defaults. Don’t think it won’t happen to you. Stop reading this and secure your coins right now.