It's an extremely odd decision by the author to publish this piece. Port attacks on cryptocurrency accounts are nothing new, and outside of publishing the number ($100k!) there is nothing special about this account of events vs the countless other near-identical articles that have been published on Medium on the same old attack.
The reason I say it's odd is that he's an engineering manager at BitGo, which is a leading cryptocurrency custody solution! His job is literally to secure and protect institutional cryptocurrency wallets, and to publicly tell the world how careless he was with his own personal account reflects extremely poorly on his employer, despite the fact that this was an unrelated incident.
Moreover, why wouldn't he be using his own company's "industry-leading comprehensive secure" wallet solution which he recommends in the article, for his $100K worth of Bitcoin?
It's a reminder that crypto is fundamentally dangerous due to its lack of regulation and compliance requirements, its fundamental irreversibility and lack of authority/censorship. It's a lesson we should all take to heart about what makes for a functional financial system and what doesn't. It's also a lesson about the security of phones.
IMO it's great to learn about what goes well but super valuable to learn when people face-plant.
Personal email accounts also tend to leak into having access to employer systems, especially in tech. For example, a lot of people use their personal email for GitHub, so once an attacker has access to your personal email they can move laterally into your employer's private code repositories.
BitGo should be treating this as a security incident and verifying the attacker didn’t also target them.
I'd like to see more companies introduce "time locks" into various big aspects of accounts.
Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.
Want to change 2 factor information for an account? We can put in the request now and it won't take effect for a week while we reach out to you using every communication method we know how to let you know it's happening and give you ample time to stop it if you discover it wasn't actually you that did it.
It seems like a fairly "low cost" way of upping the security quite a bit.
Also, not to make the OP feel worse, but Coinbase even offers a service like this called the "vault". The idea being that withdrawals are time-locked for a specific amount of time, and there are multiple ways to stop it during that time lock, even if you got locked out of your account entirely.
And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.
Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.
Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...
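An added example (not from this thread or from any carrier's or exchange's systems) sketching the time-locked change queue described in this comment: a sensitive change is queued, announced on every contact channel on file, can be vetoed by anyone without proof, and only takes effect once the window has elapsed. The change kinds, the 5- and 7-day delays and the channel names are assumptions.

```python
"""Time-locked account changes with an unauthenticated veto.

Sensitive changes (SIM port, 2FA reset) are queued, broadcast to every
contact channel on file, and only take effect after a cooling-off period
unless someone cancels them first. Constructed example, not production code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class PendingChange:
    change_id: str
    account: str
    kind: str                 # assumed kinds: "sim_port", "mfa_reset"
    requested_at: datetime
    effective_at: datetime
    state: str = "pending"    # pending -> cancelled | applied


class TimeLockedChanges:
    """Queue of deferred changes; the fail-safe direction (cancel) needs no proof."""

    # Assumed cooling-off periods, mirroring the 5 business days / 1 week in the comment.
    DELAYS = {"sim_port": timedelta(days=5), "mfa_reset": timedelta(days=7)}

    def __init__(self):
        self.changes = {}   # change_id -> PendingChange
        self.outbox = []    # (channel, message): stands in for SMS/e-mail/post/app push

    def request(self, account, kind, channels, now):
        if kind not in self.DELAYS:
            raise ValueError(f"unknown change kind: {kind}")
        change = PendingChange(
            change_id=secrets.token_hex(8), account=account, kind=kind,
            requested_at=now, effective_at=now + self.DELAYS[kind])
        self.changes[change.change_id] = change
        # Alert every channel on file, including the ones the requester does
        # not control yet (the old SIM, e-mail, postal address), so the real
        # owner learns about the request while there is still time to stop it.
        for channel in channels:
            self.outbox.append((channel,
                f"{kind} requested for {account}; takes effect "
                f"{change.effective_at.isoformat()}; reply STOP {change.change_id} to cancel"))
        return change

    def cancel(self, change_id):
        """Anyone claiming to be the owner may veto a pending change, no questions asked."""
        change = self.changes.get(change_id)
        if change is None or change.state != "pending":
            return False
        change.state = "cancelled"
        return True

    def apply(self, change_id, now):
        """The change goes through only once the full window has elapsed and nobody vetoed it."""
        change = self.changes.get(change_id)
        if change is None or change.state != "pending" or now < change.effective_at:
            return False
        change.state = "applied"
        return True


def demo():
    """Two requests: one vetoed inside the window, one left to run its course."""
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    q = TimeLockedChanges()
    port = q.request("alice", "sim_port", ["sms:old-sim", "email", "post"], t0)
    reset = q.request("alice", "mfa_reset", ["sms:old-sim", "email"], t0)
    return {
        "alerts_sent": len(q.outbox),
        "port_early": q.apply(port.change_id, t0 + timedelta(days=1)),        # window still open
        "port_vetoed": q.cancel(port.change_id),                              # owner saw the alert
        "port_after_veto": q.apply(port.change_id, t0 + timedelta(days=6)),   # cancelled stays cancelled
        "reset_day6": q.apply(reset.change_id, t0 + timedelta(days=6)),       # 7-day window not over
        "reset_day7": q.apply(reset.change_id, t0 + timedelta(days=7)),       # applies on time
        "reset_twice": q.apply(reset.change_id, t0 + timedelta(days=8)),      # cannot apply again
    }


if __name__ == "__main__":
    print(demo())
```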
> I'll put your request in now but it will wait for 5 business days before it happens
This to me seems to be a complete misunderstanding of the telcos' business and motivations. They sell mobile telephony - voice, sms, and data - and their _prime objective_ is to make it as easy as possible for their customer to spend as much money doing that as possible. Making you wait five days to get reconnected to "your number" when you have, for whatever reason, lost control of it is just not going to happen. They'll move mountains to get you back onto your data/voice plan before you've walked out of the store.
Nobody ever advertised their phone/sms plans as "banking grade secure". Telcos have been telling us for years that they are explicitly _not_ secure for that:
https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for...
Communications Alliance chief executive John Stanton, representing the interests of mobile providers Telstra, Optus and Vodafone, took the extraordinary step of declaring the technology insecure in the wake of numerous reports of Australians being defrauded via a phone porting scam first uncovered in Secure Computing magazine.
"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," Stanton told iTnews this week.
Telcos are not interested in securing that, they get _way_ more complaints from people who lost/broke their phone who want their replacement one to work RIGHT NOW, than they do from people who got defrauded with a sim porting attack. And the first group of people are spending _way_ more money collectively than the second, so of course telcos will continue to make it quick and easy to sim port.
Everybody else needs to deal with that. While sms 2FA is marginally better than not having any 2FA at all, it's not the telco's problem if you choose to use it to "secure" your $100k worth of crypto. In my mind, a large part of the blame here goes to Coinbase for even offering it. I'm also looking at you, PayPal...
> Want to port a SIM? I'll put your request in now but it will wait for 5 business days before it happens, and at any point if you or someone claiming to be you calls up to stop it, we stop it, no questions asked.
Funny because that's exactly what happens in France when you do so. I must have sounded a bit dumb when I asked when my number would be active when I changed from Tello to Verizon. I couldn't believe it was effective right away.
> And while we are doing PSAs, I'd like to give one piece of seemingly conflicting advice: make sure you have backups of your multi-factor authentication systems.
Yes! Many password managers (at least KeePassXC/KeePass with plugin) can store and create TOTPs. The underlying keys can be manually shown and entered elsewhere if needed, and can be backed up with everything else that's valuable.
> Print out 2-factor backup codes, put them somewhere safe, maybe split them in 2 and put half of the codes in one place, and half in another. Think through possible problems. It really sucks to have your house flood, then find out that your phone with the 2-factor app on it was destroyed, and your backup codes ruined as well...
Off site and offline backups are a good thing to have, especially with fire and water proof lockboxes. (think encrypted external drive lying around at work or at family/friend's house)
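An added example (not from the thread or from KeePassXC) of the point above: a TOTP code is a pure function of the stored seed and the clock, so a backed-up seed regenerates the same codes on any device. The otpauth URI is constructed; its secret is the RFC 4226/6238 test key "12345678901234567890" in base32, the form a password manager displays.

```python
"""TOTP (RFC 6238) regenerated from the stored seed: back up the seed, not the phone.

Constructed example. The seed below is the RFC 4226/6238 test key
"12345678901234567890" encoded as base32, as an authenticator app would show it.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed otpauth URI of the kind an authenticator app or password manager
# stores; this string is the whole secret and is all a backup needs to contain.
EXAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def decode_secret(secret_b32):
    """Base32-decode a seed as shown by an app: tolerate spaces, case and missing padding."""
    clean = secret_b32.replace(" ", "").upper().rstrip("=")
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def parse_otpauth(uri):
    """Extract the seed and parameters from an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    query = parse_qs(parts.query)
    return {
        "label": parts.path.lstrip("/"),
        "secret": decode_secret(query["secret"][0]),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // period, digits)


def verify(key, code, at, period=30, digits=6, window=1):
    """Server-side check allowing `window` steps of clock drift either way.
    Each comparison is constant-time so timing does not leak matching digits."""
    candidates = [totp(key, at + d * period, period, digits)
                  for d in range(-window, window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


def code_from_backup(uri, at):
    """Any device holding the backed-up URI produces the same code as the lost phone."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"])


if __name__ == "__main__":
    import time
    print(code_from_backup(EXAMPLE_URI, int(time.time())))
```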
2FA has no place over phone networks for account recovery. It's far easier to obtain access to 2FA texts or to do SIM ports like this than it is to break some gmail account password (even a weak one).
So many people don't seem to understand this. I was trying to use U2F YubiKeys on GitLab a while back, only to discover they force you to enable 2FA first for account recovery. This completely defeats the purpose of hardware auth; it's not supposed to be for convenience. Security is only as strong as the weakest link, and 2FA is very weak.
> Sure, having your accounts taken over is awful, and it can happen to anyone, but something just as bad is losing your 2-factor systems and being locked out of accounts with no way to recover them.
+1. I lost a phone and with it my Cloudflare 2FA. For some reason, Cloudflare won't let you contact tech support without logging in. There is no contact info for support on their website, AT ALL, so if you can't log in, you're fucked.
Lots of places do this. Fidelity, for example, blocks withdrawals for a certain amount of time when some specific actions happen on an account. I believe address changes and adding people to your account with a certain level of access trigger the block.
The "time lock" approach is exactly what Apple is doing if you try to recover your Apple ID (without password and second factor).
Unfortunately, when you search on Twitter, people are going bananas over having to wait a few days to get their Apple account reset... so I definitely get why not more companies are doing this.
In all seriousness folks, as someone who long ago worked for a big wireless carrier, do not use SMS-based two-factor auth for anything. Number porting is a huge and easily performed attack vector, it requires very, very little information, a lot of which can be gathered from publicly available resources... or pretty easily obtained via social engineering. To make matters worse, the information doesn't even need to be entirely accurate.
Once they have your number ported getting it back will take, at least, a few days; during which, they'll have unfettered access to anything that uses your mobile number to authenticate.
Use a dedicated 2FA application on a device you physically control and _write down_ the backup keys somewhere physically safe.
Many services will happily send an SMS account recovery/reset link regardless of how vehemently we refuse to use SMS-based two-factor auth.
An attacker can call support, give them plausibly correct information gleaned from public sources, and nicely claim to have forgotten the answers to your recovery questions ("Oh, it might have been a jumble of letters and numbers... silly me..."). There are enough incorrectly trained support people who will let this through to make the tactic effective on average.
Your point is obviously correct, but everything is so hopelessly broken that it almost doesn't matter in practice.
Not to mention the fact that the carrier can perform these attacks quite easily, as can the governments who have historically found ISPs willing partners. If you have any reason to believe that you might be the subject of a targeted attack, do not use SMS as a second factor!
I was attacked in the same manner this weekend. I'll dump what I know below in the hopes it helps someone.
I lost money when MTGox went under and made some online posts (on reddit, I think) several years ago. Maybe this is what caused me to be targeted?
This weekend a malicious actor posing as the account holder on my account was able to get my number transferred to his phone. AT&T fraud says this happened at a store, and the user had the last 4 of one of my family member's social security number, as well as a fake ID. I'm not sure I believe this, but will request more info in writing.
I regained access to my account. The attacker came from IP 216.162.42.85 (Santa Clara, California).
They entered my email and according to google activity logs immediately went after my coinbase account. They got in (joke's on them I didn't have anything). Then they searched my email for 'btc', and also made a visit to my bank website. They weren't able to get access.
As far as I can tell, they were in and out within 10 minutes. I wonder if this was related to the author's experience?
This is the reason I have disabled SMS as a recovery option in my gmail/google account. My 2FA for gmail is now my iPhone and iPad. They have to know my password and get one of my devices to hack my account. I also use protonmail and for SMS based 2FA, I plan to use a google voice number from a totally different google account which forwards the text to my protonmail account. Google voice numbers cannot be ported out. Hence, avoiding the sim hack. They can port out if they hack my "shadow" google account. The trick is to never use the shadow account for anything. Hence, the attackers have no way to get to your google voice.
Unfortunately many places are actively refusing to work with Google Voice. I got a message from Bank of America saying specifically that they're removing Google Voice support:
> You can't enroll in Zelle with a landline, Google Voice or VOIP (voice over internet protocol) phone number. (Section 3.C.3 Enrolling in the Service)
This follows with some other unnamed (because I don't remember them) services which also refuse to work with Google Voice.
That's really unfortunate because I've been using Google Voice for nearly 10 years without issue until recently (when companies specifically remove support...)
Stuff like this freaks me out and I'm sure I'm not the only one. Thanks for the wake-up call. It's a terrible amount of money to lose. I hope things get better for this guy in the future (and I don't think anyone would say they're to blame for this.)
Security is becoming so difficult to balance with everyday life... I don't know how anyone can remember everything that they're "supposed" to know about security.
This is frightfully common in South Africa except aimed at banks - they use SMS as their 2FA. ("SIM swap")
Another common tactic to watch out for: Repeated calling of your phone to annoy you enough so that you switch it off/silent it. That can give the attacker enough time where you don't notice the swap.
This is frightening. If you're using texts for 2-factor auth you're at the mercy of your phone service provider's customer service. And they're trying to balance being helpful with security, which can be in opposition. Losing $100,000 with no hope of recovery is the kind of thing that could sink many people's finances.
His summary of how to avoid having this happen to you:
* Use a hardware wallet to secure your crypto
* SMS-based 2FA is not enough
* Reduce your online footprint
* Use Google Voice for 2FA
* Create a secondary email address
* Use an offline password manager
How can a mobile carrier operate like this?? No authentication that the request isn't fraudulent?
In Sweden I switched to another carrier, still keeping the number in the same name. To do that I got a text message with a code I had to input to initiate the process.
When I ported my phone number from my father to me within the same carrier when I turned 18 that required the same confirmation to initiate the process and signed request/approval both from me and my father posted to the company, with associated emails about the process.
This isn't even hard? This is just basic steps to prevent identity theft....
This is not about porting the number to a different carrier or even a different owner though. It's more analogous to getting a replacement SIM card.
The last time I had a phone stolen, I went to the carrier's store, they checked my ID, and gave me a replacement SIM. And the thing is, if the customer service representative is empowered to do that, they could also be bribed by the attacker.
Large tech companies like Google push 2-factor auth to "increase" security, but this article shows that 2-factor auth with SMS verification opens up a huge security hole since the attacker can access your email if they can get your provider to port your SIM over to their device. Am I missing something and if not how did companies like Google not foresee this huge security hole?
Sucks to be the OP, but storing any crypto in an exchange is idiotic, and literally the first thing on any list of "how to secure your crypto" is to not do it. This shows the OP is just being willfully ignorant.
Exchanges get hacked or are victims of internal fraud at a level that is far beyond any acceptable risk. https://coinsutra.com/biggest-bitcoin-hacks/
If you have any kind of serious crypto holdings, you should either be using hardware wallets or a PC that you only use for crypto. Nothing else.
* Buy crypto, transfer to your PC, turn off PC.
This person's Google account is likely still vulnerable to the attacker and if they used Chrome password sync all of their other accounts are also likely owned. You can recover a google account if you know some basic details such as a previously used password or the creation date of an account. After having a google account owned, enrollment in the advanced protection program and ensuring only the strongest recovery methods are enabled are the best next steps.
https://landing.google.com/advancedprotection/
> Do not leave funds idle on exchanges or fiat on-ramps.
This warning has been publicly repeated hundreds of times since 2010, yet people still insist on ignoring it.
The author didn't lose anything. He gave Coinbase his bitcoin in exchange for a promise to pay it back. That deal backfired.
> I knew the risks better than most, but never thought something like this could happen to me.
There's knowing the risk, and then there's knowing the risk. I'd suggest that the author didn't really know the risk, or he would never have considered leaving such a valuable asset in the care of an organization so ill-equipped to safeguard it.
SMS should not be used for anything even remotely related to security. If you still need to be convinced, the Reply All episode about it[0] is eye-opening while being entertaining.
[0] https://gimletmedia.com/shows/reply-all/v4he6k/130-the-snapc...
I wonder how nobody sees the elephant in the room.
2FA by SMS is terribly insecure. Numerous security researchers recommended never using it. Using phone numbers as primary authentication mechanism is insecure and never should be used. Phone numbers can be spoofed, SMS messages can be intercepted, SIM port attacks can and will happen. If your email or banking accounts depend on 2FA by SMS, especially when SMS can be used to reset the password — disable it now. Avoid it like plague.
More than that — if your account has significant value that you absolutely can’t afford to lose, you shouldn’t use _any_ 2FA services linked to your phone, at all, including Google Auth. Your phone can be lost or stolen anytime. Use a dedicated device which you don’t take with you all the time.
This is the kind of stuff that convinces me we'll never see mass adoption of cryptocurrency -- or that if we do, it will be only by replicating the existing financial system and slapping a cryptocurrency label on it.
If security engineers at cryptocurrency firms are getting hacked, what hope do mom & pop users have? And once your money is stolen, you have basically zero recourse and no way to reverse the transaction. I know many proponents consider that a feature, but I'm telling you for the average user, it is absolutely a bug.
I have a question related to this that someone expert in Bitcoin could answer.
Could the victim monitor where the bitcoin (we assume) went to using the public blockchain record? Then, trace it every step of the way (and in whatever chunks it divides into) until it reaches the account of a publicly identifiable entity? At that point, there might be legal recourse in recouping stolen goods (at least, this is how it works in the UK with stolen physical goods... even if someone "legitimately" buys them, they can be reclaimed).
That's interesting, I did not know it was possible to have a Coinbase account without working Google Authenticator.
I found out the hard way it takes over a week of time and multiple verifications and contacts to reset my authenticator when my old phone was broken; as it should be.
dontbenebby|6 years ago
I remember first hearing about them in 2016:
https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-m...
puzzlingcaptcha|6 years ago
Does it need to be? Seems most of it could be avoided if the cellular service required a visit at the store with an ID card to clone a SIM card.
Reedx|6 years ago
https://authy.com/phones/reset/?proceed=true
ikeboy|6 years ago
https://www.silvermillerlaw.com/current-investigations/crypt... comes up on a search and says they'll do contingency in cases like this. Got nothing to lose.
mayniac|6 years ago
$100k is a lifetime's worth of money in some countries, and it can justify a few months worth of recon.
Animats|6 years ago
Now that's the real problem. Coinbase acts like a bank or a broker/dealer, but isn't regulated like one.