Topic: I thought I would never get hacked... - page 2. (Read 1038 times)

The dude is living in the old days even though it is good to read books and acquire knowledge from it the effort needed is like pain in the ass and I am not sure is there anyone willing to give such effort when we have an alternative that does the same job for free via tools such as Grammarly.

If I am not wrong in android, Grammarly is available in the keyboard format alone which is not really helpful because the built-in dictionary is almost available on all keyboards including the stock ones so there is no need to trust another one 3rd party app with our sensitive data.

Grammarly is good when we use it on a PC in the form of an extension so it can only collect the data from that particular browser alone not from the entire device.

Thanks for the suggestion but I don't have a budget to buy these books do you have any free source?
I'm only using Grammarly sometimes when writing some content here or in WP blogs but when typing a password or copying/pasting some important details I always switch it back to the default keyboard(Samsung keyboard).

Please, don't use Grammarly if you want to remain anonymous online under different names on different platforms. They record every sentence that you type, then analyze your writing ability, your writing style, manner, etc.
In order to improve your writing ability and expand your vocabulary, I suggest you to use Cambridge books, personally I love them and Thomas BJ has great books for vocabulary and idioms.

His point was to never say never. Anything can happen to anyone, even unexpected.

apogio
Was antivirus turned on on your smartphone? Was your android rooted? What suspicious apps did you have? Did you enable permission to install 3rd party apps without the Google Play Store? Were you visiting some suspicious websites? I mean websites that load tons of advertisements and open new tabs in your browser. I don't think that it all happened because of Swiftkey, I highly believe that the problem lies somewhere else.

He is just trying to say that you, assuming you are invulnerable to hacks and other potential risks which is lead to financial loss. The good thing is that you acknowledged your mistake so taking the necessary steps to improve is essential to avoid similar pitfalls in the future.

I'd feel the same. But, on the other hand, you could consider it "a cheap warning": early enough to know something was wrong without high costs, and a good moment to re-evaluate your entire OPSEC.

I don't really get your point though. The reason I lost money is because I screwed up. You are saying I have a problem. But in fact I have no problem at all. I will learn from my mistakes and everything will be alright.

There is a good saying that I have heard countless times in American movies that says "assumption is the mother of all fuc*ups", and if you think that something can't happen to you (and it happens to a lot of people every day), then you already have a big problem at the start.

Feeling comfortable and at the same time convinced that you are untouchable is a very dangerous combination.

Knowing best practices doesn't automatically mean we always obey the rules strictly. Me too, I do something stupid until I do it. Hopefully the loss isn't large then. It hurts my pride, I guess yours, too. We have to try hard to learn from such shit, stay more vigilant. It's human to make mistakes, but better don't do them twice or more. You know who's to blame then.
Easier said than done, though.



Sounds like a more safe approach. Monitoring wallets don't really need to get in touch with the recovery words, you can in most cases use only the extended public keys to setup a watch-only monitoring wallet. No risk to loose private keys this way if the monitoring device should get compromised. That's my approach if I want or need to look on my wallet(s) on a more frequently used daily driver or mobile phone.
Casual computing or gaming are another zone and I try to strictly separate this from more serious stuff.

I only kept the amount of money I was "comfortable" losing.  It is definetely true that I made multiple mistakes. In fact, I used to have hot wallets before, but I have never done any of these mistakes. And now, I made them all at the same time.


Definetely true. I have decided to monitor my wallet on my Sparrow desktop app only. I will keep only one device to monitor my wallet. I will avoid using wallets on my mobile phone, except for Zeus wallet which is connected to my lightning node.

Well, it depends. If you coinjoin them and then store the xpubs of your new outputs insecurely again, then you will be back at square one.

Unless the app has its own virtual keyboard like Electrum, then they aren't. You can tell this simply by the fact that your predictive text carries over between apps and software, meaning anything you enter on the generic keyboard is not kept within whatever app you are using but is accessed by the wider firmware and even synced to the cloud to better "learn your writing style" (read: spy on you).

Google were successfully sued a while back because if you turned off location gathering, Google still gathered all this data, they just didn't display it to you in your account when you accessed your location history page. I would not be in the least bit surprised if they still gathered all the sensitive data you enter via your keyboard, they just don't display it to you as an option for predictive text.

Completely agree. As I said above, this is just one possibility and the OP should not assume this is the cause without definitively proof. I was merely pointing out just how easy it is to be careless with your seed phrase, which should never have been entered on any keyboard at all.

It's not a flaw, it's a feature. I'm not an Android programmer but I read a lot about potential security stuff around digital devices. Any Android app can "subscribe" to be notified by system messages (don't pinpoint me on the correct jargon) if e.g. the clipboard changes and likely what is typed on the keyboard. Though I'm not sure if keyboard entries aren't some sort of private for the app that requested the keyboard entry. I wouldn't bet on it (a real Android dev surely knows better).

To boost security an app can and should ask for a private keyboard entry which should always be used for sensitive data. But the keyboard app has to follow this request properly, ie. don't do fancy online stuff and whatnot with that sensitive entry, particularly don't memorize or store the entry in some dictionary or blow it into the digital cloud. Decent keyboard apps should do this, but hell no you have no guarantee a keyboard app actually does it, unless you see and understand the source code or program it yourself.

The keyboard app in Android is a really sensitive and security important spot. There's a reason why e.g. Electrum on Android uses it's own keyboard entry method to enter recovery words. I praise Electrum for this. Unfortunately such security awareness is rare on other Android wallet apps.


I'm not entirely convinced that here the Android phone and the Swiftkey app are the main problem. The OP did some other bad things that he should avoid in the future.

• He handled recovery words on an online device outside of the original app (Bluewallet). Recovery words were fed into another wallet app. Don't do that on online/hot devices, period!
• He used 3rd party keyboard apps for entry of sensitive data. We agree, that's bad and should be meticulously avoided as you have no control whatsoever where your entry data diffuses to.
• He might have taken digital pictures of his recovery secrets. I don't know that, it was not talked about this. Of course, avoid this ever, too!

Recovery words are supposed to be backed up analog only, ie. paper or stamped in metal or similar analog and secure storage.
Maybe there's that went wrong, we don't know.

I can feel your pain. I would be totally pissed if that would happen to me even for the smallest amount that I would ever keep on a mobile phone wallet. I consider mobile phones as completely unsecure simply because a user does a hell of his internet shit on a mobile phone, install maybe questionable apps on it and just don't have much clue about security of such devices, not to mention the questionable update status of most Android devices once they get older.

Thanks, but as I said above, I have 99% of my sats in cold storage and the systems I use don't store anything in memory. As soon as the device is turned off it erases everything it has in memory

If you think that you will be safer that way, it seems that you have not realized how risky it is to store sensitive information, regardless of whether it is a smartphone or a desktop computer. When it comes to a desktop computer, you can also very easily expose your seed if you enter it in another wallet and you have a keylogger on that device.

Devices on which you store private keys should be isolated from all possible risks arising from your daily activities, which means that you need a hardware wallet or an airgapped device. Even then, you should always be on your guard, because being your own bank means you need to be on the lookout for thieves, whether they're online hackers or bad guys in the real world.

Yes, except if I coinjoin them.

That depends on your personal preference for privacy. But even if you move the funds, if they know your current public keys they can follow the money trail.

So today I will factory reset my phone. One question though. I have my xpubs for my multisig vault in my phones storage. Even though nobody can steal my money, if my phone is compromised they could spy on my wallet. Do you suggest I should create a brand new multisig vault and send my funds there?

If a malware infects your device and makes your wallet compromised, your fund will be stolen and it doesn't matter whether your seed phrase includes 12 words or 24 words.


A 12 word seed phrase provides 128 bits of entropy and as already said, it's secure enough.

Thanks for the kind words
I am much better. As I said it wasnt the amount I lost. It was the fact that I wasn't careful enough.


It is android version 12 and I downloaded the app from the playstore.


Hello. I own a multisig vault, created with offline hardware wallets. I also own cold storage where I also use passphrase. But, like everyone else I also had a hot wallet with some small amount in it. And I lost it. I wanna see what I did wrong and get better. The other two wallets are perfectly safe, technically speaking, as long as I also keep the backups safe.

I chose BW instead of Electrum for no obvious reason. Possibly the simplicity and the minimalistic approach. I have only used it for my hoy wallet though. Not for my other wallets.

Sorry about your loss. I hope you will soon find peace of mind.

From what I have read, I cannot tell you where you were not careful enough or how you could have stopped this from happening but I doubt it had nothing to do with 12 word or 24 word seed phrases. Although we all recommend you use 24 word, I doubt somebody brute-forced your seed phrase. I think what happened is that you might have a virus on your device or you stored your seed phrase in an unsafe way and somebody might stolen it without you noticing.

Best thing to do now is to get familiar with wallet security practices. OPSEC!

Everyone is sure that hacking will not affect them and this problem will surely bypass them, creating trouble for others. Anyone but me - this idea is familiar to everyone. It is easy to deceive yourself and end up with losses.

What was the reason for your choice of Bluewallet and not Electrum? Of course, this will not change anything, and most likely it would not have changed even before hacking, because the malicious program would certainly have stolen from the electrum wallet as well. In your situation, only hardware wallet could save the contents or the multi-sig.

Just the mistakes made and poorly built protection are used by attackers. There is only one solution: to minimize errors and try to be as safe as possible.

Blaming yourself will not change anything, but finding your mistakes and finding out where you made a mistake, with their subsequent elimination, will be more beneficial for you.

More likely, having 24 words would make it harder for a malware, but would not save your wallet from being stolen. Surely it would be possible to say if you figure out the attack vector.