Recent Coinbase hacks | Bitcointalksearch.org

acoindr

legendary

Activity: 1050

Merit: 1002

Quote from: DrBitcoin on February 08, 2014, 09:14:19 AM

I am concerned about Coinbase hacks, just like many of you. Websites like The Verge and other mainstream tech sites are running articles about seemingly tech savoy individuals being hacked.

For the record, I have very few BTC. That said, I'd put them all in cold storage, but I like that Coinbase syncs with Mint.com.

Is it reasonable to assume that if an individual does the following, they have covered their bases?

1) uses a strong, unique, random string of letters and numbers for a coinbase password
2) uses two factor authentication (using phone numbers that are unique to their cell phones, NOT google voice)
3) uses a strong, unique, random string of letters and numbers for their backup email password
4) avoid junk mail, phishing scams, never opens attachments, doesn't download altcoin wallet apps.
5) EDIT: Only going to websites that are links stored in my browser

Am I missing anything?

Thanks,

Dr. Bitcoin

Yes you are missing something. I haven't said this in a while, but new people are here so I need to say it again.

If you have more money/coins stored with ANY online service than you can afford to lose you have too much stored there. Period.

Bitcoin is going to teach people hard lessons. There is no FDIC or card company to run to. Whenever you turn over your coins you have questionable chance getting them back. There are numerous ways a service can lose your coins even if they have the most honest intentions. With Bitcoin you are your own bank.

Learn to store the majority of your coins safely yourself in cold storage. I recommend Armory which makes this pretty easy. If you don't trust yourself storing your own coins at the very least spread them among different reputable services so your chance of losing everything when things go wrong is diminished. Eventually we may begin seeing insurance offered with Bitcoin wallets/services. Until then the above applies.

keithers

legendary

Activity: 1456

Merit: 1001

This is the land of wolves now & you're not a wolf

Every company that has a massive amount of users and deals with money will have instances of theft. It is just a fact. Nothing that can be done about that. Bank fraud probably happens thousands if not millions of times a day. It's just the fact that the bitcoin community is still relatively small, so each incident is more scrutinized.

DrBitcoin

sr. member

Activity: 350

Merit: 294

Quote from: ArticMine on February 08, 2014, 11:51:17 AM

Quote from: DrBitcoin on February 08, 2014, 09:14:19 AM

I am concerned about Coinbase hacks, just like many of you. Websites like The Verge and other mainstream tech sites are running articles about seemingly tech savoy individuals being hacked.

For the record, I have very few BTC. That said, I'd put them all in cold storage, but I like that Coinbase syncs with Mint.com.

Is it reasonable to assume that if an individual does the following, they have covered their bases?

1) uses a strong, unique, random string of letters and numbers for a coinbase password
2) uses two factor authentication (using phone numbers that are unique to their cell phones, NOT google voice)
3) uses a strong, unique, random string of letters and numbers for their backup email password
4) avoid junk mail, phishing scams, never opens attachments, doesn't download altcoin wallet apps.
5) EDIT: Only going to websites that are links stored in my browser

Am I missing anything?

Thanks,

Dr. Bitcoin

Yes you have missed something: If you have not done so already, stop using Microsoft Windows and start using GNU/Linux

I use Mac and iOS.

keithers

legendary

Activity: 1456

Merit: 1001

This is the land of wolves now & you're not a wolf

Quote from: Barek on February 08, 2014, 01:12:47 PM

Does Coinbase offer IP-based security, where you can specify which countries may log into your account?

I always thought that was a simple way to get a good bit of extra security.

I believe you can whitelist only specific ip addresses

coastermonger

sr. member

Activity: 367

Merit: 250

Find me at Bitrated

2-factor is useful, but remember that anything can be vulnerable to phishing. If you go to a fake website and give them your username, password, and 2-factor code(s), you're done. Always make sure to check the browser URL when logging in.

Barek

full member

Activity: 168

Merit: 100

Does Coinbase offer IP-based security, where you can specify which countries may log into your account?

I always thought that was a simple way to get a good bit of extra security.

keithers

legendary

Activity: 1456

Merit: 1001

This is the land of wolves now & you're not a wolf

Coinbase just made some changes tonthe security for API key. I would recommend connecting only the devices you really really need to coinbase. There is no reason to connect extra devices and expose yourself to further risk if you are just checking your balances with the additional connected devices. Also make sure to log in and check all active sessions. End all of the ones except the one you are currently using

adeojo

newbie

Activity: 13

Merit: 0

I did all. My coins was stolen. So far they have refused to refund my coins. Some people have been refunded.
They have a security problem (but continue to blame phishing attacks)

I have used same simple pw with No 2FA auth for a bank for the last 10 years. How come I have not been a victim ? I have never lost a cent.

Coinbase prides itself as SAFE and SECURE and supposedly on cutting edge of security, yet all these stories of coins been stolen.
To make matters worse, they do not show their face, no phone nos to call.

if coinbase is not up to the task, they should get out of the way. All, please do not use their service until it is fixed

FYI, this is how it all begain with MtGox.

BCB

vip

Activity: 1078

Merit: 1002

BCJ

Quote from: ArticMine on February 08, 2014, 11:51:17 AM

Quote from: DrBitcoin on February 08, 2014, 09:14:19 AM

I am concerned about Coinbase hacks, just like many of you. Websites like The Verge and other mainstream tech sites are running articles about seemingly tech savoy individuals being hacked.

For the record, I have very few BTC. That said, I'd put them all in cold storage, but I like that Coinbase syncs with Mint.com.

Is it reasonable to assume that if an individual does the following, they have covered their bases?

1) uses a strong, unique, random string of letters and numbers for a coinbase password
2) uses two factor authentication (using phone numbers that are unique to their cell phones, NOT google voice)
3) uses a strong, unique, random string of letters and numbers for their backup email password
4) avoid junk mail, phishing scams, never opens attachments, doesn't download altcoin wallet apps.
5) EDIT: Only going to websites that are links stored in my browser

Am I missing anything?

Thanks,

Dr. Bitcoin

Yes you have missed something: If you have not done so already, stop using Microsoft Windows and start using GNU/Linux

+1

You could even create a dual boot box and conduct you bitcoin activity on the Linux install
(a security expert would have to verify that this would protect you if you also had windows installed on the same machine)

keithers

legendary

Activity: 1456

Merit: 1001

This is the land of wolves now & you're not a wolf

Use 2fa for any size withdrawals

ArticMine

legendary

Activity: 2282

Merit: 1050

Monero Core Team

Quote from: DrBitcoin on February 08, 2014, 09:14:19 AM

I am concerned about Coinbase hacks, just like many of you. Websites like The Verge and other mainstream tech sites are running articles about seemingly tech savoy individuals being hacked.

For the record, I have very few BTC. That said, I'd put them all in cold storage, but I like that Coinbase syncs with Mint.com.

Is it reasonable to assume that if an individual does the following, they have covered their bases?

1) uses a strong, unique, random string of letters and numbers for a coinbase password
2) uses two factor authentication (using phone numbers that are unique to their cell phones, NOT google voice)
3) uses a strong, unique, random string of letters and numbers for their backup email password
4) avoid junk mail, phishing scams, never opens attachments, doesn't download altcoin wallet apps.
5) EDIT: Only going to websites that are links stored in my browser

Am I missing anything?

Thanks,

Dr. Bitcoin

Yes you have missed something: If you have not done so already, stop using Microsoft Windows and start using GNU/Linux

BCB

vip

Activity: 1078

Merit: 1002

BCJ

Also, I understand that most of the resent hacks where a result of this coinbase phishing attack.
https://bitcointalksearch.org/topic/m.4815551

It essentially tricked users into clicking on the google lnk that took you to a fake coinbase site. Once you logged in you gave the hackers access to your account which they would use to log into your account and transfer you coins.

THIS ATTACK DID NOT WORK FOR THOSE ACCOUNTS WITH 2FA.

All the 2FA users had to do when he realized it was a fraudulent site was to log into the real coinbase account with his 2fa and change his password.

[however the phishing attack could have also down loaded a key logger - which I believe this attack did not].

Again, most hackers prey on low-hanging fruit. Which means if you do not understand the security implications of virtual currency you should not be moving or storing large amounts of funds until you do understand it.

BCB

vip

Activity: 1078

Merit: 1002

BCJ

My understanding was that most of these "Hacks" happened as a result of coinbase clients who had activiated an API key to access their coinbase accounts AND had their personal computers compromised.

Coinbase has recently added more granular control for their API keys and explain it here.

http://blog.coinbase.com/post/75936737678/more-security-and-granular-control-with-the-new-api

If you are using API access you should read this. And if you don't understand it you should delete API access for your account until you do.

Also ALWAYS use 2-factor authentication like Google auth. I've never heard of an hack or compromise, in bitcoin, that has defeated 2FA.

rat

sr. member

Activity: 253

Merit: 250

coinbase has one really bad verification option that is a security red flag: they ask for your bank login and password as a verification option.

of course, it's an option; as opposed to allowing them to deposit two small amounts of change for verification, but it's still bad.

and the report that came out after a system security audit proved that they are dropping the ball somewhere on their end.

all of the bitcoin exchanges are using bad practices. all of them.

DrBitcoin

sr. member

Activity: 350

Merit: 294

Quote from: Barek on February 08, 2014, 09:24:17 AM

Be mindful of the URL and server certificate authenticity.

All the passwords and 2FA do you no good if you are supplying that info to the wrong website.

I only go to these websites through my iOS browser link. Good point though.

DrBitcoin

sr. member

Activity: 350

Merit: 294

Quote from: Avalaxy on February 08, 2014, 09:22:30 AM

A strong password is good, but it needs to be unique for coinbase, don't use it for anything else. Also, never use email 2FA, use phone 2FA or google authenticator. Make sure you disable all your API keys, or if you need an API key, be very careful with it and only give it the permissions that it really needs.

Let's be clear. I an using UNIQUE random long passwords with mixed case letters numbers and dashes.

One thing. I am using Coinbase limits to allow for limit orders. This uses an API, and I was ensured by the developer that it is safe, and that if a hacker somehow managed to access it, the most they could do is buy or sell my coins, not make transfers. This would still be terrible.

Coinbase should allow the user to require a text or email to confirm a transaction before it occurs. Like "are you sure you want to send these Bitcoins?" This email can go to a different email of choice, and only be used for that purpose.

That way if a scumbag somehow manages to get into your account, and try's to transfer your Bitcoins, you get an email to this unique email address saying "are you sure you want to transfer 2 BTCs? Click this link to confirm this transfer."

Barek

full member

Activity: 168

Merit: 100

Be mindful of the URL and server certificate authenticity.

All the passwords and 2FA do you no good if you are supplying that info to the wrong website.

Avalaxy

full member

Activity: 149

Merit: 100

A strong password is good, but it needs to be unique for coinbase, don't use it for anything else. Also, never use email 2FA, use phone 2FA or google authenticator. Make sure you disable all your API keys, or if you need an API key, be very careful with it and only give it the permissions that it really needs.

DrBitcoin

sr. member

Activity: 350

Merit: 294

I am concerned about Coinbase hacks, just like many of you. Websites like The Verge and other mainstream tech sites are running articles about seemingly tech savoy individuals being hacked.

For the record, I have very few BTC. That said, I'd put them all in cold storage, but I like that Coinbase syncs with Mint.com.

Is it reasonable to assume that if an individual does the following, they have covered their bases?

1) uses a strong, unique, random string of letters and numbers for a coinbase password
2) uses two factor authentication (using phone numbers that are unique to their cell phones, NOT google voice)
3) uses a strong, unique, random string of letters and numbers for their backup email password
4) avoid junk mail, phishing scams, never opens attachments, doesn't download altcoin wallet apps.
5) EDIT: Only going to websites that are links stored in my browser

Am I missing anything?

Thanks,

Dr. Bitcoin

Topic: Recent Coinbase hacks (Read 1631 times)