
Topic: Using 2FA to guard against Bitcoin theft. Do you back up your 2FA codes? (Read 1595 times)

legendary
Activity: 1512
Merit: 1011
Yes, I always back up my 2FA QR by taking a screenshot of it.
Because I usually try new ROMs on my phone, sometimes bad things happen and I can't access my phone.
I recommend you back up when you set up a new 2FA.

So you use custom/rooted software to run your phone and keep screenshots of 2FA codes? That basically calls for an accident to happen!
Yes, I use a custom ROM, but I don't use that phone to keep screenshots of QR codes.
I use my computer to back it up and store it in an encrypted folder.
Hope it's safe there.
full member
Activity: 210
Merit: 100
Yes, I always back up my 2FA QR by taking a screenshot of it.
Because I usually try new ROMs on my phone, sometimes bad things happen and I can't access my phone.
I recommend you back up when you set up a new 2FA.

So you use custom/rooted software to run your phone and keep screenshots of 2FA codes? That basically calls for an accident to happen!
legendary
Activity: 1512
Merit: 1011
Yes, I always back up my 2FA QR by taking a screenshot of it.
Because I usually try new ROMs on my phone, sometimes bad things happen and I can't access my phone.
I recommend you back up when you set up a new 2FA.
legendary
Activity: 1789
Merit: 1008
I need to take a backup of some of my 2FA setups. I have become so reliant on it and yet I have only backed up a couple. Losing your device would be a nightmare.

Some people opt for text codes, which are particularly useful if you lose your device - you can simply have your number changed over, or remove your SIM card from your phone if it broke.

Has anybody sent their device with Google authenticator (or similar) for repair? What steps did you take to protect yourself?
full member
Activity: 210
Merit: 100
I don't think I need to write any codes down with text 2-factor. If I lose my phone I can get access back to my old number pretty quickly.

We're talking about the Google authenticator, which is an app that creates a new 2FA code every 30 seconds (synced to universal time). You need that code to log into some service. If you lose the secret code needed for Google authenticator to generate those 2FA codes, you're screwed. You can't restore them unless you ask all your services to disable 2FA for you, which is a pain.
sr. member
Activity: 266
Merit: 250
My question is, say someone keylogged the smartphone (is this even possible?) you use to log in to an exchange. Is there malware they may use to also get the code from the Google Authenticator that is also on the phone?
Generally speaking it is not possible to install a keylogger on an iPhone as it is sandboxed. Androids on the other hand, in theory could be keylogged.

I think the question that you should really be asking is whether a phone can automatically capture and send screenshots to an attacker, as 2FA displays a "password" to a user who inputs the "password" on the site they are trying to log into.
member
Activity: 66
Merit: 10
I don't think I need to write any codes down with text 2-factor. If I lose my phone I can get access back to my old number pretty quickly.
hero member
Activity: 532
Merit: 500
If you do use 2 factor auth then you should back up your codes no matter what, otherwise the app or whatever you are using could be wiped etc. and you will not be able to access the account again. 2 factor is really helpful but can be a right pain too.
sr. member
Activity: 406
Merit: 250
That is a pretty cool idea. I often think about what happens if I lose my iPhone and can't access the codes. I keep it backed up in iTunes so I feel pretty secure but it makes me a bit nervous to think about. I keep very little bitcoin online, but I do use 2FA to withdraw my purchases from Coinbase etc.

Are you aware that 2FA codes aren't stored in iTunes backups unless they're set to be encrypted? The 2FA information is stored in the iOS keychain, which isn't stored in unencrypted backups for obvious reasons. So you should either encrypt your backups (checkbox in iTunes) or write your codes down!

I use an iPhone myself and wasn't aware of that. Thanks for the helpful tip. I am doing an encrypted back up right now.
hero member
Activity: 807
Merit: 500
My question is, say someone keylogged the smartphone (is this even possible?) you use to log in to an exchange. Is there malware they may use to also get the code from the Google Authenticator that is also on the phone?
There is nothing technical to prevent malware from capturing clipboard contents or screenshots on computers or mobile phones. Whether or not such malware exists is always up for debate considering that the best malware can go undetected for long periods of time. Regarding the second question, it would depend on how Google Authenticator works. For instance, if it uses direct communication over an encrypted channel and a deterministic rolling code, then perhaps there is no malware that can take advantage of that without Google's encryption first being hacked (for instance, by way of a stolen SSL certificate). On the other hand, based on this:
By the way, those secret codes are stored in plaintext so if you're rooted and install a rogue program - good luck.
I'd say malware that could get the GA codes on a rooted phone could certainly exist (assuming that quote is accurate). Malware that could get it on a factory phone may exist as well if there are any flaws that allow apps to access data that is supposed to be secured to other apps.
full member
Activity: 210
Merit: 100
That is a pretty cool idea. I often think about what happens if I lose my iPhone and can't access the codes. I keep it backed up in iTunes so I feel pretty secure but it makes me a bit nervous to think about. I keep very little bitcoin online, but I do use 2FA to withdraw my purchases from Coinbase etc.

Are you aware that 2FA codes aren't stored in iTunes backups unless they're set to be encrypted? The 2FA information is stored in the iOS keychain, which isn't stored in unencrypted backups for obvious reasons. So you should either encrypt your backups (checkbox in iTunes) or write your codes down!
sr. member
Activity: 433
Merit: 251
My question is, say someone keylogged the smartphone (is this even possible?) you use to log in to an exchange. Is there malware they may use to also get the code from the Google Authenticator that is also on the phone?
hero member
Activity: 807
Merit: 500
I often think about what happens if I lose my iPhone and can't access the codes. I keep it backed up in iTunes so I feel pretty secure.
I'd think twice about keeping it backed up in iTunes in case this is true on Apple devices, too:
By the way, those secret codes are stored in plaintext so if you're rooted and install a rogue program - good luck.
newbie
Activity: 1
Merit: 0
I think you are overconfident about 2FA. If an attacker personally knows you and knows that you control a large amount of bitcoin then they could steal your 2FA device and guess your simple password.

IMO a 2FA device should supplement your password, not replace it.

The phone I'd do this on would get airplane mode enabled when it's first turned on, then the phone itself would be encrypted with a strong password. I don't know if you're familiar with Android's phone encryption, but you have to enter a password just to decrypt the phone itself before getting to the lock-screen, where you'd have to enter another combination. That'd be pretty hard to get past.

I agree with 2FA being a supplement and not a replacement.
It would still be possible to steal your phone when you have it in your hand and unlocked. Or you could let someone borrow it to make a phone call and they steal it from you. Or they simply watch you put in your password when you unlock it.

Yes.. But really how likely of a scenario is this / what can be done about it? And for the second two scenarios you mentioned, it's as easy as not letting someone borrow it for a phone call and not letting someone easily watch over your shoulder as you put your password in.

I think it's a good idea. There may be vulnerabilities, there usually are, I guess it's all about acceptable risk.
full member
Activity: 147
Merit: 100
I think you are overconfident about 2FA. If an attacker personally knows you and knows that you control a large amount of bitcoin then they could steal your 2FA device and guess your simple password.

IMO a 2FA device should supplement your password, not replace it.

The phone I'd do this on would get airplane mode enabled when it's first turned on, then the phone itself would be encrypted with a strong password. I don't know if you're familiar with Android's phone encryption, but you have to enter a password just to decrypt the phone itself before getting to the lock-screen, where you'd have to enter another combination. That'd be pretty hard to get past.

I agree with 2FA being a supplement and not a replacement.
It would still be possible to steal your phone when you have it in your hand and unlocked. Or you could let someone borrow it to make a phone call and they steal it from you. Or they simply watch you put in your password when you unlock it.
member
Activity: 98
Merit: 10
That is a pretty cool idea. I often think about what happens if I lose my iPhone and can't access the codes. I keep it backed up in iTunes so I feel pretty secure but it makes me a bit nervous to think about. I keep very little bitcoin online, but I do use 2FA to withdraw my purchases from Coinbase etc.
full member
Activity: 121
Merit: 100
I think you are overconfident about 2FA. If an attacker personally knows you and knows that you control a large amount of bitcoin then they could steal your 2FA device and guess your simple password.

IMO a 2FA device should supplement your password, not replace it.

The phone I'd do this on would get airplane mode enabled when it's first turned on, then the phone itself would be encrypted with a strong password. I don't know if you're familiar with Android's phone encryption, but you have to enter a password just to decrypt the phone itself before getting to the lock-screen, where you'd have to enter another combination. That'd be pretty hard to get past.

I agree with 2FA being a supplement and not a replacement.
full member
Activity: 121
Merit: 100
2FA only protects your account. The risk of theft usually comes from the exchange/wallet service or outright scams from these owners.

Very true and there's not much we can do about that except to not have it all on one exchange but multiple to spread risk. For day traders I mean. There's a good amount of exchanges to do this these days.
full member
Activity: 139
Merit: 100
I think you are overconfident about 2FA. If an attacker personally knows you and knows that you control a large amount of bitcoin then they could steal your 2FA device and guess your simple password.

IMO a 2FA device should supplement your password, not replace it.
full member
Activity: 213
Merit: 100
2FA only protects your account. The risk of theft usually comes from the exchange/wallet service or outright scams from these owners.