Topic: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion - page 4294. (Read 26713795 times)

Good Morning Bitcoiners!!

Let's say "To the moon" One more time.
I know it's not the time yet. I guess we can see another correction before the month's end. I guess there will be a huge volume cash out before Christmas and 31st.
Anyways, Hoping for the Best.

#ToTheMoon #HoDL

Sorry that it happened, but I cannot figure it out from your description.
coinbase did have some SMS troubles last May or so, maybe it is somehow related.

The ported phone would jeopardize both methods (text or Authenticator), wouldn't it?
what's the "email linked to tracfone"? why there is such a thing?

Well, it was acceptable under NIST 800-61 up until about 5 years ago. The complete uselessness of the major phone companies led to porting attacks being accomplished with relative ease (it's not free, so people typically target with it). You're basically trusting your security to AT&T, and more specifically the $5 buck an hour ex Pakistani bricklayer they have doing the porting of numbers.

Software based TOTP is much better, but I still would worry that the phone is hacked and the seed is gotten. A hardware based OTP would be optimal but is probably overkill unless you leave a lot on your exchange of choice (I'd recommend not doing this as all of the exchange hacks end with one solution: You lose your shit).

jack the slayer

Explanation

yubi is decent.

I ended up selling all the btc on the three paypal accounts.
sent money to bank.

Got very lucky today.

if I was simple 2fa all would have been gone.

Running the business I sometimes have all the coin for all of us. Especially if we are set to buy a lot of gear.
I usually keep 90% of my stuff  offline in hardware wallets . but it was end of year and we are expanding the mine. so I had a lot in the account.

Oh coinbase did offer me the chance to lock account. and i was on the road no real access.

but i know locking the account without trying to get into it would be a mistake.

since this account is pc based i thought maybe they could not do much. so  drove home not telling the wife that we may have lost good money.  got home change the email password
changed the coinbase password changed the coinbase phone  and drained the account.
then drained the paypal accounts.

Do they even ask... they don't give you option its kind a forced and default 2FA option.

There's nothing wrong with 2FA, but email or phone number based 2FA is completely vulnerability (as you probably realise by now). It only provides false sense of security that isn't secure. I'm honestly not trying to rub it in, and glad to hear you didn't lose your ₿ or fiat, but not having secure 2FA with Coinbase was the only issue here. Not 2FA itself that still remains the best form of security.

For example here's my password for CB, you are welcome to it, as it's worthless: yjgO*7rF68oL&tg;8(g. My phone number you can have it, not going to help you either. Without my 2FA private keys that remain encrypted on my system (as well as backed up on external devices), or Coinbase servers being exploited, no-ones stealing any exchange coins or fiat. The only risk remains Coinbase stealing my coins, or going bankrupt, most likely through an exploit.

Open-source 2FA authenticators are always the best, like the "Google-based" ones ironically. TOTP based authenticators to be specific, ones where you own the private keys and no-one has access to them. Then even if someone gains access to your device, they still don't have access to these private keys that are stored with encryption. A one-off TOTP won't really help them either. Goes without saying, but just like BTC private keys, you need to back these up, along with all your other key rings for that matter (PGP, browser-based, etc).

No offence, but honestly shocked to heat that in 2021 there are people still not using TOTP 2FA for exchange accounts, as it remains the ONLY way to secure your accounts.


SMS was NEVER secure form of 2FA, this is the point here. I honestly thought this was common knowledge already, especially within Bitcoin communities. So many stories of this already.


This

Explanation

*nod* Thanks for the attack vector info. Nasty. SMS is no longer a secure MFA solution, even NIST has dropped it for AAC/AAL2 auth.

Anyone who is watching, be warned. Use a secure 2nd form of auth.

I am not quite sure how they ported the phone.

I suspect they used tracfone had the cell number  hoped by getting the email

that the email linked to tracfone and to coinbase was the same

so if they hack just the email

they could try to port the cell to their carrier.

then get into coinbase change password and use 2fa to allow withdraws and alter the email

Shit makes business harder.

2fa with a simple text 6 digits

and cross linked to your email

would have meant me losing over  0.25btc


Best to buy a burner phone set up google to microsoft auth.

the coinbase account does not know that phone number so no one can port it over to another network.

MY name is well known thus the attack was on purpose by such a long list of possibles.

I have sold gear
I have escrowed
I have sold coin
I have traded coin

Many know my real name
Many know my email
Many know my coinbase account email

I could list 100 possibles that would think I may have $$$ on coinbase. Take a shot.

Never mind the PayPal customers ugh.

This will take time to fix.

Sometimes it can be unclear what kinds of shenanigans can be done, even without withdrawal permissions for example.  

I recall in early 2017 when my phone was sim swapped, and sure there were other factors besides just the sim swapping, but one thing led to another and various accounts compromised including e-mails and surely the target was bitcoin or any other shitcoins that might have been present (I don't recall having any shitcoins at that time).  One of the exchanges that they had gotten access was called BTC-e - and they had a policy of freezing withdrawals for 2 days after any password changes, so the hacker that got into my BTC-e account could not withdraw but they could trade, so pretty much what they did was that they maximized the purchase of an illiquid shitcoin called Novocoin (or something like that), and then they used all of the dollars on the account and all of the BTC to buy Novocoin.. and they dumped all of the Novocoin that they had purchased all at once and then they rebought at some point after the dump, and they did that several times for about 1 hour and 20 minutes, and then my account got locked so they were no longer able to engage in that trading.  The account went down about 1/4 in value during that time.  They traded the account to lose 3/4 of its value in about 1 hour and 20 minutes.  I imagine that they somehow profited by being on the opposite side of those trades... so they moved the price of that illiquid shitcoin called Novocoin.

On my Coinbase account, they withdrew from one side of it and they seemed to have overlooked the other side (the coinbase pro side).  So they withdrew all of the bitcoin, which would have ONLY been about 1/3 of the total value of the account.. and so thereafter, there were several attempts to get back into that coinbase account.. and also to use other little tricks with one of my e-mail accounts. that they continued to breach.  Coinbase had actually helped me to migrate that value into another account, and then 6-9months later Coinbased forced me to close my account (whether related or not, who knows?  they did not exactly give me any reasons why they forced me to close that account.. those fucks.)

Since I am on a roll, I may as well tell about a few other accounts that were compromised.  My Bitstamp account sent me an e-mail that said that my password had been changed and if it was not me, then I should click on the button.. which I did.. and supposedly the account was locked.. but the funds were gone when I got access to the account.. they did not even take 15 minutes to drain the account... My Gemini account did not get lose any funds, but it took me a couple of months (maybe even 3 months of uncertainty) to regain access, so I was sure that there was not going to be any value in that account when I got access to the account back.  My Bitfinex account did not lose funds either.... I had a few other accounts that lost funds, and I am not going to disclose more specifics on those... so yeah, it can be quite stressful and frustrating to go through a sim swap situation and quite a bit that can be done with a short time of access to accounts and then even some difficulties to get them out when they have embedded themselves into your identity...maybe there have been some improvements in the past 4-5 years - even though I heard that sim swaps had continued to be a pretty BIG problem.. and likely a quite lucrative business for those with hacking skills..

Regarding extra measures of course the hackers are likely to go for the easiest targets first so various extra measures can be enough to put enough roadblocks to make it quite a bit harder to break into the account rather than the accounts that might have very few security measures, but if they can confirm a kind of high value in a particular account location, there may well be extra incentives to spend more efforts on breaking into that particular account.. so for example, even once I had gotten my coinbase account back, there were frequent efforts for some hacker(s) to continue to try to get into that account, and likely the reason related to already having information about value having had been in that account..so there was likely some consideration that it was a potentially worthy target.



I don't know if the take away should be to NOT use 2fa.. because if you do not have 2fa set up, then the hacker(s) might be able to set 2fa up in your name, and then it could take longer for you to regain access to the account or the hacker(s) might be able to withdraw easier once they set up 2fa in your name...

That also reminds me of some kind of rule that exists in the USA.. I am not sure if it still exists, but one of the frustrations of the phone companies was that if someone comes to the phone company with a phone number and an account number they have to allow them to port the phone.. .. and sometimes they can get the account number that is associated with that phone by getting into the online account.. or they might get it through the e-mail that might have the phone account number if some statement might come by e-mail or through text...so sometimes there can be some additional measures that can be taken to protect the account number, even if the phone number is known but they do not know the account number...sometimes there can be some other ways to protect that account number too.. for example if the account number might be in another person's name... We can infer that hackers spend a lot of times on various kinds of work arounds, especially once they have some information about you, then they can find out other information, and if they have a few pieces to a puzzle, then they can perhaps use those pieces to get other pieces before they even employ the BIGGER attack.. .. such as attacking an account with value and for sure any kind of bitcoin or crypto would be valuable to the extent that there might be some irreversibility once the transaction is sent... so they can work pretty fast once they actually get into an account that holds bitcoin or crypto value.. dollars would not be valuable except that they would trade them into whatever coin they are using to withdraw as quickly as they can before they get locked out.

Note to not-self. Don't EVER use SMS 2FA. NEVER. It is worthless.

Explanation

Pump on the last week?
Carolina here we come?
Or trap for ant bulls?




#haiku

So they have the phone number

they may have hoped a simple 2fa text would have given them full access to the coins and cash at coinbase. And switching the email. But with my security settings not being 2fa linked to the cell associated with coinbase it was a no go.

So don't use 2fa.

Thank god as I had BTC and  $$$ to hurt

https://www.youtube.com/watch?v=H-k_Eg7zXuc

 

That's why I like triple authentication, and even more measures for withdrawals.

Well except I need to get some corn from Poloniex and they can't match my face with my passport, I need to get a haircut I guess.

I was lucky I had one more roadblock to stop them.

I wonder if it is inside work with :

a guy at coinbase
a guy at tracfone
a guy at Verizon

set when coinbase account gets a bit higher say 10k or 20k or a higher level.


of course I now need to alter countless other shit