What is U2F? If You Use Text Messaging As Your Two Factor Authentication For Coinbase/Gmail, You Need To Read This Now


I just finished reading about a guy named Cody Brown who lost $8k of Bitcoin in 15 minutes from Coinbase.

Cody writes:

"Of all the things that went down in the factors that led to this hack, Verizon Wireless is what I was massively unprepared for. After talking at length with customer service reps, I learned that the hacker did not need to give them my pin number or my social security number and was able to get approval to take over my cell phone number with simple billing information. This blew my mind and seemed negligent beyond all possible reason but it’s what they do. The main thing that struck me by the hack was the extraction speed possible in the current cryptocurrency ecosystem. $8,000 in 15 minutes is faster and more lucrative than robbing a suburban bank." -How To Lose $8k Worth of Bitcoin in 15 Minutes With Verizon and Coinbase

How did this happen? Didn’t he have Two-Factor Authentication set up for his Coinbase account?

Yes.

But he had the wrong one: SMS text messaging.

SMS text messaging is very insecure as a Two-Factor Authentication method. Hackers nowadays can easily call up your phone provider and pretend to be you. They don’t need to prove any identity. All they need to do is convince the employee that they are you. And some hackers are really good at this. It’s currently the weakest link that exists, and regular people still don’t understand the risks involved.

One of the biggest blockchain VCs, Bo Shen (one of EOS' investors), had over $300,000 stolen recently by a hacker using this same weak link: SMS text messaging. It’s a huge problem right now that many people are unaware of.


I am not talking about your Steem/Steemit accounts. Leave those alone because we have the option of storing our Steem in Steem Power, which cannot be drained in 15 minutes. Powering down takes days, so in the event your account gets hacked, you can recover it before your funds are drained. This is a compelling reason to store your Steem in Steem Power.

Disconnect your phone from your Gmail, Coinbase and other accounts right now if you have SMS text messages as your 2FA (Two Factor Authentication). I’ll explain what you should do in place of it that is actually secure. To be clear, I am not talking about your Steemit account. I am talking about your Gmail, Coinbase, and all other accounts that are connected to Crypto and banking exchanges. If you use a Gmail account to log into Bittrex, Coinbase, your bank, etc., this is the account that needs to be disconnected from Text Messaging (SMS 2FA). You need to switch to U2F and I'll explain why.

Do

It

Right

Now.

Sometimes a video can explain all of this better than reading text, so please watch this one. In it, the young man uses Yubikey as his U2F, which I have never used. I use a Trezor as my U2F (or physical key) for all my important accounts.

So, what exactly is U2F?

Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices based on similar security technology found in smart cards.[1][2][3][4][5] While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.[6][7]
U2F Security Keys are supported by Google Chrome since version 40[2] and Opera since version 40. U2F security keys can be used as an additional method of two-step verification on online services that support the U2F protocol, including Google,[2] Dropbox,[8] GitHub,[9] GitLab,[10] Bitbucket,[11] Nextcloud,[12] Facebook[13] and others.[14]
Chrome and Opera are currently the only browsers supporting U2F natively. Microsoft is working on FIDO 2.0 support for Windows 10[15] and the Edge[16] browser, but has not announced any plans to include U2F support. Mozilla is integrating it into Firefox, and support can currently be enabled through an addon. -Wikipedia

I’m going to simplify this definition:

U2F is a physical key that you put into a USB port on your computer. You put this in after inputting your password, as a second layer of security. Even if someone has your password, they cannot get into your account without your U2F key. The U2F device uses encryption, as it contains a private key that is matched up to your public key in order to unlock your accounts like Gmail and Facebook. Without the physical key, no one can access your account. So hackers, and even keyloggers, will not be able to steal your U2F info because the U2F encrypts the data when it is sent. No one can gain access to your accounts without the physical key (U2F).
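To make the private key / public key idea concrete, here is an added example (not from the original post or from any U2F vendor) of what happens at login: the key signs a fresh challenge together with the website address the browser reports, and the service checks that signature with the public key it stored at registration. The site address, challenges and counter values are made up, and the server here rebuilds the client data itself instead of parsing what the browser returned.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// loginDigest hashes what a U2F key signs at login: SHA-256(appID) || presence
// byte || 4-byte counter || SHA-256(client data, where the browser puts the origin).
func loginDigest(appID, challenge, origin string, counter uint32) []byte {
	cd := fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":%q,"origin":%q}`, challenge, origin)
	app, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256([]byte(cd))
	msg := append(append(app[:], 0x01), byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	digest := sha256.Sum256(append(msg, cdHash[:]...))
	return digest[:]
}

// serverVerify runs at the service, which holds only the public key. It expects
// its own challenge and origin, and a counter higher than the last one it saw.
func serverVerify(pub *ecdsa.PublicKey, appID, challenge, origin string, counter, last uint32, sig []byte) bool {
	return counter > last && ecdsa.VerifyASN1(pub, loginDigest(appID, challenge, origin, counter), sig)
}

// runScenarios returns the server's verdict for a genuine login, a response made
// on a look-alike site, and a replayed old response. All values are constructed.
func runScenarios() (legit, phished, replayed bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lives only on the key
	if err != nil {
		panic(err)
	}
	const site = "https://accounts.example" // hypothetical origin, also used as appID
	sign := func(challenge, origin string, ctr uint32) []byte {
		sig, err := ecdsa.SignASN1(rand.Reader, priv, loginDigest(site, challenge, origin, ctr))
		if err != nil {
			panic(err)
		}
		return sig
	}
	good := sign("nonce-1", site, 7)
	legit = serverVerify(&priv.PublicKey, site, "nonce-1", site, 7, 6, good)
	phished = serverVerify(&priv.PublicKey, site, "nonce-2", site, 8, 7, sign("nonce-2", "https://accounts-example.test", 8))
	replayed = serverVerify(&priv.PublicKey, site, "nonce-3", site, 7, 8, good)
	return
}

func main() { fmt.Println(runScenarios()) }
```

Only the genuine login verifies. A response produced while the browser is on a different address, or one captured earlier and sent again, is rejected, which is the property an SMS code typed into a form does not have.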

I use Trezor as my U2F and it works very easily.

There are other cheaper options like the Yubikey, which costs $18 from Amazon. I’ve never used Yubikey and only learned of it recently after doing some research. A good idea is to have several U2F devices connected to your account, to ensure you don’t lose access if you lose one of your keys. I'll get one of these Yubikeys and tell you how I like it soon.

It’s overwhelming to do this the first time, but once you do, you will be able to sleep at night. Hackers are just getting more advanced and sneaky over time, so the sooner you get one of these physical U2F keys, the better! Cars and houses need physical keys, so do your accounts!

Here’s a how-to video that shows you how to set up a U2F physical device like Trezor or Yubikey with your Gmail account:

Seriously, don't wait until it's too late. Do it now and educate your friends and family about this too. I was shocked to learn that a hacker would pursue someone with only $8,000. I didn't know that would be worth pursuing. I had wrongly thought that they only pursued people with huge accounts, like Bo Shen.

Keep your coins and accounts as secure as possible. You'll be able to sleep better (but if you crypto day trade, you'll not be sleeping much).

Cheers,
Stellabelle
