What is U2F? If You Use Text Messaging As Your Two Factor Authentication For Coinbase/Gmail, You Need To Read This Now

in #security · 7 years ago

[image: u2f.jpg]

I just finished reading about a guy named Cody Brown who lost $8k of Bitcoin in 15 minutes from Coinbase.

Cody writes:

"Of all the things that went down in the factors that led to this hack, Verizon Wireless is what I was massively unprepared for. After talking at length with customer service reps, I learned that the hacker did not need to give them my PIN or my social security number and was able to get approval to take over my cell phone number with simple billing information. This blew my mind and seemed negligent beyond all possible reason but it’s what they do. The main thing that struck me by the hack was the extraction speed possible in the current cryptocurrency ecosystem. $8,000 in 15 minutes is faster and more lucrative than robbing a suburban bank." - How To Lose $8k Worth of Bitcoin in 15 Minutes With Verizon and Coinbase

How did this happen? Didn’t he have Two-Factor Authentication set up for his Coinbase account?

Yes.

But he had the wrong one: SMS text messaging.

SMS text messaging is very insecure as a second factor. Hackers nowadays can simply call your phone provider and pretend to be you. They don’t need to prove their identity; all they need to do is convince the employee that they are you, and some hackers are really good at this. Once your number has been moved to their phone, every SMS code meant for you goes to them instead. It’s currently the weakest link that exists, and regular people still don’t understand the risks involved.

One of the biggest Blockchain VCs, Bo Shen (one of EOS' investors), had over $300,000 stolen recently by a hacker using this same weak link: SMS text messaging. It’s a huge problem right now that many people are unaware of.

[image: sms.jpg]

I am not talking about your Steem/Steemit accounts. Leave those alone because we have the option of storing our Steem in Steem Power, which cannot be drained in 15 minutes. Powering down takes days, so in the event your account gets hacked, you can recover it before your funds are drained. This is a compelling reason to store your Steem in Steem Power.

Disconnect your phone from your Gmail, Coinbase and other accounts right now if you have SMS text messages as your 2FA (Two Factor Authentication). I’ll explain what you should do in place of it that is actually secure. To be clear, I am not talking about your Steemit account. I am talking about your Gmail, Coinbase, and all other accounts that are connected to Crypto and banking exchanges. If you use a Gmail account to log into Bittrex, Coinbase, your bank, etc., this is the account that needs to be disconnected from Text Messaging (SMS 2FA). You need to switch to U2F and I'll explain why.

Do It Right Now.

Sometimes a video can explain all of this better than reading text, so please watch this one. In it, the young man uses Yubikey as his U2F, which I have never used. I use a Trezor as my U2F (or physical key) for all my important accounts.

So, what exactly is U2F?

Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices based on similar security technology found in smart cards.[1][2][3][4][5] While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.[6][7]
U2F Security Keys are supported by Google Chrome since version 40[2] and Opera since version 40. U2F security keys can be used as an additional method of two-step verification on online services that support the U2F protocol, including Google,[2] Dropbox,[8] GitHub,[9] GitLab,[10] Bitbucket,[11] Nextcloud,[12] Facebook[13] and others.[14]
Chrome and Opera are currently the only browsers supporting U2F natively. Microsoft is working on FIDO 2.0 support for Windows 10[15] and the Edge[16] browser, but has not announced any plans to include U2F support. Mozilla is integrating it into Firefox, and support can currently be enabled through an add-on. (Wikipedia)

I’m going to simplify this definition:

U2F is a physical key that you plug into a USB port on your computer. You use it after entering your password, as a second layer of security: even if someone has your password, they cannot get into your account without your U2F key. The device uses public-key cryptography. It holds a private key that never leaves it, and the service (Gmail, Facebook and so on) stores the matching public key, which it uses to check that your physical key approved the login. Hackers, and even keyloggers, cannot steal your U2F info, because the key never sends a reusable code: it signs a fresh challenge for each login, so there is nothing to capture and replay. Without the physical key (U2F), no one can access your account.

I use Trezor as my U2F and it works very easily.

There are other cheaper options like the Yubikey that costs $18 from Amazon. I’ve never used Yubikey and only learned of it recently after doing some research. A good idea is to have several U2F devices connected to your account, to ensure you don’t lose access if you lose one of your keys. I'll get one of these Yubikeys and tell you how I like it soon.

It’s overwhelming to do this the first time, but once you do, you will be able to sleep at night. Hackers are just getting more advanced and sneaky over time, so the sooner you get one of these physical U2F keys, the better! Cars and houses need physical keys, so do your accounts!

Here’s a how-to video that shows you how to set up a U2F physical device like Trezor or Yubikey with your Gmail account:

Seriously, don't wait until it's too late. Do it now and educate your friends and family about this too. I was shocked to learn that a hacker would pursue someone with only $8,000. I didn't know that would be worth pursuing. I had wrongly thought that they only pursued people with huge accounts, like Bo Shen.

Keep your coins and accounts as secure as possible. You'll be able to sleep better (but if you crypto day trade, you'll not be sleeping much).

Cheers,
Stellabelle


Upvoted and resteemed, then closed window to go to Trezor's site.

Now waiting by mailbox. Security cameras are installed, but currently have no authentication method to confirm identity of mailperson.

But once that key's setup and in my hands, I'll never let go Jack, I'll never let go, 'cause people going to this much trouble over $8,000 seemed crazy to me until about 17 minutes ago.

Thanks much for the post!

lol I know, isn't it crazy how you have to be THIS cautious now? If someone at the Trezor factory tampers with your Trezor, u can still reset it yourself,
but yeah it's best to have paper wallets, download Bitcoin Armory, then download Bitcoin Core and run your full node, u gotta have 100GB of space and a fast computer

then have a paper bitcoin wallet private key that u can have backed up on paper

but yeah trezor will be good too

just get multiple Trezors, also Nano Ledger, get MULTIPLE hardware wallets, split up all your bitcoin between them all!

Yup! Gotta cover all the angles...

your response made my day. And it was by far the best answer of the day. Congratulations. You've just won 5 Steem dollars in the form of my upvotes.

Thanks!

Your article and its resultant commentary really was an eye-opener. No more assuming, on my part, that any ne'er-do-wells would probably go after the big fish instead of me.

Better safe than sorry!

Resteeming for the importance of this! It's a little technical for the average person, but definitely worth a read! That's how big YouTubers got their accounts hacked too. Verizon and ATT screwed over a bunch that way :P

Here is a real-life story of a few days ago about the same matter in this article in a step by step horror that happened to a young guy - by using 2 step sms:
https://steemit.com/bitcoin/@sensatus/if-you-have-a-coinbase-account-beware-spread-the-word-fellow-steemians-and-cryptotraders
It is unbelievable. I never knew of a sms phone swap, but seems it is not that uncommon.

Good article. It amazes that pretty much all the (Australian) banks and (Australian) paypal only allow SMS authentication. I'm not even an IT person and I still know this is shit and open to abuse.

Secondly, it's a massive pain in the arse when you're overseas and in a country that doesn't have a roaming agreement with your network (Vodafone - I'm looking at you!). You are therefore locked out of your accounts until you return to a country that you can access SMSs from. This has happened to me numerous times.

However, I now have a follow up question - what are people's thoughts on google authenticator/authy etc?

google authenticator is decent and better than SMS. But it is not as secure as U2F.

I'm dealing with a situation not unlike the one described here. Lost access to my 2FA phone and my number may have been co-opted. I get to wait for Coinbase's glacial support to find out if my account even has a balance left. It has been weeks and cost me tens of thousands. If anyone has a reasonable USD funding alternative to Coinbase that isn't Kraken, I would love to hear it!

use BitPay. You can load this debit card with Bitcoin, then it converts it to USD. I don't use Coinbase anymore....

Does this work in reverse? The BitPay site is a little unclear. What if I want to deposit USD into Steem?

Good warning. I keep my coinbase account as empty as possible. The good news about this revelation is that it is inspiring impetus that much work needs to be done to make computers secure. Computers are built to be hacked so that government can access them. The NSA proves this as do leaks against many of the other agencies. Join COS - the Convention of States as the return of a citizen's financial and personal privacy is a key issue.

This will not change until we force government to obey the law, if we can ever do that - The Constitutional Law.

In the meantime, thanks for your article and enlightenment about the hazards that are still out there @stellabelle

I lost around 300 USD value on poloniex a week ago and no reply from them yet. I forgot to set up 2WF, took me a day to figure out how to do it and only with google authenticator. It's a good lesson and thank god not that much. Thanks for your article. Need to learn more about this issue.

It's honestly going to take them forever to respond.. I'm 4 weeks into a pending ticket....

Wow ! That's crazy

Google authenticator is good, but it's not ultra secure.
You need to get a U2F physical key.

so you mean your account was hacked?
btw, it's U2F

Yes my poloniex account got hacked

omg! I don't know anyone whose account was hacked! And they hacked it for $300?
CRAZY

Yes, ordered a withdrawal of BTC only. I didn't have much in it because I keep most in my Exodus wallet. I use those amounts for fast trades. Anyways, what surprises me is that poloniex doesn't reply. I'm so over those exchanges.

I don't like Poloniex....it's too big for my tastes.

I am out of there ....

Somebody, not me, ordered a withdrawal. No idea how this is even possible

It's all so complicated for "normal" old school people like me agrrrrrrr

well, we're the same age....you just have to learn new things, that's all. If you watch these videos, you will realize it's easy to do.

Are you really 58 haha 😂 I am learning every day and my head dizzy but I manage

ok, i'm not....I thought you were my age!

Omg! funny thing about a week ago i disabled 2 factor authentication on all my accounts...just didn't feel too safe especially if i lose my phone..things can get really ugly. This post just reassured me that i made the right decision! thanks! @stellabelle

did you set up for U2F? Without a second factor it could be insecure......but text messaging definitely not good!

I use LastPass to store my passwords (for now... once my premium runs out in a few days, I intend to use an open source alternative instead) and have used a Yubikey for the last 2.5 years.

Works pretty well, though Lastpass, as I have come to notice, is useless for mobile phones, as they "can't use U2F" and therefore a simple password is all that's needed.

Which means bypassing LastPass U2F is as simple as installing the LastPass app onto a virtual Android or iOS machine XS

I'll look into protonmail. one of my teacher's recommended it too. I just completely forgot about it...

I tried protonmail but it doesn't filter out scam emails. I got too many and couldn't manage the scam emails, so I stopped using it.

I guess the only way to use it efficiently is if you auto-block EVERYTHING not coming from a specific set of addresses. That way you can use it, say, for messages coming ONLY from 1-2 crypto exchanges, ignoring any other messages.

Though such a feature needs to exist, of course.

Important info. Thanks. Maybe I'll dust off my old MTGOX yubikey. I saw a post somewhere about unlocking it and repurposing it.

how much did you lose in MT. Gox?

I sold all my bitcoin to someone on the site who was buying for pennies on the dollar thinking it would all get sorted out. I lost $8000 and the lawsuit added a few hundred for the delay.

So much good advice in this post, and in the further comments.
However, one thing keeps me confused, still wondering

There is no 2FA in STEEMIT yet?

Is this right? WHY?
I could not find it anywhere in the settings.
It is unbelievable - all wallets, and the funds inside them, are public.
And NO 2FA ?
Are the devs waiting for the first serious issue to implement it?

we have a multi day lag if funds are removed, so if we get hacked, we can recover our accounts before our funds are stolen.