Getting Hacked, Lessons Learned

I read Cody Brown’s blog post about getting hacked on Thursday of last week. I feel very badly for Cody and plan to send him some BTC once I get access back to my account. His post helped me avoid his fate.

I woke up Friday morning (central european summer time) and saw a bunch of emails in my inbox suggesting that suspicious activities were happening in my personal gmail account, my mobile phone account, and my two factor service.

I immediately thought “that’s the same attack pattern that Cody wrote about” and I was able to get to Coinbase and have them lock down my account immediately. The good news is nothing appears to have been taken from my Coinbase account although I don’t currently have access to it right now and thankfully nobody else does either.

Without getting into the specifics, I would like to tell everyone five things I learned from this awful experience:

  1. Call your cell phone provider and put a “do not port under any circumstances” hold on your phone number. I did this about six months ago and I think it may have saved me. It is way too easy to port a phone number and once a hacker has your number, they have access to two factor codes coming via SMS.
  2. Put two factor on everything you can. I did not have it on my old and dormant gmail account which is partially why it was vulnerable. Obviously I have it on there now.
  3. Check your password recovery settings on all of your accounts (even old and dormant email accounts) and make sure they are secure accounts (locked down phone numbers (#1) and secure email accounts (#2)). Once a hacker has access to one of your old email accounts, they can impersonate you digitally.
  4. Use Google Authenticator for two factor on your phone. I have used SMS and Authy in the past and my research yesterday suggests that Google’s Authenticator is the most secure of the two factor options out there right now.
  5. I keep almost all of my Bitcoin in Coinbase’s vault service which requires 48 hours and multiple approvals to make a withdrawal. If the hacker had gotten into my Coinbase account, they would have been able to take my Ethereum and a small amount of Bitcoin, but not most of it. I believe Coinbase should evolve their vault offering to handle all of the crypto assets they support, or possibly make the two day withdrawal/multi-sig feature available to all of their wallet offerings.

I am still a bit shaken up from the experience and a fair bit more paranoid from it. Which is a good thing I’m sure.

I hope my sharing this with all of you helps you make your online life a bit more secure because there are a lot of bad people out there working hard to hack into your accounts and do bad things.

#life lessons

Comments (Archived):

  1. jason wright

    They probably timed the attempt knowing you are abroad for several weeks and may not always be well positioned to respond.Hard wallet time?It’s about the money, but it’s that sense of ‘ violation’ that really cuts deep. Sorry to hear about this, but don’t let it spoil your trip…dudes.Unhappy Warriors fan? Never short fanatics.

    1. fredwilson

      Yup. The violated feeling is really awful

      1. prankeapple

        This could be the opportunity for a new industry – insurance/custodial services for cryptocurrencies. I’d easily pay JP Morgan (or someone else) $5k/yr to hold onto my cryptocurrencies in a locked down vault on a ledger wallet, with a guarantee to be made whole at market prices if ‘something bad happened’ to the coins.

        1. LE

          So now we have something that is already hard for the general public to understand and we then tell them they need some added level of protection in order to not lose that thing that they thought was questionable that they really needed in the first place.

          1. prankeapple

            When the fastest way to send money abroad is to get on a jet with a suitcase full of hundreds, I’d say it’s a technology that’s needed.

          2. LE

            There is already a way to do that it’s called a bank wire transfer.

          3. prankeapple

            Nope. Most currency pairs take 1-2 days or more, even with SWIFT . Do some reading about it. This will be my last comment on that point – not interested in arguing.

          4. Girish Mehta

            On the subject of things that are easy for the general public to understand -…”Our code didn’t prefix the Hex string with 0x and when we upgraded Geth from 1.5.3 to 1.5.9 on the 24th of May, the SHA3 function call failed and our sweeper process then called the contract with an invalid data payload resulting in the ETH becoming trapped.”

          5. LE

            This all follows a well know pattern. Something is complicated and there are people that will naturally trust and believe and those that are skeptical. And the ones that are cynics and skeptics receive put downs from people who hide behind the complexity. And belittle anyone who ‘does not get it’.Back in the day I remember looking to invest and buy a video store (this was while they were still somewhat popular). I went in for a meeting and began to ask questions. At one point the sellers simply said to me ‘you know this is not for you’. I took it that they realized I was not a simpleton mark that they could just say shit and have believed. So I was kind of complimented. Good operators understanding the type of buyer they needed and cutting their (time) losses.

      2. someone

        Just happened to me for a 2nd time. Un-fun.

      3. JamesHRH

        Your openness as to your where abouts increases your risk profile.Not that I would expect you to change your habits.

  2. CB

    Yes! Agree would be great to have Coinbase vault options for other tokens. With more novices buying cryptocurrencies Coinbase should make 2 factor authentication and offline wallets the default so if people opt out they know what they’re exposing themselves to. The user experience may be a bit more painful but it’s like Swiss banks, their online services require several authentication steps but at least one is sure their money is safe with them.Following this news I did more research on wallet options. The reality is no option is great. Coinbase is probably the best. As a user I want a brand/service that I can trust, which usually means either an already established startup with a track record or one that is backed by investors, companies, or institutions that I already trust. I also looked into hardware wallets but for many it feels too risky to take ownership over something they don’t really understand. It’s eaiser to delegate that responsibility to someone else. For example: what happens if I lose my hardware wallet? What’s a seed phrase for? Am I sure I’ll be able to recuperate my tokens with that phrase? Can I get hacked in the procress? What haplens if the manufacturer goes out of businesses and I need support? Etc. Conclusion: there’s an opportunity to create a better, smoother, and safer wallet service, and whoever does will be a big winner.

    1. Alex

      I can answer these questions for you.If you lose your hardware wallet, you can restore it from your seed. I store my seed on a cryptosteel wallet (Google it).A seed phrase is used to restore the wallet. The private key that allows you access to your coins is derived from a hash of the seed. So your seed can always unlock the key as long as the same derivation pathway is used. There are standards set for derivation now, so you could even restore your key on something that is not a hardware wallet.Yes, you can be certain. If you want to be sure, do a test recovery before you move everything over there. Send 0.001 BTC to the wallet then erase it and try to recover it. If you can do it once, you will be able to do it again.No, you can not get hacked in the process of recovering a seed. It all happens offline on the device. The seed never leaves the device.If the manufacturer goes out of business you can recover your wallet on a different device. As I mentioned above, there are common standards in how to recover a private key from a seed. If you need support then there will be strangers willing to help online.I do agree with your conclusion though. Whilst the hardware wallet is the absolute gold standard in security, it is not for everyone, and if crypto is to become mainstream then there need to be viable alternatives.

      1. jason wright

        Cryptosteel – “The beauty of this backup solution is that you only need to assemble the first 4 letters of each word. Those 4 letters are unique and sufficient to recover the sentence and the entire bitcoin wallet. We did a frequency analysis and determined the minimum set of letters that are needed to create the Cryptosteel.”is this correct?which hardware wallet(s) do you recommend?

        1. Alex

          Yes, that is correct. The first 4 letters will only ever result in a single word. I have recovered my wallet using my cryptosteel before and it worked well.The Ledger Nano S. It is a bit cheaper than the alternatives but works perfectly. I thought it would be fiddly as hell but it isn’t. It does exactly what I need it to do and gives me real peace of mind.

  3. Kevin Chiu

    I lost thousands of Bitcoin in an old Dropbox hack (worth over $4 million today) — for several hours, any password would work! I now use two factor on all accounts that support it, and U2F (universal second factor) on all accounts that support that. U2F was first jointly developed by Google and Yubikey. For more info, please check out this two year study conducted at Google:…I highly suggest upgrading your security to use U2F wherever possible rather than just two factor / OTP. In particular – your email account should be secured with U2F since it’s used as as part of account confirmation / password reset for many services. U2F is immune to phishing unlike two factor.Go get a Yubikey. (I am not being paid to say this, and I don’t get a discount or any free stuff from them.)

    1. JamesHRH

      U2F needs to be expanded for normals Kev.

      1. Kevin Chiu

        I’ve edited the post to include an explanation.

    2. eric berry

      would you recommend buying a YubiKey4 or do you think a FidoU2F security key would suffice?

      1. Kevin Chiu

        Either is probably fine. I have the 4 nano.

  4. Donna Brewington White

    I wonder if using multiple wallets is also part of the solution?Since Coinbase does not include Dash must do this anyway.I will no longer view 2 factor as a nuisance. Ever.

    1. Fernando Gutierrez

      You should go hardware wallet. They are easy to set up and the security is great. You can keep your Dash and Bitcoin in the same wallet. Happy to walk you through if you need help.

      1. Donna Brewington White

        What hardware wallet do you recommend?If I have any problems, will reach out. I know where to find you. :)BTW, thanks again for the intro — having a blast with Dash. I’m now a believer.

        1. Fernando Gutierrez

          I use Trezor because they were the first ones around and I’ve had no reason to switch. It even works as authentication device in many places and their ecosystem is the most mature. The only drawback I see at the moment is that their support for Ethereum is a bit convoluted, but it works, so not really a big deal. $99Another one I would recommend is the Ledger Nano S. It can also store multiple coins. I’ve helped a couple people setup theirs and it was as easy as with Trezor. $69.60Keepkey is also good, but they’ve been out of stock for a while, so I would not consider them for the time being.

          1. Donna Brewington White

            Thanks so much, Fernando.

        2. Fernando Gutierrez

          As for the intro, we are also extremely happy with it 🙂 The recruits you are bringing in are great!

      2. eric berry

        Question Fernando: what hardware wallet would you recommend for “smaller coins” like Factom, Golem, Stratis? If not hardware wallets are available what is a proper alternative?

        1. Fernando Gutierrez

          As far as I know, Ledger Nano S supports Stratis, but I don’t think any hardware wallet supports Factom or Golem. For coins that don’t have a very developed ecosystem I would recommend a separate computer that you only use for that, crazy long random passwords and a ton of backups.

          1. eric berry

            hmm ok, for me unfortunately that is not a realistic option, would a paper wallet be ok?Factom even gives a tutorial:

          2. Fernando Gutierrez

            Paper is ok, but it can be challenging if you are not proficient. In theory it is easy, but I’ve seen generators fail, problems to import the private keys into a wallet when you want to spend. If you go this route, test a lot.As for the dedicated computer, it can be an old one that you have around or that you buy used for $200. In fact, solid state drives fail more than the old moving disks. And you’ll have backups. Of course, you should format and reinstall everything.

  5. Alex

    I’m up to my eyeballs in OpSec, but nothing helps me sleep soundly at night like having everything on a hardware wallet. The Ledger Nano S is my weapon of choice, but I am sure Trezor and KeepKey are good too.

  6. Sebastian Wain

    This immediately teletransported me to a solution we developed back in 2014 and continues to be a need on this space. The service is called Sig3 and is now unmaintained and being closed.Sig3 offered a way to add an automated agent as a copayer in a Bitcoin multi-signature wallet. This agent added rules to automatically or manually approve transactions, set up thresholds, n-factor authentication, etc. Initially this worked with Copay from BitPay because they have one of the best multi-sig implementation (technical details below). We talked with several vendors, including Coinbase, at that time but their multi-sig implementations were incomplete. We also provided another API so third parties can integrate with this system getting keys from the system to integrate in a new wallet.The technical issue with Bitcoin and other multi-sig implementations is the lack of a protocol to integrate copayers, there is no standard way to automatically communicate copayers to build a new wallet and the process has some manual aspects. BitPay added a communication channel to perform this tasks and I think it continues to be something unique. Agreeing in a standard is important because it enables a way to create automated agents and/or wallets with copayers using different apps.

  7. Shawn Swyx Wang

    just got off a DM with Tmobile support. fyi putting a hold on number porting is not possible with tmobile. considering a switch to a diff carrier but they all suck.

  8. Chris

    I have been suspicious that something is going on with my coinbase account. My account is locked down, but coinbase hasn’t responded to support email in 3+ weeks about the incident. Shockingly bad customer support when it comes to security concerns.

  9. Norbert Senf

    I don’t have cellphone service at my house, and therefore don’t have it involved in any authentication schemes. This has the side effect of avoiding the whole cellphone vulnerability thing. However, it does make 2 factor authentication impossible on some services.

  10. Salt Shaker

    Seems like this starts w/ telco porting protocols, or lack thereof, in addition to loopholes in Coinbase’s security/communication. (With BTC and crypto breaches and perceptual concerns, how is this not paramount? Very troubling.) Where does telco liability begin and end? With CC there is protection against fraud and unauthorized use. Lack of strong safety measures makes telcos somewhat complicit. The FCC needs to mandate safeguards re: porting.

  11. Dan Morel

    Note that google auth, authy, sms and all forms of one time password multifactor are no longer considered secure. I’d suggest replacing all of those with a universal second factor yubikey, which will make your life a lot easier for $20. Research paper from google on u2f is here:…Also, remember (according to the press and attorney generals) – this is all your fault. You need to send formal notification to all of the people in your Gmail contact list. Probably need to pay for their credit monitoring services. How dare you! You are scum and should probably lose your job and be vilified for not securing important data. (This is a tongue in cheek representation of the thinking around every breach).

  12. nnutter

    Why do you say Authy is less secure than Google Authenticator? Just because of the backup/sync feature increasing attack surface?

    1. falicon

      I think the idea is that Google Authenticator is tied to one physical device (i.e. only yours), while authy is not specifically tied to only one physical device (though in their support, they do say you can make the app work in this way if you like).If you are not tied to one, specific, hardware device then someone might be able to use the phone number cloning approach mentioned here (and in Cody’s post).If you are tied to one, specific, hardware device then your biggest threat/risk is getting your physical device stolen, lost, or bricked….so reality is, there is always some level of risk in what you do…

      1. nnutter

        In order to access the OTPs on Authy you have to decrypt the data using a password only you know, it isn’t tied to a phone number.I hope Fred clarifies what he learned that made him feel Authy was to much of a security risk.

  13. LE

    Reminds me of why I decided to not have my mother use online banking even though it bothered me that she kept cash in low paying savings and money market accounts. You know the old timers are big on going down to the bank branch and being able to talk to a person directly about their money and receive postal statements of balances.

    1. Salt Shaker

      I had serious identity/online banking theft about 15 yrs ago before 2FA and U2F tools were avail. I subsequently and understandably became paranoid about doing any kind of digital transactions (including ATM withdrawals). I’m now about as careful as one can be today, but not all financial institutions offer the same level of protection. For example, Fidelity offers 2FA, but strangely not on their retirement accounts. Tell me, who is more vulnerable to theft than an older person who likely is far less techno savvy than a younger consumer? Crazy. The playing field, unbeknownst to most, is hardly level. There are not enough regulatory safety mandates and protocols in place today.

      1. LE

        Well the old timer is naturally suspicious and in theory harder to fool because they often (not always) know they are vulnerable.More importantly (like Warren Buffet) they know enough to not put their trust into something that they don’t understand. That said plenty of older people get taken advantage of the traditional way but some of those people don’t have all of their mental skills.Tell me, who is more vulnerable to theft than an older person who likely is far less techno savvy than a younger consumer?I think younger people are vulnerable simply because they think they have most bases covered and can’t be fooled. But they lack the experience to know all the situations where they can be taken and as a result might not take the necessary precautions.

  14. LE

    Fred you know what I think? I think you should skip the show of love for Cody Brown (by kicking him some change) and look pretty hard into why things like this are happening at one of your investments.The official Coinbase Support twitter has responded once, then a bot emailed, with a disclosure that it could be weeks before I get a single response to my question.Maybe you are planning to do that already, but somehow knowing your personality I don’t think you are going to rip them a third asshole or anything close which if all of this is true and I have to stress that you should be doing. Not that it’s your job as an investor. But it is your job given that you attach your name to this.

    1. fredwilson


      1. simone_brunozzi

        Unfortunately – and sorry to use your forum – Coinbase has been very disappointing, from a support perspective. I am only writing here because they failed to respond to most of my requests in the last few months. I am going to abandon them in favor of a different provider precisely because how bad my experience has been. I think you should know.

  15. LE

    All of the steps that you are suggesting are good but keep in mind that if you are a high value target (you are a high value target) there are many ways to roll that make you more susceptible than the average bear.Off the top (and by no means an exhaustive list) someone could go after people that they know that you communicate with (such as employees, friends, family, and in particular partners) and that doesn’t have to even be a full hack of to use the person. The person is just a stepping stone to you.So for example if someone knows that you communicate with Nick Grossman they get access to Nick’s account, study the ways Nick communicates with you (how he writes his emails) and then use that to get Nick to get you to do something that gives them access to you. Nick would not even know this is happening if it was well done.Social engineering is partly about laying the groundwork in advance for some future attack. (That’s not a textbook or seminar definition). So for example if a hacker wants to know the company password, well, he doesn’t try to contact someone and say ‘hey I forgot the company password please help me out!’. That would raise a red flag in anyone’s mind. He (or she) contacts and builds a rapport first (possibly over a long period of time) with the target and then goes for the kill once that rapport and trust has been built. So for example “hey Sally at the Tribeca store here, do you know if we are open on Labor Day I didn’t get the memo??”. Totally believable and most people won’t suspect anything is wrong. (If the right question is asked). Then a bit later they contact (could be next day, week etc.) and ask a more personal question but still nothing to raise eyebrows.

  16. Muneeb Ali

    Glad that Coinbase was able to lock your account in time! Using Google Authenticator instead of SMS/Authy is really important. They’re completely different forms of 2FA (and not just two different products that give you 2FA). Only Google Authenticator gives you true 2FA where secrets are *only* on your device and no third party can mess things up.Also, I highly recommend this post about 2FA security to the AVC community:

  17. Matt A. Myers

    Security is a big concern.In another note, I’m curious about his 8000 coin loss from his ‘dream fund’ was lost. Was that $2000 of money he’s invested into Bitcoin that made its way to a value of $8000?

    1. falicon

      He didn’t say how much he got the coins for, but the current market value for what he said he lost is around the 8k mark (and still going up)

  18. DJL

    This is one of the main reasons that using the phone for two-factor authentication is just plain bad. However, almost every major carrier and web service does this.With regard to Coinbase, did they get hacked? There were some major issues last week and they seem totally unresponsive. As a security person, this site makes me very nervous. It just adds to what seems like a major lack of transparency into crypto-currency.

  19. Scott

    For $100, hardware wallets like Trezor and Keepkey are money well spent and are never at risk of 2FA or similar attacks. Coinbase offers a great online wallet product but as Andreas Antonopolous says “If it’s not your keys it’s not your coin”.

    1. Fernando Gutierrez

      This. Anyone with a significant amount in cryptocurrencies should have a hardware wallet. Besides the described attack, there is a lot of malware around that replaces bitcoin addresses with the attackers one when you are using online wallets. Hardware wallets are also secure against that.

  20. goldwerger

    Fred,First, my deep sympathies. This happened to me couple of months ago (and by pure luck, my gmail account that was hacked was not in regular use, so I just deactivated it).Second, I think everything you mention above is extremely valuable in increasing authentication. These are good pointers for everyone to follow.Third, all of that won’t be enough, for one important reason that most people don’t recognize:A. Authentication, in itself, done properly works. butB. 100% of all fraud is done INSIDE authenticated sessions.So what gives?Bottom line is that hackers use a wide array of very sophisticated methods, and some of them can’t be stopped by increasing your strength of authentication. For example: Social Engineering. You get a call and it’s your bank, or your IT department, you cooperate and bang – the guy on the other side of the line has remote access to your computer or device forever. You log into your bank account, PERFECTLY authenticate yourself (2FA, token, physical biometrics, whatever – you are indeed you). Then, after you have legitimately authenticated yourself, the hacker with remote access just watches in the background, waiting for you to perfectly authenticate before taking over your session (adding payee, wiring money out, whatever… they may even put you for a few seconds on a fake website that shows what you’re supposed to see when you’re logged in, before putting you back inside the proper session, and you’ll never know it happened). No malware to detect, perfect authentication, right IP/device/geo, perfect credentials, 2FA authentication…If you have a human being, you have a weak link, and every person (including me) is susceptible to a sufficiently elaborate scam.And, this can also be done with automated tools, on scale (I’ll spare everyone the anxiety of how).The only solution in the future is CONTINUOUS AUTHENTICATION, which doesn’t rely just on a one-point-in-time authentication, which works, but can be abused or bypassed . You need to constantly make sure that whoever is in the session is the legitimate user.The reality of it is that no matter how high you build a wall, someone will bring a tall enough ladder. You must assume that, and instead of just relying on catching threats at their provenance, you must also detect them in real-time in the session at the destination (post log in), and ASSUME that some threats are going to bypass and climb above (or dig below) whatever wall your erect to stop them.One advanced technology (where I’m involved with my company BioCatch) is Behavioral Biometrics, which knows you by your individual behavior (physical, cognitive) and detects any anomaly to your normal behavior, indicating the wrong human being (or bot) has taking over your account, no matter what method they used to get there.There may be other methods that will develop in the future to provide continuous authentication. But however it it is done, it MUST be continuous. Otherwise, you will never know if the right user remains the right user.Also, the continuous authentication must be frictionless, as users expect simpler and more seamless user interactions, where escalations and step-up authentications should be done seamlessly in the background, without any friction or interruption to users.This isn’t intended to be a promotion of BioCatch (though I’m terribly proud of what we’re doing), but to really make everyone here educated and be aware that perfect authentication can’t exist if it only works perfectly at a point in time (at the start of the session typically), and then assumes you are running solo without the possibility of account take over – we are seeing these scenarios play out every single week with our customers, and everyone should be aware this type of threat exists even when your authentication “works”.So, please, assume that your account can be taken over, because without some form of continuous authentication happening (which you may not know if your online service provider has adopted), you can’t perfectly protect yourself through the authentication methods that are currently available to you as a consumer.But you should absolutely make it harder for hackers and get the statistics on your side, and therefore do what you recommended as a mitigating, but not fail safe, action item that you can take on your own.Eyal

    1. LE

      One advanced technology (where I’m involved with my company BioCatch) is Behavioral Biometrics, which knows you by your individual behavior (physical, cognitive) and detects any anomaly to your normal behavior, indicating the wrong human being (or bot) has taking over your account, no matter what method they used to get there.Assuming this works as you claim this is a good great product and service.One suggestion (I could come up with many) for your website is that you should have the ‘problems we solve’ that is way at the bottom front and center at the top. Much more powerful a message that what you have up there now…. https://uploads.disquscdn.c

      1. goldwerger

        indeed… we are in the process of redesigning our website… 🙂

  21. Frank W. Miller

    So, I’m sorry for anyone that lost anything in this. This is why governance is so important and why IMO fully decentralized architectures will generally not be useful for applications that have any kind of trust required. No matter what you do, there will always be a non-trivial probability that it can be hacked. Because its fully decentralized, when it is hacked its harder to stop it and/or clean it up after it happens.This had led me to hold the view that these blockchains and the apps that are built on top of them must have some sort of governance. Governance in this situation can be modeled by reliability in the presence of failures in distributed systems because whether its an overt attack or a benign error that causes the problem, it looks to the same to the attackee. This means that if you want to have a fully (or close to fully) distrubted architecture, you’re up against at least a Byzantine decision problem at the very minimum (where you assume only one attacker).A more practical approach it to reduce the decentralization in order by introducing spigots in the system that can be used for control. For example, you could have the blockchain managed by an organization (probably a corporation) that was charged with checking any transactions prior to them being applied to the chain. This is the idea with replacing Morgan Stanley/NYSE (yes, all of it) with a single blockchain that is “governed” by a company.Anyway, this is not a “hit em while they’re down” post. Its an attempt to be constructive in talking about what needs to happen to prevent things like this from happening again.

  22. nico

    I have moved all my crypto offline, using a ledgerwallet (or similar). Only way I feel secure today.

  23. JamesHRH

    Webmail services should make deactivating dead accounts easier.Its not like we are in the mode where more account increases valuation.

  24. jdrive

    Note that while all cell providers are vulnerable (even with ‘Do Not Port’), one is slightly better than others. AT&T. I was a Verizon person, but after a hack I found out that much of their call center activity is offshore, where training is more uneven. Hackers know this, and will call during off hours dozens of times. Eventually they’ll get one that doesn’t read the info. This is how my VZW was hacked, even with port restrictions on the account. In AT&T’s case, all call center activities are in the US, and they’re somewhat less succeptible.Also, Authy is non-secure, over-SMS 2FA. Anyone using that should immediately change to Authenticator. It’s not perfect, but it’s better. The btc exchange where I was hacked used Authy. 2 others didn’t. You can guess which one broke.

    1. Techman

      The btc exchange where I was hacked used Authy. 2 others didn’t. You can guess which one broke.Did they use Authy as the Authy API or did they recommend Authy with a generic sha1 TOTP?

  25. Mark Leeward

    Thank you for this. I have 2FA turned on everywhere but this caused me to spend the weekend shifting everything away from SMS to Google Authenticator — at least those accounts that offered that option. And many don’t.Not sure I’d put too much blame on Verizon or any wireless carrier for that matter. They don’t advertise their SMS capability as a 2FA service platform. You should blame the services you use that electe to use that as their 2FA option. SMS was never intended for that purpose.I’m pretty sure that 99.99999% of Verizon Wireless’s customers are looking for convenient account service when they need to get a new device up and running than are looking to protect their bitcoin from an attack that should the bitcoin holder should have never let be possible. Verizon’s business is probably way better served by making number porting easy for customers than it is by protecting a few edge cases of 2FA fraud.Just my thoughts.But again, thanks for the heads up!

  26. James

    Was your decision to leave your BTC/ETH in someone else’s hands (i.e., Coinbase’s) a conscious one?To be honest, I was surprised to read that you weren’t already using cold storage or a hardware wallet. Will you be revisiting your decision to store your investment on an exchange in light of these events?

    1. Fernando Gutierrez

      Fully agree, but Fred’s firm is an investor in Coinbase, his trust in them is quite big 🙂

      1. James

        Ha. Totally forgot about that.Good point, though being invested and then trusting so completely is certainly one way to double-down, and not necessarily in the good way (it’s not clear to me that storing on exchange offers much of an advantage to either oneself or to Coinbase as a business).If I were invested in CB, I’d still use my own off-exchange cold storage solution, at least until such a time that CB has insurance for crypto holdings (not holding my breath on that one coming any time soon).

        1. Fernando Gutierrez

          I definitely prefer to control my own coins, but I also see why some people store them at exchanges. While storing in a hardware wallet is trivial, some people don’t know how to do it or even that they can do it. And between their own computers and someone else’s, sometimes they chose the later because it is easier/more comfortable. I don’t agree with that, but you need to consider too that some users are terrible with security and there are also a lot of lost funds to that.

  27. Hiyito Patada

    Recommended steps taken. Disappointed in Verizon, but not surprised. We can do all we can to secure our accounts, not put our eggs into one basket, etc. But nothing is 100% fail safe. It’s still worth participating in crypto. I don’t think this will endanger its long-term prospects, as this happens with cash or credit. But improvements are obviously necessary.Some lessons are learned or re-learned the hard way. Crypto will be better for it.

  28. Jim

    Some years ago Kraken blogged about the insecurity of SMS-based 2fa. Good article.They advised a special-purpose Google Voice number.Banks must implement time-based 2fa. NIST officially deprecated SMS 2fa.The URL is below, or google something like “kraken 2fa” and don’t click the link.

  29. scottythebody

    Never trusted SMS for second factor. It’s too unreliable and easy to intercept.

  30. LE

    Many reasons for that. One is to try and get your voice recorded for future use.