Posts from personal security

On Saturday, September 9th, the Gotham Gal and I arrived at JFK airport after an eight-hour flight from Paris. While waiting for our luggage, I got pushed a notification in my web3 wallet that there was an NFT drop underway that I could participate in. So I clicked on the link, signed the transaction, and nothing happened (or so I thought). So I tried again. Again nothing happened. Frustrated, I turned my attention to the luggage, retrieved it, got in a car, and headed home. On the way home, I tried again a few times to no avail.

It turns out that each of my failed attempts to mint an NFT was a scam that allowed a thief to eventually take 46 of my most valuable NFTs out of my wallet. I did not realize any of this until I woke the next morning to a text from a friend saying:

did your wallet get compromised? your NFTs from fredwilson.eth were transferred out and sold

That’s when I realized that all of the failed minting activities from the night before were actually me getting scammed.

For much of August, I along with a lot of NFT enthusiasts had been participating in something called “Onchain Summer” which was a rollout of the new Base layer two blockchain from Coinbase. Part of Onchain Summer was a daily NFT drop. You simply clicked on the link in the message in your web3 inbox and went and minted. It was fun and I collected some great NFTs that way.

The message I was scammed with looked exactly like those Onchain Summer messages but was not from the same sender. I should have noticed that but did not. Mistake number one.

The fact that I signed a transaction and nothing happened should have been a sign that something was wrong. Normally when you sign a minting transaction, a new NFT shows up in your wallet. When it did not, I should have sensed something was wrong. I did not. Mistake number two.

The fact that I was signing transactions in the same wallet where I keep my NFTs is also bad practice and I knew it. The best practice is to hold NFTs in a “vault” wallet where you never sign transactions and to have a separate “mint” wallet where you hold nothing but do all of your signing. Mistake number three.

What I was doing by signing those scam transactions was giving the thief access to a number of smart contracts that secured multiple NFTs that I owned. So even though I did not sign 46 scam transactions, the thief was able to take 46 NFTs.

Signing transactions is risky business and needs to be done carefully. I knew that but did not take the required care on the evening of September 9th.

This story has a happy ending. With the help of my USV colleague Nikhil, I have recovered 38 of the 46 NFTs that the thief took from me for a fairly modest sum. As I put it to a friend, it cost me between weeks and months of my personal ETH staking rewards. It was enough to sting and that’s good. It was a lesson that I learned the hard way and it was worth every ETH that it cost me to get them back.

There are a few NFTs that I am not going to try and get back, but I am still trying to buy back these two NFTs that the thief sold to others who are likely unaware that they are holding stolen goods:

Anticyclone #212 currently held by this wallet

WoW #8105 currently held by this wallet

If you recognize those wallets and know who holds those NFTs, I would appreciate an introduction so I can offer to buy them back at their cost.

I do want to thank everyone who sold me back my NFTs (including the thief who we bought quite a few from). Many people sold them back to me at their cost when they heard they were taken from me. I really appreciate that.

I got a new Pixel 7 last week and have started the tedious process of moving over to a new phone.

One of the more painful chores in moving from one phone to another is moving the Google Authenticator app and all of the two factor codes to the new phone.

My partner Nick told me about Yubikey Authenticator and I converted to it while moving phones since I was going to have to get all new codes anyway.

If you use a Yubikey for anything else, switching to Yubikey Authenticator is a breeze.

You download the Yubikey Authenticator app onto your phone, insert your Yubikey and start scanning QR codes (just like Google Authenticator).

Then any time you need a code, you simply insert your Yubikey into your phone and your codes appear in the app.

You can also put the Yubikey Authenticator app on a laptop or a desktop and get the codes that way which is a great backup solution in case you misplace or lose your phone.

And, when it is time to switch phones, you simply put the Yubikey Authenticator app on your new phone and insert the Yubikey and your codes are there.

Even with all of this goodness, I still keep physical copies of my backup codes in a safe. I am also considering setting up a second Yubikey for the two factor codes I use the most just in case I lose my main one.

When it comes to two factor codes, I think you have to have a plan B and a plan C.

If you use a Yubikey already, consider using the Yubikey Authenticator for your two factor codes.

This piece in Recode explains that Cambridge Analytica built an app that 270,000 people used to amass profiles on 50 million people.

That’s not very surprising because we are talking about networks here.

This is a network graph that my colleague Jacqueline made of my twitter network a few years ago:

In our online life, we are connected to a huge number of people.

If I get access to your email inbox, I am going to see emails with thousands of people.

Which is what makes this privacy/data sovereignty stuff so important.

When your data is taken without your knowledge/permission, it is not just your data that is taken.

It is the data of thousands of other people, often the people closest to you.

That sucks.

This is one of the many reasons I am hopeful about an Internet 3.0, a decentralized system with data security and integrity at its core.