In this article you will learn about the most recent hacks in the crypto space and how to protect yourself from them effectively.
Dear Cryptonauts,
it has come to my attention that this month we have had a staggering amount of hacks and cryptos stolen from unprepared users. I would like to discuss what made these hacks possible so that you can double-check you own portfolios and prevent the same fate.
Let's begin.
The common point of failure was always the phone number
The hacker, notices a crypto holder on social media and obtains the associated email address, most likely a Gmail account.
Now the hacker looks for the associated phone number. He might extract it from facebook using a dedicated tool, or find it on LinkedIn. Perhaps you own a domain and he checks the WHOIS registry entry?
Most likely, it will be some odd and harmless directory where you had to enter you phone number before and completely forget about it. Oops.
Next the hacker has to enable forwarding or redirection of your phone number to different Google number that he owns.
This is where many telephone service providers have revealed exploits.
Turns out, that if you are a Verizon customer, the hacker needs only your billing number in order to enable redirection
If you are with Sprint, hackers are able to guess the customer PIN multiple times, then have to take a break - but the account is not locked - and then they are free to try again.
This is possible with auto-dialers configured to test codes automatically.
And of course, last but not least, there is the good ol' social engineering where you obtain the trust of the companies employee and they give you access.
Please be aware that there are many more ways to force the phone redirection, it seems to be a real loophole in account security.
Furthermore, even without redirection, it is possible to interecept SMS-based verification codes to your phone number.
Once the hacker has your phone number he can request the recovery of you gmail account via phone
Next he makes sure to reset the password and lock you out. Now that he has access to you primary email account he goes to all the exchanges like bittrex, binance, polonies, coinbase etc. and requests a password reset. The reset link gets sent to the email account and now he has access to all your coins stored on the exchanges.
Among many users this has happened to Cody Brown, you can read his story here.
And most recently to Kati Zachary, in her case she not only suffered from stolen coins but also identity theft, harassment and extortion. You can read her story here.
What can you do about this?
As you see your phone is the most vulnerable point. Check that the number linked to your primary email account is not publicly available. If it is, change it.
Enable 2FA authentication using a software based solution like Google Authenticate. Best case: use a device that is offline and dedicated only for this. Perhaps you have an old smartphone lying around somewhere?
Never ever ever use SMS based verification method. The exploits for this are now public knowledge in the hacker circles.
Make your password uncrackable: Use a 20 character password with symbols. Here is an example of a good password: T-h@HU5e_Th=at_Ja/ck-)(u!lt?
Another good example is your default steemit password.Make a different password for every crypto account you have.
Use different email addresses as for different accounts, this way you divide the risk.
Last but not least, nothing is as safe as a paper wallet. But a Trezor hardware wallet is the next best thing. Buy it. Use it.
Stay safe out there folks!
More Articles like this:
Do you want to learn how to protect yourself from browser tracking? (Read article)
Do you want to learn how to stake PIVX coins and earn rewards? (Read article)
- Nick ( @cryptonik ) -
