It begins with a text message from Verizon
Oh boy. Within seconds, I call the number and get this.
“Hello, welcome to Verizon. Our offices are now closed. Our hours are between 8 and 11pm on the weekdays...”
I call again and repeatedly tap zero to try and get an operator. No dice. A minute later I get a duplicate text message.
I screenshot and tweet to Verizon Support.
Incredibly anxious minutes go by as I attempt to reach Verizon. I google “Verizon fraud prevention line” searching for a number to call and get nothing.
11:41 PM — Gmail signs out.
I’m completely in the dark.
11:42 PM — Coinbase password resets
My session cookie doesn’t kick me out yet so I watch this in real time.
11:34 PM — Coinbase New Device Confirmation
11:44 PM — 1.18 BTC sent
11:45 PM — 70.96 LTC sent
11:46 PM — 16.03 ETH sent
Adios, hopes-and-dreams fund 💸 — $8,000+ is gone in 15 minutes.
How on earth was I so blindsided?
Before we begin, it’s worth mentioning that yes, yesssssssssssssssssssss, I did not have enough protection around my Gmail account. I’ve used Google Authenticator before, for my personal account and for various work emails, but I stopped using it at a certain point out of convenience. I deeply regret doing so and you can certainly say, “HA, YOU HAD THIS COMING TO YOU DUDE, MY BITCOIN IS ON AN ENCRYPTED THUMBDRIVE IN A SECRET UNDERGROUND LOCKBOX COLD STORAGE FACILITY.” But there are many coin speculators out there with a similar vulnerability and, as more novices join, this vulnerability will only become more of a problem.
Of all the factors that led to this hack, Verizon Wireless is the one I was massively unprepared for. After talking at length with customer service reps, I learned that the hacker did not need to give them my PIN or my social security number and was able to get approval to take over my cell phone number with simple billing information. This blew my mind and seemed negligent beyond all possible reason, but it’s what they do. The main thing that struck me about the hack was the extraction speed possible in the current cryptocurrency ecosystem. $8,000 in 15 minutes is faster and more lucrative than robbing a suburban bank.
Why I was targeted
The best working theory for why I was targeted is this tweet I made last week about Coinbase.com. A friend of a friend was hacked on Coinbase and he had not heard back from anyone on Coinbase’s support team for multiple days. As a plea for help, he asked people to help get the word out on Twitter. I did, it got RTed a bunch, and in my incredible naiveté, I had no idea I was essentially attaching a “Rob me too” sign to my back.
And now, here I am. I tried to help someone get the attention of Coinbase for fraud, I got screwed, and now I’m trying to get the attention of Coinbase.com for fraud. The official Coinbase Support Twitter has responded once, then a bot emailed, with a disclosure that it could be weeks before I get a single response to my question.
I have never lost money at anywhere near this scale before. I grew up in a family that is especially conservative when it comes to money and this hits on an emotional level that is hard to shake. Like many, I know that there are plenty of risks when it comes to cryptocurrency, it’s a gamble, but the one thing you don’t expect to happen is to be robbed in seconds on a site with a cleaner user interface design than Chase Bank.
I have no idea if I’ll be able to recover any of this money but I figure the one thing I can do with this feeling of rage/sadness is try and unpack the vulnerabilities so others get less screwed.
Things Verizon Wireless can do
- Add additional layers of scrutiny to any person calling in and requesting to ‘swap phones’. General billing information was sufficient to transfer my number and I was floored by this. It is insane that Verizon, and other wireless companies, haven’t made real efforts to counter this hack and even more crazy that they haven’t been sued for gross negligence.
- Make urgent text alerts actionable through SMS. If I received the original alert and was able to text a reply stopping it, or even delaying it, this entire hack would have stopped in its tracks. Instead I was told to ‘immediately’ call a number for Verizon that no one was there to answer.
- Make the Verizon Fraud Hotline accessible and visible to your customers. It took 45 minutes of irate Twitter DMing before I was able to get the number I needed to contact a real person at Verizon. For anyone searching for this in the future, the number is 1-(888) 483-7200.
- Tell your customer what happened with their account. I spent a few hours with Verizon support being bounced from the Fraud Department to the Legal Department to the Consumer Support department. I got very little from anyone, they would not release details of the call unless I hired a lawyer to represent me.
Things Coinbase.com can do
Dear God Coinbase. Where do we even begin.
- Make enabling Google Authenticator (or any other TOTP app) a *requirement* for storing any coins on Coinbase.com. SMS 2FA is broken, yet it looks secure, especially to newcomers.
- Make a 24/7 fraud hotline available to your customers. Twitter and email are broken mechanisms for response when speed is of the essence.
- Significantly limit the number of new users you accept on your exchange until you have the support resources to cover them. You gained 400,000 users in 30 days, FOUR HUNDRED THOUSAND, and many of these users are extremely new to security.
- Put basic fraud protections in place when someone logs into an account on a new device and then attempts to liquidate it. A one-hour hold on withdrawals that follow a password reset or a new-device login could have stopped this hack in its tracks.
- Make the default modes for transferring coin significantly more paternalistic for new users.
- Create an insurance policy for personal accounts. Yes, this policy would be extremely vulnerable to fraud but this is your core competency, find a way.
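To make the "one hour delay" suggestion concrete, here is an added example of such a withdrawal-hold rule. It is not Coinbase's code and nothing on this page says how Coinbase actually scores risk; the look-back window, the device identifiers, the placeholder date and the earlier baseline withdrawal are all assumptions, while the times and amounts of the attacker's events are taken from the timeline above (the new-device confirmation is placed at 11:43 PM, between the password reset and the first withdrawal).

```python
"""Hypothetical withdrawal-hold rule: an added example, not Coinbase's code.

Events are evaluated in order. A withdrawal is held for HOLD_DURATION when the
account had a password reset or a newly confirmed device within HOLD_WINDOW.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

HOLD_WINDOW = timedelta(hours=24)    # assumed look-back for "recent" risk signals
HOLD_DURATION = timedelta(hours=1)   # the one-hour delay the post proposes


@dataclass
class AccountState:
    """Per-account risk signals the rule consults."""
    device_first_seen: Dict[str, datetime] = field(default_factory=dict)
    last_password_reset: Optional[datetime] = None


def evaluate_withdrawal(state: AccountState, ts: datetime, device: str) -> dict:
    """Decide allow/hold for a withdrawal attempted at ts from device."""
    reasons: List[str] = []
    seen = state.device_first_seen.get(device)
    if seen is None:
        reasons.append("device never confirmed")
    elif ts - seen < HOLD_WINDOW:
        reasons.append(f"device first confirmed {ts - seen} before withdrawal")
    reset = state.last_password_reset
    if reset is not None and ts - reset < HOLD_WINDOW:
        reasons.append(f"password reset {ts - reset} before withdrawal")
    if reasons:
        return {"decision": "hold", "release_at": ts + HOLD_DURATION, "reasons": reasons}
    return {"decision": "allow", "release_at": ts, "reasons": reasons}


def run_timeline(events: List[dict]) -> List[dict]:
    """Feed events in time order; return one decision per withdrawal event."""
    state = AccountState()
    decisions: List[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "password_reset":
            state.last_password_reset = ev["ts"]
        elif ev["type"] == "new_device_confirmed":
            # keep the first confirmation time; re-confirming does not age a device
            state.device_first_seen.setdefault(ev["device"], ev["ts"])
        elif ev["type"] == "withdrawal":
            d = evaluate_withdrawal(state, ev["ts"], ev["device"])
            d.update(asset=ev["asset"], amount=ev["amount"], ts=ev["ts"])
            decisions.append(d)
    return decisions


# Constructed timeline modelled on the post. Attacker times and amounts are the
# post's; the date, device ids and the owner's earlier withdrawal are placeholders.
D = datetime(2017, 1, 1)  # placeholder date
SAMPLE_EVENTS = [
    {"type": "new_device_confirmed", "ts": D - timedelta(days=30), "device": "owner-laptop"},
    {"type": "withdrawal", "ts": D - timedelta(days=3), "device": "owner-laptop",
     "asset": "BTC", "amount": 0.1},
    {"type": "password_reset", "ts": D.replace(hour=23, minute=42)},
    {"type": "new_device_confirmed", "ts": D.replace(hour=23, minute=43), "device": "attacker-device"},
    {"type": "withdrawal", "ts": D.replace(hour=23, minute=44), "device": "attacker-device",
     "asset": "BTC", "amount": 1.18},
    {"type": "withdrawal", "ts": D.replace(hour=23, minute=45), "device": "attacker-device",
     "asset": "LTC", "amount": 70.96},
    {"type": "withdrawal", "ts": D.replace(hour=23, minute=46), "device": "attacker-device",
     "asset": "ETH", "amount": 16.03},
]

if __name__ == "__main__":
    for d in run_timeline(SAMPLE_EVENTS):
        print(d["ts"].strftime("%H:%M"), d["asset"], d["amount"], d["decision"],
              "; ".join(d["reasons"]))
```

Run as-is, the owner's withdrawal from a device confirmed a month earlier is allowed, while all three attacker withdrawals are held for an hour because the device was confirmed a minute earlier and the password was reset two minutes earlier. Note that the attacker could still confirm the new device, since they controlled the email; the rule holds on device age and reset recency rather than on whether confirmation succeeded. The hold only helps if the notification of a held withdrawal reaches the owner on a channel the attacker does not already control, and if a fraud line exists to act on it within the hour.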
Things you can do to secure your coins
In the wake of the attack, I reached out to friends with lots of experience in cryptocurrency and these are their tips.
- Don’t talk about Bitcoin Club. Don’t talk publicly online, with your real identity, about your trades or the exchanges. I know it’s too late for some (certainly for me!), and it shouldn’t be like this, but this makes you less of a target. Even if your coins are properly secured.
- If you are going to post on Reddit, Twitter, etc. about cryptocurrency, use a far-removed pseudonym.
- Use a separate, secret email for your coin accounts and do not forward the alerts to your personal email account.
- Use 2FA — SMS doesn’t count. I had no idea how easy Verizon and others make it for people to take over your phone number with basic information within minutes. Make sure you use Google Authenticator, Authy or something else supporting TOTP tokens, and consider a FIDO U2F security key as well for your Gmail account. Also remove your phone number as a recovery option on that email account; otherwise a hijacked number can still be used to reset the email password, and whoever holds the email can reset everything tied to it.
- If you insist on leaving your money on Coinbase.com, then store it in their “vault”. This will give you a buffer of a couple of days before any of your stuff can be touched; at least it won’t be gone immediately.
- Call your cellphone company and tell them you are likely to be targeted for social engineering. Request more scrutiny for making requests.
- Store your coins on a hardware wallet. Technically, any money you have in an exchange isn’t yours — you simply have an IOU from the counterparty. Best practice for keeping your coins safe is a hardware wallet like the Ledger Nano S. This is only $60 or so and means that someone will need to physically enter a PIN and confirm a transaction, or steal your backup seed, to access your funds.
I’m not giving up on crypto
I joined Coinbase.com in 2015, have held various positions in BTC over the years and have seen hype come and go. I think we’re nearing a real inflection point with adoption, but we’re in a dangerous place as the price of BTC/ETH skyrockets and noobs hit the market.
Four-hundred-thousand people have joined Coinbase.com in the last thirty days. This group has vastly different security needs and expectations than the original 400,000 who joined Coinbase in 2012. If this new group isn’t protected in aggregate, lawsuits will fly, financial lives will be ruined, and the dream that bitcoin will eventually hit $50,000 will become a dim fantasy. Check out the Coinbase reddit if you want an additional taste of what’s happening.
Despite this, I’m willing to bet that Coinbase, or someone else, will significantly evolve and eventually figure it out. Many of the problems that led to my hack on Coinbase are addressable with more paternalistic software, fraud detection and an adept support team reachable 24/7. The beauty of the blockchain is that you can create a consumer offering on top of it that operates much more like a bank, and it can exist next to an exchange suited for someone buying and selling huge, risky amounts each day.
It’s hard to understand how brutal it is to start over with this level of rapid financial loss unless you’ve been there yourself. The BTC I had in my Coinbase was collected over years and the ETH and LTC position were more recent. I blame myself for not doing enough security research and I also know that these openings are incredibly common for others. Unless huge changes happen, so many others are likely to get robbed and the reputation of cryptocurrencies, in general, will degrade. The only thing that’s really around to protect these newcomers is the cryptocurrency community itself. Please let my ample misery be a raw warning sign. Inform your friends. Don’t trust Coinbase defaults. Don’t think it won’t happen to you. Stop reading this and secure your coins right now.
Legal. Many have encouraged me to find a lawyer to work through some options in action against Verizon and Coinbase. If you know of a lawyer or firm who might be good, please shoot me a DM (my DMs are open). I don’t have many resources to pursue this so any general advice would be helpful.
Class action lawsuit against Verizon and/or Coinbase.com. Apparently there is already a lawsuit in motion (am learning more about it). If you have also been affected by a similar situation at Coinbase, message me, so we can share stories.
Donations. Wow. Some very generous people in the bitcoin community have asked about donating to a tip jar or helping fund a lawsuit. This is awesome of you and massively appreciated.
LTC: LbZnJ8QWc581bm6iu6STpbKVq9RDv1Yqbd (currently at ~$250 USD)
ETH: 0x6877Ae8e428E0A989Aac250A1D09f98463277AbA (currently $40USD)
BTC: 188itMZTQx1PcbuCdpjBkdBLUKjJRcdPoj (currently at ~$280 USD)
Hugggge thanks to @BTCXBTDEV.