How to lose $8k worth of bitcoin in fifteen minutes with Verizon and Coinbase.com
Oh boy. Within seconds, I call the number and get this.
“Hello, welcome to Verizon. Our offices are now closed. Our hours are between eight and 11 p.m. on weekdays.”
I call again and repeatedly tap zero to try to get an operator. No dice. A minute later I get a duplicate text message.
I screenshot and tweet to Verizon Support.
Exceptionally anxious minutes go by as I attempt to reach Verizon. I google “Verizon fraud prevention line” searching for a number to call and get nothing.
11:41 PM — Gmail signs out.
I’m fully in the dark.
11:42 PM — Coinbase password resets
My session cookie doesn’t kick me out yet, so I witness this in real time.
11:34 PM — Coinbase New Device Confirmation
11:44 PM — 1.Legal BTC sent
11:45 PM — 70.96 LTC sent
11:46 PM — 16.03 ETH sent
Adios, hopes and dreams fund: $8,000+ is gone in fifteen minutes.
How on earth was I so blindsided?
Before we begin, it’s worth mentioning that yes, yesssssssssssssssssssss, I did not have enough protection around my Gmail account. I’ve used Google Authenticator before, for my personal account and for various work emails, but I stopped using it at a certain point out of convenience. I deeply regret doing so and you can certainly say, “HA, YOU HAD THIS COMING TO YOU DUDE, MY BITCOIN IS ON AN ENCRYPTED THUMBDRIVE IN A SECRET UNDERGROUND LOCKBOX COLD STORAGE FACILITY.” But there are many coin speculators out there with a similar vulnerability and, as more novices join, this vulnerability will only become more of a problem.
Of all the factors that led to this hack, Verizon Wireless is what I was massively unprepared for. After talking at length with customer service reps, I learned that the hacker did not need to give them my PIN or my social security number and was able to get approval to take over my cell phone number with plain billing information. This blew my mind and seemed negligent beyond all possible reason, but it’s what they do. The main thing that struck me about the hack was the extraction speed possible in the current cryptocurrency ecosystem. $8,000 in fifteen minutes is quicker and more lucrative than robbing a suburban bank.
Why I was targeted
The best working theory for why I was targeted was this tweet I made last week about Coinbase.com. A friend of a friend was hacked on Coinbase and he had not heard back from anyone on Coinbase’s support team for numerous days. As a plea for help, he asked people to help get the word out on Twitter. I did, it got RTed a bunch, and in my incredible naiveté I had no idea I was essentially fastening a “Rob me too” sign to my back.
And now, here I am. I tried to help someone get the attention of Coinbase for fraud, I got screwed, and now I’m trying to get the attention of Coinbase.com for fraud. The official Coinbase Support twitter has responded once, then a bot emailed, with a disclaimer that it could be weeks before I get a single response to my question.
I have never lost money at anywhere near this scale before. I grew up in a family that is especially conservative when it comes to money and this hits on an emotional level that is hard to shake. Like many, I know that there is a slew of risks when it comes to cryptocurrency, it’s a gamble, but the one thing you don’t expect to happen is to be robbed in seconds on a site with a cleaner user interface design than Chase Bank.
I have no idea if I’ll be able to recover any of this money, but I figure the one thing I can do with this feeling of rage/sadness is try to unpack the vulnerabilities so others get less screwed.
Things Verizon Wireless can do
- Add extra layers of scrutiny to any person calling in and requesting to ‘swap phones’. General billing information was sufficient to transfer my number and I was floored by this. It is insane that Verizon, and other wireless companies, haven’t made real efforts to counter this hack and even more crazy that they haven’t been sued for gross negligence.
- Make urgent text alerts actionable through SMS. If I had been able to reply to the original alert and stop it, or even delay it, this entire hack would have stopped in its tracks. Instead I was told to ‘immediately’ call a number for Verizon that no one was there to answer.
- Make the Verizon Fraud Hotline accessible and visible to your customers. It took 45 minutes of irate Twitter DMing before I was able to get the number I needed to contact a real person at Verizon. For anyone searching for this in the future, the number is 1-(888) 483–7200.
- Tell your customer what happened with their account. I spent a few hours with Verizon support being bounced from the Fraud Department to the Legal Department to the Consumer Support department. I got very little from anyone, they would not release details of the call unless I hired a lawyer to represent me.
Things Coinbase.com can do
Dear God Coinbase. Where do we even begin.
- Make enabling Google Authenticator a *requirement* for storing any coins on Coinbase.com. SMS 2FA is broken, but it looks deceptively secure, especially to newcomers.
- Make a 24–7 fraud hotline available to your customers. Twitter and email are broken mechanisms for response when speed is of the essence.
- Significantly limit the number of new users you accept on your exchange until you have the support resources to cover them. You gained 400,000 users in thirty days, FOUR HUNDRED THOUSAND, and many of these users are completely new to security.
- Put basic fraud protections in place when someone logs into an account on a new device and then attempts to liquidate it. A one hour delay could have stopped this hack in its tracks.
- Make the default modes for transferring coin significantly more paternalistic for new users.
- Create an insurance policy for private accounts. Yes, this policy would be utterly vulnerable to fraud but this is your core competency, find a way.
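A sketch of the hold logic the new-device and delay items above describe, as an added example that is not Coinbase’s code or policy: a withdrawal is held when the requesting device is younger than a maturity window, when the password or recovery email changed recently, or when the balance is in a time-locked vault. The hold durations, the event names and the constructed timeline (which mirrors the minute-by-minute sequence in this post) are assumptions for illustration.

```python
"""Withdrawal hold policy for a custodial exchange account (added example, not Coinbase's)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy values; a real exchange would tune these per risk tier.
DEVICE_MATURITY = timedelta(hours=24)  # a device must be this old before it may withdraw
RESET_HOLD = timedelta(hours=24)       # hold after a password reset or email change
VAULT_HOLD = timedelta(hours=48)       # time lock on a "vault" balance


@dataclass
class Event:
    ts: datetime
    kind: str          # "login", "password_reset" or "email_change" (assumed names)
    device: str = ""   # device fingerprint / cookie id, only meaningful for "login"


@dataclass
class Decision:
    action: str                      # "allow" or "hold"
    release_at: Optional[datetime]   # earliest time the withdrawal may execute
    reasons: List[str] = field(default_factory=list)


def first_seen(events: List[Event], device: str, now: datetime) -> Optional[datetime]:
    """Earliest login from this device at or before `now`, or None if never seen."""
    seen = [e.ts for e in events if e.kind == "login" and e.device == device and e.ts <= now]
    return min(seen) if seen else None


def withdrawal_decision(events: List[Event], now: datetime, device: str,
                        from_vault: bool = False) -> Decision:
    """Decide whether a withdrawal requested at `now` from `device` runs immediately or is held."""
    reasons: List[str] = []
    release = now

    # Signal 1: the device is new (never seen, or seen less than DEVICE_MATURITY ago).
    fs = first_seen(events, device, now)
    if fs is None or now - fs < DEVICE_MATURITY:
        reasons.append("new_device")
        release = max(release, (fs or now) + DEVICE_MATURITY)

    # Signal 2: credentials or recovery path changed recently (the account-takeover pattern).
    for e in events:
        if e.kind in ("password_reset", "email_change") and e.ts <= now and now - e.ts < RESET_HOLD:
            reasons.append(e.kind)
            release = max(release, e.ts + RESET_HOLD)

    # Signal 3: vault balances are always time-locked, regardless of device.
    if from_vault:
        reasons.append("vault")
        release = max(release, now + VAULT_HOLD)

    if reasons:
        return Decision("hold", release, reasons)
    return Decision("allow", None, [])


# Constructed sample timeline (date is arbitrary; minutes follow the sequence in the post).
DAY = datetime(2017, 5, 24)
ATTACK_LOG = [
    Event(DAY - timedelta(days=400), "login", "laptop-home"),      # the owner's long-lived device
    Event(DAY.replace(hour=23, minute=42), "password_reset"),       # attacker resets password
    Event(DAY.replace(hour=23, minute=43), "login", "attacker-browser"),  # new device confirmed
]


def attacker_withdrawal() -> Decision:
    """The 11:44 PM liquidation attempt from the attacker's freshly confirmed browser."""
    return withdrawal_decision(ATTACK_LOG, DAY.replace(hour=23, minute=44), "attacker-browser")


def owner_withdrawal(from_vault: bool = False) -> Decision:
    """A routine withdrawal by the owner, days earlier, from the device seen for over a year."""
    return withdrawal_decision(ATTACK_LOG, DAY - timedelta(days=4), "laptop-home", from_vault)


if __name__ == "__main__":
    print(attacker_withdrawal())              # hold, released 2017-05-25 23:43, new_device + password_reset
    print(owner_withdrawal())                 # allow
    print(owner_withdrawal(from_vault=True))  # hold for 48 hours
```

The attacker’s withdrawal is held until the younger of the two signals ages out (the new-device window, 24 hours after the 11:43 PM login), while the owner’s routine withdrawal from a mature device with no recent credential changes passes untouched. A hold is also the right moment to notify the account’s original email and phone number, since those are the channels the attacker is racing to cut off.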
Things you can do to secure your coins
In the wake of the attack, I reached out to friends with lots of experience in cryptocurrency and these are their tips.
- Don’t talk about Bitcoin Club. Don’t talk publicly online, with your real identity, about your trades or the exchanges. I know it’s too late for some (certainly for me!), and it shouldn’t be like this, but this makes you less of a target. Even if your coins are decently secured.
- If you are going to post on reddit, twitter, etc. about cryptocurrency, use a pseudonym far removed from your real identity.
- Use a separate, secret email for your coin accounts and do not forward the alerts to your personal email account.
- Use 2FA — SMS doesn’t count. I had no idea how easy Verizon and others make it for people to steal your phone number with basic information within minutes. Make sure you use GAuth or Authy or something else supporting TOTP tokens; consider a FIDO U2F device as well for your gmail account.
- If you insist on leaving your money on coinbase.com, then store it in their “vault”. This will give you a buffer of a couple of days before any of your stuff can be touched; at least it won’t be gone instantaneously.
- Call your cellphone company and tell them you are likely to be targeted for social engineering. Request more scrutiny for requests made on your account.
- Store your coins on a physical wallet. Technically, any money you have in an exchange isn’t yours — you simply have an IOU from the counterparty. Best practice for keeping your coins safe is a hardware wallet like the Ledger Nano S. This is only $60 or so and means that someone will need to physically hold the device, enter a PIN and confirm a transaction, or steal your backup seed, to access your funds.
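To make concrete why a TOTP app does not share the SMS weakness: the six-digit code is an HMAC over the current 30-second time step, keyed by a secret that exists only on your device and the server, so transferring your phone number to a new SIM gives an attacker nothing. The block below is an added example, not code from this post, Google, Authy or Coinbase; it implements RFC 4226 HOTP and RFC 6238 TOTP in plain Python and checks itself against the RFC’s published SHA-1 test secret. The one-step acceptance window and the replay check on the last-used counter are assumptions about sensible server-side policy, and a production service should use a maintained library rather than this.

```python
"""RFC 6238 TOTP, the scheme behind Google Authenticator / Authy (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the app displays."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time // step), digits)


def verify_totp(key: bytes, code: str, for_time: float, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server side: accept a code for the current step or `window` steps either side (clock drift),
    but never for a counter at or before `last_counter`, so a sniffed code cannot be replayed.
    Returns the accepted counter (store it as the new last_counter) or None."""
    current = int(for_time // step)
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):  # constant-time compare
            return candidate
    return None


def secret_for_app(key: bytes) -> str:
    """Base32 form of the shared secret: what the QR code / manual entry gives the app."""
    return base64.b32encode(key).decode("ascii")


def secret_from_app(b32: str) -> bytes:
    """Inverse of secret_for_app, tolerant of the spaces and lowercase apps often show."""
    return base64.b32decode(b32.upper().replace(" ", ""))


# RFC 6238 Appendix B test secret (SHA-1 variant), so the outputs below are checkable.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(secret_for_app(RFC_KEY))                  # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
    print(totp(RFC_KEY, for_time=59, digits=8))     # 94287082 per RFC 6238
    print(verify_totp(RFC_KEY, "94287082", 89, digits=8))                  # 1 (previous step, in window)
    print(verify_totp(RFC_KEY, "94287082", 89, last_counter=1, digits=8))  # None (replay)
    print(totp(RFC_KEY))                            # live 6-digit code for the RFC key
```

Two things the code makes visible. First, nothing in the path touches the carrier: the only inputs are the shared secret and the clock, which is exactly why porting the number accomplishes nothing against it. Second, the secret is a bearer credential; the base32 string is enough to generate codes forever, so it belongs on the device and in an offline backup, never in the same email account the attacker is about to take over.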
I’m not giving up on crypto
I joined Coinbase.com in 2015, have had various positions of BTC over the years and have seen hype come and go. I think we’re nearing a real inflection point with adoption but we’re in a dangerous place as the cost of BTC/ETH skyrockets and noobs hit the market.
Four hundred thousand people have joined Coinbase.com in the last thirty days. This group has vastly different security needs and expectations than the original 400,000 who joined Coinbase in 2012. If this new group isn’t protected in aggregate, lawsuits will fly, financial lives will be ruined, and the dream that bitcoin will eventually hit $50,000 will become a dim fantasy. Check out the Coinbase reddit if you want an extra taste of what’s happening.
Despite this, I’m willing to bet that Coinbase, or someone else, will significantly evolve and eventually figure it out. Many of the problems that led to my hack on Coinbase are addressable with more paternalistic software, fraud detection and an adept support team reachable 24–7. The beauty of the blockchain is that you can create a consumer offering on top of it that operates much more like a bank, and it can exist next to an exchange suited for someone buying and selling fat, risky amounts each day.
It’s hard to understand how brutal it is to start over after this level of rapid financial loss unless you’ve been there yourself. The BTC I had in my Coinbase was collected over years and the ETH and LTC positions were more recent. I blame myself for not doing enough security research and I also know that these holes are incredibly common for others. Unless big changes happen, many others are likely to get robbed and the reputation of cryptocurrencies, in general, will degrade. The only thing that’s really around to protect these newcomers is the cryptocurrency community itself. Please let my misery be a raw warning sign. Inform your friends. Don’t trust Coinbase defaults. Don’t think it won’t happen to you. Stop reading this and secure your coins right now.