Coinbase account holders lose up to $5 million annually to theft by hacking. Here is how the majority of the hacks happen and why the thieves are so hard to catch. We will also give advice on how to protect yourself against these hacks. Some or a combination of these recommendations can be used for your best security practices. We do have security professionals available if you would like personal or corporate security assessments.
Spotting and Assessing
A scammer spots a possible target by searching for the people who work in the blockchain industry or by combing social media for mentions of Bitcoin and Coinbase. For those of who who don’t know, Coinbase happens to be the biggest crypto currency service provider in the world. Attacking Coinbase users is the most profitable target however other exchanges and services are targeted as well depending on the value of the targeted individual. Those who choose to use online providers to store their crypto currency and control their private keys are more vulnerable than those who would store their coins on a cold storage wallet. As we will see this common method of attack would not affect someone with a cold storage wallet.
First the attacker finds the target’s Personal identifiable Information (PII) which can be gleaned by searching the targets social media profiles, comments, posts or previous data leaks. The targets email address and cell phone number are the first two pieces of information needed to begin the heist. Sometimes as easily as befriending the target on social media and then through Social Engineering, the attacker will begin asking the target to text some information to him or text his/her email to communicate in private on a certain subject. Now the email and cell number have been obtained.
How to defend against this:
- As we have discussed in our Swiss Bank Account in Your Pocket article, the best way to handle your crypto currency is to use a cell phone or computer which does not have a cell carrier but operates on Wifi.
- Never use a device which stays online 24/7 to store your crypto currency wallets and always store your crypto currency offline.
- Never give out your PII anywhere, or anytime online to strangers. If email communication is necessary, create a temporary burner email or one specifically for the purpose of communicating with unknown persons.
- Never give your email associated to your bank accounts to anyone. Never give your cell number which is associated to your bank accounts to anyone, as you will see why below.
Send in the Clones!
The next step the scammer contacts the victim’s mobile provider and “ports” or “clones” the phone number to a device under the scammer’s control. This can be done fairly easily with most cell phone providers through Social Engineering. Some may be harder than others and require more work of getting further information of the target from the first step of the attack depending on your providers security protocols.
How to defend against this:
- Find out what account security measures are available from your provider and utilize them, such as 2 factor authentication (2FA), security PIN etc.
- If using security questions, never use questions which could be answered through your personal background history such as: “What is the name of your high school mascot.” Or even your “mothers maiden name”.
- Do not have your active cell phone linked to your crypto currency accounts as stated above.
- Place a “Do Not Port” order on your phone number. Most telecom’s will comply with this request and note this in your account.
Take control of your Email
Gmail accounts often link cell phone numbers as a backup access method. The scammer can now log in and reset the target’s email password and then do the same thing to Coinbase.
How to defend against this:
- Use an email service provider outside of the mainstream email providers, preferably one focused on security rather than pushing you advertisements. A list of our recommended email providers can be found here. Why? Scammers make a living on how to defeat the security of mainstream providers because most everybody uses them.
- Do not link your active cell phone to a backup access method.
- Do not use text messaging as your 2FA, instead use an app like Google Authenticator.
- Do not use your email to store your passwords or private keys for your crypto currency accounts.
Take control of your Coinbase account
Coinbase requires 2FA in addition to a password. That 2FA now gets texted to the thief who now gains access and control of your Coinbase account. You are now PWND.
The thief transfers your coins into his digital wallets under his control. Law enforcement can easily track the movements of the stolen currency because it is recorded on the blockchain but cannot block the transaction. Figuring out who controls the wallets is difficult unless the thief really screws up.
Laundering the Coins
Trying to cover his trail the thief will move the currency to foreign exchanges and/or convert it into other digital currencies that are harder to track such as these we have covered here. He may even send the coins to a “tumbler” or “mixer” service which attempts to obfuscate ownership of coins to wallets on the blockchain. This process will be that last step before converting the washed coins into other assets or cash.
Remember with crypto currency you are your own bank and only you are solely responsible for the security of your coins. There is no government agency there to insure your digital money. So be vigilant and don’t be a soft target. I hope you will use some of these methods to better protect your digital assets. So far there will always be a trade off of security vs. convenience and only you will have to find that balance. I now leave you with this man’s story of how his 111 bitcoins were hacked. As you will see, the attack method used against him was nearly the same one we have warned you about and provided you with suggestions to defend against it.
Another hack example by SMS interception
As always, if you have anything which you might find helpful in the article please post below in the comments.