How I was hacked, and all my cryptocurrencies were stolen!
Because I started playing with cryptocurrencies as a hobby years ago, and for a long time they were not worth much of anything (read Some thoughts on cryptocurrencies), it did not occur to me to treat my crypto holdings more securely than other assets I owned. I assumed that by using very complex passwords, or a password manager like Dashlane, and requiring two-factor authentication with text messages sent to my cell phone, I would be safe.
Boy was I wrong! I did not realize I had a (very) weak link in my security: my cell phone provider. The hackers called T-Mobile pretending to be me. They said I had lost my cell phone and asked T-Mobile to activate another SIM with the same number. As (bad) luck would have it, I was traveling in Europe at the time. I noticed my cell phone lost connectivity, though it still worked through Wifi. I assumed it was just a roaming issue, put my phone on airplane mode (as I do every night) and went to sleep.
When I woke up, I still did not have connectivity, but it was not obvious that something was awry as many normal emails had come through the night. After a few hours, I randomly decided to check my Twitter and realized my password no longer worked. That’s when I became suspicious. I tried to login to my Gmail (which I very rarely use) and that password had also been changed. I checked my regular email address and while send and receive worked with no error, no new external emails had come in for a few hours (which is unusual as I get over 200 emails per day). I tried to login to my domain manager and no longer had access.
The hackers had been very sneaky. After they got control of my cell phone number, they sent themselves a reset password text message at my domain manager to get access to that. They left my existing Exchange mailbox intact, but created a new mailbox and switched the MX record to point to that mailbox. It took a few hours for the MX record change to propagate so I still received emails for a few hours. Also, because they did not reset the password of my Exchange email I did not get an incorrect password message that would have aroused my suspicion. Also, I kept getting internal FJ Labs emails even after the MX record change because those are also on the same Exchange server as my email.
Once the MX record change had propagated, they were able to use their control of my email and access to my cell phone (given that I required text confirmation in addition to control of my email) to reset the password for my Dropbox, Venmo, Twitter, Gmail, Coinbase, Xapo, Uphold and Bitstamp accounts. I did not see any of those reset password messages or any of the text message confirmations because they were going to the new mailbox and phone they setup. They then sent themselves all my BTC to 12LmHubDmhnLTrvPgs82MJ2FTJR68rwrfK.
At this point, it was clear that my phone an email had been compromised. I immediately called T-Mobile which confirmed that they had setup a new SIM for my number. It took a fair amount of time, but I convinced them to restore the original SIM. I then reset the password at my domain manager and noticed the MX record had been changed. They were now pointing to a mailbox hosted by my domain manager. I logged in and saw all the password resets on all my accounts.
It took hours, but I reset all the MX records and the passwords on all my accounts and replied to all the emails I had missed that had been sent to the new mailbox.
As luck would have it, for all their sophistication they stole only 0.01 BTC 🙂 I can take no credit for this, as it was sheer luck. I had fundamentally revised my crypto investment strategy the week before the hack and sold all of my direct crypto holdings. I had also reached my Venmo weekly payment limit, so they could not Venmo themselves money (and I can see they tried). They did not try to make wire transfers from my normal bank accounts, perhaps because that money would have been easier to trace and I require a few more security measures for wire transfers that are more difficult to get around.
This experience made me realize that your security is only as strong as your weakest link. Since then, I implemented several changes to my security protocols. To make any changes to my T-Mobile account by phone or in person, you now need to mention a very complex password with digits and special characters. I recommend that everyone adds a voice authorization password required to make changes to their cell phone account. It also made me realize the perils of using an email address everyone knows and a phone number everyone knows to manage my crypto holdings. The crypto accounts I now use all have email addresses dedicated to them and I use a non-US cell phone for two-factor authentication. No one has that number and I don’t use it for anything other than to authenticate access to my accounts. Also note that if you use an application like Authy for two-factor authentication (which I recommend), you should only allow it to work on one device (it’s the default setting). I like that it takes several days to reset your Authy account even if you are just putting it on a new cell phone with the same number. It adds a layer of security in case someone ends up getting a new phone on your number.
For crypto in particular, once the access to your accounts is secure you must decide whether you should leave your assets on the exchange or be your own custodian. Both come with their own risks.
- Leaving it on an exchange: Your risk here is defined by the probability that this exchange will be hacked or be subject to new regulation. If you decide to go down this path, there are certainly better options than others. I know that the Coinbase team is doing a terrific job at keeping their assets secure. This does come with the drawback of users not being able to participate in certain airdrops, or not having access to new currencies from forks immediately, but I won’t delve into that topic here.
- Being the custodian: Your risk here is defined by the likelihood of your seed phrase been stolen, or all replicas of it being permanently damaged/irrecoverable. Someone could also get the password for your given wallet and steal the hardware from you, in which case, unless you immediately get a new wallet, recover your keys from the passphrase, and transfer all of your assets out, they’ll all be soon gone. You could also lose your passphrase, as well as the password as it infamously happened to Wired writer Mark Frauenfelder in his epic tale of hacking his own wallet.
People should weigh the probability of the exchange being hacked versus the probability of their seed phrase being stolen or lost. For most people with little crypto exposure, I would recommend they leave their crypto on Coinbase as it probably has a lower probability than the risks involved in being your own custodian. In addition, it’s way more convenient to just have your assets there rather than have to deal with the hassle of custody.
If you own a lot of crypto assets, you should avoid leaving coins in exchanges to avoid the risk of those being hacked as it famously happened to Mt. Gox, Bitfinex, and YoBit not so long ago. In 2014, Mt. Gox handled 70% of all Bitcoin transactions worldwide when 850,000 bitcoins belonging to customers were stolen. They subsequently filed for bankruptcy and went out of business. It’s certainly worth your time to learn how to protect yourself against these attacks.
If you choose to go down this path, I would highly recommend you getting your own hardware wallet. The two main companies in this space are Trezor and Ledger. I’m not very familiar with Trezor but can vouch for Ledger. When you first setup your wallet, you will be prompted with a passphrase and a password, the latter being specific to that wallet. Think of the passphrase as your master password for all private-public key pairs you will use in the future. If your wallet is damaged or lost, you can recover all transactions on a new one by having this passphrase. Just as you can be the one recovering these keys, anyone else who gets access to it will be able to do so as well so make sure that you save it in a safe place. Safe means: not on a computer with internet access; not on a hard-drive that’s not encrypted; not on a paper that could be easily stolen. You should also have more than one copy in different places (all of which must have tight security since your system is just as secure as your weakest link) to protect yourself against a potential loss (hard-drive malfunction, fire, a potential robbery, and others). As you are probably thinking by now, being the custodian of your own keys is no easy job.
As a side note, while hardware wallets are certainly great products, if you are an institution or someone who might be likely the target of a personalized attack, this path might also fall short. First, when talking about redundancy and safety, this is not a binary dimension but a spectrum. You could either leave a paper with your passphrase hidden in the closet or store it in a safety box inside of a bank. On top of the steps described above, you should also seriously consider multi-signature security. At a high level, this means that you’d need multiple keys to transfer your funds (e.g. 2-of-4 policy would be mean that there are 4 keys, and you’d need at least two of them). There are already a few companies like Coinbase and Anchor that provide this kind of service.