My Cryptos got HACKED ... learn from my mistake!

Discussion in 'Digital Currencies' started by sammy, Nov 26, 2017.

  1. SilverDJ

    SilverDJ Well-Known Member

    Joined:
    Nov 1, 2014
    Messages:
    3,935
    Likes Received:
    1,297
    Trophy Points:
    113
    Location:
    Australia
    Yes, Youtube search John Mcafee and crypto/mobile security, he has much to say on the topic, and being on the front line of such things he knows more than anyone.
    I don't use my phone for any banking or crypto stuff.
     
  2. SilverDJ

    SilverDJ Well-Known Member

    Joined:
    Nov 1, 2014
    Messages:
    3,935
    Likes Received:
    1,297
    Trophy Points:
    113
    Location:
    Australia
    Are there easy ways to backup Google Authentication?
    This seems to be one way:
    https://www.icontrolwp.com/blog/google-authenticator-backups/
    Anyone using it?
    EDIT: Just found this:
    http://www.newsbtc.com/2017/06/03/coinbase-recommends-users-enable-google-authenticator-ditch-authy/
    Coinbase recommended not using Authy

    EDIT2: It seems that re-enabling your Google Auth codes and then printing out the barcodes is the best way to go to backup.
     
    Last edited: Nov 27, 2017
  3. dozerz

    dozerz Well-Known Member Silver Stacker

    Joined:
    May 21, 2013
    Messages:
    2,248
    Likes Received:
    1,204
    Trophy Points:
    113
    Location:
    straya
    yes printing out your codes is the best way. i also keep a second basic phone in a safe deposit with all codes enabled.

    dont use authy, yes it will work as a backup but means you need to trust them.
     
  4. Soprano16

    Soprano16 Well-Known Member Silver Stacker

    Joined:
    Dec 28, 2016
    Messages:
    1,227
    Likes Received:
    986
    Trophy Points:
    113
    Location:
    Melbourne
    When something like this happens it naturally makes you review how you are doing things in hope that it won't happen to yourself

    Just thinking of myself, I use Exodus as my wallet, on my personal laptop. I have 2FA enabled via 12 secret words which I have saved (screenshot) on an external HDD that isn't plugged in to a computer, it's stored away. I am thinking about getting a Trezor, and will start using MEW soon enough I'm sure

    I have accounts with CoinSpot and Bittrex, and have 2FA via Google Authenticator on both. I don't like the fact that they both required my personal details, drivers licence etc to set up accounts with them (just in case they get hacked and my details with them are jeopardized) but I guess that's just the way it goes

    My laptop has anti-virus etc, and I don't visit suspect sites on it

    Exodus, CoinSpot, Bittrex & MEW. That's it for me.

    I hope that's all good enough to prevent anything bad happening :confused:
     
  5. dozerz

    dozerz Well-Known Member Silver Stacker

    Joined:
    May 21, 2013
    Messages:
    2,248
    Likes Received:
    1,204
    Trophy Points:
    113
    Location:
    straya
    what happens if your house burns down along with your laptop and hdd? unless you have memorised your 12 secret words this is a real risk.
     
  6. Soprano16

    Soprano16 Well-Known Member Silver Stacker

    Joined:
    Dec 28, 2016
    Messages:
    1,227
    Likes Received:
    986
    Trophy Points:
    113
    Location:
    Melbourne
    Sounds a little dramatic

    I'll get around to printing off the 12 words and storing them in my SDB, but other than that I think I am doing everything I can to protect myself as much as possible
     
  7. dozerz

    dozerz Well-Known Member Silver Stacker

    Joined:
    May 21, 2013
    Messages:
    2,248
    Likes Received:
    1,204
    Trophy Points:
    113
    Location:
    straya
    replace burned with stolen or with hard drives failed, these are not unlikely scenarios. get your passphrase somewhere safe and should be fine.
     
    Soprano16 likes this.
  8. Court Jester

    Court Jester Well-Known Member Silver Stacker

    Joined:
    Jul 30, 2012
    Messages:
    3,502
    Likes Received:
    276
    Trophy Points:
    83
    Location:
    Gold Coast QLD
    I use google authentaicor on all my logins where my cryptos are and keys backed up on and offline, though this porting attack has me thinking that my primary bank accounts would be vunerable ( as I uses SMS 2FA thre) hrmmm migh tlook into how to change it.
     
  9. Soprano16

    Soprano16 Well-Known Member Silver Stacker

    Joined:
    Dec 28, 2016
    Messages:
    1,227
    Likes Received:
    986
    Trophy Points:
    113
    Location:
    Melbourne
    Might sound over the top, but is it worth calling your Telco and getting them to put a note on your file saying that if any attempt to port is requested they should contact you first, requiring you see them face to face before proceeding, or something along those lines?

    Sounds extremely over reactive I know, but I use SMS 2FA with CBA too, so maybe it's worth doing?

    Would only take a phone call/shop visit to organise so no real effort
     
    leo25 likes this.
  10. Golightly

    Golightly Well-Known Member Silver Stacker

    Joined:
    Oct 4, 2013
    Messages:
    1,409
    Likes Received:
    57
    Trophy Points:
    48
    Location:
    Newcastle
    Sounds like independent reserve, they offer SMS 2FA Auth, and would be linked to your banks account, A solid company so that really blows.

    if it makes you feel any better losing crypto to a hack, lost wallet.dat, scam or phishing is like a baptism, wear it and carry on
     
  11. Phiber

    Phiber Well-Known Member Silver Stacker

    Joined:
    Nov 21, 2012
    Messages:
    1,588
    Likes Received:
    28
    Trophy Points:
    48
    Location:
    Australia
    Tried this today with my provider.
    They can set your account up to be pin access only, which means when you call for anything they ask for you PIN and if you cannot provide it that's it, nothing can be changed even if it is you and you've forgotten it.
    They also supposedly put a note down to call be in person before any porting can be attempted.
    Better than nothing.

    Thank you to the OP for bringing this to our attention, and hopefully everyone can stay safe out there.
     
  12. Soprano16

    Soprano16 Well-Known Member Silver Stacker

    Joined:
    Dec 28, 2016
    Messages:
    1,227
    Likes Received:
    986
    Trophy Points:
    113
    Location:
    Melbourne
    Having a pin is pretty normal nowadays but it doesn't really do anything with regards to someone porting your number as the new provider you switch to facilitates the port with your current provider, and the password means nothing in that case

    The note on file is better then nothing, but I wouldn't have 100% confidence that a Telco would enforce it when receiving a port request, but let's hope it never gets to this
     
  13. leo25

    leo25 Well-Known Member Silver Stacker

    Joined:
    Jun 8, 2010
    Messages:
    3,585
    Likes Received:
    1,939
    Trophy Points:
    113
    I really hope most of the main carriers will send a txt to the mobile number before the number is ported. It should note when the number will be ported and to what carrier. There should also be a 24hr delay from the time you get the txt, so you have time to stop it from going through.

    If this doesn't happen now, then this major security flaw should be fix very fast.
     
  14. dozerz

    dozerz Well-Known Member Silver Stacker

    Joined:
    May 21, 2013
    Messages:
    2,248
    Likes Received:
    1,204
    Trophy Points:
    113
    Location:
    straya
    not sure the operator in bangalore will read any comments on your account, let alone deviate from the script of porting your number. hopefully there is some sort of secondary validation, i know optus send a txt to say when the change will happen.
     
  15. Phiber

    Phiber Well-Known Member Silver Stacker

    Joined:
    Nov 21, 2012
    Messages:
    1,588
    Likes Received:
    28
    Trophy Points:
    48
    Location:
    Australia
    Yes not ideal but the only thing could do.
    When we recently ported a number from Optus we got an automatic text message from them.
    So hopefully that’s enough to prevent unauthorised porting from happening.
    Not much more than can be done anyway except being vigilant.
     
  16. SilverDJ

    SilverDJ Well-Known Member

    Joined:
    Nov 1, 2014
    Messages:
    3,935
    Likes Received:
    1,297
    Trophy Points:
    113
    Location:
    Australia
    Absolutely trivial to store your code hidden away in PNG format on a cloud somewhere. No one is going to find it unless you label it "here_is_the_2FA_for_my_coinspot_acount.png", and even then buried away in thousands of photos and other images, not going to happen.
    The text can also be hidden anywhere.
    Steganography is your friend.
     
  17. sammy

    sammy Active Member Silver Stacker

    Joined:
    Jul 21, 2015
    Messages:
    340
    Likes Received:
    89
    Trophy Points:
    28
    Location:
    Sydney
    Hi guys, Just a quick update ... most of you guys are probably using an exchange that allows for POLi payments. DON'T USE THIS METHOD OF PAYMENT! The bank does not guarantee them, so if a hacker gets into your exchange account they will have access to you bank account numbers and balance (thanks to POLi), they can then transfer money into your exchange account, buy cryptos and send them to their wallet. And if like me, they've taken your phone number, they just need the banks confirmation SMS to authorise the transaction.

    Make sure that you disconnect your bank account and exchange account so that POLi can't 'see' your bank account. Make this an action step you do immediately. Pay your exchange using direct debit or BPay (which the bank will guarantee) so if there is some funny business, the bank will reimburse you.

    Another lesson learnt the hard way.

    Cheers,
    Sammy
     
    Phiber and Silverling like this.
  18. leo25

    leo25 Well-Known Member Silver Stacker

    Joined:
    Jun 8, 2010
    Messages:
    3,585
    Likes Received:
    1,939
    Trophy Points:
    113
    I was always amazed that some people used POLi, it's such an insecure serves. Unlike credit cards where your money is protected if someone steals it, POLi is an unsupported dodgy service. No one should use it EVER.
     
  19. Soprano16

    Soprano16 Well-Known Member Silver Stacker

    Joined:
    Dec 28, 2016
    Messages:
    1,227
    Likes Received:
    986
    Trophy Points:
    113
    Location:
    Melbourne
    Thanks for the update Sammy

    Can you explain this please?

    How is that POLi's "fault"?

    Sounds like you were hacked (still not sure how) but because you have your bank details and mobile number on your exchange account, they were then able to use that info to get more funds and made the payments via POLi

    POLi might not guarantee payments, but it doesn't sound like they were the reason you got hacked, unless I am missing something blatantly obvious?
     
  20. leo25

    leo25 Well-Known Member Silver Stacker

    Joined:
    Jun 8, 2010
    Messages:
    3,585
    Likes Received:
    1,939
    Trophy Points:
    113
    When you use POLi, you essentially trust that Australian post o_O (owner of POLi) has very high security standards (which they don't). As they have access to your login details. More or less POLi has major security issues and there is a high probability they could be the cause of this issue.

    Here is a quick cut and past run down.
     
    Last edited: Nov 30, 2017
    Soprano16 likes this.

Share This Page