
How to lose $8k worth of Bitcoin in 15 minutes with Verizon and Coinbase.com - jackgavigan
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac
======
zubat
The two common BTC loss stories:

1. I left it in the hands of other people
2. I failed to keep it accessible to myself

It's easy to lean too far in one or the other direction by leaving stuff on a
commercial service or forgotten on a single device without backups. For most
folks, paper wallet and safebox is the appropriate mix since it follows
traditional physical security patterns and ensures some protection from theft
or damage. A strong secondary option is to be online but obscure and not
advertise where your valuable data rests - perhaps your keys exist on a backup
service, but they're tucked away such that an attacker has to think to look
for them, and to do some forensics to track down their location. This buys
time to hear the alarm bells of "your password was reset" and rotate anything
valuable out of the compromised accounts.

Under no circumstances would I keep the money within any of these dedicated
services: even though I use Coinbase and exchanges, it's too easy to employ
social engineering and privilege escalation to get in and take everything, so
any value stored in them has to be considered "hot", and I only keep the amounts
I want to trade on them (which at this moment is $0).

~~~
bbcbasic
> safebox

Also don't tell anyone online/offline that you have coins. You might get
intruders.

------
nightcracker
A subtitle from the article that irked me: 'I’m not giving up on crypto.'

Why would you? You were never using it in the first place. Exchanges aren't
bitcoin.

~~~
NetOpWibby
Lol! Truth.

------
i336_
The thing is, Verizon's not _killing_ anybody by this disaster. Upper
management there probably still sees cryptocurrencies as a fad toy. I'm being
pragmatic.

Here is an open idea that I have long wondered about. If you think this would
work, you are welcome to have it and turn it into a startup (it could work as
a free service, it could work on a subscription).

Make a duress system that allows people to open a fast-loading webpage or app,
scroll down to Gmail, and hit "_Fight!_". Then they'd scroll to Coinbase and
click/tap the button there too.

This service would then immediately log into your account repeatedly and
change your password, along with your recovery email address and other
information that, if changed, would make logging in a hassle (such as your
security recovery questions). It does this as many times a second as possible,
for I'm not sure how long.

My thinking is that "wat, 42 password resets in 18 seconds" is probably going
to freak most well-designed services out, which will then hopefully lock your
account... possibly saving it.

Better yet (I just realized), the app could lock your account, if the service
allows it, after resetting your password.

--

The way I envisage the site/app working is that, you input your account
details (your actual password) into a locked tome with a passphrase. When
disaster strikes you unlock the tome, perhaps with your fingerprint. The
reason for this is that service APIs might not universally provide enough
access to "do good", if you will, and there's also the consideration that the
site might be up but the API might be down (a bit like Verizon being closed!).

Also, about changing the email, gmail allows you to do things like
youraddress+alias@gmail.com, so the app could simply change the email to
things like
youraddress+98ea6e4f216f2fb4b69fff9b3a44842c38686ca685f3f55dc48c5d3fb1107be4@gmail.com,
or variants that won't freak gmail out if they have alarms on that sort of
behavior.

~~~
BenjiWiebe
I like your fight idea. But you couldn't use Gmail aliases as new address
because they are only aliases. E.g. Foo+bar@gmail.com equals Foo+foo@gmail.com
equals Foo@gmail.com.

~~~
i336_
DOH.

I was going based on the thinking that the full email string would need to be
known in order for it to be changed. My brain's a bit foggy right now so I
can't properly think it through.

Ouch, that makes things a bit harder... but thanks for letting me know.
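The point made in this exchange, that a `+` alias is not a different mailbox, is easy to check mechanically. The block below is an added example, not code from the thread or from any of the services named in it: it canonicalises Gmail addresses (lowercase, dots in the local part dropped, everything from `+` onward dropped, googlemail.com folded into gmail.com) so that a duress tool of the kind proposed above can refuse a "rotation" that does not actually move recovery mail anywhere. The function and variable names and the sample addresses are constructed for the example; non-Gmail domains are deliberately left untouched because the thread says nothing about how other providers treat plus-addressing.

```python
"""Canonicalise Gmail addresses so alias variants collapse to one mailbox.

Gmail ignores dots in the local part and everything from '+' onward, and
googlemail.com delivers to the same accounts as gmail.com. A tool that
"changes" a recovery address to foo+<random>@gmail.com has therefore not
changed which mailbox receives the reset mail. (Added example; names and
sample addresses are constructed, not taken from the thread.)
"""

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the delivery mailbox an address actually resolves to.

    Only Gmail rules are applied; any other domain is returned as-is apart
    from lowercasing, because plus-addressing semantics differ per provider.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]   # drop "+tag" and everything after it
        local = local.replace(".", "")  # dots are insignificant in Gmail
        domain = "gmail.com"            # googlemail.com is the same service
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if both addresses deliver to the same Gmail mailbox."""
    return canonical_mailbox(a) == canonical_mailbox(b)


def rotation_is_effective(old_recovery: str, new_recovery: str) -> bool:
    """A duress tool should only count a recovery-address change as done when
    the new address is a genuinely different mailbox from the old one."""
    return not same_mailbox(old_recovery, new_recovery)


if __name__ == "__main__":
    # Constructed sample: the alias trick from the thread versus a real move.
    old = "youraddress@gmail.com"
    alias = "youraddress+98ea6e4f216f2fb4b69fff9b3a44842c38686ca685f3f55dc48c5d3fb1107be4@gmail.com"
    elsewhere = "youraddress@example.org"
    print("alias rotation effective:", rotation_is_effective(old, alias))
    print("move to other provider effective:", rotation_is_effective(old, elsewhere))
```

Run as a script it reports the alias rotation as ineffective and the move to another provider as effective; the same check could gate any automated "reset recovery address" step before it is counted as done.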

------
acastroe
How did the guy get past the first factor authentication?

(e.g. How did he get past the normal password?)

~~~
guiambros
Likewise; can't understand how they got access to his Gmail account. Yeah, it
was a costly learning on the importance of 2FA, but seems OP also needs a
basic password manager.

~~~
URSpider94
Because you can reset your GMail password by sending an SMS to your cell
phone?

Most services assume that your phone is a trusted device, and that SMS is a
trusted delivery service. Neither of which is true if you can get someone to
activate a new phone on your account, or you can hijack SMS.

------
pawadu
Found this depressingly insightful recommendation in the comments:

_"And consider switching to a non-traditional phone company like Google
Project Fi.. can't socially engineer them because you can't even contact them
(and it's same auth as your gmail)"_

------
pawadu
> Call your cellphone company and tell them you are likely to be targeted for
> social engineering. Request more scrutiny for making requests.

Didn't this have the exact opposite effect when someone else tried? (can't
find the story anymore)

------
totalZero
Verizon really dropped the ball here... it's totally negligent to send a text
with a number nobody will answer. I would sue Verizon.

------
willow9886
Same exact thing happened to my friend who was using T-Mobile.

------
bitJericho
Might I humbly recommend my own exchange?
[http://bitcoinsexchange.itmustbetrue.com](http://bitcoinsexchange.itmustbetrue.com)

~~~
davidddavidson
That is an unfortunate URL...

~~~
mrgreenfur
and what a trustworthy homepage! :D

~~~
bitJericho
Low fees!

