
How I was hacked, and all my cryptocurrencies were stolen - imartin2k
https://fabricegrinda.com/hacked-cryptocurrencies-stolen/
======
mancerayder
T-Mobile has a new feature where you have an [edit:] 6-12 digit pin associated
with the account, and it's used in the store or when porting a number. When
activating the pin (which requires calling them), they used an SMS text
message to verify me. I asked if people can change the pin like I just did, he
said that they'd always be sent a text message.

I hope that's true, because if so that'd mean a hacker would need my phone.

I think that guards against the attack whereby someone steals your number by
porting it to another provider. Assuming what T-Mobile is saying is true.

I also use Google Authenticator, but that terrifies me since someone could
steal my phone or I could lose it, and I'd have to find (and I'd better
re-create NOW) printouts of all the words to recover / move Google Authenticator
access tokens.

~~~
Klathmon
IIRC all that pin does is slow things down. Legally they can't prevent you
from porting your number, and if you can verify your identity another way they
will ignore the pin.

There just isn't any way around it, phone numbers are just not secure.

------
zinxq
Why can mobile providers still be so easily social engineered to this day?
Seems like calling them and activating a new SIM (i.e. stealing a number) is
still quite easy.

~~~
mannykannot
It is frustrating, but we have to accept that a phone is not a security
device.

~~~
acct1771
Or strive to fix the issue.

------
relik
Does Google Authenticator provide protection against phone number porting? I
read somewhere that Authy is susceptible to that, but GA is not.

~~~
Klathmon
It "provides protection" by not backing any data up anywhere, so if the phone
it is on is wiped, the codes can't be recovered.

It's a blessing and a curse, but with a bit of work (like backing up all codes
at creation time) it's a non-issue for me that I actually appreciate.

------
joeblow9999
.01 very lucky

