What is U2F? If You Use Text Messaging As Your Two Factor Authentication For Coinbase/Gmail, You Need To Read This NowsteemCreated with Sketch.

in security •  7 years ago 

u2f.jpg

I just finished reading about a guy named Cody Brown who lost $8k of Bitcoin in 15 minutes from Coinbase.

Cody writes:

"Of all the things that went down in the factors that lead to this hack, Verizon Wireless is what I was massively unprepared for. After talking at length with customer service reps, I learned that the hacker did not need to give them my pin number or my social security number and was able to get approval to takeover my cell phone number with simple billing information. This blew my mind and seemed negligent beyond all possible reason but it’s what they do. The main thing that struck me by the hack was the extraction speed possible in the current cryptocurrency ecosystem. $8,000 in 15 minutes is faster and more lucrative than robbing a suburban bank." -How To Lose $8k Worth of Bitcoin in 15 Minutes With Verizon and Coinbase

How did this happen? Didn’t he have Two-Factor Authentication set up for his Coinbase account?

Yes.

But he had the wrong one: SMS text messaging.

SMS text messaging is very insecure as a Two-Factor Authentication. Hackers nowadays can easily call up your phone provider and pretend to be you. They don’t need to prove any identity. All they need to do is convince the employee that they are you. And some hackers are really good at this. It’s currently the weakest link that exists and regular people still don’t understand the risks involved.

One of the biggest Blockchain VC’s, Bo Shen (one of EOS' investors) had over $300,000 stolen recently by a hacker using this same weak link: SMS text messaging. It’s a huge problem right now that many people are unaware of.

sms.jpg

I am not talking about your Steem/Steemit accounts. Leave those alone because we have the option of storing our Steem in Steem Power, which cannot be drained in 15 minutes. Powering down takes days, so in the event your account gets hacked, you can recover it before your funds are drained. This is a compelling reason to store your Steem in Steem Power.

Disconnect your phone from your Gmail, Coinbase and other accounts right now if you have SMS text messages as your 2FA (Two Factor Authentication). I’ll explain what you should do in place of it that is actually secure. To be clear, I am not talking about your Steemit account. I am talking about your Gmail, Coinbase, and all other accounts that are connected to Crypto and banking exchanges. If you use a Gmail account to log into Bittrex, Coinbase, your bank, etc., this is the account that needs to be disconnected from Text Messaging (SMS 2FA). You need to switch to U2F and I'll explain why.

Do

It

Right

Now.

Sometimes a video can explain all of this better than reading text, so please watch this one. In it, the young man uses Yubikey as his U2F, which I have never used. I use a Trezor as my U2F (or physical key) for all my important accounts.

So, what exactly is U2F?

Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices based on similar security technology found in smart cards.[1][2][3][4][5] While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.[6][7]
U2F Security Keys are supported by Google Chrome since version 40[2] and Opera since version 40. U2F security keys can be used as an additional method of two-step verification on online services that support the U2F protocol, including Google,[2]Dropbox,[8] GitHub,[9] GitLab,[10] Bitbucket,[11] Nextcloud,[12] Facebook[13] and others.[14]
Chrome and Opera are currently the only browsers supporting U2F natively. Microsoft is working on FIDO 2.0 support for Windows 10[15] and the Edge[16] browser, but has not announced any plans to include U2F support. Mozilla is integrating it into Firefox, and support can currently be enabled through an addon -Wikipedia

I’m going to simplify this definition:

U2F is a physical key that you put into a USB port on your computer. You put this in after inputting your password as a second layer of security. Even if someone has your password, they cannot get into your account without your U2F key. The U2F device uses encryption, as it contains a private key that is matched up to your public key in order to unlock your accounts like Gmail and Facebook. Without the physical key, no one can access your account. So, hackers, and even key loggers will not be able to steal your U2F info because the U2F encrypts the data when it is sent. No one can gain access to your accounts without the physical key (U2F).

I use Trezor as my U2F and it works very easily.

There are other cheaper options like the Yubikey that costs $18 from Amazon. I’ve never used Yubikey and only learned of it recently after doing some research. A good idea is to have several U2F devices connected to your account, to ensure you don’t lose access if you lose one of your keys. I'll get one of these Yubikeys and tell you how I like it soon.

It’s overwhelming to do this the first time, but once you do, you will be able to sleep at night. Hackers are just getting more advanced and sneaky over time, so the sooner you get one of these physical U2F keys, the better! Cars and houses need physical keys, so do your accounts!

Here’s a how-to video that shows you how to set up a U2F physical device like Trezor or Yubikey with your gmail account:

Seriously, don't wait til it's too late. Do it now and educate your friends and family about this too. I was shocked to learn that a hacker would pursue someone with only $8,000. I didn't know that would be worth pursuing. I had wrongly thought that they only pursued people with huge accounts, like Bo Shen.

Keep your coins and accounts as secure as possible. You'll be able to sleep better (but if you crypto day trade, you'll not be sleeping much).

Cheers,
Stellabelle

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Upvoted and resteemed, then closed window to go to Trezor's site.

Now waiting by mailbox. Security cameras are installed, but currently have no authentication method to confirm identity of mailperson.

But once that key's setup and in my hands, I'll never let go Jack, I'll never let go, 'cause people going to this much trouble over $8,000 seemed crazy to me until about 17 minutes ago.

Thanks much for the post!

lol i know isnt it crazy how you have to be THIS cautious now? If somene at the the trazor factory tampers with your trezor, u can still reset it yourself,
but yeah its best to have paper wallets, download bitcoin armory, then download bitcoin core and rul your full node, u gtta have 100GB of space and a fast cimputer

then have a paper bitcoin wallet private key that u can have backed up on paper

but yeah trezor will be good too

just get multiple treszors, also nano ledger, get MULTIPLE hardware wallets, split up all your bitcoin between them all!

Yup! Gotta cover all the angles...

your response made my day. And it was by far the best answer of the day. Congratulations. You've just won 5 Steem dollars in the form of my upvotes.

  ·  7 years ago (edited)

Thanks!

Your article and its resultant commentary really was an eye-opener. No more assuming, on my part, that any neerdowells would probably go after the big fish instead of me.

Better safe than sorry!

Resteeming for the importance of this! It's a little technical for the average person, but definitely worth a read! That's how big YouTubers got their accounts hacked too. Verizon and ATT screwed over a bunch that way :P

Here is a real-life story of a few days ago about the same matter in this article in a step by step horror that happened to a young guy - by using 2 step sms:
https://steemit.com/bitcoin/@sensatus/if-you-have-a-coinbase-account-beware-spread-the-word-fellow-steemians-and-cryptotraders
It is unbelievable. I never knew of a sms phone swap, but seems it is not that uncommon.

Good article. It amazes that pretty much all the (Australian) banks and (Australian) paypal only allow SMS authentication. I'm not even an IT person and I still know this is shit and open to abuse.

Secondly, it's a massive pain in the arse when you're overseas and in a country that doesn't have a roaming agreement with your network (Vodafone - I'm looking at you!). You are therefore locked out of your accounts until you return to a country that you can access SMSs from. This has happened to me numerous times.

However, I now have a follow up question - what are people's thoughts on google authenticator/authy etc?

google authenticator is decent and better than SMS. But it is not as secure as U2F.

I'm dealing with a situation not unlike the one described here. Lost access to my 2FA phone and my number may have been co-opted. I get to wait for Coinbase's glacial support to find out if my account even has a balance left. It has been weeks and cost me tens of thousands. If anyone has a reasonable USD funding alternative to Coinbase that isn't Kraken, I would love to hear it!

use BitPay. You can load this debit card with Bitcoin, then it converts it to USD. I don't use Coinbase anymore....

Does this work in reverse? The BitPay site is a little unclear. What if I want to deposit USD into Steem?

Good warning. I keep my coinbase account as empty as possible. The good news about this revelation is that it is inspiring impetus that much work needs to be done to make computers secure. Computers are built to be hacked so that government can access them. The NSA proves this as do leaks against many of the other agencies. Join COS - the Convention of States as the return of a citizen's financial and personal privacy is a key issue.

This will not change until we force government to obey the law, if we can ever do that - The Constitutional Law.

In the meantime, thanks for your article and enlightment about the hazards that are still out there @stellabelle

I lost around 300 USD value on poloniex a week ago and no reply from them yet. I forgot to set up 2WF , took me a day to figure out how to do it and only with google authenticator. It's a good lesson and thanks god not that much. Thanks for your article. Need to learn more about this issue.

It's honestly going to take them forever to respond.. I'm 4 weeks into a pending ticket....

Wow ! That's crazy

Google authenticator is good, but it's not ultra secure.
You need to get a U2F physical key.

so you mean your account was hacked?
btw, it's U2F

Yes my poloniex account got hacked

omg! I don't know anyone whose account was hacked! And they hacked it for $300?
CRAZY

Yes ordered a withdrawl of BTC only. I didn't have much in it because I keep most in my exodus wallet. I use those amounts for fast trades. Anyways what surprises me that poloniex doesn't reply. I'm so over those exchanges.

I don't like Poloniex....it's too big for my tastes.

I am out of there ....

Somebody, not me ordered a withdraw. No idea how this is even possible

It's all so complicated for "normal" old school people like me agrrrrrrr

well, we're the same age....you just have to learn new things, that's all. If you watch these videos, you will realize it's easy to do.

Are you really 58 haha 😂 I am learning every day and my head dizzy but I manage

ok, i'm not....I thought you were my age!

🙈

Omg! funny thing about a week ago i disabled 2 factor authentication on all my accounts...just didn't feel too safe especially if i lose my phone..things can get really ugly. This post just reassured me that i made the right decision! thanks! @stellabelle

did you set up for U2F? Without a second factor it could be insecure......but text messaging definitely not good!

I use LastPass to store my passwords (for now... once my premium runs out in a few days, I intend to use a open source alternative instead) and have used a Yubikey for the last 2.5 years.

Works pretty well, though Lastpass, as I have come to notice, is useless for mobile phones, as they "can't use U2F" and therefore a simple password is all that's needed.

Which means bypassing LastPass U2F is as simple as installing LastPass app onto a virtual Android or IOS machine XS

I'll look into protonmail. one of my teacher's recommended it too. I just completely forgot about it...

i tried protonmail but it doesn't filter out scam emails. I got too many and couldn't manage the scam emails, so i stopped using it.

I guess the only way to use it efficiently is if you auto-block EVERYTHING not coming from a specific set of addresses. That way you can use it, say, for messages coming ONLY from 1-2 crypto exchanges, ignoring any other messages.

Though such a feature needs to exist, of course.

Important info. Thanks. Maybe I'll dust off my old MTGOX yubikey. I saw a post somewhere about unlocking it and repurposing it.

how much did you lose in MT. Gox?

I sold all my bitcoin to someone on the site who was buying for pennies on the dollar thinking it would all get sorted out. I lost $8000 and the lawsuit added a few hundred for the delay.

ouch

So many good advises in this post, and further comments.
However, one thing keeps me confused, still wondering

There is no 2FA in STEEMIT yet?

Is this right? WHY?
I could not find it anywhere in the settings.
It is unbelievable - all wallets , their funds inside are public.
And NO 2FA ?
Are the devs waiting for the first serious issue to implement it?

we have a multi day lag if funds are removed, so if we get hacked, we can recover our accounts before our funds are stolen.

Brilliant post, security now has to be the number 1 priority!

Better yet, don't use gmail for such things, use an end to end encrypted email service such as protonmail.

I use protonmail for confidential business. Their self-destruct messages enable me to send clients private information that they must access within a specified time frame. Never use the same password for accounts, even if you're using U2F, every account should have a different password. Gets hard to remember, but that's what encrypted password managers are for. ;)

Yes. Lastpass has seriously helped in maintaining different passwords I can use across multiple computers and devices.

This post received a 68% upvote from @randowhale thanks to @stellabelle! For more information, click here!

ah cool! This works! Thank you!

nice post, I like this....

Thank you for informing us @stellabelle
I new about those usb stick thingies, but thought to myself "I will never be hacked, this only happens to other people". This made me think again and upgrade my security through your tips. Thanks again!
Have a nice day and remember... GoCoconuts 😉

i remember the coconuts

  ·  7 years ago (edited)

Know about that issue - Coinbase promotes to sue this Google Authenticator - many people might think that is a scam by reading too

wow That's eye opening Thank you very much Man Although I don't have much but bookmarked this page for future references. keep sending them followed you

Great info for a newbie like me and I bet for some of the old hands too 😉 resteemed for others

Great contribution thanks! Sometimes we believe that with simple measures we are safe but we have to do as much as possible to protect our safety

Great article! Question: Would using this device eliminate the need for keeping currency in a offline wallet?

No! Keeping your coins in an offline wallet is a necessity. Most exchanges don't have U2F anyway. Plus, even if they did, I think hackers will find a way to compromise the servers......
holding your private keys to your digital coins is a must.

Thanks for getting back to me on this, I haven't purchased one yet, looking at the Trezor.

This is some timely advice. SMS is what most of use for two factor auth. Thanks for sharing!

Didn't know that could be done even if you have 2FA through sim card.
Thanks for the info!

yes, get rid of SMS now. It's not good.

Thanks for this! Happened to one of my buddys. Keep your accounts safe!

Nice advice ! :)

As an awesome U2F device, may I recommend the Digital Bitbox bitcoin wallet/u2f. Great device, good price, btc wallet and u2f, can't go wrong.

always use text AND email AND 2fa

so i guess that 2 factor authorization done with an cellphone app is not sure either?... What if i don't have access yet to those physical keys? what would be the safest 2 way factor authorization?

Google Authenticator is a better option while you are waiting for your keys

You mean to disable "SMS text messages as your 2FA", not delete your phone number associated with Coinbase (i forgot, but isn't a phone number needed for your Coinbase - as an identity or something?)
Two ways I researched to avoid this issue and keep your phone:

  1. Get a pre-paid phone (not associated with any identity)
  2. Google Voice number
    if someone knows more about the subject, please feel free to comment...

Another thing to add.. It seems that nowadays everyone is using Gmail. Ok, i wonder, don't people use paid email providers? (like if you have your own domain ) or maybe in cryptoland that's way more transparent...
..... Now all other story is if you lose your phone or that physical key breaks (or is lost).......

Very good recipe, greetings know. @tantawi

Security is number one... as soon as you have considerable amount of coins in your account. Secure it as what @stellabelle detailed here. Very good information. Upvoted and resteemed.

and here I was feeling all safe and secure with my 2 factor verification via text message. That is really scary. Please follow up with info about the other keys. Would be very interested in what you find out.

ok...i haven't yet, but your text sms 2fa is not secure.

very good . thank you to open my eyes ,