TL;DR: Confessing he is “equal parts embarrassed, hurt, and deeply remorseful,” BitGo engineer Sean Coonce decided to share what he has learned since falling victim to a SIM port attack, which eventually led to the attacker gaining access to his Coinbase account and draining it of more than $100,000 in a 24-hour period. “In an effort to raise awareness,” he details how it happened.
BitGo Engineer’s Coinbase Account Hacked for More Than $100K
Just as in prison everyone is innocent and it’s all one giant misunderstanding, cryptocurrency is plagued by geniuses: no one has ever lost money, and no one has made grave, avoidable errors. For at least these reasons, Coonce’s admission is at once an education and terribly refreshing.
“I lost north of $100,000 last Wednesday,” he revealed. “It evaporated over a 24 hour timespan in a ‘SIM port attack’ that drained my Coinbase account. It has been four days since the incident and I’m gutted. I have zero appetite; my sleep is restless; I am awash in feelings of anxiety, remorse, and embarrassment.”
Calling it “the single most expensive lesson of my life,” he’s taking his woe and channeling it into being proactive. “This is still very raw (I haven’t even told my family yet); please reserve judgement with regards to the naive security practices laid out in this post,” he asked. For the most part, community reaction has been sympathetic. Of course, some have quibbled with his charting of events, and others have expressed shock he kept more than $100K on an exchange.
We’re All Vulnerable
Coonce first explains how vulnerable most of us are online without realizing it. A primary email account typically sits at the root of many other online accounts and services, and nearly all of us also carry a mobile phone. The combination opens certain attack vectors, one of which involves SIM card porting, the number-portability feature that lets users keep their phone numbers when switching to a new phone or SIM.
In a SIM port attack, the victim’s number is moved onto a SIM in a phone of the attacker’s choosing, so any SMS sent to that number, including verification codes, now reaches the attacker. “The attacker then initiates the password reset flow on your email account,” Coonce explains. “A verification code is sent from your email provider to your phone number — which is intercepted by the attacker, as they now control your SIM card.”
With control of that primary email account, the attacker can reset the passwords of the accounts tied to it and lock the owner out of all of them. “Take a moment to consider the sheer volume of sensitive information tied to a single Google Account,” he urges. Address, birth date, photographs, calendar, correspondence, search history, contacts, etc. You get the idea.
“I probably deserved to get hacked — I get it.”
Coonce gets downright candid, admitting, “I treated Coinbase like a bank account and you have absolutely zero recourse in the case of an attack. I knew the risks better than most, but never thought something like this could happen to me. I intensely regret not taking stronger security measures with my crypto.” He urged everyone to move their crypto into cold storage, such as a hardware wallet, when not transacting.
He believes SMS-based 2FA is not enough, and though he appreciates services such as Google Authenticator, he recommends getting a YubiKey, a device “you physically control and cannot be spoofed.” He’s also keen on reducing one’s online footprint: our tendency to overshare location, birthdays, and so on creates a nexus of data that is easy to exploit. Other suggestions include using a Google Voice number for SMS 2FA (a VoIP number that is not tied to a carrier SIM and so cannot be ported the same way), a secondary email address, and an offline password manager.
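The chain Coonce describes above, and why a hardware key breaks it, can be seen in a small model. The following is an added example written for this article, not code from Coonce’s post or from any carrier or email provider; the `Carrier` and `EmailProvider` classes, the phone number, SIM ids and address are constructed placeholders. The “hardware key” is simulated with an HMAC over a random challenge; a real YubiKey used via FIDO2/U2F signs the challenge with a private key and also binds the response to the site’s origin, but the property that matters here is the same: the response requires a secret that the attacker’s ported SIM does not give them.

```python
import hashlib
import hmac
import secrets


class Carrier:
    """Toy carrier: maps a phone number to the SIM that currently receives its SMS."""

    def __init__(self):
        self.number_to_sim = {}
        self.inbox = {}  # sim_id -> list of delivered SMS texts

    def activate(self, number, sim_id):
        self.number_to_sim[number] = sim_id
        self.inbox.setdefault(sim_id, [])

    def port(self, number, new_sim_id):
        # A port, legitimate or socially engineered, re-points the number;
        # every later SMS for it is delivered to the new SIM.
        self.number_to_sim[number] = new_sim_id
        self.inbox.setdefault(new_sim_id, [])

    def send_sms(self, number, text):
        self.inbox[self.number_to_sim[number]].append(text)

    def read_sms(self, sim_id):
        return list(self.inbox.get(sim_id, []))


class EmailProvider:
    """Toy email provider offering a weak (SMS) and a hardened (key) reset flow."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.accounts = {}  # email -> {"password", "phone", "key"}
        self.pending = {}   # email -> outstanding OTP or challenge

    def register(self, email, password, phone, security_key=None):
        self.accounts[email] = {"password": password, "phone": phone, "key": security_key}

    # Weak flow: recovery is bound to whoever currently receives SMS for the number.
    def start_sms_reset(self, email):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = otp
        self.carrier.send_sms(self.accounts[email]["phone"], f"Your reset code is {otp}")

    def finish_sms_reset(self, email, otp, new_password):
        if self.pending.pop(email, None) == otp:
            self.accounts[email]["password"] = new_password
            return True
        return False

    # Hardened flow: recovery requires a response only the enrolled key can compute.
    def start_key_reset(self, email):
        challenge = secrets.token_bytes(32)
        self.pending[email] = challenge
        return challenge

    def finish_key_reset(self, email, response, new_password):
        challenge = self.pending.pop(email, None)
        key = self.accounts[email]["key"]
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.accounts[email]["password"] = new_password
            return True
        return False


def hardware_key_respond(key_secret, challenge):
    """Stand-in for the token: the secret stays on the device, only the response leaves."""
    return hmac.new(key_secret, challenge, hashlib.sha256).digest()


def _setup(with_key):
    # Constructed sample data; the attacker has already had the number ported.
    carrier = Carrier()
    carrier.activate("+15550100", "victim-sim")
    mail = EmailProvider(carrier)
    key_secret = secrets.token_bytes(32) if with_key else None
    mail.register("victim@example.com", "correct horse battery", "+15550100", key_secret)
    carrier.port("+15550100", "attacker-sim")
    return carrier, mail, key_secret


def sms_reset_after_port():
    """Attacker completes the SMS-based reset with nothing but the ported number."""
    carrier, mail, _ = _setup(with_key=False)
    mail.start_sms_reset("victim@example.com")
    code = carrier.read_sms("attacker-sim")[-1].split()[-1]
    assert carrier.read_sms("victim-sim") == []  # the owner never sees the code
    return mail.finish_sms_reset("victim@example.com", code, "attacker-chosen")


def key_reset_after_port(as_owner):
    """Key-bound reset: the owner (holding the key) succeeds, the attacker does not."""
    _, mail, key_secret = _setup(with_key=True)
    challenge = mail.start_key_reset("victim@example.com")
    if as_owner:
        response = hardware_key_respond(key_secret, challenge)
    else:
        response = secrets.token_bytes(32)  # the ported number yields no key material
    return mail.finish_key_reset("victim@example.com", response, "new password")


if __name__ == "__main__":
    print("SMS reset after port, attacker:", sms_reset_after_port())
    print("Key reset after port, attacker:", key_reset_after_port(as_owner=False))
    print("Key reset after port, owner:", key_reset_after_port(as_owner=True))
```

The point of the model is that the SMS flow never checks who holds the phone, only who holds the number, and a port transfers the number intact. The key-bound flow checks possession of a secret that the port does not move. The same reasoning is why Coonce’s Google Voice suggestion helps: a VoIP number is not tied to a carrier SIM, so the `port` step above has no equivalent there.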
“I can’t stop thinking about the small, easy things I could have done to protect myself along the way,” he concluded. “My thoughts are clouded with what-ifs and alternate timelines.” He even beats himself up a bit, “Given my naive security practices, I probably deserved to get hacked — I get it.” And if a BitGo engineer can be hacked, it might be a good idea to learn from his experiences and make the necessary changes in your life.
DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH.