eridius 5 years ago

The part of the chart for "threat level I should have had based on everything I know now" is way off. It should have been at least yellow with "zero cell coverage" (assuming the author normally has reasonable cell coverage at that location), should have been red at "got popups to log back into google", and should have broken out of the page and come knocking on your door at the "password didn't work".

If I get unexpectedly logged out of my email account, even if I can log right back in, this should already be at "something seriously fishy is going on and I need to investigate immediately", such as checking the account for any activity. Not being able to log in to my email is "check my provider's status page to make sure they're not having a widespread outage, and if they're not, get on the horn with support immediately".

As the author says, your email account is the keys to the kingdom for virtually every other account you have. Anything that threatens it is serious business.

  • idlewords 5 years ago

    I compare this to driving. We all think we are safe drivers who will not drive when tired, not go too fast in thick fog, and pay attention to our surroundings. In practice, it's hard to live by these rules 24/7.

    I thought the author did a good job describing how he rationalized away these warning signals as flakiness, and had a bad mental model of the situation ("SIM card is being weird") that prevented him taking timely action. He also mentioned outside factors (needing to sleep, stress at work) that affected his judgement.

    It's easy to say this would never happen to you, but even sophisticated people get caught by this stuff, since we are in the end human. Writing this article in the aftermath of losing so much money was a brave and considerate gesture.

    • juliusmusseau 5 years ago

      This reminds me of Popehat's "Don't judge the victims too harshly" paragraph from Chapter 5 from his "Anatomy of a Scam" (https://www.popehat.com/2011/09/18/anatomy-of-a-scam-investi...):

      > Many of you are thinking, "Jesus, I would never fall for the "the check's in the mail, we had trouble with the wire transfer, the money is coming in from our affiliate in New York, I'll get you the tracking number" routine day after day. But sociopaths are very, very good at this. You don't want to believe you've been conned, you don't want to believe you have to go hire a lawyer and file a lawsuit, you don't want to believe someone can do this to you, you want the income that this transaction promises, and often you don't want to go tell your superiors — so you keep hoping that the money is coming any day now. It can happen to you. It's happened to very smart lawyers I know. It's happened to me. And I used to put these people in jail. So don't judge the victims too harshly. When you find yourself in such a situation, you've got to focus — to convince yourself to bail out and cancel the contract, stop providing services, and file suit if necessary.

    • eridius 5 years ago

      I'm not complaining about the author's description of their timeline, just taking issue with that bar on the right that is described as the threat level they should have had.

tpetry 5 years ago

In his learning he is missing the biggest mistake: resetting the email account by SMS.

2FA and all are secure enough, the problem for him was that his mobile phone number was the only thing needed to gain access because the attacker was (1) able to reset the password for the mail account by SMS and (2) 2FA was SMS based.

There should be _absolutely no_ way of resetting the password of your mail account besides some pregenerated tokens you are keeping safe somewhere.

  • antimora 5 years ago

    I just tried and confirmed Gmail requires a recovery phone number or email for standard setup. And Gmail gives you an option to recover with SMS =\

    • idlewords 5 years ago

      There are two places in Gmail where you might have your phone number. The first is in 2FA options, and it's easy to delete if you add TOTP or a security key.

      The second is "recovery phone number" in a different settings pane. That one is easy to miss!
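The recovery policy the thread argues for (a mail password can be reset only with a pregenerated one-time code kept offline, never via SMS), as an added illustration that is not code from any commenter or from Gmail. The channel names, code format and hashing scheme are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Channels a password-reset request can arrive through. SMS and voice are
# listed only so the policy rejects them explicitly: a ported SIM must not be
# enough to reset the mail password. (Names are assumptions for this example.)
REJECTED_CHANNELS = {"sms", "voice_call"}


def generate_recovery_codes(count: int = 8) -> list[str]:
    """Return fresh one-time codes for the user to print and keep offline."""
    return [secrets.token_hex(5) for _ in range(count)]  # 40 bits each


def _digest(salt: bytes, code: str) -> str:
    # Codes are high-entropy random strings, so a salted SHA-256 suffices;
    # a slow KDF is only needed for human-chosen secrets.
    return hashlib.sha256(salt + code.encode()).hexdigest()


class RecoveryCodeStore:
    """Keeps only salted hashes of the codes; each code can be redeemed once."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = {_digest(self.salt, c) for c in codes}

    def redeem(self, code: str) -> bool:
        candidate = _digest(self.salt, code.strip().lower())
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                self.unused.discard(stored)  # single use: burn the code
                return True
        return False


def authorize_password_reset(channel: str, store: RecoveryCodeStore,
                             proof: str) -> bool:
    """Policy: reset only with a valid unused recovery code, never via SMS/voice."""
    if channel in REJECTED_CHANNELS or channel != "recovery_code":
        return False
    return store.redeem(proof)
```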

throwaway45636 5 years ago

Coinbase Pro has an address whitelisting feature, which adds a 48 hour wait before a new crypto address can be used for withdrawals. This may have also mitigated the attack.
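The control described in the comment, modelled as an added example (not Coinbase's code): a withdrawal allowlist where a newly added destination stays "pending" for 48 hours, so an attacker who has just taken over the account cannot drain it immediately and the owner has a window to notice and remove the address. The address strings and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Cool-down assumed to match the 48-hour wait mentioned in the comment.
ACTIVATION_DELAY = timedelta(hours=48)


@dataclass
class WithdrawalAllowlist:
    """Destination addresses become usable only ACTIVATION_DELAY after being added."""
    added_at: dict[str, datetime] = field(default_factory=dict)

    def add(self, address: str, now: datetime) -> None:
        # Re-adding an existing address never shortens its remaining wait.
        self.added_at.setdefault(address, now)

    def remove(self, address: str) -> None:
        # Removal is immediate: the owner can cancel a pending address at once.
        self.added_at.pop(address, None)

    def check_withdrawal(self, address: str, now: datetime) -> str:
        """Return 'allowed', 'pending' (still cooling down) or 'denied' (unknown)."""
        added = self.added_at.get(address)
        if added is None:
            return "denied"
        return "allowed" if now - added >= ACTIVATION_DELAY else "pending"


def simulate_takeover() -> list[str]:
    """Constructed timeline: attacker adds an address right after taking over."""
    t0 = datetime(2019, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed time
    attacker = "bc1q-constructed-attacker-address"
    wl = WithdrawalAllowlist()
    verdicts = [wl.check_withdrawal(attacker, t0)]          # never added
    wl.add(attacker, t0)
    verdicts.append(wl.check_withdrawal(attacker, t0 + timedelta(hours=1)))
    wl.add(attacker, t0 + timedelta(hours=47))              # re-add: no reset
    verdicts.append(wl.check_withdrawal(attacker, t0 + timedelta(hours=48)))
    wl.remove(attacker)                                     # owner noticed in time
    verdicts.append(wl.check_withdrawal(attacker, t0 + timedelta(hours=49)))
    return verdicts
```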

blunte 5 years ago

Seems like you have a valid lawsuit against the phone company that ported your SIM.

  • jandrese 5 years ago

    What law did the phone company break? Breach of contract? I wouldn't be surprised if they indemnified themselves in the TOS for your phone plan.

    • blunte 5 years ago

      Regardless of what is written in a contract, if enough money is involved there can be a lawsuit that might result in a settlement or award.

      • unnouinceput 5 years ago

        People forget that the cell company is giving you the possibility to recover your account as well through standard practices. I believe what happened to OP is that he used a weak one, that was based on publicly available information (he states that in the article himself) and that is how the attacker got the foothold in the first place. After that it was a simple game of playing by the rules all the way to the Coinbase account and draining it.

watersb 5 years ago

Very good walk-through of the experience of being the victim of a SIM (cell phone service porting) attack.

With flow charts and timelines.

londons_explore 5 years ago

Something's up here...

Assuming it was a Google account with 2 factor enabled, you aren't allowed to reset the password with an SMS only.

You need two factors. I suspect his original password was leaked, or perhaps he had a recovery email address also broken into?

  • eightysixfour 5 years ago

    It almost always starts with a phishing attempt to get the original password. These attacks are unfortunately common for those working with cryptocurrency.

    • ndiscussion 5 years ago

      And those working with cryptocurrency seem to be very ill-equipped for protecting their wealth. Seems like a natural filter.

throwaway45636 5 years ago

I wonder if the victim was able to find the transaction of the withdrawal on the blockchain. It may be interesting to see what the hacker did with the coins.

  • unnouinceput 5 years ago

    Probably a lot more transactions, hard to track along the blockchain, and most likely converted to other currencies as well, using the mentioned Coinbase as well, and in the end in a newly minted wallet.

just_one_time_ 5 years ago

what kind of an idiot leaves that much on coinbase?