This story popped up on my Facebook timeline.
It’s a Wall St. Journal article that will probably disappear behind the paywall. If you have a blockchain or bitcoin account, you will want to pay for the Wall St. Journal subscription and read this.
Here is a Wired article with some more details.
The key to how $24 million in cryptocurrency was lost comes down to this passage from the WSJ article.
Within minutes, the hackers began trying to take over his Gmail accounts, using Google’s “Forgot password?” account reset feature. With access to his phone number and email, they were quickly able to steal millions in cryptocurrency from digital wallets Mr. Terpin believed to be secure.
Actually it comes down to one word: Gmail. Gmail is free and convenient. What it is not is secure, especially when somebody has acquired your phone, or even just your SIM. What happened here was a domino chain of vulnerabilities that led to Mr. Terpin losing access to his bitcoin wallets and the wallets being taken over by persons unknown. Once the hackers were inside, there was nothing stopping them from taking everything.
The irony is that Mr. Terpin’s phone had been hacked once already and that he had gone to his service provider to enhance his phone security. Here’s some of what he did.
Here is the really scary part: Mr. Terpin had been SIM-swapped seven months earlier. He got lucky and didn’t lose any money that time, but had taken serious steps to prevent it from happening again. He had consulted with security professionals. He had gone to an AT&T store and added a security feature to his account that required a secret six-digit PIN to make any changes. He removed text-message authentication where he could, replacing it with Google Authenticator.
All good things. None of which helped. The key thing is that he didn’t do two things. First, he did not set up an email account that was not from Google and that lived on a secure server. Second, he did not compartmentalize. The fact is that putting your life on a smartphone is very convenient, perhaps too convenient if you like to constantly look at investments and whatnot. I imagine that Mr. Terpin was constantly watching his money, on his phone.
The problem with that is that in order for that convenience to be available, the phone has to talk to all those accounts, and it is all too easy to just let the phone handle things like account authentication. That is convenient. What it is not, in any way, is secure. Once the hackers were inside, however they got there, all they had to do was ask Google for a password change. If a phone call or text was required, it would go to the same number that had been hijacked. So Terpin was locked out of his accounts and anything connected to them.
If you have serious money, like Mr. Terpin, I would make sure that any transactions go through a separate, secure email account that does not keep email on the phone once it has been read. If you have to, set your email to auto-delete on the phone. You can keep your pictures on the phone, but your finances should never be accessible directly from the phone without a separate access step. Frankly, at Mr. Terpin’s level, it would have paid to have his own server at an IT outfit that provides such services, reached from a separate phone that Mr. Terpin should not have used for anything other than his money.
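To make the two points above concrete (a recovery flow that rides on the phone number fails open after a SIM swap, and a compartmentalized account with no phone attached gives the SIM holder nothing), here is a small added model written for this post. It is not code from the WSJ or Wired articles or from any real provider; the account names, phone number, SIM identifiers and the three policy names are constructed for the illustration.

```python
"""Toy model of a 'Forgot password?' flow under different recovery policies.

Added illustration for this post. Every name, number and policy here is
constructed; this is not any real carrier's or mail provider's logic.
"""
from dataclasses import dataclass, field
from typing import Optional

SMS_COOLDOWN_DAYS = 7  # constructed policy value: distrust SMS this long after a SIM change


@dataclass
class Carrier:
    """Which SIM a phone number currently rings, and how long ago that changed."""
    sim_for: dict = field(default_factory=dict)            # number -> SIM id
    days_since_change: dict = field(default_factory=dict)  # number -> days

    def sim_swap(self, number, new_sim):
        # A port-out / SIM swap at the store: the number now rings a new SIM.
        self.sim_for[number] = new_sim
        self.days_since_change[number] = 0


@dataclass
class Account:
    email: str
    recovery_phone: Optional[str]  # None = no phone number bound to the account
    factors: frozenset              # subset of {"sms", "totp", "hardware_key"}


def factors_reachable(account, carrier, holder_sim, holder_secrets):
    """Return the recovery factors a requester can actually satisfy.

    holder_sim: the SIM id in the requester's handset.
    holder_secrets: factors the requester holds directly (TOTP seed, hardware key).
    SMS is satisfiable only if the carrier now routes the number to holder_sim.
    """
    reachable = set(holder_secrets) & account.factors
    if ("sms" in account.factors and account.recovery_phone
            and carrier.sim_for.get(account.recovery_phone) == holder_sim):
        reachable.add("sms")
    return reachable


def recovery_allowed(account, carrier, reachable, policy):
    """Evaluate a reset request under one of three constructed policies."""
    if policy == "sms_sufficient":
        # Any single factor, SMS included, unlocks the account.
        return bool(reachable)
    if policy == "non_phone_factor_required":
        # Something that does not travel with the phone number is mandatory.
        return bool(reachable - {"sms"})
    if policy == "sms_cooldown":
        # SMS is ignored while the number's SIM changed recently.
        recent = (account.recovery_phone is not None and
                  carrier.days_since_change.get(account.recovery_phone, 10**9)
                  < SMS_COOLDOWN_DAYS)
        usable = reachable - {"sms"} if recent else reachable
        return bool(usable)
    raise ValueError(f"unknown policy {policy!r}")


def scenario():
    """Owner's everyday mailbox vs. a compartmentalized finance account after a SIM swap."""
    number = "+15550100"                      # constructed
    carrier = Carrier({number: "sim-owner"}, {number: 400})
    mailbox = Account("owner@example.com", number, frozenset({"sms", "totp"}))
    vault = Account("vault@example.net", None, frozenset({"hardware_key"}))

    carrier.sim_swap(number, "sim-attacker")  # the number now rings the attacker's SIM

    attacker_mail = factors_reachable(mailbox, carrier, "sim-attacker", set())
    attacker_vault = factors_reachable(vault, carrier, "sim-attacker", set())
    owner_mail = factors_reachable(mailbox, carrier, "sim-owner", {"totp"})

    return {
        "attacker_reaches_on_mailbox": attacker_mail,
        "mailbox_sms_sufficient": recovery_allowed(mailbox, carrier, attacker_mail, "sms_sufficient"),
        "mailbox_non_phone_required": recovery_allowed(mailbox, carrier, attacker_mail, "non_phone_factor_required"),
        "mailbox_sms_cooldown": recovery_allowed(mailbox, carrier, attacker_mail, "sms_cooldown"),
        "vault_sms_sufficient": recovery_allowed(vault, carrier, attacker_vault, "sms_sufficient"),
        "owner_still_recovers": recovery_allowed(mailbox, carrier, owner_mail, "non_phone_factor_required"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the asymmetry: the owner, who still holds the TOTP seed, can recover under the stricter policy, while the SIM holder can only satisfy the factor that follows the phone number. The account with no phone bound to it never has an SMS factor to hijack, which is what the advice about keeping finances off the everyday phone amounts to.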
The fact is that any device that talks to the net is not secure. The only truly secure device is one that is turned off. But there are steps that one can take, such as compartmentalizing things like finances and investments, to help keep yourself out of the sights of the people who took Mr. Terpin’s bitcoins away.