Over the last month, a half dozen people I know have been targets of account takeover attacks, and unfortunately a few of those attacks were successful. Most of these account takeover attacks were aimed at Coinbase accounts.
Every time I have been hacked, I have written a blog post explaining how it happened, the mistakes I made, and how others can avoid what happened to me.
This post is a bit different because I have not been the target of an account takeover in the last month. But because so many people I know have been, I feel like writing on this topic again.
First and foremost, we should never ever give anyone, even a Coinbase employee or an employee of another financial institution, our account login credentials. The hackers are doing a great job of masquerading as employees and we are easily fooled. AI will only make this easier for hackers. But rule number one is never give anyone your account login credentials, even someone who appears to be an employee of the institution that holds your assets.
My second rule is to keep most of your assets in a "vault", which is an account with withdrawal restrictions. I like a 48-hour withdrawal delay together with a multiple-signer requirement. Many people don't want their assets tied up for 48 hours; in the event of a massive price decline or some other event, they want to be able to get their funds out. That is the purpose of the multiple-signer requirement: it could be two signers out of three or three signers out of five. The idea is to introduce friction into the send/withdrawal process so that hackers who take over your account (or even one signer's key) cannot simply move your assets out.
A modification of this approach is to whitelist certain addresses you can send to immediately and put friction on everything else. I use that approach as well, but not in lieu of the 48-hour delay and multi-signer requirements. I like to have a lot of friction on our family's assets.
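As an added illustration of the second rule and its whitelist modification (example code written for this page, not Coinbase's implementation): a small model of a vault policy in which a whitelisted destination pays out immediately, and everything else needs a quorum of distinct signers and a 48-hour delay. The signer names, addresses, balances and the 48-hour constant are made up, and the model assumes any signer can cancel a pending withdrawal during the delay, which is what makes the delay useful against an attacker who holds the account login and one signing key.

```python
"""Illustrative vault policy model (not Coinbase's code): whitelist bypasses
quorum and delay, as the post describes; anything else needs `quorum`
distinct signers AND DELAY_SECONDS to elapse, and can be cancelled meanwhile."""
from dataclasses import dataclass, field

DELAY_SECONDS = 48 * 3600  # the post's 48-hour delay (assumed fixed)


@dataclass
class Withdrawal:
    destination: str
    amount: int
    requested_at: int  # seconds; the caller supplies the clock
    approvals: set = field(default_factory=set)  # distinct signer names
    status: str = "pending"  # pending | executed | cancelled | failed


class Vault:
    def __init__(self, signers, quorum, whitelist, balance):
        if not 1 <= quorum <= len(set(signers)):
            raise ValueError("quorum must be between 1 and the number of distinct signers")
        self.signers, self.quorum = set(signers), quorum
        self.whitelist, self.balance = set(whitelist), balance
        self.withdrawals, self._next_id = {}, 1

    def _check_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer on this vault")

    def _pay(self, w):
        # Re-check at payout time: a whitelisted spend may have reduced the balance.
        if w.amount > self.balance:
            w.status = "failed"
        else:
            self.balance -= w.amount
            w.status = "executed"

    def request(self, signer, destination, amount, now):
        """Start a withdrawal; the requester counts as the first approval."""
        self._check_signer(signer)
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        wid, self._next_id = self._next_id, self._next_id + 1
        w = Withdrawal(destination, amount, now, approvals={signer})
        self.withdrawals[wid] = w
        if destination in self.whitelist:  # pre-approved destination: no friction
            self._pay(w)
        return wid, w.status

    def approve(self, wid, signer):
        """Record a signer's approval; a set, so one compromised key cannot count twice."""
        self._check_signer(signer)
        w = self.withdrawals[wid]
        if w.status == "pending":
            w.approvals.add(signer)
        return len(w.approvals)

    def cancel(self, wid, signer):
        """Assumption: any signer may cancel while pending. This is what the delay buys you."""
        self._check_signer(signer)
        w = self.withdrawals[wid]
        if w.status == "pending":
            w.status = "cancelled"
        return w.status

    def release(self, wid, now):
        """Try to pay out: quorum first, then the delay, then the funds."""
        w = self.withdrawals[wid]
        if w.status != "pending":
            return w.status
        if len(w.approvals) < self.quorum:
            return "needs_approvals"
        if now < w.requested_at + DELAY_SECONDS:
            return "waiting_delay"
        self._pay(w)
        return w.status


def attack_scenario():
    """Constructed scenario: the attacker holds alice's login and signing key only."""
    HOUR = 3600
    vault = Vault(signers=["alice", "bob", "carol"], quorum=2,
                  whitelist=["addr_family_cold_storage"], balance=1000)
    log = []
    wid, status = vault.request("alice", "addr_attacker", 1000, now=0)
    log.append(status)                               # pending: nothing leaves yet
    vault.approve(wid, "alice")                      # same key again: still 1 approval
    log.append(vault.release(wid, now=1 * HOUR))     # needs_approvals
    vault.approve(wid, "bob")                        # even if bob is talked into approving...
    log.append(vault.release(wid, now=2 * HOUR))     # waiting_delay: the clock still holds
    log.append(vault.cancel(wid, "carol"))           # carol notices and cancels in time
    log.append(vault.release(wid, now=49 * HOUR))    # cancelled: it never executes
    _, status = vault.request("alice", "addr_family_cold_storage", 100, now=50 * HOUR)
    log.append(status)                               # executed: whitelisted, immediate
    return log, vault.balance


if __name__ == "__main__":
    print(attack_scenario())
```

The two checks in `release` are ordered so that gathering approvals never shortens the delay: an attacker who compromises a second signer still has to wait out the window, and every signer can see and cancel the pending request during it.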
My third rule is to use two-factor authentication on your login credentials. I prefer a hardware two-factor device like a Yubikey or a Thetis key. The reason this is so important is that if a hardware key is the only second factor on your account (with no SMS or email fallback an attacker could use instead), you can be certain that nobody has access to your account, even when you are told someone does. Time and time again, when being socially engineered, I have taken a deep breath and thought "they can't have my hardware key" and I ignored the attack.
A new attack vector that has emerged recently: users are fooled into entering a seed phrase, supplied by someone posing as an employee of an institution, into a self-custody wallet, and then they send their assets to that new wallet. Not everyone realizes that a seed phrase is the key to a self-custody wallet; every private key in the wallet is derived from it, so whoever knows the phrase controls the funds. A seed phrase is, effectively, the wallet. We should never enter a seed phrase given to us by someone else into our self-custody wallet. That is like leaving your door wide open because a thief instructed you to. The really perverse thing about this attack vector is that the hackers use the word "vault" to encourage users to do this. Don't ever "vault" your assets in your self-custody wallet using a seed phrase given to you.
You need to have a setup that:
1. allows you to comfortably ignore all of these attacks, and
2. protects you from yourself in case you do succumb (whitelisting + multisig + 2FA).
There are certainly other rules that you can follow, but if you follow these, I believe you can keep your assets safe.
I hope you will take the time today or this week to set your accounts up correctly. Too many people are getting their accounts taken over and wiped out. We need to protect ourselves.
Disclosure: I am on the Board of Coinbase and our family is a large shareholder in Coinbase.