Over the last month, a half dozen people I know have been targets of account takeover attacks and unfortunately, a few of those attacks were successful. Most of these account takeover attacks were aimed at Coinbase accounts.
I have written blog posts every time I have been hacked and explained how it happened to me and the mistakes I made and how others can avoid what happened to me.
This post is a bit different because I have not been the target of an account takeover in the last month. But because so many people I know have been, I feel like writing on this topic again.
First and foremost, we should never ever give anyone, even a Coinbase employee or an employee of another financial institution, our account login credentials. The hackers are doing a great job of masquerading as employees and we are easily fooled. AI will only make this easier for hackers. But rule number one is never give anyone your account login credentials, even someone who appears to be an employee of the institution that holds your assets.
My second rule is to have most of your assets in a "vault", which is an account with withdrawal limits. I like a 48-hour withdrawal limit and also a multiple signer requirement. Many people don't want their assets tied up for 48 hours. In the event of a massive price decline or some other event, they want to get their funds out. So that is the purpose of the multiple signer requirement. It could be two signers out of three or three signers out of five. The idea is to introduce some friction into the asset send/withdrawal process so the hackers cannot simply move your assets out when they take over your account.
A modification of this approach is to whitelist certain addresses you can send to immediately and put friction on everything else. I use that approach as well, but not in lieu of the 48 hour and multi-signer requirements. I like to have a lot of friction on our family's assets.
My third rule is to use two-factor authentication on your login credentials. I prefer a hardware two-factor device like a YubiKey or a Thetis device. The reason this is so important is that if you have a hardware two-factor device on your accounts, you can be certain that nobody has access to your accounts, even when you are told someone does. Time and time again, when being socially engineered, I have taken a deep breath and thought "they can't have my hardware key" and I ignored the attack.
A new attack vector that has emerged recently is that users are fooled into entering a seed phrase given to them by someone claiming to be an employee of an institution into a self-custody wallet, and then they send their assets to that new wallet. Not everyone realizes that a seed phrase is the key to a self-custody wallet. A seed phrase is, effectively, the wallet. We should never ever enter a seed phrase given to us by someone into our self-custody wallet. That is like leaving your door wide open because a thief instructed you to. The really perverse thing about this attack vector is that the hackers use the word "vault" to encourage users to do this. Don't ever "vault" your assets in your self-custody wallet using a seed phrase given to you.
You need to have a setup that:
1. allows you to comfortably ignore all of these attacks
2. protects you from yourself in the case you do succumb (whitelisting + multisig + 2FA)
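To make the "friction" rules concrete, here is a small added model (my illustration, not Coinbase's or any exchange's actual code) of a vault that combines the three controls described above: whitelisted addresses settle immediately, everything else waits out a 48-hour delay, and a 2-of-3 signer quorum can release a withdrawal early. The `cancel` step is the point of the delay: the legitimate owner sees a withdrawal they never requested and stops it before it settles. The address names, signer names and balances are constructed sample values.

```python
"""Toy model of whitelist + withdrawal delay + multisig friction.
Added illustration; the policy parameters below are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy: the post's 48-hour delay on non-whitelisted sends.
WITHDRAWAL_DELAY = timedelta(hours=48)


@dataclass
class Withdrawal:
    amount: int
    to: str
    requested_at: datetime
    approvals: set = field(default_factory=set)
    status: str = "pending"  # pending | released | cancelled


@dataclass
class Vault:
    balance: int
    whitelist: set        # addresses that may be paid immediately
    signers: set          # people who may approve an early release
    threshold: int        # approvals needed to bypass the delay (e.g. 2 of 3)
    pending: list = field(default_factory=list)


def available(vault):
    """Balance not already committed to queued withdrawals."""
    return vault.balance - sum(w.amount for w in vault.pending)


def request_withdrawal(vault, amount, to, now):
    """Whitelisted destinations settle at once; anything else is parked
    behind the delay, where the owner can still see and cancel it."""
    if amount > available(vault):
        raise ValueError("insufficient available balance")
    w = Withdrawal(amount, to, now)
    if to in vault.whitelist:
        vault.balance -= amount
        w.status = "released"
    else:
        vault.pending.append(w)
    return w


def approve(vault, w, signer):
    """Record one signer's approval; unknown signers are ignored."""
    if signer in vault.signers and w.status == "pending":
        w.approvals.add(signer)
    return len(w.approvals)


def cancel(vault, w):
    """The owner spots a withdrawal they never made and cancels it
    during the delay window. Nothing has left the vault yet."""
    if w.status == "pending":
        w.status = "cancelled"
        vault.pending.remove(w)
    return w.status


def try_release(vault, w, now):
    """Release a pending withdrawal only if the delay has elapsed or
    enough signers approved. Returns the resulting status."""
    if w.status != "pending":
        return w.status
    delay_elapsed = now - w.requested_at >= WITHDRAWAL_DELAY
    quorum_met = len(w.approvals) >= vault.threshold
    if delay_elapsed or quorum_met:
        vault.balance -= w.amount
        w.status = "released"
        vault.pending.remove(w)
    return w.status


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    vault = Vault(100, {"family_addr"}, {"alice", "bob", "carol"}, 2)
    # An attacker with stolen credentials tries to drain to an unknown address.
    theft = request_withdrawal(vault, 90, "attacker_addr", t0)
    print(try_release(vault, theft, t0 + timedelta(hours=6)))   # pending
    print(cancel(vault, theft), vault.balance)                    # cancelled 100
```

A real custodian's implementation will differ in every detail; what the model shows is the shape of the control: the only path that moves funds without waiting is one the owner pre-approved (the whitelist) or one that needs more than a single compromised login (the signer quorum).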
There are certainly other rules that you can follow, but if you follow these, I believe you can keep your assets safe.
I hope you will take the time today or this week to set your accounts up correctly. Too many people are getting their accounts taken over and wiped out. We need to protect ourselves.
Disclosure: I am on the Board of Coinbase and our family is a large shareholder in Coinbase.
I wrote the email below to a founder doing his first board meeting.
Board meetings can provide a leadership team with a perspective on the business that can be very helpful.
But many Board meetings are simply reporting sessions. That is a wasted opportunity in my view.
So setting them up right and getting feedback in real time makes all the difference.
Here's what I suggested to him:
Send out a pre-read that allows everyone to come into the meeting knowing all of the important stuff. I would try to send that out at least two or three days before the meeting so that everyone has time to read it before the meeting
I would include all of this in the pre-read:
- sales update, pipeline, key accounts, projections for wins in the next 3-6 months
- technology update, key priorities, key things shipping in the next 3-6 months
- manufacturing update, key partners and progress on them
- financial update - balance sheet, P&L, cash forecast for the rest of the year
- people update, key hires made, key hires planned, any departures
There are probably other key things to include, but these are the most typical.
The number one thing I hear from people who want to write online more is that they struggle to publish incomplete ideas and unpolished compositions.
What I have learned from writing online regularly for over twenty years is that writing online is a conversation.
What I mean by that is that you are not trying to publish complete ideas. You are engaging in a conversation with the world and you are a participant in that.
Here's an example from back in 2006:
I was seeing a lot of startups using a business model where they gave their service away for free with hopes of converting some of the users to subscribers. I wanted to give that business model a name. So I wrote about it and asked the folks who were reading my posts to suggest some names.
One reader suggested "freemium" and I loved it and wrote another post stating that we now have a name for that business model.
That's a conversation.
Here's another example: