The Crypto Thread

Yeah and those PINs were exposed in the hack. I changed mine.

But I have a feeling even if you show up in the store and say you forgot your PIN, you can give them a bunch of other information instead.

I don’t think their store employees are prepared for this in any way. And some of them may even be in on it. My friend who got hacked is in Florida, which seems to be a hotbed for this kind of thing.

Like, walk me through the steps of how losing my cell phone or having my SIM card spoofed gets my Binance account hacked? The only way that is possible is extreme negligence by the user.

Password reset. I checked my bank and all I need is to send a code to my SMS on file to reset my password (which I have since removed).

I don’t know coinbase or binance but he says that’s what happened.

You can’t just reset a binance account that way. I’ve been banned from coinbase long enough that I have no idea what is possible there but I would be stunned if there weren’t at least security questions or something.

You shouldn’t be 2FAing anything with significant consequences through SMS. That’s my point. It’s moronic.

My best guess is you are missing some critical information. How did they know to hack this one specific moron’s crypto wallets? Are they spoofing every sim card that exists?

Agreed. But it’s not like people just know that from birth. One assumes (wrongly) that if a bank lets you reset your password over SMS, then SMS must be pretty hard to spoof.

Are you sure you have to give a phone number? I have lots of extra accounts with no phone number verified. I just can’t join/talk in certain Discords with those accounts.

Same - I signed up for the free McAfee virus protection from the T-Mobile hack and got told like 20 times that my information has been hacked and shown up on the dark web. I’ve just put new super secure passwords on everything that matters and removed SMS as a password reset source.

Sometimes banks won’t even let you remove SMS apparently. So people get around it by getting a burner number and then throwing it away.

I have a large amount of crypto at this point and I am 99.9% sure I could give you my wallet password OR my phone sim card and you would have no chance to get any of it. Most people who tell stories about being hacked got compromised through an email/discord scam and are too embarrassed to admit it.


He’s given a ton of details which he’s posted in this thread. He got the super secret T-mobile fraud protection setting, which I was just denied because it can only be added after a fraud protection has been opened. He definitely got SIM-swapped.

https://www.thestreet.com/investing/crypto-explosion-leads-to-hacker-interest

On Monday, the Wall Street Journal told the story of Rosa Maguina, who saw her Binance and Coinbase crypto accounts emptied to the tune of $80,000 shortly after noticing that her phone temporarily lost a signal earlier this year.

I think Suzzer’s point is that 99% of people don’t know this. Like, everyone assumes 2FA is safe; I know I did. I use Google Authenticator for some crypto exchanges, but I bet my bank account is set up for SMS 2FA. Need to take a look at that.

Yeah, I had 2FA on my bank too. But in adding a text for 2FA, I also opened a huge security hole by setting a recovery phone for resetting the password - a single point of failure. Although I think it might have asked some security questions too.

According to most commenters on Hacker News, a strong password is better than a strong password + SMS 2FA/password recovery.

I’m also skeptical you can get Coinbase/Binance compromised just through SMS 2FA. Somehow a person doing this knows, at a bare minimum, that you have crypto assets and where.

You can probably try pinging Binance and Coinbase with the person’s email (obtained in the hack) to see if they have an account or not. Even if sites don’t explicitly say the account exists, if there’s a time difference in the response for an existing account vs. no account, hackers use that.
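A server-side mitigation for the response-time difference described in the post above, as an added example (not code from Binance, Coinbase or anyone in the thread): the hardened login handler hashes against a dummy credential when the username is unknown, so the unknown-user and wrong-password paths do the same work and return the same message. The leaky version shows the pattern being warned about; usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed in-memory store: username -> (salt, pbkdf2 hash). Sample data only."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(pw, salt))
    return store


# Dummy credential used whenever the username is unknown, so the unknown-user
# path does the same PBKDF2 work as the known-user path instead of returning early.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-never-a-real-password", _DUMMY_SALT)


def leaky_login(store, username: str, password: str) -> Tuple[bool, str]:
    """The pattern to avoid: unknown users skip the slow hash and get a different
    message, so both response time and text reveal whether the account exists."""
    if username not in store:
        return False, "No such user"
    salt, expected = store[username]
    if _hash_password(password, salt) == expected:
        return True, "ok"
    return False, "Wrong password"


def login(store, username: str, password: str) -> Tuple[bool, str]:
    """Hardened: same hashing work and same message whether or not the user exists."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest does not exit early on the first mismatching byte; the dict
    # lookup is negligible next to PBKDF2, so both paths take about the same time.
    if hmac.compare_digest(candidate, expected) and username in store:
        return True, "ok"
    return False, GENERIC_FAILURE
```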

Either that or they have some other way of knowing who has crypto and who doesn’t. Of the three other people my friend talked to who had this happen (all T-mobile, all in the last few weeks), 2 had crypto accounts, and one he didn’t say for sure.

Don’t they still have to have a phone number/email match? It isn’t as simple as just plugging all the phone numbers/emails into Binance and trying this.

There are hundreds of people per day crying on discord about getting scammed. Most times it’s falling for very traditional CLICK MY LINK FOR FREE XYZ AND CONNECT YOUR WALLET TO WIN stuff.

I mean hell I have been scammed twice that I can think of. Was it clever enough to fool me, yes. But ultimately my own stupidity is also part of the problem.

Yeah, it might be. I don’t know how Binance login or password recovery works. But I do know that if hackers take over your account, good luck ever getting control of it again.

Just go try now with Binance - say you lost your password or your 2FA device or whatever and see what happens. How does it work if you lose your phone that has the 2FA app and can’t remember your password?

I have a Binance account where the phone with my Google Auth became unusable because it broke, and I was too dumb/careless to save the recovery key. It doesn’t work anything like your friend says it does.

I literally had to send a picture of myself with a piece of paper with the date on it and my passport to do the first step of the recovery process.

I called T-Mobile to get the super SIM-swap protection my hacked friend now has. As mentioned, they said I can’t get it unless I open a fraud investigation. But they were able to put a note on my account: “Do not swap SIM unless this person shows up in the store with ID. Also try to call the phone number before swapping.”

Now I have to decide if that’s good enough to keep me from switching carriers. I have no faith in store or phone employees to actually follow that. But that + I have no crypto might be good enough.

Yeah, I guess he didn’t have Google Auth set up. So you’re probably good.

I read about another attack where they took over the Gmail, but then realized the target’s Coinbase went through Google Auth (or similar) and gave up.

Yes, apparently once you’ve been tagged as sus they won’t let you do anything until you’ve verified your number. Having tried with multiple browsers, email addresses and VoIP numbers, I think I’m pretty thoroughly tagged at this point. There are plenty of people complaining about how strict it is now.

Maybe if I get super motivated later I’ll retry by tethering to my phone for a different IP. Not even going to bother trying VPN.

This helped me on the gas fees:
