I just finished reading about a guy named Cody Brown who lost $8k of Bitcoin in 15 minutes from Coinbase.
How did this happen? Didn’t he have Two-Factor Authentication set up for his Coinbase account?
But he had the wrong one: SMS text messaging.
SMS text messaging is very insecure as a Two-Factor Authentication. Hackers nowadays can easily call up your phone provider and pretend to be you. They don’t need to prove any identity. All they need to do is convince the employee that he is you. And some hackers are really good at this. It’s currently the weakest link that exists and regular people still don’t understand the risks involved.
One of the biggest Blockchain VC’s, Bo Shen had over $300,000 stolen recently by a hacker using this same weak link: SMS text messaging. It’s a huge problem right now that many people are unaware of.
Disconnect your phone from your accounts right now if you have SMS text messages as your 2FA. I’ll explain what you should do in place of it that is actually secure.
Do It Right Now.
Sometimes a video can explain all of this better than reading text, so please watch this one. In it, the young man uses Yubikey, which I have never used. I use a Trezor as my U2F (or physical key).
So, what exactly is U2F?
Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices based on similar security technology found in smart cards. While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.
U2F Security Keys are supported by Google Chrome since version 40 and Opera since version 40. U2F security keys can be used as an additional method of two-step verification on online services that support the U2F protocol, including Google,Dropbox, GitHub, GitLab, Bitbucket, Nextcloud, Facebook and others.
Chrome and Opera are currently the only browsers supporting U2F natively. Microsoft is working on FIDO 2.0 support for Windows 10 and the Edge browser, but has not announced any plans to include U2F support. Mozilla is integrating it into Firefox, and support can currently be enabled through an addon -Wikipedia
I’m going to simplify this definition:
U2F is a physical key that you put into a USB port on your computer. You put this in after inputting your password. The U2F device uses encryption, as it contains a private key that is matched up to your public key in order to unlock your accounts like Gmail and Facebook. Without the physical key, no one can access your account. So, hackers, and even key loggers will not be able to steal your passwords because the U2F encrypts the data.
There are other cheaper options like the Yubikey that costs $18 from Amazon. I’ve never used Yubikey and only learned of it recently after doing some research. A good idea is to have several U2F devices connected to your account, to ensure you don’t lose access if you lose one of your keys.
It’s overwhelming to do this the first time, but once you do, you will be able to sleep at night. Hackers are just getting more advanced and sneaky over time, so the sooner you get one of these physical U2F keys, the better! Cars and houses need physical keys, so do your accounts!
Here’s a how-to video that shows you how to set up a U2F physical device like Trezor or Yubikey with your gmail account: