Bobos & Wojaks

How Your Exchange Account Could Be Hacked And What You Can Do To Avoid It


Many users hold their funds on an exchange. That is not as safe as many think. Here I will show you how such an account can get hacked. The scenario assumes the exchange account is protected with “Google Authenticator” 2FA.

  1. Get your email and phone number – Your email and phone number can be found in the leaked Ledger, BitcoinTalk, YahooMail and CoinMarketCap databases, among many others. Most of them are sold on the darknet.
  2. Determine the phone carrier – There are many tools on the Internet that can be used to find out the provider.
  3. SIM swap your phone number – This is not always easy. Usually the attacker either has to take a part-time job with a mobile carrier or bribe a friend who works there. But there are reports that a SIM swap can be bought on the darknet for less than $20.
  4. Claim “lost password” on the email account – In most cases the email provider responds by sending a one-time password to the stored phone number, which the attacker now controls through the SIM swap, so the attacker gains access to your email address. In some cases the leaked user database, as with YahooMail, already includes the password.
  5. Get the user ID of the exchange – Most users like [email protected] use the same user name “WRoss” for their exchange account.
  6. Claim lost password on the exchange – With the guessed user ID, the attacker submits a lost-password request. The exchange then sends a password reset link to your email address. Since the attacker has access to your email, they can change your password; however, they still need the 2FA to get full access.
  7. Claim lost phone (2FA) on the exchange – On some exchanges, users can simply remove Authenticator 2FA from their account by declaring “2FA lost”. This triggers a confirmation email, but since the hacker already has access to your email, they can simply confirm it.

All of this takes effort. Still, here are a few tips on how to prevent it from happening:

  • Do not reuse the same user ID, and always use a different password for each application. If WRoss had not reused their username for Gmail and the exchange, the attacker would not have been able to get into their exchange account.
  • Do not use the same email for your exchange and for forums. If WRoss had not used the same email on CoinMarketCap and the exchange, the hacker could not have accessed the account.
  • Tighten your email account security – Some email providers allow you to disable the “lost password” and “lost 2FA” recovery features for your email account: you accept that if you lose your email password or 2FA, the provider will delete the account rather than restore access. Many attackers do not guess your password; they simply claim to be you and say the password was lost or forgotten.
  • Use better 2FA – Ultimately, miserable “lost password / lost 2FA” workflows are not your fault and cannot be avoided, but sometimes better 2FA can help. Hardware 2FA often has a different recovery workflow than the “lost phone” one. Basically, you want a lost password or lost 2FA to be as difficult as possible to handle, so choose the option that is the hardest to reset.
  • Don’t keep funds on the exchange – The problem with exchanges is that you trust them to maintain some semblance of sanity. Unfortunately, when exchanges receive thousands of lost-password tickets every day, they are often tempted to relax password reset requirements, often at the behest of the very customers they are trying to protect. If you stop trusting exchanges to hold your funds week after week, you can (sometimes) better secure your assets outside of an exchange. That way, you are the only one you have to trust, not a support employee resetting your password.
  • Regularly check whether your email and password have been leaked on haveibeenpwned.com.
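
As an added example (not from the original post), the last tip can be scripted against the Pwned Passwords range API of haveibeenpwned.com without ever sending the password: only the first five hex characters of its SHA-1 are transmitted, the site returns every known hash suffix with that prefix, and the match is made locally. Checking an email address against breaches is a separate, key-authenticated API and is not covered here. The `SAMPLE_RANGE_BODY` below is a constructed response used so the check runs offline; the count it shows for “password” is made up, not a real figure.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

# Real endpoint of the Pwned Passwords range API (k-anonymity: only a 5-char prefix is sent).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for the prefix "5BAA6" (SHA-1 of "password" starts with it).
# Real responses are hundreds of lines; the suffixes and counts here are made up for the demo.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the password's uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line); return the count for suffix, or 0."""
    for line in range_body.splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range for a 5-char prefix over HTTPS (network access required)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found).

    The full hash never leaves the machine; the suffix comparison happens locally.
    """
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch(prefix), suffix)


if __name__ == "__main__":
    # Offline demo against the constructed body; pass fetch=fetch_range for a live check.
    offline = lambda prefix: SAMPLE_RANGE_BODY
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch=offline))
```

A non-zero count means the password is in a public breach corpus and should be treated as burned everywhere it was used, which is exactly the reuse problem the first two tips describe.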

Ideally, the exchanges would block accounts for weeks if someone pretending to be you claimed to have lost their phone with all 2FA data. But the world isn’t perfect. Coinbase recently admitted that their “lost secret” workflow was flawed.
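
As an added example (not from the original post, and not any exchange's actual code), here is the kind of recovery policy the paragraph above argues for, reduced to a small state machine: a “lost 2FA” claim freezes withdrawals and starts a hold instead of removing 2FA on the spot; a claim that follows a recent email or phone change goes to manual review, because that sequence is exactly the SIM-swap chain listed earlier; and the real owner can cancel the hold only by proving they still have the device. The hold length, the recent-change window, the account names and the dates are assumed values for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy values for this example; they are not any exchange's real settings.
HOLD_PERIOD = timedelta(days=14)           # a "lost 2FA" claim must wait this long
RECENT_CHANGE_WINDOW = timedelta(days=30)  # email/phone changed inside this window is not trusted
DAY = timedelta(days=1)
T0 = datetime(2021, 6, 1)                  # constructed reference date for the demo


@dataclass
class Account:
    user_id: str
    email_changed_at: datetime
    phone_changed_at: datetime
    recovery_hold_until: Optional[datetime] = None
    withdrawals_frozen: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    hold_until: Optional[datetime] = None


def request_2fa_reset(acct: Account, now: datetime) -> Decision:
    """Handle a 'lost 2FA device' claim with a mandatory hold instead of instant removal.

    Whoever files the claim, withdrawals are frozen at once: if the claim is an
    attacker's, the freeze removes the payoff; if it is the owner's, they wait out
    the hold but the funds stay put.
    """
    acct.withdrawals_frozen = True
    # A reset claim shortly after an email or phone change is the pattern described
    # above (take over the contact channel first, then "lose" the 2FA device), so the
    # confirmation email cannot be trusted on its own: route to manual identity review.
    if (now - acct.email_changed_at < RECENT_CHANGE_WINDOW
            or now - acct.phone_changed_at < RECENT_CHANGE_WINDOW):
        return Decision(False, "contact details changed recently; manual identity review required")
    if acct.recovery_hold_until is None:
        acct.recovery_hold_until = now + HOLD_PERIOD
        # A real system would now notify every contact channel on file, including the
        # previous email and phone, with a link that lets the owner cancel the reset.
        return Decision(False, "hold period started", acct.recovery_hold_until)
    if now < acct.recovery_hold_until:
        return Decision(False, "hold period still running", acct.recovery_hold_until)
    return Decision(True, "hold period elapsed; 2FA may be reset")


def cancel_reset(acct: Account, device_proof_ok: bool) -> bool:
    """Abort a pending reset, but only for someone who can still produce a valid code
    from the supposedly lost device (device_proof_ok stands in for that check).
    A cancellation accepted through the email channel alone would reopen the hole."""
    if not device_proof_ok or acct.recovery_hold_until is None:
        return False
    acct.recovery_hold_until = None
    acct.withdrawals_frozen = False
    return True


def demo_timeline() -> List[bool]:
    """Replay the claim on a long-stable account at day 0, day 7 and day 14,
    then the same claim on an account whose email was changed yesterday."""
    stable = Account("wross", email_changed_at=T0 - 400 * DAY, phone_changed_at=T0 - 400 * DAY)
    results = [request_2fa_reset(stable, T0 + n * DAY).allowed for n in (0, 7, 14)]
    swapped = Account("victim", email_changed_at=T0 - 1 * DAY, phone_changed_at=T0 - 400 * DAY)
    results.append(request_2fa_reset(swapped, T0).allowed)
    return results  # [False, False, True, False]


if __name__ == "__main__":
    print(demo_timeline())
```

The design choice worth noting is that the hold is the default and the cancel path is the one that demands strong proof: an attacker who only controls the email inbox can start a claim but gains nothing from it for two weeks and cannot shorten the wait, while the owner with the device in hand ends it immediately.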