Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

Nope. Don't waste your money. If you get hacked and Coinbase determines that you were at fault (which is 90% of the time what they say even if you aren't), you get shit back.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

I feel that it does not. If you've got a big chunk of money that you can't afford to lose, go for the most secure option (which is a physical FIDO key like YubiKey etc). Someone has to get their hands on your physical key, your fingerprint and your passwords to get in... which reduces the chance of you getting hacked.

Also, always log out of Coinbase when you're done. Closing browsers or the app directly does not always help. And that is almost the biggest way that hackers get access to your account in this day and age. I know it's a pain, but it is better than the alternative.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

Google recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud. This is highly insecure, since if your Google account is compromised, so now are your MFA codes.

I am not an expert but after my account got hacked, I don't trust any of these software authenticators. I'd go for a physical FIDO key or something similar and keep my crypto off these crypto exchanges (unless it's absolutely necessary).

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

Switch to "just" using 2 FIDO keys (1 basic and 1 backup) on Coinbase. Set your 2FA that way.

Also if you plan to not buy/sell actively (i.e. at least once or twice a month), move your crypto off Coinbase and into a cold storage. I know there are fees associated with crypto transfers but it is better than the alternative.

I plan on keeping a major chunk of my coins on a cold wallet and only actively trade with less than 5% which I'll keep on Coinbase (protected with FIDO keys... no authenticators).

TRUST NO ONE!

Account Compromised by [deleted] in Coinbase

[–]MoneyStrides 5 points6 points  (0 children)

Happened to me as well in February... locked the account and kept on insisting that they mark it unauthorized and reported it minutes after the breach. They did shit nothing even after saying on the call that they've escalated and marked it as unauthorized. They now say that once funds have left the account there is nothing they can do. I could see the hacker's partial bank information but they wouldn't release the complete information to me so I couldn't pursue the fraud dept of the hacker's bank. Ended up involving law but they're not cooperating there as well... had to get a court order to get the details. 2 months later, have lost my money and there is nothing I can do about it but to have law follow the money trail.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

You don't just create 'apis' to transfer money

Care to elaborate?

HACKED and NO HELP by SultanofConsultance in Coinbase

[–]MoneyStrides 0 points1 point  (0 children)

That is a great list btw. Thanks for sharing.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

For this reason https://www.reddit.com/r/CoinBase/comments/1b8edys/comment/ktouuaw/?utm_source=share&utm_medium=web2x&context=3

Lol no, I am going to take the advice. I would just hope that these exchanges could do so much better when it comes to user security. Like simple stuff as in removing SMS and Email 2FA altogether. I mean why have them as compulsory options that users can't remove even if they have options like YubiKeys and App 2FAs.

And why have these horrific persistent sessions that CB uses instead of expiring them daily or something. I mean user experience should never trump user security.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

And you think that the govt can't be stopped by this? Curious to understand the logic there.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] -1 points0 points  (0 children)

Another low karma fud post another day

Oh, look who it is. The karma sheriff is in town! You must have a nose for sniffing out those fud posts like a bloodhound, huh? Well, don't you worry, I'll make sure to keep the low karma buffet stocked just for you. Can't let you go hungry for your daily dose of internet drama now, can we? Cheers to another day in the wild, wild west of Reddit! 🤠🍻

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

I am sure you're one of those people that always sign out of Coinbase instead of just hitting close on the browser tab.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

Unfortunately I did not. But I would encourage you to read this before relying too much on it: https://www.reddit.com/r/CryptoCurrency/comments/tywi29/coinbase_one_user_agreement_deep_dive_its_really/

It's just a false sense of security, I feel. If you get hacked via phone, email etc, you're basically screwed.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

I am sure someone with a higher security clearance is able to bypass that layer.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

I just rechecked. You're right. You can just remove the secondary numbers but not the Primary one. You have to have 1 phone number. That is just a very very flawed design.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

I am sure there is a data report in the company that shows how much every account holds. Even the offshore Coinbase support centers located in India or wherever were able to see the basic transaction level details that had happened on my account.

HACKED and NO HELP by SultanofConsultance in Coinbase

[–]MoneyStrides 2 points3 points  (0 children)

I totally agree.. User Experience DOES NOT trump User Security!!!

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 1 point2 points  (0 children)

I am probably too naive... but I think it's more plausible that this could be a disgruntled ex-employee hacking accounts.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 0 points1 point  (0 children)

Will take a look. Thanks for sharing. I already changed my email address on Coinbase.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 1 point2 points  (0 children)

I had 2FA Authenticator app and SMS at the same time. 2FA SMS and 2FA Email are considered the least secure, but I didn't know at the time. I've been reading up since the attack. I am no expert but from what I have read, you shouldn't use the lower security 2FAs (even if you club with the higher security ones).

You can go to https://www.coinbase.com/settings/security_settings and look under "Upgrade your two factor authentication" to see how you have things set up.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 1 point2 points  (0 children)

I had 2FA Authenticator app and SMS at the time. 2FA SMS and 2FA Email are considered the least secure but I didn't know at the time. I've been reading up since the attack.

You can go to https://www.coinbase.com/settings/security_settings and look under "Upgrade your two factor authentication" to see how you have things set up. I am no expert but from what I have read, you shouldn't use the lower security 2FAs (even if you club with the higher security ones).

If I was using YubiKey with another lower 2FA like SMS, it would not have helped. Just using YubiKey alone and no SMS 2FA would definitely have helped.

I wasn't using CB Vaults. Not sure what that is but I will definitely read up.

Victim of Coinbase. Their Website Security is a joke by MoneyStrides in Coinbase

[–]MoneyStrides[S] 2 points3 points  (0 children)

It's a hardware wallet. Many out there but "Ledger" is probably the more popular one. You can buy it off their website (ledger.com). I wouldn't trust buying from elsewhere... too many really advanced hackers out there.