@csoghoian @kristovatlas However, I’d argue that SMS-based account recovery / password reset is worse than nothing.
@zofrex And depending upon your threat model, sending 2FA codes in cleartext is terrible practice.
@zofrex Best to assume most users stick to the default settings - IIRC Google uses SMS for account recovery.
@zofrex Services supporting SMS 2FA often also allow password reset via SMS or email. Phone port attackers often compromise email accounts.
@javisobr just a fun poem suggesting that people hold their coins in cold storage rather than on a custodial service / exchange.
@publictorsten Because he set a PIN to protect his account and then it was transferred out of his control by an unknown entity.
@sandpiled @leahmcelrath Switch to @projectfi?
@BitcoinBelle @Codiox @bitcoinkeepkey @verizon From what I’ve seen, @projectfi is most secure against phone porting attacks
@leahmcelrath Unfortunately it’s going to be different for every service you use
@leahmcelrath @bascule @csoghoian @bitcoinkeepkey if it’s based on your phone number, it’s actually a weakness. https://t.co/Rec0xW2a4m
@bascule Also remove any phone number based account recovery mechanisms.
TIL @zcashco intends to eventually switch elliptic curves in a year due to this attack. https://t.co/H9EOgGb1FJ
.@bitcoinkeepkey’s account remains compromised. They will post a signed message from it to prove that control has been regained.
Can only draw one conclusion: @verizon is not secure against phone porting attacks, likely due to flawed procedures. https://t.co/rrJxF3kqub
Founder of @bitcoinkeepkey confirms successful phone porting attack against @verizon number despite PIN protection. https://t.co/nzeL284bPH
@michaelfolkson @RiskBazaar Just found https://t.co/LUQuxay1ye
Computer security specialists can’t rest - attackers prefer to strike when they think your guard is down during holidays / while you sleep.
FYI: @bitcoinkeepkey’s Twitter & email accounts compromised. Also seeing a suspicious new @KeepkeyIO Twitter & site. https://t.co/mXTvrZFWMo