Below is an off-site archive of every tweet ever posted by @lopp.

December 26th, 2016

@csoghoian @kristovatlas However, I’d argue that SMS-based account recovery / password reset is worse than nothing.

via Twitter Web Client in reply to csoghoian

@zofrex And depending upon your threat model, sending 2FA codes in cleartext is terrible practice.

via Twitter for Android in reply to zofrex

@zofrex Best to assume most users stick to the default settings - IIRC Google uses SMS for account recovery.

via Twitter for Android in reply to zofrex

@zofrex Services supporting SMS 2FA often also allow password reset via SMS or email. Phone port attackers often compromise email accounts.

via Twitter for Android in reply to zofrex

@javisobr just a fun poem suggesting that people hold their coins in cold storage rather than on a custodial service / exchange.

via Twitter for Android in reply to javisobr

@publictorsten Because he set a PIN to protect his account and then it was transferred out of his control by an unknown entity.

via Twitter for Android in reply to publictorsten

@BitcoinBelle @Codiox @bitcoinkeepkey @verizon From what I’ve seen, @projectfi is most secure against phone porting attacks

via Twitter for Android

@leahmcelrath Unfortunately it’s going to be different for every service you use

via Twitter for Android

@leahmcelrath @bascule @csoghoian @bitcoinkeepkey if it’s based on your phone number, it’s actually a weakness. https://t.co/Rec0xW2a4m

via Twitter for Android

@bascule Also remove any phone number based account recovery mechanisms.

via Twitter for Android in reply to bascule

TIL @zcashco intends to eventually switch elliptic curves in a year due to this attack. https://t.co/H9EOgGb1FJ

via Twitter for Android

.@bitcoinkeepkey’s account remains compromised. They will post a signed message from it to prove that control has been regained.

via Twitter for Android

Can only draw one conclusion: @verizon is not secure against phone porting attacks, likely due to flawed procedures. https://t.co/rrJxF3kqub

via Twitter for Android

Founder of @bitcoinkeepkey confirms successful phone porting attack against @verizon number despite PIN protection. https://t.co/nzeL284bPH

via Twitter for Android

Computer security specialists can’t rest - attackers prefer to strike when they think your guard is down during holidays / while you sleep.

via Twitter for Android

FYI: @bitcoinkeepkey’s Twitter & email accounts compromised. Also seeing a suspicious new @KeepkeyIO Twitter & site. https://t.co/mXTvrZFWMo

via Twitter for Android