>That post has since been taken down, but many comments included criticism for leaving such a large amount of Bitcoin accessible on a phone.
Not to victim blame, but it really is odd to me that someone would leave any amount of BTC on their phone, let alone millions of dollars worth.
>The Hamilton teen faces charges of theft over $5,000 and possession of property or proceeds of property obtained by crime
I've always wondered why the line is drawn at $5,000. It's mildly interesting that stealing $46M and stealing $5,000 result in equivalent charges.
The SIM swap attack was used to access an online service where the BTC was stored.
I know the classic cryptocurrency trope is that Bitcoiners will move money to a paper wallet and then store the passphrase securely somewhere, but in reality that's about as attractive as cashing it out as 46 x (hypothetical) $1 million dollar bills and storing it in a safe.
In other words: Most people who have that kind of money really don't want to do anything like that. Most people who don't have that kind of money really overestimate how easy it is to safely and securely store something like that.
But that's beside the point. We could debate all day about storing paper wallets in bank safety deposit boxes or using Shamir's Secret Sharing or any other number of increasingly complex scenarios, but in practice most with that kind of wealth aren't really interested in locking it away and not touching it. If they want to make an investment, trade, or purchase, do they jump through all of the hoops to unlock and move some of the money and then securely store it all away again? Surely someone might, but in practice most people want it somewhere that they can trade, invest, transfer, and access with reasonable security.
This inevitably turns into one of those internet OpSec debates where people on the sidelines imagine scenarios where they are smarter than the victim (with the benefit of hindsight, of course), but in reality there are many, many people out there storing vast amounts of wealth accessible by 2FA with their phone and it's rarely ever a problem. Cryptocurrency makes this more complicated because the transactions are irreversible, fast, and (somewhat) easy to hide.
So if you happen to be internet famous for bragging about your Bitcoin wealth, definitely take steps to make it impossible for people to access it via phones or anything else. But you also probably want to obscure your physical location and invest in personal security, because in-person attacks are the next step. But in reality, a huge number of people have access to a lot of funds via digital access without such problems on a regular basis. It's fun to fantasize about ultimate OpSec, but in practice most people want the money accessible and tradeable on short notice.
A dead-simple soft-wallet, which requires about 2 steps to set up and 2 more to transfer and hold your millions of dollars in, would have prevented this. Roughly 15 minutes of time, at most.
You don't need to be the NSA to secure your crypto, as you seem to be implying.
I'm speaking neither hypothetically nor in hindsight since I pre-ordered the first hardware wallet back in the day and have never lost coins.
That's very hypothetical, though. There are a few key differences:
1. Moving money to a paper wallet is not difficult in practice. Ideally, yes, you would generate the private key in an air-gapped computer running a secure operating system and print out the private key and the Bitcoin address, then incinerate the computer, storing away a second identical computer that doesn't have the wallet on it yet, and that would have a similar level of difficulty to buying and installing a safe. In practice, you can probably get better security than a physical safe just by generating a new wallet in Electrum, writing down the seed phrase, and deleting the wallet from Electrum. When you need to spend some of the coin you can reanimate the wallet, sign a transaction, and delete it from Electrum again. If your cellphone is backdoored then the thieves can loot your wallet at reanimation time, but that's probably harder than drilling a safe, most of the time.
2. As you point out, million-dollar bills are hypothetical. The largest US dollar denomination ever printed was US$10k, and the largest in circulation since 01969 is US$100. So, in practice, you're talking about a safe containing 460,000 US$100 bills, which will be very difficult to either acquire or dispose of without getting robbed.
3. The dollar inflates, by design, so it's a terrible investment. It's lost 96% of its value since the end of the gold standard in 01971, and an additional 6.2% over the last year. That's the reason why a safe full of dollar bills is a total failure for wealth preservation. Bitcoin suffers from a lot of volatility but it's structurally designed to not suffer from secular inflation, and in fact one of the principal criticisms of Bitcoin is that it's inherently deflationary. It seems to have returned an average of about 150% per year over the last 10 years: https://bitcoincharts.com/charts/bitstampUSD#tgSzm1g10zm2g25..., and while that trend surely must be nearly over (it can't continue for more than another 5 years and might already be over), it also clearly hasn't been suffering from inflation. In this sense, the most important difference, the dollar and Bitcoin are opposites.
Yes, it's true that there are people who like to gamble by day-trading cryptocurrencies, but most people who do that end up losing all their money. Investing wealth doesn't require your assets to be "accessible and tradeable on short notice"; it requires rebalancing asset classes every three months. Berkshire Hathaway makes a few dozen transactions per year. You don't need to make more transactions than Berkshire Hathaway.
You say, "there are many, many people out there storing vast amounts of wealth accessible by 2FA with their phone and it's rarely ever a problem," and in a sense that's true; it's relatively unusual to have a meltdown like the Argentine collapse of 02001 (where all bank depositors lost all the dollars they had in the banks), Mt. Gox in 02014 (where all Bitcoin depositors lost all their Bitcoin, about 850,000 BTC or US$450M), Bitfinex in 02015 (where their depositors lost about 1500 BTC), the Greek banking system in 02015 (where Greeks were prohibited from carrying more than 3000 euros out of the country and could only withdraw a limited amount of cash from their bank accounts for three years), and Bitfinex in 02016 (where their depositors lost 119,756 BTC).
But it would be a terrible mistake to conclude that, just because an event like this happens only about once every four years, it is unlikely to happen to you. It's true that it's "rarely ever a problem", but when it is a problem, it's a problem for millions of people, sometimes hundreds of millions. Hosted wallets do not and cannot offer "reasonable security".
Today I see a lot of people who are "trading Bitcoin" but actually holding Tether in Binance accounts (which has replaced LocalBitcoins as the retail hosted wallet of choice here in Argentina).
Tether has historically been backed by fraud, and it's operated by Bitfinex, which (as noted above) has a history of its customers' money mysteriously disappearing, and which is locked out of the world banking system.
Binance is banned in the US and UK, is being criminally investigated by both governments, and has had to move its headquarters from China, to Japan, to Malta, which also says they're investigating it. It's also being prosecuted in Thailand.
Without casting any aspersions on the integrity of Binance's people, it's clear they're at significant risk of having their assets confiscated, at which point all of their depositors would lose their deposits. And Tether is at significant risk of collapsing, either due to fraud or to mismanagement. So these people are dancing on a tightrope, and most of them don't even know it.
So, run a wallet on your own hardware. At least a thin wallet like Electrum. Or get a Trezor.
One would think with any significant amount of crypto that you store it somewhere non-network accessible (at the very least, not holding it all in a single online exchange).
Most exchanges did not have proper 2FA until the sim-swath-swoop of 2018-2020.
A lot of those lines are drawn completely arbitrarily, and might be very old and haven't been updated to reflect inflation/rising prices.
A classmate of mine copped a felony property damage charge as the threshold was set at a mere $500 at the time, for a typical senior year high school rivalry prank and it really fucked up his life.
There's an interesting effect where law makers can pass a law with static dollar amounts that seems reasonable at the time, but the force of inflation covertly expands the scope of the state's authority deeper and deeper into the society without any further action or political risk by present lawmakers.
A great example of this is the Bank Secrecy Act, which requires reporting of transactions greater than $10,000 to the federal government. At the time it was passed in 1970, $10k was the equivalent of ~$70k in 2021 dollars. $70k actually seems like a pretty reasonable amount as that's a very large transfer that the average person does very rarely for mostly legitimate reasons, like buying a house. It's easy to justify why the feds could use this data to investigate large scale criminals and money laundering. But as inflation has stripped away the value of the dollar, more and more people and activities are falling into that $10k limit.
Basically, the surveillance state gets to sneakily expand when laws are pegged to a currency that's constantly inflating by design.
The reason for the differentiation is not to make a $5k theft and a $46m theft equivalent. There is a threshold because, for instance: stealing some pocket change is not a serious crime, and stealing large amounts of money is serious.
I'm curious if you actually think that I wasn't aware of this? I don't think many people need that pointed out to them.
My comment was on the arbitrariness of the line, or why there is a single line at all (opposed to a gradient, or multiple "theft over x" categories, etc.).
It's bad and all and he is f'd, but "stole $46m" does sound like a pretty bad ass line item on a teen's rap sheet.
I was charged with theft under 5 when I was 14 after stealing two candy bars and a drink from Walmart. Same charge as I would have had if I stole a 70" flatscreen TV, or a top of the line computer.
To really secure bitcoins, a hardware wallet or a passphrase in a safe deposit box are both pretty simple options that nontechnical people use all the time. Neither is expensive and both are widely known.
I haven't used a hardware wallet - I suspect they solve the transferring problem. But what's the risk my hardware wallet still works a year from now? 10 years from now?
I decided trusting Coinbase in 2021 is the most reasonable option for the amount I have. (Different calculus back in 2016). I admit I don't know what I'd do with 8-figure balances though.
_If_ you can get a safe deposit box in your bank, that is. My local bank (Chase) is always sold out of boxes. Sure, you'll next say: change your bank. But the other one (BoA) is also out.
My point is, it's not such an easy option as you're making it out to be.
I'd say that ~97%-99% of the people in the US and Europe have no idea how to use a hardware wallet. The vast majority have no idea what a hardware wallet is. You're very far off the mark in your estimate.
Bitcoin is at the adoption stage where the general public is only beginning to use services like Coinbase. They do not know how to use a hardware wallet, most of them do not know that such a thing exists.
We need to decentralize our communication infrastructure.
That's easy. Regular folks don't have $46M to store. Also being rich doesn't mean you always take the best decisions.
Given how incredibly likely people are to trust these untrustworthy organizations, not much hope regular folks can be safe.
"What hope is that for regular folks could make safe use of said USD?"
SMS "2FA" is not actual 2FA
SS7/PSTN are horribly broken. People need to stop using them entirely, whenever possible, and stick to that as a firm principle. For the same reason why scam calls and fake caller ID are epidemic. Just disregard the existence of the PSTN, even if your phone has a DID, never give it to anyone or use it for anything. I say this as someone who's worked in telecom for 20 years.
Social engineering mobile phone operator customer service departments to execute a SIM swap attack is trivially easy if you already possess some basic personal info about the target.
You should never rely on having something important that's only protected behind a SMS-based password reset/login authentication module.
1. For large swaths of the population, hardware key-based 2FA or TOTP-based 2FA are too difficult to use, and they can also be more difficult to remediate if the user loses the hardware key or TOTP secret.
2. SMS 2FA is much better than nothing for most people. The bigger problem is when SMS can be used as just a single factor in account recovery scenarios.
3. There is a push to make telecoms more responsible for sim-swapping fraud: https://krebsonsecurity.com/2021/10/fcc-proposal-targets-sim...
This doesn't mean software providers should not offer the ability to use TOTP instead of SMS. This irritates me to no end when applications force me to establish MFA using SMS before I can also establish TOTP.
In those cases I keep a google voice number. It’s also the same number I use to give to anyone/any company and it’s just on do not disturb 24/7. If I need to deal with a company on that number I just turn off DND. This practice of never giving out my actual number has drastically decreased the number of “car warranty” trash calls to my actual phone. They all go to that and generally a message is never left, and the phone doesn’t ring. Sometimes I get a voicemail of 3 seconds of dead air but that’s it.
I know a lot of people de-google but my thought is this isn’t a normal PSTN endpoint, and it’s not nearly as easy to sim swap, if not impossible but still works as a second factor. And I’m not aware of another service that can do it better and like it or not, google is a big target so I trust their auth over some other fly by night competitor.
This cuts down on 99% of your car's extended warranty and IRS scam calls.
> SMS "2FA" is not actual 2FA
That's not correct. I mean, of course it is. If you have SMS authentication as one factor and a password as the other, you're safe from compromise even if the carrier hands your phone number over to someone else. That's the whole idea behind 2FA, and it works here. A "SIM swap attack" is, contra the article and your points, not sufficient to compromise a working 2FA environment.
You need something else, like a crypto wallet system that uses SMS as a single factor, which seems plausibly to have been the case here.
> Social engineering mobile phone operator customer service departments to execute a SIM swap attack is trivially easy
True, but that's a hole in that one system that can be patched, and it's not something specific to the PSTN network at all (literally everything can be human engineered, including the customer service departments of authentication providers like Google/MS/Apple!). For example, require physical mail as a second (third) factor as an authentication mechanism and the whole problem goes away. This is already implemented for e.g. address changes, and it works fine.
Don't take a specific hole in one system as evidence that the system needs to be replaced or redesigned. That's generally a recipe for creating new security bugs, not fixing them.
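The distinction argued in the comments above, SMS as one of two login factors versus SMS that can act alone in an account-recovery path, can be checked mechanically. The following is an added example, not code from any commenter or service; the account layouts, path names and factor names are constructed for illustration.

```python
from itertools import combinations

# Constructed account configurations. Each path lists the factors it demands
# ("needs") and what it hands back on success ("grants").
ACCOUNTS = {
    "sms_as_second_factor": [
        {"name": "login", "needs": {"password", "sms"}, "grants": {"session"}},
    ],
    "sms_resets_password": [
        {"name": "login", "needs": {"password", "sms"}, "grants": {"session"}},
        {"name": "forgot-password", "needs": {"sms"}, "grants": {"password"}},
    ],
    "mail_gated_recovery": [
        {"name": "login", "needs": {"password", "sms"}, "grants": {"session"}},
        {"name": "forgot-password", "needs": {"sms", "mailed_code"},
         "grants": {"password"}},
    ],
}

def reachable(paths, held):
    """Fixed point: keep applying any path whose requirements are all held."""
    held, used, changed = set(held), [], True
    while changed:
        changed = False
        for p in paths:
            if p["needs"] <= held and not p["grants"] <= held:
                held |= p["grants"]
                used.append(p["name"])
                changed = True
    return held, used

def sim_swap_exposure(paths):
    """Chain of paths that yields a session from SMS control alone, or []."""
    held, used = reachable(paths, {"sms"})
    return used if "session" in held else []

def effective_factors(paths):
    """Smallest set of base factors that reaches a session via any path chain."""
    base = sorted(set().union(*(p["needs"] for p in paths)))
    for k in range(1, len(base) + 1):
        for combo in combinations(base, k):
            if "session" in reachable(paths, combo)[0]:
                return set(combo)
    return set()

def audit():
    """Per-account report: effective factor count and any SMS-only chain."""
    return {
        name: {
            "effective_factors": effective_factors(paths),
            "sms_only_chain": sim_swap_exposure(paths),
        }
        for name, paths in ACCOUNTS.items()
    }

if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```

An account whose `effective_factors` set has one member is single-factor in practice, whatever its login screen asks for.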
Why?
Also, do banks carry any liability if you are sim swapped? If so - wonder if the banks can get scammed that way instead?
Phone numbers are like a social security number, or at least a parallel identity, where I live. Everything from banking to vaccines happens through 2FA auth (often only through it). Recently banks have started to advise SIM-locking to prevent SIM jacking; my cries to support hardware tokens have been in vain so far.
What's funny is SIM-locking was quite common during the pre-smartphone era. I think the Nokias of that time even asked for a SIM PIN with each reboot; even then the customer service would just reset it when you said you forgot it. I don't think it would be any different now; after all, they just ask your name & address to confirm identity.
It feels like SMS based 2FA + Oligopoly Telecoms are a disaster waiting to happen.
Unfortunately, some orgs, and even more unfortunately, some banks, still require/force SMS mfa.
Might need a bit more elaboration there. You want people to turn off 2fa?
Where are all the bitcoin multi-millionaires storing their coins? It seems like in an ideal world, you would use https://trezor.io and put that in a safety deposit box, or maybe use Coinbase Vault, but I am generally curious what is the current consensus on the safest ways to store these piles of digital money.
https://www.lopp.net/bitcoin-information/security.html
Look, e.g. at the Cold Storage section,
If you are truly paranoid, then follow this protocol:
Generate a new seed phrase on a hardware wallet. Encrypt the seed phrase using https://github.com/FiloSottile/age and print out the encrypted seed. Store the paper in a safety deposit box. Keep the hardware wallet at home in a safe.
Write down the encryption key and the hardware PIN in an envelope to be opened in the event of your death.
All that said, this particular example is vulnerable in that you could be held at gunpoint and lose everything. So next we start talking about cold wallets vs hot wallets...
Now you're depending on the random number generation of a hardware wallet. And (possibly) depending on its method of deriving multiple private keys from a single seed phrase.
Edit: Alternatively, you could upload transactions via images (airgapped laptops) and sign them with your trezor (on the airgapped laptop). That should give the most security.
Make that wallet have a split private key, such that say there are 13 keys, and any 9 are required to access the funds.
Distribute those 13 keys, on paper, in sealed envelopes, to 13 different locations. Make each location have at least basic access control - either a door lock, or held by someone you trust with specific instructions about who is allowed to access the paper.
Distribute instructions to trusted friends on where to find the 13 things, and what conditions are needed to access them. For example "Hand over to londons_explorer only. If you know he is dead, hand the key to XYZ person. If you cannot contact XYZ for over 5 years, destroy the envelope."
I bet he bought an xbox gamertag from the most recent exploit.
These kids really do think the 3 letter agencies aren't watching, no matter how many of their close friends get v&.
The blockchain is forever, and the statute of limitations no longer applies.
That Verizon/AT&T employee from 2018 will get caught, he will give up an alias, and the feds are interested, now that the coins have value.
And assuming the feds aren't dirty (they are), you have 5 years to run. If the fed assigned to your case decides he wants the coin personally, you have 5 months.
https://www.justice.gov/usao-ndca/pr/former-federal-agents-c...
Also, Josh Jones, the founder of DreamHost? wow. heh
Edit: Sorry, because I read it on outline/archive I didn't see the glaring Hamilton Spectator logo at top and related Canada nav. Thanks
He also created bitcoinbuilder.com, which among other things, brokered the sale of people holding Mt. Gox bitcoin after it collapsed. If you held bitcoin on Mt. Gox, you could sell it to him and he then resold those rights.
Now that it looks like there is a settlement coming next year, he is still sitting on a mountain of coin.
Pretty amazing that he got hacked. He is super technical. In other words, it can happen to the best of us.
> Jones first reported the theft to the Los Angeles FBI, who then brought in other U.S. and Canadian agencies as the investigation grew.
The hard part is cashing it out. As Breaking Bad used to say, what criminals want is to pay taxes on their criminal proceeds.
Your guide basically says use Binance/OTC, a fake ID and this bank.
And you have zero stuff about actual money laundering - ie, justifying $46 mil suddenly appearing in your name.
Can bitcoins be tracked?
There should be a rule against regurgitating talking points without adding to the discussion, but I'll humor you.
I invest solely in crypto because the banks and federal reserve have scammed the common people more than any sole individual.
The government prints money knowing full well the common person will bear the burden of inflation.
"A SIM swap attack [...] gives the hacker access to the victim’s phone"
Is it just me or is this article massively misrepresenting what a SIM swap attack actually does? Unless there's more to the story, no one got access to Jones' phone. They intercepted 2FA SMSes so they could get access to a wallet service or whatever.
Better to claim incompetence than it is to actually steal.
Says the biggest known victim of a crypto heist in a private person.
Ain't this ironic.
I guess I should spell out that centralization is a feature?