Crypto Market Commentary 

27 August 2019

Doc's Daily Commentary

Look for the new “Options for Income Masterclass” which is now live!

The 8/21 ReadySetLive session with Doc and Mav is listed below.

Mind Of Mav

Don’t Trust Your Phone: The Attack Vector Hackers Are Increasingly Using

SIM swapping is on the rise
These targeted attacks are on the rise. Either through social engineering, where they find people like myself who work in the blockchain industry and who speak and write publicly about cryptocurrency. Once they track down your number, they have all they need to proceed.
In August 2018, T-Mobile was hacked and the billing information of 2.5 million customers was stolen. All of those accounts are vulnerable.
During the same week of my attack, dozens of my peers were attacked, as reported by ZDNet. There is an open FBI investigation.
How to avoid SIM swapping scams
Frankly, there is no perfect way to protect yourself. But you can make it harder.
  • Disable iCloud, especially for your passwords. Although traffic to iCloud is encrypted, a compromised iCloud account is the easiest way to hand an attacker carte blanche to every account, including, alarmingly, the ability to read your passwords in clear text.
  • Avoid SMS-based two-factor authentication (2FA) for any online accounts. This is especially important for your cryptocurrency exchanges and wallet services. Other 2FA methods like Google Authenticator are OK, but consider obtaining a universal second-factor (U2F) device like YubiKey, Google Titan Key, Thetis, or Kensington for greater safety.
  • Set up an account PIN with your carrier. This will be required to set up a new SIM on any phone, though there do seem to be ways around this as well.
  • Set up a SIM PIN with your mobile carrier. This will lock bad actors out of using your SIM when they steal it. They get three chances to guess your code. The SIM PIN is found under the cellular section of your phone's settings and is completely different from the normal passcode you use to unlock your phone. When setting your SIM PIN, note that your SIM will come with a default PIN set by your mobile carrier. This will vary by carrier, but for Sprint and T-Mobile it should be 1234; for AT&T and Verizon, try 1111. If you guess the wrong one, you could end up locking yourself out of your phone and need to call support. I’ve also heard 0000 is the number for some carriers.
  • Consider switching to Google Fi or Google Voice for 2FA. You can set up a phone number which will forward to the one provided by your cellular carrier. If you publish this forwarding number and use it for your accounts, it makes it impossible for bad actors to identify your carrier number to steal.
  • Disable your phone number as a tool for account recovery. Use a different way.
  • Reduce your online footprint by leaving as little personal information online as possible. Strangers do not need to know your birth date or other personally identifiable information. Most importantly, don’t brag about your crypto holdings. This is hard to do if it is your job, but no one can target you for attacks if they can’t identify you as a target in the first place.
  • Create a secondary email for 2FA. Use this for critical online identities only, such as bank accounts, social media, crypto exchanges, and similar services.
  • Use a multi-signature or offline wallet to store your private keys. In “hot” (online) wallets, keep only those funds that are needed for your daily activities. The most popular cold wallets include devices by Ledger or Trezor.
  • Use an app to block spam calls. You can also download an app like AT&T Call Protect, which blocks callers who spoof a valid number to phish you. And of course, an independent 2FA app like Google Authenticator, where it is an option, is ideal. But if you lose your phone, the app's codes are non-recoverable, so you’ll have to go through a manual review to get back into your account and set up a new one.
How we can do better
First, Face ID gives a false sense of security. Any security like it today, including fingerprints, attaches only at the phone level.
Yet biometrics are the ideal way forward for account authentication. Applications need to connect directly to the Face ID or biometric scan, ideally through an immutable record on a public blockchain.

Recovery needs to be tied to biometrics, always. Trivia, like your mother’s maiden name, or secondary authentication sent to a compromised device, is inherently flawed and vulnerable. Coincidentally, true biometrics would also serve the wider blockchain and crypto communities, who need a better way to remember private keys.

Also, there needs to be some accountability and coordination from the phone companies. They have no obligation to report these hacks to the FCC, and they could stand to do a better job of educating their call center agents to detect social engineering attacks — or better yet, provide better AI support to learn and adapt to these attacks in real time.

 


An Update Regarding Our Portfolio

RSC Subscribers,

We are pleased to share with you our Community Portfolio V3!

Add your own voice to our portfolio by clicking here.

We intend on this portfolio being balanced between the Three Pillars of the Token Economy & Interchain:

Crypto, STOs, and DeFi projects

We will also make a concerted effort to draw from community involvement and make this portfolio community driven.

 

Here are our past portfolios for reference:

RSC Managed Portfolio (V2)

RSC Unmanaged Altcoin Portfolio (V2)

RSC Managed Portfolio (V1)