How Important Is Your Online Security?
Guys, this morning I received an email notification from the Coinbase Security team alerting me that my account had been compromised. Before we discuss it, I'd like to share three screenshots that make up part of that email with you.
The Notification
What had happened was...
To be honest, my friends, the above notification comes as little surprise to me. As I mentioned in previous articles, Coinbase was one of the first exchanges I opened an account with when beginning to navigate the crypto-sphere, and as a newbie, I made quite a few mistakes. As I began to delve a bit deeper, however, and as I began to create wallets and join other exchanges, I quickly learned that in the world of crypto, a password is never just a password.
And so, my friends, I had known for some time that this particular password had been compromised, but because I almost never use Coinbase, because I had only a flimsy back-up phone-verification system in place...
... and because I practically never store funds on any exchange, let alone this one, I didn't revisit the account. I acknowledge I should have, because now there's this email.
This situation highlights an important issue that I don't think we've discussed before on this blog: the importance of password security and the value of two-factor authentication.
At the end of the day, my friends, even if it were a regular bank account, you would be advised to protect your PINs and passwords and ensure that no one else has access to them, right? I mean, if there's one thing that mainstream finance and the crypto-verse can agree on, it's that when it comes to securing your coin, you can never be too careful.
Okay, guys, let's discuss, but before we do, let me just hurry on over and change those passwords on Coinbase just in case, and then we can sit down for a chat, all right?
Have I Been Pwned?
Now, my friends, before we proceed, I want to be clear that this article does not endorse any of the sites promising password protection or security. I'm simply bringing them to you and we're examining them together, okay? If you should decide to use any of these sites on your own, I'd suggest that you spend a bit more time conducting your own detailed research.
With that said, there are a number of ways to check whether your account has been compromised. There's the site Have I Been Pwned, which checks your email address or phone number against a large collection of known data breaches. It was created in 2013 by Australian web security consultant Troy Hunt, who is also a Microsoft Regional Director and MVP.
According to a Forbes article published in 2019, the site "is, by far, the biggest and most popular way to find out if your password has been stolen."
How it Works
You enter your email address, or your phone number in international format, and within seconds you are shown every data breach in which it appeared. You can also check whether a password itself has been compromised (the Pwned Passwords feature). Your password never leaves your browser in full: it is hashed with SHA-1 and only the first five characters of that hash are sent to the service, which replies with every breached hash beginning with those characters, so the actual match is made on your own machine. The Forbes article reassures: "Thanks to the use of a mathematical property called k-anonymity and the help of Cloudflare, you don't have to be concerned about entering your real password into the search box."
Truth be told, my friends, this is actually how I learned about the breach involving my password some time ago.
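As an added example (this is not code from the original post, nor from Have I Been Pwned itself), here is the k-anonymity range lookup written out in Python. The endpoint `https://api.pwnedpasswords.com/range/{prefix}` and the `User-Agent` / `Add-Padding` headers are the real API; the function names, the injectable `fetch` parameter and the `SAMPLE_RANGE_5BAA6` response body are mine. The sample body is constructed for the demo and its counts are made up, but the first suffix really is the tail of the SHA-1 of the string "password", so the offline run shows a hit.

```python
import hashlib
import urllib.request

# Real endpoint: only the first 5 hex characters of the SHA-1 are ever sent to it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like ("SUFFIX:COUNT" per
# line). The counts are made up for the demo and are not real HIBP data; the
# third suffix is the genuine SHA-1 tail of the string "password".
SAMPLE_RANGE_5BAA6 = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E8B3D2A4C5F60718293A4B5C6D7E8F9A0B:0
"""


def split_hash(password: str) -> tuple:
    """SHA-1 the password, then split into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response locally for our suffix. Return its breach
    count, or 0 if absent (padding entries also carry a count of 0)."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live query over the network. HIBP requires a User-Agent; the optional
    Add-Padding header pads every response to a similar size so someone
    watching the encrypted traffic can't guess the prefix from its length."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_breach_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in Pwned Passwords.
    `fetch` is injectable so the matching logic can be exercised offline."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline run against the constructed sample response.
    print(password_breach_count("password", fetch=lambda p: SAMPLE_RANGE_5BAA6))
    # Live run (needs network):
    # print(password_breach_count("correct horse battery staple"))
```

The point to notice is that `fetch_range` receives only `prefix`; the full hash and the password itself are consumed entirely inside `split_hash` and `count_in_range`, which is what makes typing a real password into such a checker acceptable.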
Other Password Checking Sites
Avast Hack Check also promises to check whether your email address has turned up in a password leak.
DeHashed is a third site that goes deeper, searching not just for your password but also for your username, IP address, name, postal address, phone number and more. It appears aimed more at organizations than individuals, however, with paid plans that cover real-time monitoring.
Protecting your Passwords
I think we can all agree that when you create accounts across multiple exchanges, there are quite a few passwords to remember, and it can be hard to keep track of them all. That's why people are sometimes tempted to reuse the same password over and over for convenience, right? It isn't the smartest thing to do, to be sure (one leak then unlocks every account that shares it, which is exactly what credential-stuffing attacks count on), but I'll wager that a lot of people still do this even when they are aware of the risks.
We have also been advised that one of the worst things to do is to screenshot passwords or store them in an email, right? And we're told that writing them down on bits of paper mightn't be that clever because sometimes papers get lost and with them the passwords. So what then?
Well, you might have noticed that sometimes when you key in a password to an account, your web browser pops up with a friendly offer to manage them all, right? It happens with Chrome for sure, and also with Safari and Firefox. Personally, I don't trust them, but that's just paranoid me.
Some folk also recommend password managers.
A Look at Password Managers
According to Malwarebytes Labs, a password manager is "a software application designed to store and manage online credentials."
According to CNET: "A password manager is an online service that stores your passwords as well as other data like credit card numbers, bank account information and identification documents in an environment secured via military-grade encryption."
In addition to storing your passwords, a password manager also helps against phishing: it will only autofill a login on the exact site the credential was saved for, so a look-alike domain gets nothing. Pretty cool, right?
And just in case you're concerned about protection from the password manager itself, CNET assures that, "the top password managers use a zero-knowledge approach to securing your passwords and other information you store with them -- meaning that even the password manager itself can't access your passwords or other data, because everything is encrypted before it leaves your device."
Some well-known password managers include LastPass, KeePassXC, Bitwarden and 1Password. There are quite a few others, but for this article we'll just look at these four.
LastPass is one of the best-known and most widely used password managers out there. It offers free and paid individual and family plans as well as business plans, and lets you store and sync your passwords, login info and credentials across browsers and mobile devices. It's worth noting, though, that they have been breached in the past. There was a 2015 breach, and in 2019 Google's Project Zero team reported a browser-extension bug that could leak previously used credentials. Last year, some users were also reporting unauthorized login attempts, though the LastPass team maintained that this was not a breach but a technical error that triggered the alerts.
KeePassXC is free and open source, and runs on Windows, macOS and Linux (on Android and iOS you use a compatible KeePass app that opens the same database file). It comes highly recommended, but it has a steeper learning curve and is really geared more towards advanced users.
Bitwarden also enjoys an excellent security reputation. It's also open source, its free tier puts no limit on the number of stored passwords, with paid plans on top, and it works on Windows, macOS, Linux, Android and iOS, with browser extensions for Chrome, Firefox, Safari, Edge, Opera, Vivaldi, Brave and Tor.
Beyond an introductory 14-day trial there's no free plan with 1Password, though with packages starting at $2.99 a month it's relatively affordable. It works on Windows, macOS, Linux, Chrome OS, Android, iPhone and iPad, with browser extensions for Chrome, Firefox, Safari, Edge and Opera.
What About Two Factor Authentication?
2FA is another measure to consider for account protection, though I must confess that relying on SMS codes as your fallback isn't the wisest choice: an attacker who talks your carrier into moving your number onto their SIM (a SIM swap) then receives your codes, and SMS can also be intercepted in transit. And to go back to the opening topic, yes, I concede, the Coinbase issue was truly careless on my end.
There are third-party authenticator apps such as Google Authenticator and Microsoft Authenticator, which you install on your device and which are very effective. At setup the service shares a secret with the app (that's what the QR code contains), and from then on the app derives a fresh six-digit code from that secret and the current time every 30 seconds; nothing travels over the phone network, so there's no number to hijack. Some exchanges actually require a third-party authenticator before you can use their services. Here's a breakdown of how that works.
How Secure Are You?
And so, my friends, with so much of our lives and so many of our transactions conducted online, my question to you is this: how important is security for you?
How concerned are you about people having access to your passwords, your emails, or even, as in the case above, your accounts on a crypto exchange? When moving money between wallets and exchanges, what process do you use to ensure that your funds and your information are protected?
I'd love to get your feedback on this one, guys. I took the opportunity to share this personal journey with you because I believe we should truly work together to support each other as we grow in this evolving space, particularly when it comes to security, since many people moving into the cryptosphere may not have the technical know-how and expertise of more advanced users.
In my case, it was just a faux pas detected on an inactive account that had no funds, but it could have easily been another more distressing tale, and I'd hate it if any of my readers were so compromised. And so, my friends, let's help each other grow.
With that said, I'm off again. I think I'll spend some time this morning reviewing the security of my accounts before I head off in search of another story. As always, please remember to be safe.
Arrivederci!
This article was first posted to my Publish0x account as "My Coinbase Account was Compromised- Time to Strengthen those Passwords" where I write under the pseudonym- I-HODL.
Resources
https://www.usatoday.com/story/tech/tips/2022/04/03/how-to-know-if-you-were-hacked/7245424001/
https://www.cnet.com/tech/services-and-software/why-you-seriously-need-a-password-manager/
https://www.theverge.com/2021/12/28/22857485/lastpass-compromised-breach-scare
https://uniserveit.com/blog/authenticator-app-microsoft-or-google
I am a big user of Google Authenticator, and that's what I use mostly, or just 2FA, which I use sometimes too. We should just hope and pray we don't fall victim to a hack, so we don't lose important assets or information. I personally have two emails: one is for registering on websites I do not trust or doubt the security of, while the other is for trusted websites. I know, I am paranoid 😂😂😂😂