In light of the recent Coinbase “hack”, lets clear a few things up. The exchange was not hacked, USERS were hacked.
- Users are the easiest attack vector.
- Users reuse password/email combinations
- Users fall for phishing scams
- Users give away their passwords and private keys to shady websites
- Users do not make use of the available resources exchanges provide for users to protect themselves – eg 2 factor authentication, KYC and trusted withdraw addresses
- Users don’t check web addresses or security certificates
- Users forsake proper operational security for ease-of-access
While exchange hacks do sometimes happen, 99% of the time the fault lies with the user. The onus of exchanges is to complete requests for the authenticated users, the level of authentication is set through the security factors the user chooses to set up.
Users need to stop blaming exchanges for their own lack of operation security
What is Operation Security
Opsec is a term coming from the military, meaning “operational security”. In short, it describes the security precautions and attitudes that users should adopt to ensure they are operating/trading/transacting in a secure manner.
Some examples of opsec practices could include:
- Don’t re-use passwords between websites.
- Check your email address at https://haveibeenpwned.com to view historic privacy breaches
- Never copy paste your private keys/seed words on a computer you are not familiar with.
- Complete regular anti-malware scans on your computer.
- Do not store your private keys/seed words on the internet (email/dropbox etc)
- Use a hardware wallet (ledger/trezor).
- Never click on links in emails without checking the signed-by address
- When clicking links on the internet (even Google), double check the address & the security certificate are correct.
- If you use Gmail, use +label (eg myemailaddress+Coinbase@gmail) so you can identify leak origins in the future.
- Never give out personal information over the phone.
- Never respond to personal messages from users on reddit / discord / telegram etc.
If you aren’t going to take responsibility for the security of your investment, don’t try and shift the blame to others.