Binance conviene? [Scopri tutta la verità prima di ...

Posted this on Coinbase and someone recommend it also be posted here. The information below on an attempted SIM swap attack was pieced together through a combination of login and security logs, recovering emails initiated by the attacker that were deleted and then deleted again from the trash folder, and learning from AT&T’s fraud representatives. The majority if this is factual, and we do our best to note where we are speculating or providing a circumstantial suspicion. TLDRs at the bottom.
The full story:
We were going about our business and received a text from AT&T that says “…Calls & texts will go to your new phone/SIM card. Call 866-563-4705 if you did not request.” We did not request this, and were suspicious that the text itself could be a phishing scam since we searched the phone number and it wasn’t overtly associated with AT&T. Thus, we tried calling AT&T’s main line at 611 but all we hear is beep beep beep. The phone number is already gone. We use another phone to call AT&T and at the same time start working on our already compromised email.
While we didn’t see everything real time, this is what the recovered emails show. In less than 2 minutes after receiving the text from AT&T, there is already an email indicating that the stolen phone number was used to sign into our email account associated with Coinbase. 2 minutes after that, there is an email from Coinbase saying:
"We have received your request for password reset from an unverified device. As a security precaution, an e-mail with a reset link will be sent to you in 24 hours. Alternatively, if you would like your password reset to be processed immediately, please submit a request using a verified device.
This 24 hour review period is designed to protect your Coinbase account."
This is where Coinbase got it right to have a 24 hour review period (actually a recovery period) before allowing the password to be reset. However, the attackers knew this and planned to steal the second email from Coinbase by setting email rules to forward all emails to a burner address and also have any emails containing “coinbase” re-routed so they don’t appear in the Inbox. 5 minutes later, they request a password reset from Gemini and the password was reset to the attacker’s password within a minute after that. The next minute they target and reset DropBox’s password followed immediately with Binance. Less than 2 minutes later, an email from Binance indicates that the password has been reset and another email arrives a minute later indicating a new device has been authorized.
It’s at this point that we begin locking the attacker out by (1) removing the phone number as 2FA (2) changing the email password, (3) and three forcing a logout of all sessions from the email. There was a bit of back and forth where they still had an active login and re-added the stolen phone number as 2FA.
They added only one more password reset to a gaming account that was not deleted. I can only suspect that was a decoy to make it look like the attack was directed at gaming rather than finances.
The Gemini and Binance accounts were empty and effectively abandoned, with no balances and inactive bank accounts (if any), and no transactions in 1-3 years. DropBox had no meaningful files (they probably look for private keys and authenticator backups) and the phone number they stole from us was suspended, so as far as the attacker is concerned, there is no meat on this bone to attack again… unless they had inside information.
This is where I suspect someone internal at Coinbase receiving wire deposits has been compromised in tipping off ripe accounts – accounts with new and somewhat large balances. We had completed a full withdrawal of funds from Coinbase earlier in the year, and had a balance of less than $20 heading into May. Deposits to Coinbase staggered in to get above six figures through mid-May then stopped. The attack occurred 7 days after the last large wire deposit was made to Coinbase.
From the perspective of an attacker that had no inside information, we were a dead end with abandoned Gemini and Binance accounts with zero balances and stale transactions, no DropBox information, and the suspended phone number access. Our Coinbase deposits were known to no one except us, Coinbase, and our bank. We were also able to stop the hacker’s email forwarding before Coinbase’s 24 hour period to send the password reset, so this one didn’t work out for the attackers and it would make sense for them to move on to the next rather than put efforts into a second attack only for Coinbase - for what would appear to be a zero-balance Coinbase account based on the other stale accounts.
Then…23 hours and 42 minutes after the first attack, another message from AT&T “…Calls & texts will go to your new phone/SIM card. Call 866-563-4705 if you did not request.” Here we go again. We had been confident in AT&T’s assurances that our account had been locked and would not be SIM swapped again, so we unwisely added the phone number back to our email account as a backup (it’s now removed permanently and we use burner emails for account recovery like we should have all along).
Upon seeing that our phone number had been stolen again I knew they were after the Coinbase reset email that was delayed by 24 hours from Coinbase as part of their security. We did 4 things within 2 minutes of that text: (1) removed the phone number again from the email account – this time for good, (2) market sell all Bitcoin on Coinbase, (3) withdraw from Coinbase, (4) have AT&T suspend service on the phone line.
In speaking with AT&T, they were floored that our SIM would be transferred again in light of all the notes about fraud on the account and the PIN being changed to random digits that had never been used by us before. Based on the response of disbelief from AT&T on the second port, I suspect that this attack also involved a compromised AT&T employee that worked with the attacker to provide timely access to the Coinbase password reset email. Apparently, this has been going on for years: https://www.flashpoint-intel.com/blog/sim-swap-fraud-account-takeove
with phone carrier employees swapping SIMs for $80s a swap.
Remember that most of this was hidden in real time, and was only known because we were able to recover emails deleted from Trash by the attacker.
Since we require any withdrawals to use Google Authenticator on Coinbase, our funds may have been secure nonetheless. However, under the circumstances with attackers that were apparently working with insiders to take our phone number twice in attempts to steal Bitcoin, and it being unknown if they had additional tools related to our Google Authenticator, we decided it was safer on the sidelines. The coins were held on the exchange for a quick exit depending on whether Bitcoin was going to break up or down from $10,000. A hardware wallet is always safest, but we were looking to time the market and not have transaction delays.
For some some security recommendations:
AT&T: If you are going to send a text saying that calls and texts are moving to a new number, provide a 10 minute window for the phone number to reply with a “NO” or “STOP” to prevent the move. This can escalate the SIM dispute to more trusted employees to determine who actually owns the line. Don’t let entry level employees swap SIMs.
Coinbase: Do not default to phone numbers as 2FA. Also, if someone logs in successfully with the password before the 24 hours are up, the password is known and there is no need to send the password reset email again for attacker to have forwarded to them. At least have an option to stop the password reset email from being sent. We did not tag our account at Coinbase with fraud because of the stories of frozen funds once an account is tagged. I’m not sure what the solution is there, but that is another problem.
Being a trader, it would be nice to think of Coinbase as any other type of security brokerage where your assets are yours (someone can’t steal your phone number and transfer your stocks to their account). We fell into that mindset of security, yet this experience has reminded us of the uniqueness of cryptocurrency and the lack of custodial assurance and insurance from exchanges because of the possession-is-everything properties of cryptocurrency.
As many have said before, 2FA with a phone number quickly becomes 1-factor authentication as soon as that phone number is associated with password recovery on your email or other accounts. Our overall recommendation is to avoid having a phone number associated with any recovery options across all your accounts.
TLDR on the process:
Scammers will steal your phone number (in our case twice in 24 hours) and use your phone number to access your email and accounts. They will use your email to reset passwords at financial accounts and file hosting such as DropBox. They will then use that combination to transfer any assets they can access from your accounts to theirs. They will do their best to hide this from you by
(1) not resetting your email password so as to raise suspicion,
(2) immediately delete any password reset emails you may receive from financial accounts to hide them from you,
(3) attempt to forward all emails sent to your address to a burner email, and
(4) set email rules to forward emails containing “coinbase” to an email folder other than your Inbox so that you don’t see the transactions and password reset emails that arrive to your inbox.
TLDR on defense tips: If your phone stops working or you receive a text of your number being ported do the following as soon as possible:
(1) log into your email account(s) associated with your financial accounts and remove your phone number as 2FA immediately
(2) change your email password,
(3) force a logout of all sessions from your email (at this point you have locked them out), then
(4) check your mail forwarding settings for forwards to burner addresses,
(5) check your mail rules for rerouting of emails from accounts such as Coinbase, and
(6) call your carrier to have them suspend service on your lost phone number and ask them to reinstate your SIM or get a new SIM. This will require a second phone because your personal phone number has been stolen.
We hope this helps some others be safe out there in protecting their coins. The more we know, the more we can protect ourselves. Wishing you all the best!

The information below on an attempted SIM swap attack was pieced together through a combination of login and security logs, recovering emails initiated by the attacker that were deleted and then deleted again from the trash folder, and learning from AT&T’s fraud representatives. The majority if this is factual, and we do our best to note where we are speculating or providing a circumstantial suspicion. TLDRs at the bottom.
The full story:
We were going about our business and received a text from AT&T that says “…Calls & texts will go to your new phone/SIM card. Call 866-563-4705 if you did not request.” We did not request this, and were suspicious that the text itself could be a phishing scam since we searched the phone number and it wasn’t overtly associated with AT&T. Thus, we tried calling AT&T’s main line at 611 but all we hear is beep beep beep. The phone number is already gone. We use another phone to call AT&T and at the same time start working on our already compromised email.
While we didn’t see everything real time, this is what the recovered emails show. In less than 2 minutes after receiving the text from AT&T, there is already an email indicating that the stolen phone number was used to sign into our email account associated with Coinbase. 2 minutes after that, there is an email from Coinbase saying:
"We have received your request for password reset from an unverified device. As a security precaution, an e-mail with a reset link will be sent to you in 24 hours. Alternatively, if you would like your password reset to be processed immediately, please submit a request using a verified device.
This 24 hour review period is designed to protect your Coinbase account."
This is where Coinbase got it right to have a 24 hour review period (actually a recovery period) before allowing the password to be reset. However, the attackers knew this and planned to steal the second email from Coinbase by setting email rules to forward all emails to a burner address and also have any emails containing “coinbase” re-routed so they don’t appear in the Inbox. 5 minutes later, they request a password reset from Gemini and the password was reset to the attacker’s password within a minute after that. The next minute they target and reset DropBox’s password followed immediately with Binance. Less than 2 minutes later, an email from Binance indicates that the password has been reset and another email arrives a minute later indicating a new device has been authorized.
It’s at this point that we begin locking the attacker out by (1) removing the phone number as 2FA (2) changing the email password, (3) and three forcing a logout of all sessions from the email. There was a bit of back and forth where they still had an active login and re-added the stolen phone number as 2FA.
They added only one more password reset to a gaming account that was not deleted. I can only suspect that was a decoy to make it look like the attack was directed at gaming rather than finances.
The Gemini and Binance accounts were empty and effectively abandoned, with no balances and inactive bank accounts (if any), and no transactions in 1-3 years. DropBox had no meaningful files (they probably look for private keys and authenticator backups) and the phone number they stole from us was suspended, so as far as the attacker is concerned, there is no meat on this bone to attack again… unless they had inside information.
This is where I suspect someone internal at Coinbase receiving wire deposits has been compromised in tipping off ripe accounts – accounts with new and somewhat large balances. We had completed a full withdrawal of funds from Coinbase earlier in the year, and had a balance of less than $20 heading into May. Deposits to Coinbase staggered in to get above six figures through mid-May then stopped. The attack occurred 7 days after the last large wire deposit was made to Coinbase.
From the perspective of an attacker that had no inside information, we were a dead end with abandoned Gemini and Binance accounts with zero balances and stale transactions, no DropBox information, and the suspended phone number access. Our Coinbase deposits were known to no one except us, Coinbase, and our bank. We were also able to stop the hacker’s email forwarding before Coinbase’s 24 hour period to send the password reset, so this one didn’t work out for the attackers and it would make sense for them to move on to the next rather than put efforts into a second attack only for Coinbase - for what would appear to be a zero-balance Coinbase account based on the other stale accounts.
Then…23 hours and 42 minutes after the first attack, another message from AT&T “…Calls & texts will go to your new phone/SIM card. Call 866-563-4705 if you did not request.” Here we go again. We had been confident in AT&T’s assurances that our account had been locked and would not be SIM swapped again, so we unwisely added the phone number back to our email account as a backup (it’s now removed permanently and we use burner emails for account recovery like we should have all along).
Upon seeing that our phone number had been stolen again I knew they were after the Coinbase reset email that was delayed by 24 hours from Coinbase as part of their security. We did 4 things within 2 minutes of that text: (1) removed the phone number again from the email account – this time for good, (2) market sell all Bitcoin on Coinbase, (3) withdraw from Coinbase, (4) have AT&T suspend service on the phone line.
In speaking with AT&T, they were floored that our SIM would be transferred again in light of all the notes about fraud on the account and the PIN being changed to random digits that had never been used by us before. Based on the response of disbelief from AT&T on the second port, I suspect that this attack also involved a compromised AT&T employee that worked with the attacker to provide timely access to the Coinbase password reset email. Apparently, this has been going on for years: https://www.flashpoint-intel.com/blog/sim-swap-fraud-account-takeove with phone carrier employees swapping SIMs for $80s a swap.
Remember that most of this was hidden in real time, and was only known because we were able to recover emails deleted from Trash by the attacker.
Since we require any withdrawals to use Google Authenticator on Coinbase, our funds may have been secure nonetheless. However, under the circumstances with attackers that were apparently working with insiders to take our phone number twice in attempts to steal Bitcoin, and it being unknown if they had additional tools related to our Google Authenticator, we decided it was safer on the sidelines. The coins were held on the exchange for a quick exit depending on whether Bitcoin was going to break up or down from $10,000. A hardware wallet is always safest, but we were looking to time the market and not have transaction delays.
For some some security recommendations:
AT&T: If you are going to send a text saying that calls and texts are moving to a new number, provide a 10 minute window for the phone number to reply with a “NO” or “STOP” to prevent the move. This can escalate the SIM dispute to more trusted employees to determine who actually owns the line. Don’t let entry level employees swap SIMs.
Coinbase: Do not default to phone numbers as 2FA. Also, if someone logs in successfully with the password before the 24 hours are up, the password is known and there is no need to send the password reset email again for attacker to have forwarded to them. At least have an option to stop the password reset email from being sent. We did not tag our account at Coinbase with fraud because of the stories of frozen funds once an account is tagged. I’m not sure what the solution is there, but that is another problem.
Being a trader, it would be nice to think of Coinbase as any other type of security brokerage where your assets are yours (someone can’t steal your phone number and transfer your stocks to their account). We fell into that mindset of security, yet this experience has reminded us of the uniqueness of cryptocurrency and the lack of custodial assurance and insurance from exchanges because of the possession-is-everything properties of cryptocurrency.
As many have said before, 2FA with a phone number quickly becomes 1-factor authentication as soon as that phone number is associated with password recovery on your email or other accounts. Our overall recommendation is to avoid having a phone number associated with any recovery options across all your accounts.
TLDR on the process:
Scammers will steal your phone number (in our case twice in 24 hours) and use your phone number to access your email and accounts. They will use your email to reset passwords at financial accounts and file hosting such as DropBox. They will then use that combination to transfer any assets they can access from your accounts to theirs. They will do their best to hide this from you by
(1) not resetting your email password so as to raise suspicion,
(2) immediately delete any password reset emails you may receive from financial accounts to hide them from you,
(3) attempt to forward all emails sent to your address to a burner email, and
(4) set email rules to forward emails containing “coinbase” to an email folder other than your Inbox so that you don’t see the transactions and password reset emails that arrive to your inbox.
TLDR on defense tips: If your phone stops working or you receive a text of your number being ported do the following as soon as possible:
(1) log into your email account(s) associated with your financial accounts and remove your phone number as 2FA immediately
(2) change your email password,
(3) force a logout of all sessions from your email (at this point you have locked them out), then
(4) check your mail forwarding settings for forwards to burner addresses,
(5) check your mail rules for rerouting of emails from accounts such as Coinbase, and
(6) call your carrier to have them suspend service on your lost phone number and ask them to reinstate your SIM or get a new SIM. This will require a second phone because your personal phone number has been stolen.
We hope this helps some others be safe out there in protecting their coins. The more we know, the more we can protect ourselves. Wishing you all the best!

Note: the URLs below are intentionally not links, because reddit blocks posts with some links; copy & paste the URL into a new browser window. Let me know if one of the offers is expired; I can probably get a new one.
American Express Platinum, or any other Amex card: refer.amex.us/STEPHGa64I
That's a universal Amex link; click "View all Cards with a Referral Offer" or "Explore other options" to see all the cards; or see direct links below.
Chase Freedom Unlimited or Chase Freedom Flex: referyourchasecard.com/18f/9J0WMSJMOF
Discover It: refer.discover.com/s/aajw3s
Discover It Miles: refer.discover.com/s/discoverp
Service Credit Union $75 bonus: servicecu.royalreferralcenter.com/register?token=5fa459925bc23&via=tw (first join ACC (use code "SERVICE" to waive $5 fee) to be eligible: americanconsumercouncil.org/membership.asp)
One Finance (savings accounts, get $20 when deposit $100, $5 when install app, $5 when use debit card first time): share.onefinance.com/invite/StephenG/c826f427
SoFi Money: sofi.com/invite/money?gcp=4c18ffe3-fa7c-4d78-8683-d6376e8fa364
SoFi student loan refi, or personal loan: sofi.com/share/3156511
Yotta Savings: withyotta.page.link/akhdD5RZ2QYsnyBx5 code: STEPHEN8
PrizePool Savings: links.getprizepool.com/Nq6wtv7Wvab code: MB13B (gives you 10% bonus on winnings; enter the code in the app when creating an account, on the page that asks for your date of birth)
Fluz: joinfluz.app.link/FLUZ77
Chase Checking account: accounts.chase.com/raf/share/355088785
Plastiq: try.plastiq.com/1048197
DCU (Digital Federal Credit Union): send me a message with your email address
E*TRADE brokerage: refer.etrade.net/etrade7
Webull brokerage app: act.webull.com/promotion/invitation/share.html?inviteCode=GtykbApaHMKm
Robinhood: share.robinhood.com/stepheg643
Firstrade brokerage (get a free stock): share.firstrade.com/StephenVKOZ
Juno Bank: bankonjuno.com/referral/STEPsLeD
Schwab Brokerage: schwab.com/public/schwab/nn/promo/refer-prospect.html?refrid=REFER3S78B or code: REFER3S78B
TurboTax Online 20% off: fbuy.io/qv59t76z
tastyworks brokerage: start.tastyworks.com/#/login?referralCode=ZHB8MT9VT4
Instacart: inst.ct/Y3BSZzgzb3FQ or code: IUSER54F18E
Uber: uber.com/invite/pezyj or code: pezyj
Uber Eats promo code ($7 off first order): eats-pezyj
Lyft: sg1234567
Square Cash (Cash App): cash.me/app/XXTBXJR (get $15 when you send $5 to someone)
Away (luggage): refer.awaytravel.com/v/away_11
​
Brinks prepaid mastercard & 5% savings account: brinksprepaidmastercard.com/get-a-prepaid-card/?aid=B_RAF_1&site_id=RAF_OAC_URL&uref=9079942135
ACE Elite prepaid card & 5% savings account: aceelitecard.com/get-a-prepaid-card/?aid=ACE_RAF_1&site_id=RAF_OAC_URL&uref=8304960094
Netspend prepaid card & 5% savings account: mynetspendcard.com?uref=1394182596
​
Personal Capital: share.personalcapital.com/x/XD87nM
TradingView: tradingview.com/chart?offer_id=10&aff_id=13733
​
Pei app: getpei.com/invite enter code: imkbip
Dosh app: link.dosh.cash/STEPHEG1 or code: STEPHEG1
Drop app: b.ewd.io/code?c=0us2i or code: 0us2i
Ibotta app: ibotta.com/az36ka or code: az36ka
Checkout 51 app: checkout51.app.link/OhdB48ik8Q
Fetch Rewards app: fetchrewards.com code: J5BCY (enter in app)
Shopkick app: getsk.co/cool014385 or code: COOL014385
ReceiptPal app: app.adjust.com/oqlq9t9?label=8RT7PR2
Grubhub: fbuy.me/kT5Mu
DoorDash: drd.sh/CFo8LW/
Freshly: send me a message and I'll give you a link
OhmConnect: ohm.co/ohmg1
​
BeFrugal: befrugal.com/referral/?ref=GASGOAF
Affinityy: affinityy.com/?ref=MTY2ODM=
TopCashBack: topcashback.com/ref/sgt7
Extrabux: extrabux.com/5cb27229d7
MrRebates: mrrebates.com?refid=484053
Rakuten / Ebates rakuten.com/717813?eeid=28187
Giving Assistant: givingassistant.org/?rid=QjGx2mHU9l
iConsumer: iconsumer.com/tkJgfiO or code: tkJgfiO
Swagbucks: swagbucks.com/refesg77
SimplyBestCoupons: simplybestcoupons.com/?refid=60199
rebatesme: rebatesme.com/refer?uid=134250
Fuel Rewards (Shell): fuelrewards.com/fuelrewards/welcome.html?RefId=e7908f3dce4d47f39bbd46ff4e38acb6
GoCashBack: www.gocashback.com/1860530 or code JBYYVF
Fold: use.foldapp.com/Cv9HMujj (buy gift cards and get bitcoin back)
Lolli: lolli.com/ref/PjzxLWQJNg (portal that pays bitcoin)
Goodshop (cashback portal): www.goodshop.com/invite/4505068 (gives you a bonus based on cashback that people you refer earn)
Groupon: groupon.com/visitor_referral/h/4d0155fb-db60-413e-87ac-4fc26ef7fe05
Zola (create a registry and buy $50 from it, get $50 credit): www.zola.com/invite/zola20200414031329708
AwardWallet: awardwallet.com/?refCode=3cdbq14qs7
​
Supercuts (we each get $5 off): supercutsrewards.com/short.php?code=1H1F
DraftKings: draftkings.com/sgdrk
Ace Rewards (Ace Hardware): acehardwareapp.page.link/Fc9u
Dropbox: db.tt/OQV2OLnKdR
Boxed: boxed.com/invite/6IG3R
simplehuman.com ($10 off $20): rwrd.io/hi6ci9l?c
Purple mattress: share.purple.com/x/pGCY9k
PlushBeds: refer.plushbeds.com/Stephen6
​
Gemini exchange: gemini.com/share/o24jdk
Coinbase: send me a message
Coinbase Earn (free EOS): coinbase.com/earn/eos/invite/pm1695kv
Coinbase Earn (free XLM): coinbase.com/earn/xlm/invite/vr821z4m
Voyager: go.onelink.me/4gTreferral?af_sub5=STESS7 or code: STESS7 (crypto broker; trade $100 and both people get $25 in BTC)
LVL exchange ($10 free bitcoin): lvl.co/qswwx6qb or invite code qswwx6qb
bitFlyer exchange (no bonus for you, gives me a small bonus): bitflyer.com/en-us?affi=n5sshohk
Binance.US exchange (for US residents): binance.us/?ref=35012844 or Referral ID: 35012844
ShapeShift: signup.shapeshift.com/?mwr=8589-e0bb8d9b
Bittrex exchange (no bonus for you, gives me 10% of your commissions): bittrex.com/Account/Register?referralCode=FYS-2DK-G23 or code FYS-2DK-G23
Paxful (trade bitcoin for discounted gift cards, etc): paxful.com/?r=VX5Ywx44LkA
Purse.io: purse.io/?_r=5MyAl0 (discounts at amazon if pay with bitcoin; referral bonus $5 if spend $100)
p2pb2b exchange: p2pb2b.io/referral/1a955c5a-7f08-43f5-8367-bfa524c4bd88
freebitcoin (faucet / dice game): freebitco.in/?r=9293862
TREZOR hardware wallets: shop.trezor.io/?offer_id=10&aff_id=1230
Ledger hardware wallets: ledger.com?r=4ef2e7aeee27
​
Or if you just want to send me a donation:
BTC: 3G4JZx3KgT7djgGk6KUbUn7cZ31BbtYf2r
LTC: LR6hgNSy2ZkS7PHtAm1xcJmPy6YyQJha7d
ETH: 0x6fb827db4969d762b62345168ef559CF8194680B
XMR: 48WwtRnERgMA3pHjDVp1PpZn1eDs4tYL2adghbBJ8zdp3MjoyMZtTXQ2dKAq465jVgJdQvDp5eShkbnCmfj8vJB1MqJmPRZ
​
Card-specific American Express links (also see universal Amex link above, if one of these doesn't work):
Personal Amex cards:
Amex Blue Cash Preferred
Amex Blue Cash Everyday
Amex Cash Magnet
Amex Everyday
Amex Everyday Preferred
Amex Gold
Amex Platinum
Amex Delta Gold SkyMiles
Amex Marriott Bonvoy Brilliant
Amex Green
Amex Delta Platinum SkyMiles
Amex Hilton Surpass
Amex Hilton Honors Aspire
Amex Hilton Honors
Amex Delta Blue SkyMiles
Amex Delta Reserve
Business Amex cards:
Amex Business Gold Rewards
Amex Business Platinum
Amex Blue Business Plus (BBP)
Amex Blue Business Cash
Amex Business Green Rewards
Amex Delta Platinum Business
Amex Delta Gold Business
Amex Delta Reserve Business
Amex Hilton Honors Business
Amex Plum
Amex Lowe's Business Rewards
Amex Marriott Bonvoy Business
Amex Amazon Business Prime (I no longer have this card open, but the link still shows a bonus for you)