If You Use Google for Everything, Make Sure You’re Super Locked Down — Especially Coinbase
Published July 15, 2025
by Joel Bomgar
YouTube Video Transcript
00:01 Hey everyone, I wanted to talk about a specific attack vector that I think introduces greater vulnerability than just about any other with regard to having cryptocurrency attacked or hacked. And that is if you are using Google for everything, including your email address, your password manager and your two-factor authentication. So here's what that means. This is especially a problem if you are using a password for your Google email account that you've used anywhere else. So let me tell you how a hacker would do this.

00:35 Hackers are constantly finding data leaks, right? Every random company, from Men's Wearhouse to the major credit ratings agencies, is constantly getting data leaks that are leaking email addresses and sometimes passwords. Well, the very first thing an attacker is going to do anytime they can find a data leak that involves email addresses and passwords is go through and look at all the Gmail addresses, anybody who's got a Google email account, and try all of the different passwords that they can find that are associated with that email address to see if they can gain access to the Google account itself.

01:19 Now, if you have two-factor authentication enabled on your Google account, meaning you have to get a text message texted to you, then you're probably good, because they're not going to be able to compromise your Google account. Although, well, they just have to jump through a bunch of extra steps to try to compromise your cell phone. They do that with something called SIM swapping, which is where they basically go to AT&T or Verizon or wherever and try to sweet talk them into porting the number to a new phone, claiming to be you. And if they're successful in doing that, of course, the two-factor authentication codes that you get will come to them instead of to you. And that's a problem. But that's a lot more work. So let's assume that they are not going to go through that much work.

01:58 Okay? So, if they gain access to email addresses and passwords, then they're going to go through all the Gmail email addresses and they're going to try the passwords on Gmail, hoping that you do not have two-factor authentication enabled on your Google account, which you should. Everything needs two-factor authentication, meaning in addition to a username and password, you are texted a code or you use an authenticator app to get a code. But anyway, so they're going to try. It doesn't matter what the compromise was. It doesn't matter if it's a loyalty account for Pokémon trading cards. They're going to try that account. If it's a Gmail account, they're going to try that and hope that you use the same password for Pokémon Go as you did for your Google account.

02:46 So rule number one is never, never, never reuse passwords. Use a password manager. There's a bunch of them: LastPass, 1Password. Google has one built in. Microsoft has one built in. Apple has one built into the core operating system. But use a password manager. You should never be using the same passwords across different sites, because that way if one of those passwords is compromised on one site, they can use it to log into other sites. And the one that attackers really want to get hold of is your Google account. They want your Google email address password. That is very important to them. The reason for that is the hackers are hoping that you are using the Google password manager, which means if they can compromise your email address login, then that also gives them access to your password manager and all of the passwords you have stored in there, which are bank accounts, Coinbase, whatever else you've got in there.

03:42 And the other thing, too, is two-factor authentication. A lot of these websites have two-factor authentication and they recommend Google Authenticator. Well, by default, Google Authenticator backs up to the Google Cloud, which means if an attacker has access to your Google account, they have access to your Google passwords and they have access to your Google Authenticator backup, which of course means they have access to two-factor authentication, which basically gives them access to everything.

04:11 So how do you mitigate this risk? One, make super sure that two-factor authentication is enabled for your Gmail account. If you are using a Gmail account or any email address associated with Google, which I think is basically just Gmail, make sure you have two-factor authentication enabled on that email address so that a hacker who gets hold of your password for Google cannot get in just with your password. Second, don't ever reuse the same password for any websites, but especially your Google email login. You definitely need to make sure you're not using the same password for your Google login to Gmail that you're using for your other website logins. Otherwise, again, if one of those other passwords gets compromised, by definition, they'll be able to get access to your Google account.

05:00 Third, it's more complicated, but you can also turn off the automatic backup of two-factor authentication in the Google Authenticator app. But the problem is then if you change phones and you forget to move it over, you're going to have a royal pain of a time trying to get logged back into all the different websites that require two-factor authentication. So a lot of people are reluctant to turn off the cloud backup on the Google Authenticator app, because if they forget to port it over when they change phones, or if they lose their phone, then it's going to be a lot of work to get logged back into all those websites. It'll be worth it because it's more secure, but still, it's a lot of work.

05:37 So what's the easiest thing you can do to mitigate all of this? Well, the easy things are: make sure your Gmail account password is different than any password you're using anywhere else. And second, make sure that two-factor authentication is enabled on your Gmail account. Those are the two absolute low-hanging fruit, easy to do, no-reason-not-to things. Other than that it gets more complicated, because if you turn off cloud backup on Google Authenticator, again, then you don't have a good backup of it unless it's replicated to a loved one's phone or something like that. But even if you do that, then if you add new two-factor authentication in the future, it's not backed up by default unless you go manually back it up to the phone of a loved one or something like that.

06:25 But the easy solution here is buy the Bitkey device. So, this video is not about Bitkey, but Bitkey does solve all of these problems. The beautiful, incredibly secure architecture of Bitkey keeps any of those bad things from happening. And none of the attack vectors that can be used for the other avenues, none of them work with Bitkey. Bitkey is just way more secure. So if you get a Bitkey, then if your account does get compromised somehow, it doesn't matter that much, because only a small percentage of your total Bitcoin is subject to that compromise. So Bitkey is the magic solution to all of this.

07:01 I've talked before about Coinbase Vault, which is really good. But if somebody compromises your Gmail account, the Coinbase Vault doesn't do you very much good, because if they have control of your email address, then they are just going to delete the emails from Coinbase Vault that tell you that the vault's being unlocked. So, if they have access to your Coinbase account or your Gmail account, then they can run that exploit.

07:28 So let me walk through how exactly the hackers would run that exploit, just so you can see. All right. So, first of all, they're going to go on the dark web and they're going to look for email addresses and passwords. They're going to down-select that to only Gmail accounts. They're going to take all of the Gmail accounts they have access to and all the passwords that were leaked that are associated with those Gmail accounts for all sorts of different random websites, and they're going to try all of those to see if they can get them to work as your Google password. They are hoping that you have the same password set for your Gmail account as you do for some other random website that got hacked, and then they're hoping you don't have two-factor authentication turned on for your Gmail account.

08:08 So, let's assume that they are successful, that some random hack on Men's Wearhouse ends up being the same password as your Gmail account and that you don't have two-factor authentication set up on Gmail. If that's the case, then the username and password of your Gmail account, the password from Men's Wearhouse, which is the same one that you used when you set up Gmail, is going to get them into your Google account. The first thing they're going to do when they log into your Google account is go to your Google passwords to see what passwords they have access to. Any sort of financial, especially cryptocurrency, they're going to immediately turn around and use your password manager to try to log into those accounts. As soon as they get hit with two-factor authentication, they are not going to have access automatically to your phone. I presume, I don't know how this works on Android phones, but certainly on an iPhone, they would not have access to codes that are sent to your phone. I don't know how that works on Android, but on iPhone, they would not. But they would look for something where they can use your password manager to log into your Coinbase account, hoping that you are using Google Authenticator as your two-factor authentication, which of course, if they've compromised your Google account, then they not only have access to your Google passwords but they also have access to the backup of your Google Authenticator, which would then give them access to everything.

09:33 So that is what a hacker will do. They are hoping you're reusing a password on your Gmail account. They will use that to compromise your Gmail account if you don't have two-factor authentication enabled. And then they will use your password manager and your two-factor authentication from Google Authenticator, if that's backed up to your Google account. They will use all of that to compromise your accounts and try to drain your accounts. So the magic answer to all of that is Bitkey.

10:06 Bitkey is the magic solution to all of that. If you're not ready to go down that road yet, the second best solution is just making sure your Google account is super locked down. Make sure that the password you're using to log into your Google Gmail account is different than anything you use anywhere else. Make sure that you've never, never used that password before for anything else, and make sure two-factor authentication is turned on for your Google account so that there's no way they can just get in with just a password.

10:33 So that's the quick primer on this. The real solution is Bitkey, but you can at least make yourself a lot more secure by making sure that two-factor authentication is turned on and that the password you use to access your Gmail account is not used anywhere else. Otherwise, if it's compromised somewhere else, it will automatically be immediately used to try to gain access to your Google account. But again, the right solution for the long term is Bitkey, because it's amazing and it's super easy to use. People are intimidated by new things and I totally get that. But if you're willing to spend $99, Bitkey is by far the most elegant, secure way of securing your Bitcoin in a way that hackers and scammers will never gain access to it. And it's just super slick, super straightforward, super elegant. It's just a brilliantly, brilliantly, brilliantly designed device, and it works really amazingly well.

11:25 So, good luck on your journey. Happy to answer any questions as always.
Disclaimer:
The content provided in this post is for educational purposes only. It should not be considered financial, investment, or trading advice. I am not a licensed financial advisor, and all opinions expressed are my own. Always conduct your own research and consult with a qualified financial advisor before making any investment decisions. Investing in Bitcoin or any other assets carries risk, and you should never invest more than you can afford to lose.