(Important!) Do you use exchanges? Enable 2FA!

Over the past few days, there has been a series of large-scale hacks of exchange accounts. The vast majority of cases are the result of two-factor authentication (2FA) not being enabled.

What is 2FA and why do I need it?

When using online banking, you enter your login and password to access your account, but when you make a transfer, the bank requires additional authentication in the form of an SMS code, a one-time password from a printed list, or a hardware token. Thanks to this, even if our password falls into the wrong hands, a third party cannot make a transfer without the one-time code. This is two-factor authentication. It is mandatory at banks, but on cryptocurrency exchanges it is unfortunately still optional, and many people do not turn it on!

In December 2017, the world learned of a leak of 1.4 billion mailbox passwords. There are 10 million Polish mailboxes on the list!

If an unauthorized person holding a database of emails and passwords gets into our mailbox and works out from the emails that we use cryptocurrency exchanges, they can use the exchange's email-based password recovery function without any trouble (unless, of course, we use two-factor authentication). Without 2FA enabled, a hacker who has access to our mailbox also has access to our funds on the exchange!

Manually browsing 10 million mailboxes would be time-consuming for hackers, but they can use bots that automatically log into the mailboxes and search the emails for the names of well-known exchanges. Everyone who uses exchanges has emails from them, e.g. received upon registration or asking to confirm a transfer. Identifying exchange users is therefore trivially simple. With bots, hackers quickly end up with a list of exchange users together with the leaked credentials of their mailboxes.

Maybe you are on this list too! Enable 2FA now!

Also remember to NEVER use the same password on different sites, and certainly not on those that determine the fate of your money! Often, databases of emails and passwords leak from many sites. If you use the same password in different places, sooner or later a tragedy will happen. If not because of the exchange itself, then because of the site where you used the same password.

If you use your exchange password on any other website, CHANGE IT NOW!

How to set up 2FA

Currently, most exchanges in the world (if not all) offer an additional 2FA security option, usually through the Google Authenticator application, which generates temporary one-time codes valid for a minute. Download the mobile application to your phone/smartphone (the safest choice, for security freaks, is an old smartphone restored to factory settings). After installing the application, scan the QR code that the exchange shows you. It is also worth writing down your private key (preferably on a piece of paper) in case you lose your phone. From now on, when logging in to the exchange, it will additionally ask for a 6-digit one-time code generated by the application on your mobile device. Even if a hacker breaks into your mailbox and uses the password recovery function, they will not be able to do anything without the one-time code.

It’s not just leaky mailboxes that are to blame for hacking. We can also have a Trojan/keylogger on our computer that can intercept our password. However, with 2FA, a hacker won’t be able to use the password (unless we also have a virus on our phone, which is less likely).

If you’ve made it to the end of the article and don’t have 2FA enabled on your exchange or exchanges, check now whether you still have funds on them. If you do, fate has been very kind to you, but don’t tempt it: set up 2FA now! If your mailbox offers a 2FA option, use it as well.

If you want, you can check if your email password has been leaked here: haveibeenpwned.com, but remember that the list may be incomplete/outdated.