00:01 Hey everyone, I wanted to talk about a
00:03 specific attack vector that I think is
00:05 greater introduces greater vulnerability
00:08 than just about any other with regard to
00:10 having cryptocurrency attacked or hacked
00:13 or etc. And that is if you are using
00:16 Google for everything including your
00:18 email address, your password manager and
00:21 your two-factor authentication. So um
00:24 here’s what that means. If uh this is
00:26 especially a problem if you are using a
00:28 password for your Google email account
00:31 that you’ve used anywhere else. So let
00:34 me tell you how a hacker would do this.
00:35 So hackers are constantly uh finding
00:38 data leaks, right? I mean you know
00:40 everything every random company from
00:41 Men’s Wearhouse to you know the major um
00:45 credit ratings agencies they’re they’re
00:47 constantly getting data leaks that are
00:49 leaking you know email addresses and
00:51 sometimes passwords. Well, the very
00:53 first thing an attacker is going to do
00:55 anytime they can find a data leak that
00:57 involves uh email addresses and uh
01:00 passwords is they’re going to go try
01:02 those same user uh that same uh first
01:05 they’re going to go through and they’re
01:06 going to look at all the Gmail
01:07 addresses. Anybody who’s got a Google
01:08 email account and they’re going to try
01:10 all of the different passwords that they
01:12 can find that are associated with that
01:14 email address to see if they can gain
01:16 access to the Google account itself. Uh,
01:19 now if you have two-factor
01:20 authentication enabled on your Google
01:22 account, meaning you have to get a, you
01:24 know, a text message texted to you, then
01:26 you’re probably good because they’re not
01:28 going to be able to compromise your
01:29 Google account. Although, well, they
01:30 they just have to jump through a bunch
01:32 of extra uh steps to try to compromise
01:34 your cell phone. Uh, they do that with
01:36 something called SIM swapping, which is
01:38 they basically go to AT&T or Verizon or
01:41 wherever and try to sweet talk them into
01:43 porting the number to a new phone
01:44 claiming to be you. And if they’re
01:47 successful in doing that, of course, the
01:48 two-factor authentication codes uh that
01:51 you get will come to them instead of to
01:53 you. And that’s a problem. But that’s a
01:55 lot more work. So let’s assume that they
01:56 are not going to go through that much
01:58 work. Okay? So, if if they gain access
02:00 to usern to email addresses and
02:03 passwords, then they’re going to go
02:04 through all the Gmail uh email addresses
02:07 and they’re going to try the passwords
02:09 on Gmail hoping that you do not have
02:12 two-factor authentication enabled on
02:14 your Google account, which you should.
02:16 Everything needs two-factor
02:17 authentication, meaning in addition to a
02:19 username and password, you are texted a
02:22 code or you use an authenticator app to
02:25 uh to get a code. Um but anyway, so but
02:28 uh so they’re going to try. It doesn’t
02:30 matter what the compromise was. It
02:32 doesn’t matter if it’s a, you know, a a
02:34 loyalty account for Pokemon, you know,
02:37 trading cards. They’re going to try that
02:38 account. If it’s a Gmail account,
02:40 they’re going to try that and hope that
02:42 you use the same password for Pokemon Go
02:46 as you did for your Google account. So
02:49 rule number one is never, never, never
02:51 reuse passwords. Use a password manager.
02:54 Um there’s a bunch of them. LastPass,
02:56 1Password. Uh Google has a built one
02:59 built in. Microsoft has one built in.
03:01 Anyway, uh Apple has one built into, you
03:03 know, the the core operating system, but
03:05 use a password manager. You should never
03:06 be using the same passwords across
03:08 different sites because that way if one
03:10 of those passwords is compromised on one
03:13 site, uh they can use it to log into
03:15 other sites. And the one that attackers
03:17 really want to get a a hold of is your
03:20 Google account. They want your Google
03:22 email address uh password. That is very
03:24 important to them. The reason for that
03:26 is the hackers are hoping that you are
03:28 using the Google password manager which
03:31 means if they can compromise your email
03:33 address, your email address login, then
03:36 that also gives them access to your
03:37 password manager and all of the
03:39 passwords you have stored in there which
03:40 are bank accounts, Coinbase, whatever
03:42 else you got in there. And the other
03:44 thing too is for two-factor
03:45 authentication, a lot of these websites
03:48 have uh two-factor authentication and
03:50 they recommend Google Authenticator.
03:52 Well, by default, Google Authenticator
03:54 backs up to the Google Cloud, which
03:57 means if an attacker has access to your
03:59 Google account, they have access to your
04:01 Google passwords and they have access to
04:03 your Google Authenticator login uh
04:06 backup, which of course means they have
04:07 access to two-factor authentication,
04:09 which basically gives them access to
04:11 everything. Um, so how do you mitigate
04:14 this risk? One, make super sure that
04:17 two-factor authentication is enabled for
04:19 your Gmail account. If you are using a
04:21 Gmail account or any email address
04:23 associated with Google, uh, which I
04:25 think is basically just Gmail, make sure
04:27 you have two-factor authentication
04:29 enabled on that email address so that a
04:32 hacker who does not get who gets a hold
04:34 of your password for Google cannot get
04:36 in just with your password. Second,
04:38 don’t ever reuse the same password for
04:42 any websites, but especially your Google
04:44 email login. You definitely need to make
04:46 sure you’re not using the same password
04:48 for your Google login to Gmail that
04:51 you’re using uh for your other website
04:53 logins. Otherwise, again, if one of
04:55 those other passwords gets compromised
04:57 by definition, they’ll be able to get
04:58 access to your Google account. Um,
05:00 third, it’s it’s more complicated, but
05:03 you can also turn off the automatic
05:05 backup in two-factor authentication in
05:08 the Google Authenticator app. But the
05:09 problem is then if you change phones and
05:11 you forget to move it over, you’re going
05:13 to have a royal pain time uh trying to
05:16 get logged back into all the different
05:17 websites that require two-factor
05:18 authentication. So, a lot of people are
05:21 reluctant to turn off the cloud backup
05:24 on the Google Authenticator app because
05:26 if they forget to port it over when they
05:28 change phones or if they lose their
05:30 phone, then they’re going to have to,
05:32 you know, a lot of work to get logged
05:33 back into all those websites. It’ll be
05:35 worth it because it’s more secure, but
05:37 still it’s a lot of work. Um, so what’s
05:39 the easiest thing you can mitigate do to
05:41 mitigate all of this? Well, store the
05:43 majority of your Bitcoin. Well, the easy
05:45 things are make sure your Gmail account
05:48 password is different than any password
05:50 you’re using anywhere else. And second,
05:52 um make sure that two-factor
05:54 authentication is enabled on your Gmail
05:57 account. Those are the two absolute
05:59 low-hanging fruit, easy to do, no reason
06:01 not to things. Um, other than that it
06:04 gets more complicated because uh if you
06:06 turn off cloud backup on Google
06:08 Authenticator again then you don’t have
06:10 a good backup of it unless it’s
06:11 replicated uh to a loved one’s phone or
06:14 something like that. But even if you do
06:15 that then if you add new two-factor
06:17 authentication in the future it’s not
06:19 backed up by default unless you go
06:21 manually back it up to uh the phone of a
06:24 of a loved one or something like that.
06:25 Uh but the easy solution here is buy the
06:27 Bitkey device. So, this video is not
06:30 about Bitkey, but Bitkey does solve all
06:32 of these problems. The beautiful,
06:34 incredible secure architecture of Bitkey
06:37 keeps any of those bad things from
06:39 happening. And none of the attack
06:41 vectors that can be used for the other
06:44 uh avenues, none of them work with
06:46 Bitkey. Bitkey is just way more secure.
06:49 So if you get a Bitkey then if your
06:51 account does get compromised somehow it
06:54 doesn’t matter that much because only
06:56 you know a small percentage of your
06:57 total Bitcoin is subject to that
06:59 compromise. So Bitkey is the magic
07:01 solution to all of this. Um, I’ve talked
07:04 before about uh Coinbase Vault, which is
07:06 really good. But if somebody compromises
07:08 your Gmail account, uh the Coinbase
07:10 Vault doesn’t do you very much good
07:12 because if they have control of your
07:13 email address, then they are just going
07:15 to delete the emails from Coinbase Vault
07:17 that tell you that the vault’s being
07:19 unlocked. So, if they have access to
07:21 your your your uh you know, your your uh
07:23 Coinbase account or your Gmail account,
07:26 then they can uh run that exploit. So,
07:28 let me let me walk through how the
07:30 hackers exactly would run that exploit
07:31 just so you can see. All right. So,
07:33 first of all, they’re going to go on the
07:35 dark web and they’re going to look for
07:37 email addresses and passwords. They’re
07:39 going to they’re going to down select
07:40 that to only only Gmail accounts.
07:43 They’re going to take all of the Gmail
07:44 accounts they have access to uh and all
07:47 the passwords that were leaked that are
07:49 associated with those Gmail accounts for
07:51 all sorts of different random websites
07:53 and they’re going to try all of those to
07:55 see if they can get them to work as your
07:57 Google password. They are hoping that
07:59 you have the same password set for your
08:01 Gmail account uh as you do for some
08:03 other random website that got hacked and
08:06 then they’re hoping you don’t have
08:07 two-factor authentication turned on for
08:08 your Gmail account. So, let’s assume
08:11 that they are successful that you know
08:14 some random hack on Men’s Wearhouse ends
08:16 up being the same uh you know the same
08:19 password as your Gmail account and that
08:22 you don’t have two-factor authentication
08:23 set up on Gmail. If that’s the case,
08:25 then the username and password of your
08:27 Gmail account and the password from
08:29 Men’s Wearhouse, which is the same one
08:30 that you used, you know, for your when
08:32 you set up Gmail is going to get them
08:35 into your your Google account. The first
08:37 thing they’re going to do when they log
08:38 into your Google account is go to your
08:39 Google passwords to see what passwords
08:41 they have access to. Any sort of
08:43 financial, especially cryptocurrency,
08:45 they’re going to immediately turn around
08:47 and use your password uh manager to try
08:49 to log into those accounts. as soon as
08:52 they get hit with two-factor
08:53 authentication, they are not going to
08:55 have access automatically to your phone.
08:57 Um, I presume I don’t know how this
08:59 works on Android phones. Uh, certainly
09:01 on an iPhone, they would not have access
09:03 to your uh two-factor or so, you know, to
09:05 codes that are sent to your phone. I
09:06 don’t know how that works on Android,
09:08 but on iPhone, they would not. Um but
09:10 they would uh they would uh look for
09:14 something where the login you know they
09:16 can use your password manager to log
09:18 into your Coinbase account hoping that
09:20 you are using Google Authenticator as
09:22 your two-factor authentication which of
09:24 course if they’ve compromised your
09:25 Google account then they not only have
09:27 access to your Google passwords but they
09:29 also have access to the backup of your
09:31 Google Authenticator which would then
09:33 give them access to everything. So um
09:36 that is what a hacker will do. They will
09:37 try to uh they are hoping you’re reusing
09:40 a password on your Gmail account. They
09:42 will use that to compromise your Gmail
09:43 account if you don’t have two-factor
09:45 authentication enabled. And then they
09:47 will use your password manager and your
09:49 two-factor authentication uh from Google
09:51 Authenticator if that’s backed up to
09:53 your Google account. They will use all
09:55 of that to uh to compromise your
09:58 accounts and try to drain your accounts.
09:60 So the magic answer to all of that is
10:01 Bitkey. Bitkey.world world w
10:06 Bitkey is the magic solution to all of
10:08 that. If you’re not ready to go down
10:09 that road yet, uh the second best
10:12 solution is just making sure your Google
10:13 account is super locked down. Make sure
10:15 that the password you’re using to log
10:17 into your Google uh Gmail account is
10:19 different than you than anything you use
10:21 anywhere else. Make sure that you’ve
10:23 never never used that password before
10:24 for anything else. uh and make sure
10:26 two-factor authentication is turned on
10:29 um for your Google account so that uh
10:31 there’s no way they can just get in with
10:33 just a password. Um so that’s the quick
10:36 primer on this. The real solution is
10:38 Bitkey, but you can at least make yourself
10:40 a lot more secure making sure that
10:42 two-factor authentication is turned on
10:44 and that the password you use to access
10:46 your Gmail account is not used anywhere
10:48 else. Otherwise, if it’s compromised
10:49 somewhere else, it will automatically be
10:51 immediately used to try to gain access
10:53 to your Google account. But again, the
10:55 right solution for the long term is
10:57 Bitkey because it’s amazing and it’s super
10:59 easy to use and people are intimidated
11:00 by new things and I totally get that.
11:02 Um, but if you’re willing to, you know,
11:04 spend $99, uh, Bitkey is by far the
11:08 most elegant secure way of securing your
11:10 Bitcoin in a way that hackers and
11:12 scammers will never gain access to it.
11:14 And it’s just super slick, super
11:16 straightforward, super elegant. It’s
11:18 just it’s a brilliantly, brilliantly,
11:20 brilliantly divi designed device. and it
11:22 works really amazingly amazingly well.
11:25 Um, so uh good luck on your journey.
11:28 Happy to answer any questions as always.