Nick’s Note: Last week, a hacker broke into the accounts of world-renowned cryptocurrency expert Teeka Tiwari. And although Teeka had defenses in place, the hacker was still able to get around them.
In today’s interview, Teeka tells me how he kept his crypto funds safe, despite the hacker’s sophisticated attempts to steal them…
By Nick Rokke, analyst, The Palm Beach Daily
Nick: T, last week, a hacker tried to break into your crypto accounts and steal your funds. Can you tell us what happened?
Teeka: Yes, I was the victim of a hack—and it was a fairly sophisticated one.
Now, this type of hack has happened to friends of mine before… Somebody calls your phone company pretending to be you. Then, they port your phone number to another phone…
Once they do that, they can use the new phone to reset the passwords on any email accounts you have on the old phone. And when they have access to your email accounts, they can reset your crypto account passwords and attack your crypto funds.
With my cell phone service, I have a special code that you must use if you want to make any changes to my phone. But apparently what happened—and this is what my phone company told me—is that somebody called them and impersonated me.
They didn’t have the code, but they had my Social Security number. And I’ve told my company, “Don’t let anybody make any changes unless they have that code.”
But they ignored my request. And since this person had the last four digits of my Social Security number, they were able to port my number.
Nick: How did they get your Social Security number?
Teeka: Look, there’s no such thing as digital privacy. It’s just a fact of the world we live in today. If someone has $20 worth of Monero [an anonymous digital currency] and a Tor web browser, they can access the dark web and get just about anybody’s Social Security number.
Social Security numbers aren’t safe. They’re not secure. You have to assume your Social Security number is known. And clearly, this person knew mine.
And my phone company didn’t do what I told them to do, so the hacker was able to port my phone number.
Nick: Did they get into any of your crypto accounts?
Teeka: They managed to get into a few of my crypto accounts—but weren’t able to pierce some of the others.
I have two-factor authentication on all my accounts that aren’t directly tied to my phone. And I don’t know yet how they were able to overcome that security feature with some of my accounts. I’m still trying to figure that out.
But the thing is—regardless of how good you think your security is—there will always be somebody who can get around it. So if they do get around your defenses, you want to make sure there’s nothing there for them to take.
Had I kept my coins on exchanges, this would be a very different interview…
Nick: How so?
Teeka: Even though the hacker was able to get into a few of my crypto accounts, there was nothing there for them to take because I don’t keep my crypto funds on exchanges.
Just recently, some wonderful, hard-working folks—including some subscribers of mine—lost millions of dollars by keeping their crypto funds on the now-defunct Canadian exchange, QuadrigaCX.
When you keep your crypto funds on an exchange, you don’t have full control over them. And you can lose access to them, too.
That’s why you should always self-custody your crypto funds when possible.
Nick: Can you tell readers what you mean by self-custody?
Teeka: The beauty about cryptocurrency is that you can control your digital assets.
Each crypto account comes with a “private key.” Private keys allow you to send and access your crypto holdings. So it’s important you maintain possession of them.
As long as you have custody of your private keys, no one can access your digital assets. So you have to protect them.
Nick: What steps can people take to secure their crypto funds?
Teeka: It bears repeating: Don’t keep your crypto funds on exchanges. Move them to a digital or hardware wallet in which you have control of the private keys.
Also, don’t store your private keys on the internet. Don’t store them in your iCloud, your Evernote, or your Microsoft OneDrive accounts. Those were the first places where this hacker went hunting for my crypto keys.
You can write your passwords and private keys in a physical form and then store the documents in a bank, safety deposit box, or safe in your house. And you can keep another digital copy on an encrypted flash drive.
If you store physical and digital copies offline, then they’re unhackable.
Sure, anybody can go rob a bank and rip open your safety deposit box to get at your documents. But what do you think is more likely to happen? Someone breaking into a bank to get your private keys… or someone hacking into your computer to get them?
Nick: Are there any other steps we can take?
Teeka: When you set up online accounts, use an email address that’s not tied to your phone in any way. If you can’t do that, then use a recovery email not tied to your phone.
And if your financial institution or cryptocurrency exchange wants a phone number, then it might be worth getting a second phone—like a prepaid one that isn’t tied to your name. The phone number shouldn’t be listed anywhere. It shouldn’t be linked to you in any way, shape, or form.
This way, you’ll be able to use that phone for your two-factor authentication if you want to. Or if you want to use Google Authenticator on that phone, you can use that as a contact number. It should be a phone that’s completely separate from your identity.
Nick: That seems like a lot of work.
Teeka: Yes, it’s a bit of a pain in the neck to custody your own coins. But while it’s not super easy, it’s not rocket science, either.
The alternative to spending just a few extra minutes to make some backup copies of your passwords and keys—and to move your coins off exchanges into your wallet—is getting hacked, having an exchange go out of business, or having somebody in an exchange steal your money.
There’s no FDIC in the crypto game, so your funds aren’t insured like the money in your bank account is. There might be crypto insurance at some point, but not yet—which means you’re on your own. So please take that to heart.
Moving forward, I’m going to be honest with myself and examine the weakness that got exploited. For me, it was having recovery email addresses and recovery phone numbers linked to the phone that I use all the time.
It’s the same phone number I’ve had for 20 years. Almost everybody knows what my phone number is. It’s not hard to find. Clearly, I’m not using that phone number anymore, which is a bummer since I’ve had it for a long time.
But what I can tell you is that it’s a huge pain in the neck once your identity’s been compromised. You have to make a lot of changes, and it’s not fun.
Unfortunately, we’re in the crypto world… and in a crypto world, it can be a little lawless.
Again, the good news of the story is that I didn’t keep any coins on exchanges. My coins are safe. So I would strongly urge you to do the same and keep your coins safe. Self-custody them and think about the idea of having a phone that’s separate from your name and your identity.
Nick: It’s unfortunate you had to go through this ordeal, T. But I’m glad you didn’t lose any of your crypto funds. As always, thanks for the advice.
Teeka: You’re welcome.
Nick’s Note: If Teeka’s story has helped you in any way, please let us know right here…