Domenic Iacovone received an unusual phone call from Apple last Friday. Earlier, he had received several messages asking him to reset his Apple ID password, so he suspected a scam. But the call on his iPhone displayed the name Apple Inc. and a number associated with Apple’s online store. Reassured, he called back. The person at the other end of the line told him that his account had been compromised and that he needed to read back the one-time code Apple had just sent to his iPhone to prove he was the owner of the account. Domenic Iacovone handed over the code. Two seconds later, he says in a Twitter thread, his cryptocurrency wallet was empty. About $650,000 worth of cryptocurrencies and NFTs vanished in an instant.
Among the assets the victim says were stolen from his MetaMask wallet were Ether worth at least $160,000, a Mutant Ape Yacht Club NFT worth about $80,000 and $100,000 in ApeCoin. There was also reportedly $250,000 worth of Tether, a stablecoin pegged to the US dollar.
MetaMask recovery phrase was saved in iCloud
How could access to iCloud let an attacker empty a victim’s cryptocurrency wallet? When you create a crypto wallet, you receive a secret recovery phrase of 12 words, which is all that is needed to restore the wallet on a new device. The rule of thumb is therefore to protect that phrase at all costs. In Domenic Iacovone’s case, the recovery phrase was sitting in iCloud.
A crypto-security expert who goes by the name Serpent discovered that the MetaMask app for iPhone automatically saves a file containing the recovery phrase to iCloud. MetaMask responded to the disclosure of this security flaw by giving users instructions on how to disable iCloud backups.
“Always use a cold wallet to store your valuables. Never give verification codes to anyone,” recommends Serpent. “Protect your information: do not give out your phone number or personal email address. Caller ID information is easy to fake. Companies like Apple will never call you.”
This incident highlights the main drawback of decentralized finance, namely the absence of any central authority able to reverse transactions or reimburse losses. Blockchain transactions cannot be undone, which means that MetaMask or any other company cannot refund the lost assets. OpenSea, the largest marketplace for NFTs, can do little more than flag Domenic Iacovone’s account as “suspicious” to discourage buyers from purchasing his stolen NFTs. It was a little too late: the Mutant Ape stolen from his wallet was quickly resold for $80,000 (26.5 ether).
“Let’s get MetaMask to update its Terms of Service and app to make it clear that it shares your recovery phrase with iCloud,” tweeted Domenic Iacovone. “If we can save one person from this situation, it will all be worth the effort,” he concludes philosophically.
CNET.com article adapted by CNET France
Image: WorldSpectrum / Pixabay