It's completely ridiculous for a service to offer 2FA with SMS and also password recovery via SMS to the same phone number. It sounds like that's how this guy got hacked. He was effectively using more like half-a-factor authentication. He probably didn't realize because his email service didn't clearly show him how it will grant access.
It would be great if online services showed a clear matrix of authentication methods so you can see which combinations are sufficient and necessary to access your account. Simply adding a 2nd factor is a bad idea because it means if you lose either one, you're locked out of your account, so you also need a 3rd factor to protect you from yourself. I personally have 4 factors for my gmail account - regular SMS 2FA, a friend's phone number for password recovery and paper backup codes. This way, I can lose almost any two factors and still have access. If I forget my password and also lose access to my friend's phone for password recovery, then perhaps I'll be in trouble but Google doesn't make it clear if they'll let you in using only your backup codes and 2nd factor phone number.
It's even more ridiculous for a telco CSR to transfer his number to another provider without doing any sort of proper validation beforehand. A simple callback to ensure that the person calling was indeed the owner of the number would have prevented all of this.
I've been doing this to get by SMS-based two-factor in pen tests for years. The only time it didn't work is when I'd forgotten part of the auto process so I'd hang up and try again.
Because support teams aren't coordinated with call attempts you can essentially brute force the process
Also the online portals for number transfer are notoriously weak. There was one MVNO I used for years because their website did no server side auth and I could transfer numbers to new SIMs at will.
SMS as an authentication transport is beyond useless - nobody should be implementing it
Does the provider that currently holds the number need to release the number when it's transferred? Or can any random provider port out my number from my current provider?
Most countries have number portability laws now that say the current provider has to release the number.
They can't even hold it over an unpaid debt. Worse, a lot of these laws have government SLAs in them that say x% of transfers have to happen within 2-3 hours (usually 90-99%)
There is zero incentive from any party to add friction to the process for authentication purposes
It really got easy when I noticed the process was automated by a lot of providers a few years ago. I really don't think there was any human oversight on many of these transfers (perhaps a rubber stamp from a cheap offshore pair of eyes for compliance purposes)
The last time I transferred my mobile number, the telco wanted to have the IMSI as well. Then what my phone reported was not what they wanted, so it took a while to sort that out.
But it seems secure enough. It is not easy to get an IMSI for a random phone number.
> It is not easy to get an IMSI for a random phone number
This is easy if you have an SS7 network connection. Comparable to the difficulty of resolving a DNS name to an IP address using an internet connection.
Don't forget number porting is recently new. The FCC started requiring carriers do it in 2003. Since the telcos were forced to do it, you think they are going to put any effort into it unless legally required to do so? They don't care.
There have literally been hundreds of cases reported in the media in the last few years where the phone company ported a phone number either without verification or with "verification" (easily found information) and the victim had their accounts stolen. This has been a documented problem.
Phone companies seem to be starting to take the issue more seriously as of the last few months due to the aforementioned bad press. Verizon just forced me to create a PIN by Jan 24th, 2017. So I didn't have a PIN until less than a month ago.
Landline & VOIP providers rarely have a PIN or security question on file, and CLECs like Level 3 (who supplies Twilio and many others) will approve nearly any port since their customers don't keep customer service records for each number on file with them.
Legally there isn't much you can do beyond a snapback either, depending on how the line is classified you have to complete a simple port within 24hrs if the CSR (customer service record) matches.
Generally, if the CSR partially matches what the new provider gives, the port will be approved as the old CLEC doesn't want any escalation of a port.
It's completely ridiculous for a service to offer 2FA with SMS and also password recovery via SMS to the same phone number
Why is this ridiculous? Isn't this the same thing that Gmail offers for your own account? If you lose your password, Gmail will only send the recovery info to your friend's phone?
The problem happens if the password can be recovered with the same phone number as used for 2FA since then anyone who steals the phone/phone account can get both the password reset and the 2FA SMS. However, using two different numbers means a hacker has to hack two phone accounts instead of one. At least I hope that's what they have to do.
This happened to me about a year and a half ago, luckily I only lost a couple bitcoins that I had in coinbase, it could have been a lot worse.
The major crux of this article is the paragraph where it talks about how regulations essentially allow phone carriers to do whatever they want, with no guarantees of security, no indemnity, and if anything goes wrong there's no repercussions whatsoever.
There is literally nothing you can do to prevent this, any kind of "flags" or "extra security" you request are entirely enforced at the whim of individual call center personnel, and it only takes one person to ignore them. My case was similar to the article, I had some basic security flags enabled on the account but they were buried in notes from calls years ago and obviously no CS rep is going to read through years of notes on every call.
In my case the attackers called Sprint customer service over 100 times over a 5 day span. On the day I was breached they called 12 times within 3 hours before a weak link allowed them to transfer my number. No alerts to myself or the account holder, no notifications, nothing. The first rep I called after this occurred gave me great detail into the calls and what they had asked, apparently some of the numbers even came from different European countries. I immediately tried to escalate to their fraud department and was stonewalled hard. The fraud people denied any pattern of calling into their support lines, denied any transfer of my number (even though reps later happily helped transfer it back from Google Voice), and denied any action on the part of Sprint that caused this to happen.
Lawyers essentially told me I was out of luck, there was no recourse unless I was willing to go to war in the courtroom and unfortunately I don't have _that_ many old BTC.
It is absurd that such telecommunications backbones have such lax policies, much less no repercussions when they screw up. This will continue to be an attack vector until we force some sort of regulation that requires extraordinary damages to be paid per case... something tells me even low fines and slaps on the wrist won't incentivize the telecoms to provide actual customer service.
> The major crux of this article is the paragraph where it talks about how regulations essentially allow phone carriers to do whatever they want
So, in a word, phone carriers are actually unregulated when it comes to the relevant facts in here.
Isn't that a paradox then? Using bitcoin in order to deregulate the financial system and then ask more regulation for phone carriers in order to protect your unregulated bitcoin?
Anti "regulation" people are usually pretty big on contracts being enforced. The phone company giving away a number in a world where numbers are used to verify identity is a big deal along those terms.
"Real" bitcoining doesn't use services like coinbase; the coins are on your computer which you have to secure yourself. At least this is what you get told in cryptocurrency forums when one of the exchanges gets hacked.
No it's true. Exchanges are prime targets, so it's risky. Wallets on desktops come in a variety of flavours, and can be secured. Getting root access to your device is tricky, let alone they would not know you have your bitcoin.
Beyond that, the pros and experts who have a lot do cold storage. Putting the keys offline.
Oh ok, then it's the other way 'round. "Security is not easy, if you can't handle it better leave your btc on the exchanges." Either way, it's all by design, if you lose your money it's your fault.
Another thing to keep in mind is that most phones will display the content of SMS messages on the lock screen, even if the phone is locked. That means that if your phone is stolen, hackers can easily take control of accounts such as PayPal that use SMS verification as the only way of establishing one's identity.
Agreed. It's usually buried in the device settings and also in Messenger and Hangouts. Signal gives you a few different options as well. But it should be more visible to all users, not just those of us that dig through settings.
True, but possession per se, even if unauthorized, is what a "something you have" factor is all about. Adding a knowledge or biometric factor on top (your phone's unlock mechanism) is a bonus.
Granted, the unauthorized porting issue makes it a faulty possession factor in the first place.
How was the hacker able to port the victim's number to another provider?
In the UK, the first step in porting a number is to request a 'Porting Authorisation Code' from your current provider. They don't give you that over the phone, but send you an SMS. So AFAIK you need to be able to receive SMS on the number already, in order to transfer the number to another provider.
So, was this hack enabled by a weakness in the US number porting process?
(In China, where I live, number porting isn't possible. Getting a new SIM requires you to physically present yourself and your passport or national ID card. If passport, the passport number must match the passport number they have on file, so a replacement passport wouldn't get around this requirement.)
I thought the story sounded familiar - Jered Kenna - this story's lead, claimed to have lost 800 BTC in 2013 (1)
That story got him quite significant press at the time, I found thousands of deviations of the original Bloomberg story - people LOVE the "darwin award" story category.
I was going to crack a joke about this being a Paul Graham submarine strategy (2) but it's just too sad and I believe him, 2FA is a mess.
I agree, but it's worse than that, with SMS widely used for account recovery.
> But 2FA via SMS is ubiquitous because of its ease of use. “Not everyone is running around with a smartphone. Some people still have dumb phones,” says Android security researcher Jon Sawyer. “If Google cut off 2FA via SMS, then everybody with a dumb phone would have no two-factor at all. So what’s worse — no two-factor or two-factor that is getting hacked?”
The thing is, SMS is worse than a reasonably good password. So it's a bit annoying that Google strongly encourages me to register my phone number with my gmail account for recovery.
And many services, including Google, make it difficult or impossible to enable TOTP without first registering a phone number. They really really push the SMS route. Brings up the average security level for the average person, I'm sure. Very annoying for me.
Not only dumb phones, but all regular Android users in China. They don't have the Play store app on their phones and can't sideload it because it's not a simple apk file. Even if they managed to hack that, it's blocked through the great firewall anyway. Whatever Android 2FA app an email service used would probably only be available via the Play store and thus cut off all Chinese users, and even people from China who moved to another country and brought their old phone with them.
No connectivity is required, it's TOTP on a 30-second interval. The tl;dr: is that you have a shared secret (so if this ever gets leaked to an attacker, yes, you're vulnerable) which is used in conjunction with current time (give or take a few seconds) to generate a code you can use to confirm authentication.
This may sound silly, but keep in mind that TOTP requires that both ends agree on the current time. I learned this the hard way when my authenticator stopped working consistently.
Apparently I had disabled my device's (the one with the authenticator app) "automatically set time from NTP" feature. Over time this resulted in my device's clock drifting X seconds away from the providers' clock(s), which in turn resulted in my occasionally using codes that were already X seconds expired.
The counter based OTP is actually more secure, but Google doesn't go for them with end-users, because they can go out of sync (eg if your kid is idly flicking through a lot of them on your phone) and then have to be reset.
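Added example (not posted by any commenter, and not Google's or any vendor's code): a from-scratch HOTP (RFC 4226) and TOTP (RFC 6238) implementation showing the shared-secret-plus-time construction described above, why a client clock that has drifted produces codes the server rejects, how a small acceptance window tolerates that, and the look-ahead resync a counter-based scheme needs. `DEMO_SECRET` is the RFC test-vector key, a constructed value; the server time and drift values in the demo are constructed too.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) built from the standard library only."""
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then RFC 4226 'dynamic truncation' to a 31-bit integer, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """Time-based OTP: HOTP whose counter is the number of 30-second steps since
    the epoch. No network is needed; both sides only need the secret and a
    roughly correct clock."""
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, server_time: float,
                window: int = 1, digits: int = 6) -> bool:
    """Server-side TOTP check. `window` is how many steps of clock skew either
    side are tolerated; constant-time comparison avoids leaking the code."""
    counter = int(server_time) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def verify_hotp(secret: bytes, code: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check. Returns the counter to store on success, else None.
    Only counters after `last_counter` are accepted (no replay); the look-ahead
    window lets a client that 'burned' a few codes resynchronise."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def drifted_client_accepted(secret: bytes, client_drift: int,
                            server_time: float, window: int) -> bool:
    """Model a client whose clock is `client_drift` seconds off: it computes the
    code from its own clock, the server checks against its own clock."""
    code = totp(secret, server_time + client_drift)
    return verify_totp(secret, code, server_time, window=window)


if __name__ == "__main__":
    print("current TOTP for the demo secret:", totp(DEMO_SECRET, time.time()))
    # Counter-based: the same counters always give the same codes.
    print("HOTP counters 0..2:", [hotp(DEMO_SECRET, c) for c in range(3)])
    # Clock drift: a client 15 s slow, 10 s into a 30 s step, lands in the previous step.
    t = 1_000_000_000  # constructed server time; 10 s into a 30 s step
    for w in (0, 1):
        print(f"client 15 s slow, window={w}:",
              drifted_client_accepted(DEMO_SECRET, -15, t, w))
```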
I have an original iPad. It doesn't get connected to the net. So, no way to get the app on there, and it probably wouldn't work for iOS ~5.1.1 anyway. ;)
That being said, it hadn't clicked that a non mobile (eg laptop/desktop) version of it could exist.
The wikipedia page for it says it's strictly mobile only[1], as does the Google install info page[2].
Well, you can generate TOTP codes on your laptop, using oathtool, if someone has a "dumb" phone. One of the downsides is then you need to have your laptop always with you...
He had a 30 character password on his wallet. How the hell did they get past that??
How the hell did they even get on his computer in the first place? I don't see how 2FA breaches could accomplish that.
edit: apparently you can have Microsoft make your online Microsoft cloud password be tied to your machine login. That's such a bad idea. One Microsoft customer support moron can effectively kill your computer. Also, even if they got this guy's computer password, how the hell did they get into it remotely? He made his computer visible for remote login on the Internet. I can't believe that.
Pretty insane he was making 50 BTC from mining in a day... he must've had a sizable sum.
I really do not condone ripping people off or hacking but I have to admire the tenacity of these hackers, nothing is out of bounds, every opportunity to steal or rip people off is a naked call option where only their time is the currency that can be lost with a failed heist.
It's the new bank robbers of our age, but without films or Hollywood glamourizing it (yet), the same bank robbers.
Crime does pay but it's a shame smart talent is being used to destroy not build. We can't point fingers at specific regions or countries with a depressed economy and expect them to find honest work-they may not exist there when government corruption has already robbed their citizens of the livelihood they were owed. This is not a justification for criminal action but a mere observation of the structural environment giving rise to such behaviours.
I don't see how to stop it though. For areas of the world with few economic opportunities, and little resources to chase you...the risk/reward profile is just too tempting.
bizarre and an extremely brutal way of extorting money from people. The mob used to ask for protection money, if you refused, they'd fuck your store up.
but this is just fucked up and repulsive. it's sad how poverty can dehumanize people into doing inhuman things for money.
You are very right, but there is _something_ to the theory that the availability of good jobs is a big factor. I've read a lot of cases where the FBI will capture Eastern European hackers by pretending to be an old friend of theirs, claiming to have been MIA for a while because they found a good legitimate job, and then inviting the target to apply. The target sends a passport scan as part of the application process and then gets arrested.
I think one of the biggest factors is culture. If you live in this "skype scam city" and all of your friends are doing it, then no one is judging you and you won't have too much trouble sleeping at night. On the other hand if you're in a very moral place you probably wouldn't do it.
Certainly, but again, ethically dysfunctional cultures are to be found at all levels. Lehman Brothers employees were in an environment where dishonesty and malfeasance was acceptable, so they felt OK about helping destroy an economy for personal gain. As will the Wall St financiers who create the next financial crisis ..
I remember reading online that to bait the valve half life 2 leaker/hacker to come to the US for authorities to capture, valve sent the hacker a phoney job offer. At the end of the day, all these smart tech workers want is to get paid for their skills.
For the hacker types there are things like bug bounty programs where they could make money in a legitimate way. The story I linked to though is just regular extortion artists with no discernible skills. I'm not sure how you address that.
man I really got a new perspective on Gabe. Blatantly deceiving the German guy to cause tremendous harm to his life by colluding with the Gestapo even when Half Life 2 was a tremendous success and none of his precious monies were lost in the process, in fact the leak only raised the profile for Half Life 2 resulting in more sales.
I definitely won't be buying Half Life 3.
TIL Gabe Newell is actually very narrow minded and not a nice guy. Hacking and leaking is also bad but it's not clear that the action led to losses when Half Life 2 was a phenomenal success. It's the deceptive tactic of pretending to offer an olive branch and going back on your word. He should be fucking ashamed of himself.
Say someone broke in to your house, rifled through your stuff, and put pictures of your personal things on instagram. Would you not want to press charges?
I'm sure you can see the night and day differences. Gabe just got free PR exposure. He should've kept his fucking word and given the guy a job but instead he got soft.
Tony Montana said it the best: all you really have at the end of your life is your word and your balls and how well you kept them.
This post [1] from Kraken covers how to protect yourself from this kind of attack. It's quite thorough. Interesting even if this isn't a concern for you directly.
Because storing encrypted online is both harder to do right and if your computer has malware on it then no amount of encryption will save you because at some point you will need to decrypt your keys. Not to mention that someone can still try to guess your encryption phrase.
With a hardware wallet your private keys never touch your computer so they can't be stolen. Even if you are the kind of person that can't resist clicking on every piece of malware you encounter your Bitcoins can't be stolen from a hardware wallet.
Bottom line hardware wallets are easy to get right.
A hardware wallet allows you to spend coins without exposing the private keys. To spend e.g. a paper wallet, you have to swipe the keys on a computer. Yes, that can be offline, but a HW wallet reduces the amount of possible mistakes in this process.
Speaking of Trezor: "a recovery seed is generated when the device is initialized. In case TREZOR gets lost or stolen, all its contents can be recovered using this seed (private keys, bitcoin balance and transaction history) into a new device or another BIP 0039/BIP 0044 compatible wallet." [1]
See also the "Security threats" chapter from the official documentation. [2]
Yes, in the case of the Ledger Nano S for example, when you set it up for the first time it gives you a 24 word recovery seed that you write down and keep in a safe place. The seed is created according to a Bitcoin standard (BIP39). If anything happens to your hardware wallet you just buy a new hardware wallet that supports BIP39 and you are back in business.
If you want to be really secure you can engrave your recovery seed into a piece of metal that won't melt in typical house fire temps like brass.
Thanks for the detailed answer, exactly what I needed! Would you recommend the Ledger Nano S? It seems like it's half the price of Trezor for some reason.
I have a Nano, it does the job. Build quality feels cheap but like you said it is half the cost of Trezor. KeepKey is a Trezor clone. Trezor was first in the space and I think their build quality is better.
Of course, macOS and Windows 10 both still give you the option of creating user accounts independent of an Apple ID or MS account, which is what I do on my macOS and Windows 10 systems.
But there's good reason these OSes tie local logins to online accounts. The average user is more likely to get frustrated forgetting or not understanding why their email password is not their login password, than the (comparatively) rare scenario that someone will compromise the one-account-to-rule-them-all and wreck all their data. My grandmother confuses her Gmail login with every other online account because they all use the email address as a username.
Also, I'm continually amazed how little normal people care about the data on their computers. I still have all my files from when I was 5 years old on my main machine, but most people only care about bringing over whatever they're currently working on when they get a new machine.
Just manage your account on your device yourself. It seems stupid to me to trust apple or microsoft with owning my password auth on my own device. I am shocked any dev does that.
I know hindsight is 20/20, but with a wallet that valuable, it would have been prudent to split that into smaller encrypted wallets of, say, $1000 apiece, and only mount what was necessary (partition the external HD).
And this is why Bitcoin is doomed to fail as a genuine currency. Imagine if your bank said they had lost your money and tough luck on you. Or you bank emails you to say they have been hacked and all your money is gone. Or the bank just disappears offline and your money is gone. Or you forget a password and so your bank says sorry, but that means all your money is gone forever.
Except that you wouldn't get much legal protection if someone runs off with your bitcoin. A bitcoin transaction is irreversible and unfreezable, so there is not a lot the bank or legal system can do to try and retrieve stolen funds. And there is less of a trace to who the thief is.
As a result you probably aren't going to get the government failure guarantees on bitcoin as you would for fiat. Let alone governments won't want you using a different currency that they can't print.
No one can "freeze" cash, either, which is what currency is. A number in a bank account can represent US dollars, bitcoin or whatever else. You're talking about two different things here.
I agree with your point about government failure guarantees, however.
If you can protect your nude photos from getting on the net, you can protect your private key from getting on the net. Browsing the internet used to require the command line.
The only way to protect it is to not have it on a computer that is connected to the internet. There are schemes involving throwing dice to generate a key, writing it on paper, using a python script or suchlike to generate an address from the dice throws etc. Something like that would be pretty secure, as long as no one breaks in to your house to get the key (or you can remember it).
I hate the forbes.com website, but a great story. Guy's phone number got hijacked, then they reset his other accounts by sending codes to his phone number on file. Maybe we need 3FA?
Seems like he was very much targeted. Someone knew this guy and knew he had a LOT of bitcoin. If they actually remoted into his computer, waited until he mounted some external drive with the wallet and then acted. It's clear this was a targeted act. Poor guy.
One of the accounts that ended up being compromised using his compromised email accounts was his Microsoft account, which he used to log in to Windows 10. Presumably the attackers were able to connect remotely, or maybe download his files out of the cloud, or something. They had the keys to the kingdom.
That's the WTF for me here. I don't store anything valuable on the Windows 8 PC I run at home, but when I set it up, I remember feeling quite uneasy about the way the Microsoft account and the local user login apparently are one and the same. I assumed that surely it's just convenience and gaining access to the MS account isn't sufficient to give access to my PC - that would be insane, right?
Is this being reported correctly? This sounds completely nuts.
Changed my user account to local just now. Good thing I always assumed this computer is a sieve. I still have a hard time believing every single modern Windows OS is essentially intentionally backdoored. That's just completely, incredibly unacceptable.
From what the article said, I understood the hard drive the wallet was on was encrypted. Once mounted, the wallet would be accessible to anyone with login access to the OS.
I don't understand how they got into his computer in the first place. No amount of 2FA breaching could possibly get somebody into my Windows machine remotely. And not having a password for his wallet makes no sense whatsoever. I'm thinking Forbes has something wrong.
Going by the article, gaining access to his Microsoft account was enough to provide access to his Windows machine. I'm not sure I'd trust Forbes to get this right, but a quick googling indicates that having access to the MS account the main Windows user is linked to will let you recover the admin password.
If they knew what they had there (and the balance of the wallet was in the blockchain, they probably knew exactly who they were targeting here), you could throw an awful lot of resources at bruteforcing the password. (Let's face it, they had this guy's bank accounts and PayPal - I wonder how much of his own money they spent on AWS cracking his wallet password?)
Sure, depending on what you actually mean by "has randomness".
"correct horse battery staple"
is 29 characters, but it's _much_ more likely to fall to hashcat than
"OckivpykophshifcuvTocJorj%opAd"
I've only got 4 truly random passwords stored solely in my head, and they're all down at 12 chars because I need to write them down much above that instead of being reliably able to remember them (and yeah, I've got stuff I no longer have access to because I've forgotten the password...). There's a serious tradeoff to be made with a password for "millions of dollars worth of bitcoin" - where do you balance the "it's super secure" against the "Shit! I forgot the password!" (And if your first answer is "that's what password safes are for", then you've just moved the problem to the password safe's password...)
(With a reasonable dictionary, "correct horse battery staple" will probably pop out from hashcat in under a second on a Raspberry Pi! ;-) )
Many (most?) of the online wallets have 2-factor auth, though maybe that wouldn't come into play if the login appeared to be coming from a familiar computer.
Lloyds isn't getting involved unless they have an incredibly high degree of satisfaction in security processes; in fact they stripped Elliptic of their first ever "vault" insurance shortly after awarding it, claiming they didn't like the "publicity".
I'm not sure where you got this impression but it's very wrong. Coinbase does hold insurance but it does _not_ apply to the scenario described in this Forbes article where individual user's security is compromised.
This Coinbase support article[0] succinctly describes what they are insured against. Important points are that only about 2% of their total Bitcoin deposits are insured, those that they keep "online". The insurance does _not_ apply to losses suffered due to an individual's account being compromised.
If you use coinbase, you don't own your bitcoins. Coinbase does, and they pinkie promise to give them back when you ask.
Get a mobile wallet like Mycelium. It's very simple, and you back up your wallet forever with a short string of words. You also retain control of your private keys.
Coinbase unilaterally decided to hold my coins hostage until I submitted a bunch of ID papers to them. This is for coins already in my wallet, not about buying more or selling them and getting cash to my bank account.
I already had 2FA - they force it IIRC. They also refused to delete any of my documents. It was related to connecting with my bank account. (Which they removed, as my Canadian passport somehow means I am not allowed to use banks in the US as a permanent resident.)
Why would you go through the rigmarole of encrypting something if it can be undone with a text message?
If you want to store Bitcoin, use (in order of preference) a reasonably secure computer (not an obviously poorly secured windows machine), a secure cell phone (not a $50 backdoored Chinese android phone), or a hardware wallet. Don't use cloud services, web wallets, or anything else that very obviously sucks from a security perspective.
I would be more than willing to trust, say, $50,000 in Bitcoin to an iPhone with a good passcode, running an SPV wallet. Above that and you probably ought to put in the modest investment for a hardware solution.
This is of course why bitcoin is a bad choice for most people, except for beer money amounts. Despite a lot of security precautions from a savvy user, someone made off with this stash.
Shame he didn't keep them in an exchange. Oh wait...
I always thought had I got in early in bitcoin I'd plan to sell off in tranches at $1, $10, $100 value etc. Then at least when the coins get stolen or worthless I'd have something to show for it.
My prediction: Bitcoin will become worthless in the long term once the crypto is cracked by mathematics, a backdoor or quantum computing
> This is of course why bitcoin is a bad choice for most people, except for beer money amounts.
It places users in the position of either having to provide their own bank-level security, or to leave their bitcoin with a BTC bank (the exchanges). The latter has had a few issues.
Bitcoin is secured by relatively simple algorithms, mostly relying on the SHA-256 hash. If this is broken, the internet has far bigger problems than bitcoin becoming worthless.
I'm guessing greed plays a factor. You see the price go up by a magnitude several times. Then why sell at 1k per coin when 10k might be round the corner.
That means quantum computers won't speed up mining, but it's public key crypto that protects your coins from getting stolen. If QCs become a thing we'll need to transition to post-quantum algorithms.
He had the bitcoins stored in an external encrypted hard drive. Then he plugged the hard drive in, and they somehow stole them. They were encrypted with a 30 character password. You can't do a password reset on encryption. I'm asking how did they get the file from his external hard drive, and how did they decrypt it?
Couldn't somebody make a phone company with better security? It seems stories about accounts being stolen via the phone company as weak link have been around for several years now.
Why would you want to trust the phone company? This is a solved problem, use IP and SSL. Of course you can't implement the really dumb "half factor" SMS authentication this way (because it's shown for what it is.)
When you consider the array of different exploits the thieves had to use to steal this guy's bitcoins, I think that this is a rare case where they are accurately described as hackers. But in the more common cases, such as Podesta's email account getting spearphished, you're correct that calling the perpetrators hackers is an insult to hackers.
Just put it in a ZIP file with AES-256 encryption. Upload that ZIP file to multiple locations, email it to yourself. If you're extra paranoid, you can also PGP-encrypt it.
If it's a large amount, do it on a cleanly installed Linux, and then secure-erase the partition after you're done.
Yes and yes. All wallet software that I know of has encryption. Or you can use a brainwallet that is never stored in a file at all (although you might want to keep a paper backup in case your brain has data loss).
> Or you can use a brainwallet that is never stored in a file at all
This is an incredibly bad idea. This publishes an unsalted, unhardened hash of your password to the blockchain to be cracked by anyone. There are bots with large precomputed tables that will instantly steal from especially weak ones.
Blockchain.info has excellent authentication. First a random identifier, then an email to confirm you're logging in, then the actual account password, then a 2fa code via Authy.
It's more or less correct, though I think it may only count nodes with forwarded ports.
Running a full node takes 100GB of disk space and some dozens of GB in bandwidth every month. It consumes a lot of ram as well, and if you are running a heavy OS you will often notice your computer is slower.
The cost of running a full node is one of the major reasons people oppose a bigger block size. Most wanting bigger blocks don't run their own full nodes.
I regularly get aggravated about the sensitivity of my bank's fraud screening. I have to call them constantly just to spend my money. But, I am at least reassured about how difficult it is to siphon money from the account.