The recent lawsuit against Coinbase has sparked a conversation within the crypto community about the security of SMS two-factor authentication (SMS 2FA). Most community members doubt that the lawsuit will succeed. However, it highlights the vulnerabilities of SMS 2FA and the need for more robust security measures.
A Coinbase customer filed a lawsuit claiming to have lost 90% of his life savings after falling prey to SIM swapping. That method enables fraudsters to gain control of a phone number and bypass any SMS 2FA on an account. In addition, the thieves allegedly confirmed the withdrawal of $96,000 from the customer’s Coinbase account after gaining control of his phone number.
Coinbase denied responsibility for the hack and stressed that customers are responsible for the security of their accounts. That includes their email, passwords, 2FA codes, and devices. The exchange also encourages using authenticator apps for 2FA, which it describes as a more secure option than SMS.
Crypto community members have expressed skepticism about the lawsuit’s chances of success. They also pointed out that SMS 2FA is the least secure form of authentication. Some have even suggested that this authentication method should be banned altogether.
Blockchain security firm CertiK has warned about the dangers of SMS 2FA and highlighted its vulnerabilities. According to CertiK’s security expert Jesse Leclere, SMS verification is better than nothing but is currently the most vulnerable form of 2FA.
Cryptocurrency platform Coinbase has revealed the account takeover rates for user accounts in an effort to encourage customers to upgrade their security settings. The stats say about 95% of Coinbase’s customers are enrolled in SMS-based two-factor authentication—the weakest 2FA method available. These same users made up 95.65% of all account takeovers Coinbase had experienced as of November 2022.
Coinbase requires all users to protect their accounts with two-factor authentication. This forces anyone logging in to supply both the correct password and a one-time passcode generated on their phone, thereby making it much harder to break in.
The only problem? Not all two-factor authentication setups are equal. By default, Coinbase secures user accounts with an SMS-based 2FA system, which can still be vulnerable to hacking. This is because the one-time passcode is sent to the user’s phone through their cellular provider. (An authenticator app, on the other hand, cuts out the cellular provider and generates the one-time passcode directly on the device.)
Over the years, hackers have shown they can intercept SMS-based two-factor authentication codes by tricking cellular providers into cloning a victim’s mobile phone number to a new SIM card, which they can then place in their own phone. These so-called SIM-swapping attacks can involve the hacker resorting to identity theft or bribing cellular employees for such access.
The results can be devastating for victims. SIM-swapping attacks have helped cybercriminals steal cryptocurrency and even infiltrate major tech companies, including Reddit and Twitter.
In 2021, Coinbase itself disclosed that hackers stole cryptocurrency from at least 6,000 users, likely through a combination of phishing emails and SIM swapping. The heists have caused a growing number of consumers to file class-action lawsuits against the cryptocurrency industry and cellular providers for failing to protect their accounts from SIM-swapping attacks.