A flaw in Coinbase’s configuration of SMS-based MFA allowed attackers to compromise a large number of accounts.
Security experts keep telling us to use multi-factor authentication whenever possible to better secure our online accounts and credentials. But what they don’t always point out is that the type of MFA you adopt makes a difference in whether or not you are truly protected. That lesson was hammered home by a recent phishing attack that stole money from Coinbase customers.
Coinbase is the world’s second largest cryptocurrency exchange, holding accounts for approximately 68 million users in over 100 countries around the world.
In a recent blog post and an e-mail to affected customers, the company revealed that a phishing campaign observed between April and early May 2021 gained unauthorized access to the accounts of at least 6,000 clients. The attackers were able to transfer funds from Coinbase to their own accounts, thereby stealing a huge amount of money in the form of cryptocurrency.
Impersonating Coinbase, one of the phishing messages told the user that someone else may have had access to their account, prompting Coinbase to lock it down. To unlock their account, the user had to pass a security test. A Coinbase spoof phishing page then appeared asking the person to log in with their login credentials.
After gaining access to the victim’s inbox and Coinbase account, attackers in some cases used this information to impersonate the user, obtain a two-factor authentication code via SMS, and gain access to the person’s Coinbase account. From there, it was easy for the cybercriminal to take the funds from the victim’s account.
To hijack a customer’s account, attackers had to know the person’s email address, password, and phone number, as well as have access to their inbox. Coinbase said it found no evidence that the attackers obtained this information from the company. Instead, phishing attacks were the most likely source.
Coinbase added that after learning of the attack, the company began working with external security providers to take down the domains and websites used in the phishing campaign. It also alerted the email service providers most affected by the attack.
In its email to affected customers, Coinbase said it would deposit funds into their accounts equal to the value of the stolen currency. The company has also set up a dedicated phone number, 1-844-613-1499, which affected customers can call with any questions or concerns regarding the attack. Additionally, Coinbase said it will offer free credit monitoring to those affected.
Although the attack worked by fooling users with a phishing message, Coinbase carries a critical level of responsibility.
“As complicated as this hack may sound and be, it is even more astonishing how lax the security protocols were,” said Purandar Das, president and co-founder of the encryption-based security provider Sotero. “Whether it’s letting hackers operate for months on end, letting them steal customer credentials, or bypassing the MFA, it doesn’t seem like much has been done right from a security.”
To log into their Coinbase accounts, customers are asked to set up a specific two-factor authentication method. Choices include an SMS text message, an authenticator app, or a physical security key. But those who have opted for texting have made the wrong choice. In its blog post, Coinbase admitted to a flaw in its SMS account recovery process, a flaw that attackers were able to exploit to gain access to certain accounts.
Among the different variants of MFA or 2FA, SMS authentication is considered the least secure and the easiest to thwart. For this reason, Coinbase is now urging people to adopt one of the other methods:
“A lot of people choose to use 2FA SMS because it is tied to a phone number rather than a specific device and is generally the easiest to set up and use,” Coinbase said. “Unfortunately, this same level of convenience also makes it easier for persistent attackers to intercept your 2FA codes. We strongly encourage anyone currently using SMS as a secondary authentication method to upgrade to more powerful methods like Google Authenticator or a security key wherever it is supported.”
Beyond switching to a stronger authentication method, all Coinbase users are encouraged to change their passwords if they haven’t already.