Coinbase made everyone whole, and the attackers stole the credentials (through no fault of Coinbase's) ahead of time, and the attackers had to perform a "SIM swap" type attack on the users. "Breach" may be the required term for the Californian government, but this wouldn't qualify to most people as a traditional breach (i.e., compromise of Coinbase's infrastructure).
> ... the attackers had to perform a "SIM swap" type attack on the users
Minor nitpick: I find your framing problematic as it transfers "burden of security" to the end-users over a process that did not involve them: this was not an attack on the users - it was an attack on the telecoms infrastructure.
I have a similar gripe against "identity theft", which really ought to be "fraud against corporation X, using false identity" - however, that framing is necessary to make consumers accept, by default, the burden of clearing debts they were never party to simply because the defrauded party did not adequately verify the perpetrator's identity.
I agree. From Coinbase's perspective, they ought to defend their infrastructure against fraud, whether that is a direct attack on the users, an attack on the users' telcos, or insider activity directly.
From the telco's perspective, they have a responsibility to stop SMS and SIM fraud, and our regulations have failed to properly hold them accountable in this domain.
I would add that the users have some responsibility for losing their emails/passwords, but my initial framing insufficiently demands responsibility for the service providers in this instance. The service providers should be expected to take all reasonable steps to prevent fraud on their platforms, and that should include extra scrutiny of SMS-based authentication mechanisms (e.g., identity verification). This is why Coinbase paid them back, accepting some responsibility for the fraud.
I fully agree that users are not absolved of all responsibilities or vigilance (e.g. over passwords/devices). I think the legal framework has to be overhauled to clarify the culpability of all parties involved, rather than the current "Sucks to be you" attitude towards consumers, who are the least powerful, and have the least agency in these issues.
Telcos have no responsibility to stop SIM fraud. Telcos have communicated for the last 30 years that SMS is not secure (travels as plain text) and should not be used for 2FA. If companies have ignored this advice then it is on them.
SIM swapping also allows you to intercept voice calls, which are encrypted and supposed to be secure. The idea that telcos have no responsibility to stop people from taking over the telephone number that customers pay for is completely absurd. Moreover, often the SIM swapping is done by employees of the Telco itself using company infrastructure.
No, you are not correct. The whole underlying mobile phone network infrastructure is based on (failed) trust and is not secure. Though it is slowly being replaced.
The incumbent telcos would love a regulatory framework where they must store address info and other personal data of their clients: Clients would then be much less likely to switch.
International tourists will also be less likely to get a local SIM card and then pay exorbitant roaming charges.
(Here in South Africa, clients must provide proof of their residential address. Some telcos even insist on verifying the thumbprints of their clients)
Don't see how that's relevant to the thread at hand. The problem here is that the Telco has an existing paying customer for a number, and has systems that allow other malicious actors to take over that number instead. It's not about verifying the absolute identity of the account owner, they only need to verify that the new SIM using a number has permission from the person who rightfully owns the account. In many cases, this fraud is being committed by employees of the carrier (e.g. at its retail locations). That means the carrier clearly doesn't have adequate controls to prevent abuse.
This isn't really true. Google Voice numbers are managed by bandwidth.com and have been taken by attackers submitting fraudulent number portability requests in the past.
Coinbase and other sites (especially those that deal in money) should stop using SIM cards as a form of authentication. While carriers should probably do more to secure SIMs and phone #s, it has always been known that the system was never designed to be used as a security mechanism, and Coinbase using it as such is a security flaw that they are responsible for.
Okta architect here. It's hard enough getting MFA to work in a large organization where technically illiterate people are surrounded by coworkers they can ask, who have all figured out their RSA tokens or Okta Verify enrollment. Trying to manage this for the general public would be an incredible undertaking.
The cost benefit analysis probably does not make sense for a gazillion low balance users. It may make sense to enforce strong factors for high balance users. You have to balance that against them taking their business elsewhere.
In Europe all banks are using 2FA, and it's usually based on TOTP (and enrolling the first phone is a pain usually requiring QR codes and whatnot). 17 years ago some were using smartcards as 2FA. It's doable and secure, to the point that identity theft is almost unheard of (and usually used more as a synonym of catfishing than in the American sense).
SMS is handy but it should be a last resort rather than the main second factor.
I bank with a major European bank, and they still rely on SMS for 2FA for every online transaction, except for logging into their website. They offer 2FA through their app, but that only works with iOS or Android with full Google Play services---for non-Google folks running LineageOS or /e/ OS, they're stuck with SMS 2FA.
Yeah what I meant is that companies should propose other methods than SMS.
SMS can be good enough to confirm a password reset link that was sent by email (so you will not really do anything without access to an account's linked email address), but not as the main second factor for login.
This. Nerdy people don’t understand how much people struggle with this.
RSA enrollment is probably the single most challenging end user issue our IT folks deal with. After password reset it’s the #2 call, and lots of time, training and engineering effort has been expended to improve the experience. (And those efforts were very effective!)
So to sum up, an organization promising to take people's money and keep it safe can't afford to do it except for people with a great deal of money. However, they're still going to accept smaller amounts of money. Did I get that right?
Depends on how you define "keep it safe". If I give you $100 to keep safe, I don't care how many times you get robbed as long as I get $100 back when I want it. If I can get my money, it's safe.
When I went looking for an online brokerage in the USA with a reasonable login process (i.e. 2FA, not by SMS ever) it seemed pretty hard to find one. (Maybe that's changed?) These brokerages handle amounts much greater than a software engineer's retirement savings.
I think the difference for me is the extent to which transactions are traceable, revertable, and regulated. The median reaction to theft in the cryptocurrency world is somewhere between "caveat emptor" and "ha ha, buddy, you fucked up".
For traditional finance, it's pretty different. E.g., "If fraudulent electronic withdrawals are made from your bank or credit union account but your ATM or debit card is not lost or stolen, you are not liable if you write to let the bank or credit union know about the error within 60 days of when they send you the account statement showing the fraudulent withdrawals." https://ovc.ojp.gov/sites/g/files/xyckuh226/files/media/docu...
But could one simply take the secret when initializing the app and stick it in another, like andOTP? My employer told us that the corporate intranet required we use Google Authenticator, but when I try other OTP apps, it still works.
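The reason other apps "still work" is that TOTP (RFC 6238) is a pure function of the enrolled base32 secret and the clock; no app holds anything the others don't. The following is an added illustration, not code from this thread or from any authenticator vendor: a stand-alone implementation checked against the RFC 6238 reference secret ("12345678901234567890", here in the base32 form an otpauth:// QR code would carry).

```python
"""Stand-alone RFC 6238 TOTP (added example). Any authenticator given the
same base32 secret produces the same code, which is why moving the secret
between apps keeps working."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation,
    then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP from a base32 secret as found in an otpauth:// URI."""
    if at is None:
        at = time.time()
    # Enrollment URIs often omit '=' padding and may contain spaces; normalise.
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    key = base64.b32decode(s)
    return hotp(key, int(at // step), digits)


def verify_totp(secret_b32: str, code: str, at=None, skew: int = 1) -> bool:
    """Server-side check tolerating +/- `skew` time steps of clock drift,
    using a constant-time comparison for each candidate."""
    if at is None:
        at = time.time()
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret_b32, at + k * 30), code):
            return True
    return False


# RFC 6238 reference secret "12345678901234567890", base32-encoded.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

Note what this implies for the "corporate intranet requires Google Authenticator" claim: the server can only verify the code, not which app computed it. The practical consequence is that the secret itself is the thing to protect; any app or backup that holds it (including cloud-synced ones) is as sensitive as the account.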
A decent point. It scares me to imagine all the security checks that would be required to make SMS actually secure against these kind of attacks, and then getting everyone to actually follow them.
> I have a similar gripe against "identity theft", which really ought to be...
... bank robbery by unknowing proxy. If we reframed the narrative, I bet banks and financial institutions would bust their asses to make things better.
They already do for the most part though right? That is, they lose a huge amount of money to "identity theft" and have ample incentives to stop/prevent it.
It was not a simswap/simjack attack, they exploited an oversight in Coinbase's password-reset 2FA to send the challenge code for one user to another user's phone number.
Yes! From the linked pdf that came from Coinbase[1]:
"However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account"
The key part being: "a flaw in Coinbase’s SMS Account Recovery"
I haven't been able to verify these sort of claims any more than I've been able to speculate it was blanket telco Letters-of-Authorization (LoAs) [0][1] or classic SIM swaps that resulted in the account takeovers. I'm not claiming you're wrong, but given the timing of the LoA fraud and the attacks, it seemed likely to me that this was not an actual web vulnerability.
What makes you believe a specific exploit like that existed against Coinbase's 2FA? And if it existed, then why wasn't that caught in a routine pentest?
With only the pdf to go on, I address the "flaw" in more detail in these comment threads [0] [1]. In short, I believe the "flaw" is likely to be "we used SMS for identity verification, without additional necessary scrutiny."
The technical barrier to entry for accruing and using breach databases is near-zero [2], same with the barrier to SMS fraud. Both are routine and easy methods for criminal groups with no special technical abilities, and therefore they are likely. Since the onus is on Coinbase to do identity verification in account recovery, a large number of successful takeovers would be a "flaw" in their process, even if it's not a technical flaw (which I would expect to be expressed in language like "vulnerability").
Accepting untrusted, unauthenticated user input as an SMS verification number would be a serious login-related flaw, and certainly Coinbase pentests their login pages. Any competent pentester would discover such a flaw. So between "Coinbase shipped a critical and obvious login flaw to prod" and "a routine and common criminal tactic was employed successfully against them," I find the latter more likely.
I find your take on this very strange. Given that, again, Coinbase themselves called this "a flaw in Coinbase’s SMS Account Recovery process", it would be bizarre that this was just "standard" run-of-the-mill SIM-swapping, because of course SIM-swapping is always an inherent danger with SMS 2 factor.
Coinbase is very clear in the breach notification that attackers had already acquired users' (a) emails, (b) passwords, and importantly (c) already have access to the users' primary email accounts. At that point, the only thing left preventing account takeover would be the 2FA challenge, and since Coinbase said there was "a flaw in Coinbase’s SMS Account Recovery process" I find it a bizarre conclusion to think that flaw was just a standard SIM-swap.
Edit: Actually, pretty positive it was not just a standard SIM-swap given that, if it were, Coinbase would not have specifically called out "a flaw in Coinbase’s SMS Account Recovery process". If it were just normal SIM-swapping bad guys would have just used that to defeat 2FA during the login process - there would have been no need for them to mess with the account recovery process. That's actually not that uncommon a bug, where 2FA works great to protect login, but there is an oversight that makes it not required during the account recovery process (by definition you're letting people into an account during the recovery process even if they're missing one of their authentication methods) that makes the whole 2FA moot.
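The bug class described in this comment (login enforces the second factor, recovery doesn't, or recovery lets the caller steer where the code goes) is easier to see in code. What follows is a hypothetical toy model added for illustration; it is not Coinbase's code, which nobody in this thread has seen, and the account data, phone numbers and the `totp_ok` flag standing in for a verified second factor are all constructed. The attacker here already holds the victim's email and password, as the notification says, and controls only their own phone number.

```python
"""Toy model (added example, hypothetical) of a recovery flow that is weaker
than login, beside one that is not. Nothing here describes Coinbase's
actual implementation."""
import hmac
import secrets
import time

# Constructed account store.
ACCOUNTS = {
    "alice@example.com": {"phone": "+15550100", "totp_enrolled": True},
}
# Every SMS the system "sends", keyed by destination number: this is what an
# attacker controlling a number (SIM swap, port-out, leaky SMS relay) sees.
SMS_OUTBOX = {}
# Pending recovery challenges keyed by account email.
PENDING = {}


def _send_sms(phone, text):
    SMS_OUTBOX.setdefault(phone, []).append(text)


def start_recovery_vulnerable(email, phone_from_request):
    """Flaw 1: the destination number comes from the request, not the account."""
    if email not in ACCOUNTS:
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[email] = {"code": code}
    _send_sms(phone_from_request, f"Your recovery code is {code}")
    return True


def finish_recovery_vulnerable(email, code):
    """Flaw 2: the SMS code alone resets the account, skipping the TOTP that
    the normal login path demands."""
    p = PENDING.pop(email, None)
    return p is not None and hmac.compare_digest(p["code"], code)


def start_recovery_hardened(email, phone_from_request=None):
    """Caller-supplied destination is ignored; the code goes only to the number
    on file, and unknown emails get the same answer (no enumeration)."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return True
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[email] = {"code": code, "expires": time.time() + 300, "attempts": 0}
    _send_sms(acct["phone"], f"Your recovery code is {code}")
    return True


def finish_recovery_hardened(email, code, totp_ok):
    """Recovery must not be weaker than login: SMS code plus the same second
    factor login enforces (`totp_ok` stands in for a verified TOTP or
    security-key assertion), with expiry and an attempt limit."""
    p = PENDING.get(email)
    if p is None or time.time() > p["expires"]:
        PENDING.pop(email, None)
        return False
    p["attempts"] += 1
    if p["attempts"] > 5:
        PENDING.pop(email, None)
        return False
    if not hmac.compare_digest(p["code"], code):
        return False
    if ACCOUNTS[email]["totp_enrolled"] and not totp_ok:
        return False
    PENDING.pop(email, None)
    return True


def _last_code_seen_at(phone):
    msgs = SMS_OUTBOX.get(phone, [])
    return msgs[-1].split()[-1] if msgs else ""


def attacker_takeover(flow, attacker_phone):
    """Attacker knows alice's email/password, controls attacker_phone only."""
    SMS_OUTBOX.clear()
    PENDING.clear()
    if flow == "vulnerable":
        start_recovery_vulnerable("alice@example.com", attacker_phone)
        return finish_recovery_vulnerable("alice@example.com",
                                          _last_code_seen_at(attacker_phone))
    start_recovery_hardened("alice@example.com", attacker_phone)
    return finish_recovery_hardened("alice@example.com",
                                    _last_code_seen_at(attacker_phone),
                                    totp_ok=False)


def legitimate_recovery():
    """Alice, who still has her phone and authenticator, recovers normally."""
    SMS_OUTBOX.clear()
    PENDING.clear()
    start_recovery_hardened("alice@example.com")
    return finish_recovery_hardened("alice@example.com",
                                    _last_code_seen_at("+15550100"),
                                    totp_ok=True)
```

The caveat the rest of the thread keeps circling back to still applies to the hardened version: if SMS is the only second factor a user has, someone who has taken over the number beats both login and recovery, and no change to the recovery protocol fixes that. What the hardened flow does fix is the case this comment is about, where an attacker who cannot intercept the victim's SMS still gets in because recovery trusts them more than login does.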
If they use that wording, though, they are putting themselves on the hook to fix the "flaw". That's why I'm skeptical that it was just simjacking. I don't see a way that Coinbase could implement SMS 2FA in a way that doesn't have that "flaw".
>As soon as Coinbase learned of this issue, we updated our SMS Account Recovery protocols to prevent any further bypassing of that authentication process
How is it possible to update the SMS recovery protocol to prevent sim swapping?
No, I don't think they have. The document says they will, not that they have. I personally know someone who had 2FA and tends to be security knowledgeable and was struck by this on 6/7, which is well past their claimed date, so either they are lying or the hacking continues undetected. He has had no ability to get anyone on the phone who will help with the issue. He lost less than $2,000, but it is ridiculous how crypto currency combines the worst of the wild west with the worst of banking with the worst of crappy customer service.
Some exchanges have good customer service, but Coinbase isn't one of them. They went the route of minimizing customer support staff that many tech companies do.
Big difference! I have personal experience of Coinbase emailing me (in writing!) that I’d get a bank overdraft fee refunded from their system-wide mistake of double-charging cryptocurrency orders. This happened right before their IPO.
Long story short, I was never refunded despite raising two support tickets. :(
> but it is ridiculous how crypto currency combines the worst of the wild west with the worst of banking with the worst of crappy customer service.
Crypto's value is because it is the wild west. Otherwise, it'd be gold: custodians holding the commodity for owners, most of it locked in cold storage, fully regulated, and governments pursuing theft whenever reported.
Eventually, the end state desired will be reached (regulation, customer service, insurance, pursuit of value theft, etc), it's just taking time for governments and Big Finance to catch up.
Bitcoin is a self custody asset just like gold, and IMHO that and its decentralized exchange is actually where all the value comes from if it has any. People do own gold and store it on their own property as well.
Gold owners also use responsible custodians when they don't store the gold themselves. I think bitcoin owners do not do the same because they want to have easy access to trading and there aren’t companies that both operate trading and are either responsible custodians or make it easy to use a different custodian for storage.
They already support other forms of 2FA, so I guess you mean they should turn off support for SMS. Keep in mind that for many users the alternative is no 2FA at all (they don't browse HN and Krebs), which is much, much worse.
Coinbase should continue doing what they are doing, which is to support SMS, and educate and encourage users where possible to use something else instead.
What they should be doing, is to subsidise YubiKeys to their high-value customers.
Not just to lock down the logins to Coinbase, but to also secure their customers' email, Twitter accounts, and as many other online systems as would support hardware backed WebAuthn. Hell, PokerStars did this with RSA tokens back in 2008 so it's not like it's a new idea.
Yes. You need an NFC-chipped phone and an NFC-model YubiKey.
That also solves a major usability issue: instead of trying to juggle between a mobile application and a TOTP authenticator (on the same device!), or plugging in a USB adapter for authentication needs, you just quickly tap/wave your keyring next to the phone. Or quickly take your phone out of your pocket when you need the second factor.
Which works fine until they buy a new phone and trade in or reset the old one without transferring the private keys -- and now you're locked out of your own account because you lost your second factor.
> and now you're locked out of your own account because you lost your second factor.
To verify someone's identity ("Identity Proofing") using Stripe Identity [1] costs ~$2. They support IDs from 33 countries, and have implemented fraud detection in the flow. If you were so paranoid as to defend against someone stealing your government issued ID (used in the proofing process), you could paper mail an OTP to the physical address on file.
Does it suck and it's the cost of no digital ID infrastructure in the US? Yes. Is it insurmountable? Not at all. At the end of the day, people are the weakest link, and we must fall back to meatspace trust anchors (in this case, possession of government provided ID that can be provided on demand with robust fraud detection mechanisms). You are who you are, and own what you own, not because of key material but because of the law.
Emergency single-use codes. They can be printed and stored in a safe. Not every service with 2FA has this feature, I have no idea why. How hard could it possibly be?
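It genuinely is not hard. The following is an added illustration of the mechanism (not code from this thread or any vendor): codes are generated once and shown to the user to print, the server keeps only salted hashes, and each code is burned on first use. The alphabet, code length and iteration count are my choices, not anything the page specifies.

```python
"""Emergency single-use backup codes (added example, hypothetical design)."""
import hashlib
import hmac
import secrets

# Letters/digits that are unambiguous when read off a printout (no 0/O, 1/l/i).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(n: int = 10, length: int = 10):
    """Plaintext codes to show the user exactly once (print, put in a safe).
    10 chars from a 31-symbol alphabet is roughly 49 bits of entropy each."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(n)]


def _normalise(code: str) -> str:
    # Accept what a person types from paper: case, spaces and dashes ignored.
    return code.strip().lower().replace("-", "").replace(" ", "")


def _hash_code(code: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a copied database cannot be used directly.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class BackupCodeStore:
    """What the server persists per user: one salt, N hashes, N used-flags."""

    def __init__(self, plaintext_codes):
        self.salt = secrets.token_bytes(16)
        self.entries = [{"hash": _hash_code(_normalise(c), self.salt), "used": False}
                        for c in plaintext_codes]

    def redeem(self, submitted: str) -> bool:
        """True once per code. Scans every entry with constant-time compares
        and only then decides, so timing does not leak which slot matched."""
        h = _hash_code(_normalise(submitted), self.salt)
        match = None
        for entry in self.entries:
            if hmac.compare_digest(entry["hash"], h) and not entry["used"]:
                match = entry
        if match is None:
            return False
        match["used"] = True
        return True

    def remaining(self) -> int:
        return sum(1 for e in self.entries if not e["used"])
```

Two operational points a practitioner would add: redeeming a code should trigger a notification to the account's other channels, and when `remaining()` drops low the user should be prompted to regenerate the set (which replaces the whole list, never appends to it).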
But then bad guy just logs in to Authy with the same stolen credentials because most normal people will probably use the same credentials for everything, including Authy. And arguably, the smartest tech-savvy folk wouldn't be storing their 2FA keys in the cloud like Authy anyway.
If your cloud account is protected by 2FA that's also in the cloud... it's turtles all the way down.
I'm not entirely familiar with coinbase, so is it really 2fa or is it 1fa in that you can use SMS as a recovery method when you don't know your password?
Wait, why should they accept customer funds if they don't think they can keep them safely? If somebody is saying, "Let me hold on to your money for you," it seems like a minimum bar is them being pretty sure it's not going to go anywhere.
You can change your phone number by re-validating your identity. During the 2FA step when logging in, you can click on "I need to change my phone number" (or similar).
Coinbase does allow SMS to be turned off. I did that on my account. When SMS is turned off, and when a U2F security key is the only 2FA you configured, if you lose the security key the only way to recover the account is to contact their support department and provide a photo of yourself holding your ID.
I don't know about you, but in the days of smartphones, login + mail + sms seems pointless. The only lock is the pin code / fingerprint on your phone, since when that is unlocked, the attacker gets to trigger all validation steps.
The important part is having physical access to the phone. A targeted attack against you now requires a physical element, rather than being entirely online.
Agree with everything you say, but add to that a lot of SMS 2FA exploits are SIM or redirection attacks. It's possible to get access to a phone number without access to the phone.
Here’s an old story of a friend who had a weird talk with someone who had redirected their phone:
In the linked PDF, Coinbase does not claim to have knowledge of a vulnerability in their system (edit: though it does note "the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process," I interpreted that as "we supported SMS account recovery at all" which is inherently broken [0]). The requisite two-factor bypass is detailed in the linked pdf:
> Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.
My guess is, because funds were stolen from users' accounts, the CA breach notification laws apply and this needed to be disclosed as such. However, that doesn't necessarily mean that Coinbase was technically "breached," only that customer accounts were compromised.
If the attacker controls your personal email associated with Coinbase, accompanying passwords, and phone number, and you use SMS 2FA, then your funds were stolen. Otherwise, they were safe. That's my reading of the article.
They also say "we updated our SMS Account Recovery protocols to prevent any further bypassing of that authentication process". What did they update if it wasn't due to a weakness on their side?
EDIT: on reading some of their docs, recovery is supposed to be followed by the user submitting ID documents etc before they get full access back - maybe that's the part they didn't do before or that could somehow be circumvented? (which is a flaw, but still requires intercepting the SMS to use?)
I bet that control of email address + SMS 2FA was sufficient, alone, to recover the Coinbase account password. Lots of systems permit this kind of recovery, and while I may tell a technical crowd "if you use SMS for 2FA, that's on you" less technical users may not have the requisite background to understand the security tradeoff they make in doing so.
The "flaw," in my reading of it, was to support SMS-based account recovery at all. But I'm not necessarily right here, and open to alternatives.
Looking at his other comments, he's speculating. The document talks about obtaining an SMS verification token, they say "we updated our SMS Account Recovery protocols to prevent any further bypassing of that authentication process", and have not removed SMS as an authentication option. I see no reason to think this vulnerability was a SIM swap. Him stating it as if it's a fact in his original comment is very misleading.
It doesn't matter who technically is at fault; Coinbase wants to stay ahead of the potential bad press and people pulling all their funds from the platform. Probably just figured this was cheaper.
I'm in no way arguing that they shouldn't notify people/replace money/..., I just wonder where the confidence for the claim that it was just SIM swapping comes from.
These days in infosec circles simply having SMS-based 2FA enabled is now considered a no-no because of the notoriously bad (and inconsistent) security measures at large mobile carriers.
There is some speculation in another comment that their SMS verification server may have actually had a technical flaw, and the issue was not a lack of separate identity verification on SMS [0].
However, around the time of the breach date (March - May 2021), there were a number of "B2B" services that offered a "type in any SMS number and you will get all text messages to that number," type feature intended for customer support teams to use for shared SMS access. Those systems often had privileged access to telcos and were regularly exploited by attackers to break 2FA without even a SIM swap [1]. With those tools, stealing all SMS to a number required only intent, not conversations with telco support personnel.
Even though I stopped using coinbase, I appreciate the company compared to others because:
1) They had a reasonable account recovery process after I lost my phone and therefore google authenticator. Binance's process was needlessly annoying and pointless, kucoin straight up decided this was a good opportunity to just block my account completely and steal my money, even after email verification, as well as me supplying all emails they sent me about account activity.
2) They were the most transparent about new requirements about identity verification than others, and still allow withdrawals without verification.
>the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process
Your speculation and conjecture dismisses you from any and all future discussions on this matter. You have demonstrated that you are unfit to comment.
Edit: California, not Canada. My bad.