Coinbase has a security flaw: 2FA using a cell phone is not safe. Don't use a phone for 2FA!

Posted in #cybersecurity, 3 years ago (edited)

A close friend of mine may be out $30,000 USD due to a flaw in Coinbase's security policy.


The Story:

My friend is not a "Tech Guy", but I convinced him to invest with Coinbase (something I now deeply regret). My friend is not rich, just a regular guy investing whatever he could out of every paycheck to try and put his children through college one day. Like many people, he used his phone for his Two Factor Authentication (2FA). Like many people, he figured that a hacker would have to crack his password and steal his phone, but much to his surprise he was wrong.

Apparently hackers can use basic information to social engineer most phone companies into giving them a duplicate of your SIM card, and that's it. When I first learned about SIM card attacks, I thought the hacker had to have access to a person's physical phone, but I was mistaken. All an attacker needs is your basic information and a convincing story. This part is the fault of the phone company, but they are not the only ones at fault here...

My friend Carlos Menduina, who lives in NJ, had his SIM card copied at a MetroPCS branch in Arizona. He filed a claim with Coinbase (claim# 07355331) on 9/5/2021, and this is the only response he received:

[screenshot of Coinbase's response to the claim]

Carlos doesn't even know if his money is gone; he can't log into his account, and no one from Coinbase will tell him anything.

Two days after all of this happened, and after Carlos was informed over the phone that his account had been frozen, the hackers tried to purchase another $3,500 in Bitcoin from his linked bank account. Carlos called the bank and they stopped the purchase; this money will be replaced by the bank in a few weeks.

The How

Personal information was mined from social media using applications that read the HTML and look for keywords. Once a profile is created for someone who might have significant crypto holdings, they find the cell phone carrier. Next, they social engineer the phone company and convince them to issue a duplicate SIM card. Or an employee of the company does it for themselves or for a partner in crime. Or they hack an employee of the phone company to obtain their credentials (this is what happened to Carlos). Lastly, they use your credentials to get access to your email and 2FA. Once they have this they simply open Coinbase and click "Forgot Password". The password reset is sent to the stolen email and boom, they are in. At this point they can easily convert everything to Bitcoin and send it to a wallet they created while using Tails (https://tails.boum.org/) and the Tor browser (https://www.torproject.org/download/).

Then they have many options. They can send money to Bitcoin ATMs a little at a time and withdraw wearing a mask (thanks, Covid-19). Or they can send the Bitcoin to a decentralized exchange, convert it to Monero (https://www.getmonero.org/), send it to their own Monero wallet, convert it to cash on an exchange and cash out free and clear. Or they can sell the Bitcoin peer to peer at LocalBitcoin.com. Once it has been moved off Coinbase it is easy for them to get away with it, even with Bitcoin being very traceable. Remember, they only have to raise enough plausible deniability to not lose in court. So if the Bitcoin is moved to a few wallets in pieces before ending up in a wallet that cashes it out, the person who cashes it out can simply say he bought something or traded something for the Bitcoin in question.

What Coinbase should have done to prevent this (opinion)

  • Coinbase should not allow anyone to withdraw funds for 24 hours after the password, email or any 2FA method has been changed.
  • Coinbase should have a team that is able to deal with situations like this and, at the bare minimum, has the ability to freeze accounts until it has time to manage the situation. At best they should be able to freeze trading and withdrawals for the owner if they call and provide: bank account number, last transaction amount, name, last 5 digits of their Social Security number, email, address, mother's maiden name, and a photo of their license. This should be done immediately.
  • Coinbase should recommend that people use an authenticator app and warn users about the dangers of using a cell phone for 2FA.
  • But most of all, Coinbase should have someone respond to such situations in a timely manner.
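To make the first two proposals concrete, here is an added example (my own code, not Coinbase's; nothing here describes how their systems actually work) of a withdrawal-hold policy: it parses a constructed account event log, refuses withdrawals for 24 hours after any password, email or 2FA change, and lets a support-side freeze override everything. The event names, log format and 24-hour window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

# Assumed policy values and event names (illustrative, not Coinbase's real ones).
HOLD_WINDOW = timedelta(hours=24)
SENSITIVE_CHANGES = {"password_changed", "email_changed", "2fa_changed"}


@dataclass(frozen=True)
class Event:
    at: datetime
    account_id: str
    kind: str


def parse_timestamp(text: str) -> datetime:
    """Parse a UTC timestamp like 2024-03-01T14:02:11Z into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[Event]:
    """Parse lines of the constructed form '<timestamp> acct=<id> event=<kind>'."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(parse_timestamp(ts), kv["acct"], kv["event"]))
    return events


def last_sensitive_change(events: Iterable[Event], account_id: str) -> Optional[datetime]:
    """Time of the most recent credential/2FA change on the account, or None."""
    times = [e.at for e in events if e.account_id == account_id and e.kind in SENSITIVE_CHANGES]
    return max(times) if times else None


def withdrawal_decision(events: Iterable[Event], account_id: str, requested_at: datetime,
                        frozen_accounts: frozenset = frozenset()) -> Tuple[bool, str]:
    """Return (allowed, reason). A support freeze wins; then the post-change hold window applies."""
    if account_id in frozen_accounts:
        return False, "denied: account frozen by support"
    changed = last_sensitive_change(events, account_id)
    if changed is not None:
        elapsed = requested_at - changed
        if elapsed < HOLD_WINDOW:
            hours_left = int((HOLD_WINDOW - elapsed).total_seconds() // 3600)
            return False, f"denied: credentials changed {elapsed} ago; hold lifts in about {hours_left}h"
    return True, "allowed"


def decide(log_text: str, account_id: str, requested_at_iso: str,
           frozen_accounts: Iterable[str] = ()) -> Tuple[bool, str]:
    """String-based wrapper so the policy can be exercised straight from log text."""
    return withdrawal_decision(parse_log(log_text), account_id,
                               parse_timestamp(requested_at_iso), frozenset(frozen_accounts))


# Constructed sample log: u-1001 shows the takeover pattern from the post
# (new device, then password and 2FA changed within minutes); u-2002 is quiet.
SAMPLE_LOG = """
2024-03-01T13:58:40Z acct=u-1001 event=login_new_device
2024-03-01T14:02:11Z acct=u-1001 event=password_changed
2024-03-01T14:03:05Z acct=u-1001 event=2fa_changed
2024-03-01T14:10:00Z acct=u-2002 event=login
"""

if __name__ == "__main__":
    checks = [
        ("u-1001", "2024-03-01T15:00:00Z", ()),          # inside the 24h hold -> denied
        ("u-1001", "2024-03-02T14:30:00Z", ()),          # hold expired -> allowed
        ("u-2002", "2024-03-01T15:00:00Z", ()),          # no changes -> allowed
        ("u-2002", "2024-03-01T15:00:00Z", {"u-2002"}),  # frozen by support -> denied
    ]
    for acct, when, frozen in checks:
        allowed, reason = decide(SAMPLE_LOG, acct, when, frozen)
        print(f"{acct} @ {when}: {reason}")
```

The hold is keyed on the latest sensitive change, so an attacker who changes the password and then the 2FA method restarts the clock rather than shortening it; the support freeze is a separate input so that a phone call can stop withdrawals before anyone has worked out what happened.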

As someone who owns a significant amount of COIN shares (Coinbase's ticker symbol on the stock exchange), this article might negatively affect the value of my holdings. And I am well aware of the fact that Coinbase is growing so fast that they can't hire people fast enough to keep up with demand, but the changes that I am proposing aren't cumbersome and can be implemented without too much time spent. Coinbase's failure to act is hurting the price of Bitcoin, which will ultimately hurt the value of their company. Furthermore, if Coinbase doesn't do something soon the SEC will be forced to step in: https://www.cnbc.com/2021/08/24/coinbase-slammed-for-terrible-customer-service-after-hackers-drain-user-accounts.html.

How to protect yourself.

  • Use facial recognition for 2FA.
  • Use an email account that you use for nothing else to open crypto accounts.
  • Never open spam emails or click links.
  • Keep your phone close by.
  • Tell your phone company that you do not authorize changes or duplicates to your SIM card without a verbal password.
  • Use an Authenticator app for 2FA.
  • Best of all, use a hardware key for 2FA; no one can access your account without the hardware key.


UPDATE

Today my friend received the following response from Coinbase and, to be clear, they have done nothing to help him; he doesn't even know for sure if his account has been cleaned out at this point (although, unfortunately, it likely has).

[screenshot of Coinbase's follow-up response]

No one will talk to him on the phone and his help ticket was closed with nothing resolved.

The views herein are the opinions of the author and are as accurate as the information that he received. Please invest at your own risk.