The accounts of at least 6,000 Coinbase customers were robbed of funds after attackers bypassed the cryptocurrency exchange’s multi-factor authentication (MFA).
Coinbase suspects phishing led to attackers getting personal details needed to access wallets but also blamed a defect in its SMS-based 2FA.
According to a notification letter (PDF) that Coinbase sent to affected customers and filed with the California state Attorney General’s office, the thefts took place between March and May 20, 2021.
Account Recovery Process
The attacker(s) used a flaw in Coinbase’s account recovery process to seize the SMS two-factor authentication tokens needed to break into customers’ accounts and transfer funds to crypto wallets not associated with Coinbase.
To do this, the culprits first needed access to victims’ email addresses, passwords, phone numbers and personal email inboxes. Coinbase doesn’t know exactly how the third parties gained access to all that, but the exchange doesn’t think it’s to blame:
“We have not found any evidence that these third parties obtained this information from Coinbase itself,” according to the exchange’s breach notification.
Coinbase noted that such information is often gained through phishing attacks or other social engineering techniques that trick victims into disclosing their login credentials.
Attacks Are Rising
Earlier this week, on Monday, Coinbase warned that phishing attacks are on the rise, both in terms of volume and success rates.
Between April and early May 2021, its security team saw a “significant increase” in Coinbase-branded phishing messages that targeted users of a range of commonly used email service providers: attacks that “demonstrated a higher degree of success” at bypassing the spam filters of certain older email services.
Clearly, cryptocurrency thieves are nothing if not creative, and understandably so: They’re going after a lucrative target. While hardware wallets are considered a secure place for users to store their cryptocurrency assets, researchers in 2018 proved that wallets such as Ledger and Trezor are vulnerable to a number of cyber-attacks.
Subsequent events proved the point: In July 2020, an unauthorised third party accessed Ledger’s e-commerce and marketing database, which held email addresses as well as contact and order details including first and last name, postal address, email address and phone number.
Following the July attack, researchers discovered widespread campaigns spreading malicious browser extensions that abused Google Ads and well-known cryptocurrency brands, including Ledger, to lure victims and eventually steal their cryptocurrency wallet credentials.
Other wallets targeted in the campaign included Electrum, Exodus, Jaxx, KeepKey, MetaMask, MyEtherWallet and Trezor.
The rise of cryptocurrency has also made compromised crypto accounts hugely valuable in Dark Web marketplaces, according to the 2021 Dark Web price index from Privacy Affairs.
“Due to the skyrocketing prices of Bitcoin and other cryptocurrencies, hacked accounts may hold large sums of coin-based currency and cash, protected by relaxed security measures after the initial verification process,” according to the report, which listed the average price for a hacked Coinbase-verified account as $610.
SMS 2FA Authentication Defect
TL;DR: There are a lot of ways that the attackers could have gotten Coinbase users’ personal details.
Beyond the personal information they needed to crack victims’ accounts, the thieves needed more. For customers who use SMS texts for two-factor authentication (2FA), the unauthorised third parties had to leverage what Coinbase called a flaw in its SMS account recovery process to receive an SMS 2FA token and gain access to accounts.
Coinbase didn’t go into detail about the matter: It only stated that as soon as it learned about the issue, it “updated our SMS Account Recovery protocols to prevent any further bypassing of that authentication process.”
In a guide on securing accounts, Coinbase recommends enabling MFA using security keys or time-based one-time passwords (TOTP) with an authenticator app. Verification via SMS text messages is listed as an option, but with caveats: This verification is, after all, subject to SIM-swap or phone-port attacks.
SIM swapping is a form of fraud that allows criminals to bypass SMS-based 2FA and crack online banking or other high-value accounts such as cryptocurrency wallets.
In a typical scenario, an attacker would start by phishing personal and banking information – often via SMS phishing, which has the added benefit of confirming that a victim’s cell phone number is an active line.
Next, the attacker calls the victim’s mobile carrier – easily discovered with an online search – and convinces a service rep to port the line to a different SIM card or device.
Can We Ditch SMS-Based 2FA?
Experts agree that we should stick a fork in SMS-based 2FA: It’s clearly toast.
Roger Grimes, author of “Hacking Multifactor Authentication” and data-driven defence evangelist for KnowBe4, stated that this has got to be at least the third or fourth time that Coinbase customers have been compromised. While all MFA solutions can be hacked in multiple ways, SMS-based MFA is “among the most hackable MFA solutions,” he explained.
It isn’t exactly today’s news. In 2017, the NIST Digital Identity Guidelines observed that SMS-based MFA was very weak and shouldn’t be used to protect valuable data and content, going so far as to reserve the right to remove it entirely as an allowed MFA solution in the future.
In spite of this, “SMS-based MFA is probably the most used MFA solution on the internet today,” Grimes observed. He blames vendors who force users to rely on SMS-based MFA because that’s what the vendor uses.
“Almost all the users that do use SMS-based MFA do not know how easily it is hacked,” Grimes contended, which is an issue with all MFA solutions.
“Users are not told how each type can still be hacked, abused and bypassed, sometimes easily so, and this leads to most users thinking they are being super secure because they are using MFA and far less hackable, when that is absolutely not the case.”
Grimes thinks that the MFA solution lies in making sure “that all stakeholders (e.g., management, buyers, implementers, sysadmins, users, etc.) understand what the potential weaknesses are for their particular type of MFA, and everyone is educated about possible attacks and how to avoid them.”
Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, added that it’s incumbent on cryptocurrency users to understand that they’re constantly being targeted by cyber-criminals attempting to rob them.
When those funds are gone, they’re gone for good, Clements outlined. “The decentralised nature of most coins means that if criminals are successful in stealing them, there’s very little chance you will be able to recover your losses,” he maintained.
“As such, it’s important that users of cryptocurrency study up and implement appropriate opsec to protect themselves from the inevitable attacks, including ensuring that any computing devices or smartphones are hardened and up to date with the latest security patches, and implementing strong unique passwords as well as multi-factor authentication controls such as TOTP or hardware security keys like FIDO.
Finally, cold wallets kept completely offline are useful for limiting much easier online attack vectors.”
Coinbase Makes Good
Coinbase commented that it will deposit funds back into victims’ accounts, “equal to the value of the currency improperly removed from your account at the time of the incident.” Some customers have already been reimbursed, the exchange revealed, promising that customers will receive “the full value of what you lost.”
The exchange is also providing free credit monitoring to affected customers.
Coinbase encouraged users of SMS-based authentication to drop it and instead use stronger MFA, including TOTP or a hardware security key. It also strongly encouraged victims to change their Coinbase account password to a new, strong and unique password: one that’s not used on any other site.
The same goes for email accounts:
“Because the third parties needed access to your personal email account as part of this incident, we strongly encourage you to change your password in the same way for your email account and for any other online accounts where you use a similar password,” the exchange advised.