Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Bitcoin

Hackers Bypass Coinbase 2FA To Steal Customer Funds (therecord.media) 13

An anonymous reader quotes a report from The Record: More than 6,000 Coinbase users had funds stolen from their accounts after hackers used a vulnerability in Coinbase's SMS-based two-factor authentication system to breach accounts. The intrusions took place earlier this year, between March and May, the exchange said in a data breach notification letter it has filed with US state attorney general offices. Coinbase said the attacks could exploit this bug only if they knew the victim's username and password. "While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor. "We have not found any evidence that these third parties obtained this information from Coinbase itself," the company said. Coinbase said it would reimburse all users who lost funds in these intrusions.
This discussion has been archived. No new comments can be posted.

Hackers Bypass Coinbase 2FA To Steal Customer Funds

Comments Filter:
  • SMS 2FA (Score:5, Insightful)

    by OrangeTide ( 124937 ) on Friday October 01, 2021 @04:19PM (#61852093) Homepage Journal

    SMS-based 2FA is a false sense of security. It has a hole and it gets exploited multiple times a year. If you're still using SMS for your bank, crypto, email, digital wallet, or any other service where money could be extracted from you, please pressure those services to change over now. Right now SMS 2FA is the low hanging fruit for criminals looking to make some easy money. The techniques for exploit are well understood by all, it's become an avenue for entry-level criminals but a very lucrative one.

    • Re:SMS 2FA (Score:5, Insightful)

      by silentbozo ( 542534 ) on Friday October 01, 2021 @04:34PM (#61852115) Journal

      It's amazing that:

      1. Companies still use SMS for 2FA. (a WTF)
      2. New companies use SMS for 2FA. (the real WTF)
      3. Companies are treating your phone number as a unique identifier that is tied to you (so many things wrong with this, I can't even start.)

      Why have we not just banned the use of SMS for 2FA? If not a national ban in law/regulation, then a name and shame list of unsafe providers, so people don't waste their time rewarding incompetency?

      • I'm going to assume that none of the people who upvote this post use SMS for 2FA. Yeah right.
      • SMS is convenient. All security is a balance between ease of use and security. A lot of other options are less convenient. Connected to that, the goal should not be to reduce all security breaches to zero. That's a very high bar and difficult to do with bad payoff for a lot of effort. That said, different purposes should have different security needs, and higher security for things like Coinbase which involve a lot of money should probably be the sort of thing that weighs the security concerns more heavily
    • How is it different than using any of the other ways that lets you just brute force the code? Eventually you'll hit the right one.
      • A few holes with SMS that aren't present on old fashioned SecurID fobs:
        1. it can be easy to redirect an SMS to another device, depending on the carrier. Such as duplicating a SIM or simply going to a victim's account with their carrier and poking a few settings.
        2. it can be possible to spoof the origin of an SMS and get someone to type in the codes they see on another screen. borders on social engineering, but people seem to be uneducated in this easy con. Part of the reason companies use SMS is because the

        • Right. My family went hiking near a water fall and my wife's phone fell in. A trip to the store a couple of hours restoring from backups and she only lost a few hours of information. (Mostly photos from that day)

          Now I lose my smart token fob whatever. How fast can you set me up with a fully functional replacment.?

          I used to use Google authenticator. I know how long it takes to transfer from one device to another. It isn't quick easy or doable in three times the time.

          Mostly use googles new device authen

          • Now I lose my smart token fob whatever. How fast can you set me up with a fully functional replacment.?

            12-24 hours. you can step away from the computer for that long can't you? if not, then own two like I do.

            I used to use Google authenticator. I know how long it takes to transfer from one device to another. It isn't quick easy or doable in three times the time.

            I literally have that OATH-based authenicator cloned on 3 devices. it's easy as piss. here's the command-line version if you want to write a shell script around it instead of using the little app:
            oathtool --base32 --totp "a bunch of letters they show when you click the app the first time" -d 6

    • There is no form of 2FA that will be secure if the code doesn't actually require the second factor.

  • Coinbase's security sucks. This has been an ongoing problem with them [slashdot.org]

    • I don't see how this is their fault. If you have a strong password that you don't use for other sites you're fine. Now if there was a database leak like we've seen for almost every other big site, that would be their fault.

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_

Working...