How a phishing attack thwarted MFA to steal money from Coinbase customers
A flaw in Coinbase’s setup of SMS-based MFA allowed attackers to compromise a large number of accounts.
Security experts keep telling us to use multi-factor authentication whenever possible to better secure our online accounts and credentials. But what they don’t always stress is that the type of MFA you adopt makes a difference in whether or not you’re truly protected. And that lesson was hammered home through a recent phishing attack that stole money from Coinbase customers.
Coinbase is the world’s second-largest cryptocurrency exchange service, holding accounts for around 68 million users from more than 100 countries around the world.
In a recent blog post and an email to affected customers, the company revealed that a phishing campaign observed between April and early May 2021 gained unauthorized access to the accounts of at least 6,000 customers. The attackers were able to move funds from Coinbase to their own accounts, thus stealing a vast amount of money in the form of cryptocurrency.
Impersonating Coinbase, one of the phishing messages told the user that someone else may have had access to their account, thus prompting Coinbase to lock it. To unlock their account, the user needed to pass a security test. A Coinbase-spoofing phishing page then popped up asking the person to sign in with their login credentials.
With the victim’s email inbox and Coinbase login details in hand, the attackers in some cases used that information to impersonate the user, obtain an SMS-based two-factor authentication code and take over the person’s Coinbase account. From there, it was a simple matter for the cybercriminal to scoop up the funds from the victim’s account.
To hijack a customer’s account, the attackers did need to know the person’s email address, password, and phone number, as well as gain access to their email inbox. Coinbase said it found no evidence that the attackers got this information from the company. Rather, phishing attacks were the likeliest source.
Coinbase added that after it learned of the attack, the company started working with outside security vendors to remove the domains and websites used in the phishing campaign. It also alerted the email service providers most affected by the attack.
In its email to affected customers, Coinbase said it would deposit funds into their accounts equal to the value of the currency that was stolen. The company also set up a dedicated phone number—1-844-613-1499—that affected customers could call with any questions or concerns about the attack. Further, Coinbase said it would offer free credit monitoring to those who were affected.
Though the attack worked by tricking users with a phishing message, Coinbase bears a core level of responsibility.
“As complicated as this hack sounds and is, it is even more astounding how lax the security protocols were,” said Purandar Das, president and co-founder at encryption-based security provider Sotero. “From letting the hackers operate for months, letting them steal customers’ credentials, to overriding the MFA, it does not appear that a lot was done right from a security perspective.”
To sign into their Coinbase accounts, customers are prompted to set up a specific method of two-factor authentication. The choices include an SMS text message, an authenticator app or a physical security key. But those who opted for SMS made the wrong choice. In its post, Coinbase admitted to a flaw in its SMS account recovery process, a flaw that the attackers were able to exploit to gain access to certain accounts.
Among the various flavors of MFA or 2FA, SMS-based authentication is considered the least secure and the easiest to thwart. For that reason, Coinbase is now urging people to adopt one of the other methods:
“Many people choose to use SMS 2FA, because it’s linked to a phone number, rather than to one particular device and is generally the easiest to set up and to use,” Coinbase said. “Unfortunately, that same level of convenience also makes it easier for persistent attackers to intercept your 2FA codes. We strongly encourage everyone that currently uses SMS as a secondary authentication method to upgrade to stronger methods like Google Authenticator or a security key everywhere it is supported.”
Beyond switching to a stronger method of authentication, all Coinbase users are urged to change their passwords if they haven’t already done so.