How a phishing attack thwarted MFA to steal money from Coinbase customers

A flaw in Coinbase's SMS-based account recovery process allowed attackers to take over thousands of customer accounts.


Picture: Wit Olszewski/Shutterstock

Security experts keep telling us to use multi-factor authentication whenever possible to better secure our online accounts and credentials. But what they don't always stress is that the type of MFA you adopt makes a difference in whether or not you're actually protected. That lesson was hammered home by a recent phishing attack that stole money from Coinbase customers.


Coinbase is the world's second-largest cryptocurrency exchange, holding accounts for around 68 million users from more than 100 countries.

In a recent blog post and an email to affected customers, the company revealed that a phishing campaign observed between April and early May 2021 gained unauthorized access to the accounts of at least 6,000 customers. The attackers were able to move funds from Coinbase to their own accounts, stealing a large sum of money in the form of cryptocurrency.

Impersonating Coinbase, one of the phishing messages told the user that someone else may have had access to their account, which had prompted Coinbase to lock it. To unlock the account, the user needed to pass a security check. A Coinbase-spoofing phishing page then appeared, asking the person to sign in with their login credentials.

After capturing the victim's credentials and gaining access to their email inbox, the attackers in some cases used that information to impersonate the user, obtain an SMS-based two-factor authentication code and log into the person's Coinbase account. From there, it was a simple matter for the criminals to drain the funds from the victim's account.

To hijack a customer's account, the attackers needed to know the person's email address, password and phone number, and also needed access to their email inbox. Coinbase said it found no evidence that the attackers obtained this information from the company; phishing was the likeliest source.


Coinbase added that once it learned of the attack, the company began working with outside security vendors to take down the domains and websites used in the phishing campaign. It also alerted the email service providers most affected by the attack.

In its email to affected customers, Coinbase said it would deposit funds into their accounts equal to the value of the cryptocurrency that was stolen. The company also set up a dedicated phone number, 1-844-613-1499, that affected customers could call with any questions or concerns about the attack. Further, Coinbase said it would offer free credit monitoring to those who were affected.

Though the attack worked by tricking users with a phishing message, Coinbase bears a core level of responsibility.

"As challenging as this hack sounds and is, it's even more astounding how lax the security protocols were," said Purandar Das, president and co-founder at encryption-based security provider Sotero. "From letting the hackers operate for months, letting them steal customers' credentials, to overriding the MFA, it doesn't appear that a lot was done right from a security perspective."

To sign into their Coinbase accounts, customers are prompted to set up a specific method of two-factor authentication. The choices include an SMS text message, an authenticator app or a physical security key. Those who opted for SMS made the wrong choice: in its post, Coinbase admitted to a flaw in its SMS account recovery process, which the attackers were able to exploit to gain access to certain accounts.

Among the various flavors of MFA or 2FA, SMS-based authentication is considered the least secure and the easiest to defeat: the code is delivered over a carrier network to a phone number rather than generated on a device the user controls, so it can be intercepted or redirected, and SMS-based recovery flows give attackers an additional path to abuse. For that reason, Coinbase is now urging people to adopt one of the other methods.

"Many people choose to use SMS 2FA because it is linked to a phone number, rather than to one particular device, and is often the easiest to set up and to use," Coinbase said. "Unfortunately, that same level of convenience also makes it easier for persistent attackers to intercept your 2FA codes. We strongly encourage everyone that currently uses SMS as a secondary authentication method to upgrade to stronger methods like Google Authenticator or a security key everywhere it's supported."

Beyond switching to a stronger method of authentication, all Coinbase users are urged to change their passwords if they haven't already done so.
