Edit: California, not Canada. My bad.
Minor nitpick: I find your framing problematic as it transfers "burden of security" to the end-users over a process that did not involve them: this was not an attack on the users - it was an attack on the telecoms infrastructure.
I have a similar gripe against "identity theft", which really ought to be "fraud against corporation X, using false identity" - however, that framing is necessary to make consumers accept, by default, the burden of clearing debts they were never party to simply because the defrauded party did not adequately verify the perpetrator's identity.
From the telco's perspective, they have a responsibility to stop SMS and SIM fraud, and our regulations have failed to properly hold them accountable in this domain.
I would add that the users have some responsibility for losing their emails/passwords, but my initial framing insufficiently demands responsibility for the service providers in this instance. The service providers should be expected to take all reasonable steps to prevent fraud on their platforms, and that should include extra scrutiny of SMS-based authentication mechanisms (e.g., identity verification). This is why Coinbase paid them back, accepting some responsibility for the fraud.
... bank robbery by unknowing proxy. If we reframed the narrative, I bet banks and financial institutions would bust their asses to make things better.
"However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account"
The key part being: "a flaw in Coinbase’s SMS Account Recovery"
[1] https://oag.ca.gov/system/files/09-24-2021%20Customer%20Noti...
What makes you believe a specific exploit like that existed against Coinbase's 2FA? And if it existed, then why wasn't that caught in a routine pentest?
[0]: https://krebsonsecurity.com/2021/03/can-we-stop-pretending-s...
[1]: https://lucky225.medium.com/its-time-to-stop-using-sms-for-a...
No, I don't think they have. The document says they will, not that they have. I personally know someone who had 2FA and tends to be security knowledgeable and was struck by this on 6/7, which is well past their claimed date, so either they are lying or the hacking continues undetected. He has had no ability to get anyone on the phone who will help with the issue. He lost less than $2,000, but it is ridiculous how cryptocurrency combines the worst of the wild west with the worst of banking with the worst of crappy customer service.
Long story short, I was never refunded despite raising two support tickets. :(
Crypto's value is because it is the wild west. Otherwise, it'd be gold: custodians holding the commodity for owners, most of it locked in cold storage, fully regulated, and governments pursuing theft whenever reported.
Eventually, the end state desired will be reached (regulation, customer service, insurance, pursuit of value theft, etc), it's just taking time for governments and Big Finance to catch up.
EDIT: https://www.cnbc.com/2021/10/01/defi-protocol-compound-mista... (DeFi bug accidentally gives $90 million to users, founder begs them to return it)
Coinbase should continue doing what they are doing, which is to support SMS, and educate and encourage users where possible to use something else instead.
(It’s also the only option offered by many US banks, which is a sad commentary on the level of tech innovation in finance in the USA.)
source? I kind of doubt that's something coinbase would call a flaw in their system?
> Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.
My guess is, because funds were stolen from users' accounts, the CA breach notification laws apply and this needed to be disclosed as such. However, that doesn't necessarily mean that Coinbase was technically "breached," only that customer accounts were compromised.
If the attacker controls your personal email associated with Coinbase, accompanying passwords, and phone number, and you use SMS 2FA, then your funds were stolen. Otherwise, they were safe. That's my reading of the article.
[0]: https://krebsonsecurity.com/2019/08/who-owns-your-wireless-s...
1) They had a reasonable account recovery process after I lost my phone and therefore google authenticator. Binance's process was needlessly annoying and pointless, kucoin straight up decided this was a good opportunity to just block my account completely and steal my money, even after email verification, as well as me supplying all emails they sent me about account activity.
2) They were the most transparent about new requirements about identity verification than others, and still allow withdrawals without verification.
3) Best UI in the game.
From the Coinbase statement
>the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process
Your speculation and conjecture dismisses you from any and all future discussions on this matter. You have demonstrated that you are unfit to comment.
How is this not? 2FA is not 2FA if you can recover your account with just a text. It does seem a bad engineering decision on their side.
6000 customers affected. If it wasn't a YC company you'd never say that.
I sympathize with the "Not your keys, not your coins" crowd, but you have to admit that you are far more likely to be compensated in the event of an attack if you are using a large exchange. Not guaranteed, of course, but Coinbase has an image to maintain.
I also believe, personally, that a large exchange has much better security than anything I could muster with a hot wallet. Yes, I know I can airgap a cold wallet but I like the ability to quickly sell some amount of crypto at market rates without having to transfer from a paper wallet. I also worry about physical security since my home has been burglarized before. Therefore, I keep my coins on exchanges and follow good practices with 2FA across my accounts (no SMS for any) and have withdrawal delays / whitelisting active.
Despite all the criticisms that come with "the banking system", banks do provide a lot of value to individuals. It is completely understandable that people would want to wrap their decentralized currency inside of a centralized system (exchanges, custodianship, IRAs, etc.) for the benefits that having a bank-like organization can provide.
Apart from the fact that you can save value over time? Because the dollar is only going down.
This is only a recent phenomenon, and I don’t think it holds for all “large exchange[s]”.
If people make a run on the BTC Bank, and your value drops by 40%, CoinBase isn't going to refund you the losses.
I'll guess the users had the same usernames and passwords that they've used for a hundred other sites, and one of those got breached at some point. Don't do that!
If they were certain this was PURELY a phishing campaign against their users, then they had no need to disclose to the government.
Their wording in their disclosure is very very carefully crafted to not deny a breach of their data - pending "conclusive" evidence.
They made a choice to disclose so that the gov't could never claim that they failed to disclose should Coinbase data appear on a darknet website.
And while they make an allusion to social media data collection - I was a target in June, and I absolutely had ZERO social media talking about using Coinbase. There is NO WAY hackers could have deduced on social media that I was a Coinbase user, nor gotten my cell phone number.
I am 90% confident that Coinbase WAS breached directly, allowing hackers to gain access to email and phone number for my account.
This disclosure is 100% CYA.
Did you ever use any other cryptocurrency website? If so, one of those could have been hacked in order for the hackers to get a list of users to target.
password is 1FA.
SMS is 2FA (not a great one, but still). Coinbase failed at 2FA. 2FA is critically important; that's why it exists.
Not sure why you discount username and phone either. Each of these is an additional layer of security simply by being more information an attacker needs to collect and associate. Coinbase doesn't publish a list of usernames. And how would someone associate phone numbers back to them?
Coinbase
Coinbase <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Verify your email address
In order to continue using your Coinbase account, you need to reconfirm
your email address. To avoid service interruptions verify your email.
Verify Email Address
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
If you did not sign up for this account you can ignore this email and the
account will be deleted.
Get the latest Coinbase App for your phone
Coinbase iOS mobile bitcoin wallet
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Coinbase Android mobile bitcoin wallet
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Whois info:

> whois plesk.page
Domain Name: plesk.page
Registry Domain ID: 41B85291E-PAGE
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://www.namecheap.com/
Updated Date: 2021-07-10T14:00:29Z
Creation Date: 2020-03-18T03:06:27Z
Registry Expiry Date: 2022-03-18T03:06:27Z
Registrar: Namecheap Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: REDACTED FOR PRIVACY
...
Traceroute shows that site hosted by Hurricane Electric. Anyone who lost money in this should sue Namecheap and Hurricane Electric. They will be stumbling all over themselves to tell your lawyers who their customer was, to avoid liability.
I don't even have a Coinbase account.
I am 90% certain Coinbase has suffered a broad breach of customer data that they have not disclosed yet.
https://haveibeenpwned.com/ says my data has been leaked ~25 times.
Hardware:
Hardware wallets seem to have so many downsides, as far as I can understand.
You can keep multiple copies of your password manager's database (something like a kbdx file), but you won't have multiple copies of the hardware wallet. Therefore a single point of failure. If the wallet is stolen, damaged in a house fire, crushed by some accident etc. you're done. Also, can't the firmware of the hardware wallet possibly have some unknown bugs that might cause some failure in the future? Is the hardware failure-proof? No possibility of manufacturing defect etc.?
Secondly you have to buy a hardware wallet and whatever the cost, it's not free. Whereas an open source password manager like keepass is completely free (as in freedom as well as beer).
You could use a multi purpose computer, e.g. a phone or PC and software to do the same, but they are more complex devices with more avenues to exploit them, e.g. a keylogger plus something than can upload your keepass file means you're robbed.
This is incorrect. Hardware wallets typically come with a recovery seed. Even if the original device gets destroyed, the seed helps you to get access to your addresses/crypto. This covers against all of the scenarios you mentioned.
For example, I just updated the firmware on my device this afternoon. Before I did it, I'm double-prompted to make sure I have my recovery seed in case the update fails.
As for storing in a password manager, you certainly could. I used to print my wallets out back in the day. The hardware just makes the process a bit easier and makes mistakes on my part less likely.
As for SPoF -- hardware wallets are initialized with a seed phrase. You can make as many copies of the seed phrase as you like. You don't even need to load them onto a new device if yours is lost or stolen; the phrase alone is sufficient to re-derive the keys on any computer (although you will sacrifice some security if you decide to recover that way).
In hindsight, I should've known better than to use PII in my account.
It scared me into exiting the space entirely.
*manage: generate, transmit/sync, authenticate, back up
Discussion: https://youtu.be/9k4GP3Evh9c
I actually operate a business that exists solely as a result of this fact.
If you give a user a key, they will lose it. If they’re a customer, you need to have a back up plan for what happens when they lose their keys.
True. And the same is also true for passwords. Sure, generation is different and the way of authorizing a transaction is different, but otherwise from a usage perspective a password can be viewed as a primitive case of a private key. And the industry has made huge progress in password authentication: password managers, OTP, biometric authentication, WebAuthn, etc. Specifically password managers and biometric authentication mechanisms can be re-used for private keys as well.
Having multiple wallets, multisig authentication and smart contracts allows recovery paths, while making sure that various custodians can only perform certain transactions and in a transparent way.
To me, that reads as "if you had 1 BTC stolen on May 20, we will deposit 40k USD into your account, because that was the value of 1 BTC as of May 20", not "if you had 1 BTC stolen, there is now 1 BTC back in your account".
The timeframe listed in the letter covers exactly the time of a massive price spike, so a USD payout would put most people in a better situation than a BTC payout in this specific case, but I'm still curious how this is handled, and whether there is a universally agreed standard for it.
Because next time "we'll reimburse you the USD value of your crypto as of the date of the attack 6 months ago" could mean that someone "made whole" like this has only 10% of what they would have if the attack didn't happen.
Although it sounds like these are email accounts that have been hacked in other ways too.
Falling back to SMS to reset 2FA, or Skype calls where you hold up your ID with a CSR or whatever is just asking for shit like this. In bulk the hardware is probably <$5/token, so well under $10/user (probably closer to $5/user even for a pair of tokens). If your CLTV for your high security financial service can’t afford that, go do something else.
This is a solved problem; the fact that financial institutions have not got on board with 10+ year old stable, cheap, widely available technology is a market failure caused by massive overregulation.
Nothing about this is hard, nothing about this is expensive, there’s just a pervasive attitude in financial technology circles of “this is the way we’ve always done it” or “this is the way everyone else does it”, even if those ways encapsulate a ton of waste and risk.
Even without the whole “n+1 tokens, used only as primary 2fa recovery” scheme, I don’t think there’s a single US retail bank that supports U2F even for normal 2FA login. It’s shameful.
This industry is so ridiculously ripe for disruption but it’s so heavily overregulated that nobody that doesn’t suck is allowed to enter the market. Simple was the first to try (and even they had to use a partner bank) and they got erased via acquisition (and I think subsequently shut down).
The other issue is that you ultimately need some sort of fallback mechanism if someone loses their keys. And it will happen. So you still end up with a process that can be socially engineered, which is generally the weak link in any authentication system.
Doing 2FA via app is fine for most users. The failures happen when users lose their phone and need to reset 2FA. That's where the pain in the ass (but secure pain in the ass) of U2F would come in handy, to re-enroll primary 2FA.
Nobody presently has good ways of doing 2FA resets. U2F hardware is a near-perfect solution.
I am probably not understanding this correctly, but if the attacker had to have knowledge of your password then why did they reimburse affected users. They could've called it a day and claimed it was the user's fault.
Archived version: http://web.archive.org/web/20211001155216/https://oag.ca.gov... (consider https://archive.org/donate to support the cost of operating the archive).
There was a spate of Coinbase SMS phishing texts in July 2021. So the window could be much longer, and the campaign ongoing.
I'll take my chances with the banks and Nigerian Princes.
I don't know if this is right. Traditional money transfer is not some absolute, irreversible thing. It is the product of software yes; but more importantly, it is the product of trust between institutions and individuals, backed by government and the legal system.
In traditional finance, there is _far more_ than just the correctness software ensuring the safekeeping and transfer of your assets.
It won't stop; not just crypto but almost everything that involves software will have potential attacks. Crypto is just another area where attacks happen. IMO the more attacks there are, the more robust the crypto industry will become over time.
It is so commonplace and high volume that it is not news.
If incidents were listed alongside unexpected crypto seizures, crypto would look like the better option whether it was onchain, smart contracts or custodial institutions (like Coinbase) involved. And that has nothing to do with the size of the respective markets
It's not a contest, but anti-crypto people or skeptics are just falling for clickbait at this point and it's pretty goofy to see.
One thing I've become painfully aware of recently is how all MFA is rendered pretty insecure by various "fallback" processes. I recently switched jobs and realized I had a few accounts using my old work phone as SMS 2fa number. In every case it was ridiculously easy to call a CSR and get 2fa disabled from their end.
Use yubikeys. Use coinbase vaults.
When OTP is available I always remove my phone and use that. Sim swap is such a common attack these days.
https://help.coinbase.com/en/coinbase/getting-started/verify...
Most of the knee-jerk reactions in here really don't seem to know very much about how this actually works and how it's actually the user's responsibility at the end of the day.
Service providers should know better than their users and make the best choices for them.
It is not like when you buy a car you get to choose whether you want airbags or not. They decided for you, and you must have airbags, period.
Users, on average, do not possess the knowledge to make the best decision when it comes to security.
They go with the least friction solution. SMS works great; everybody knows how it works.
So, yeah, the burden and responsibility should not be on the end user. This is clearly companies' fault.
I see 2 conflicting claims here:
> While we are not able to determine conclusively how these third parties gained access to this information
"these" being username, pw, phone number etc. And then:
> We have not found any evidence that these third parties obtained this information from Coinbase itself.
You're technically correct but the first claim undermines the second one to me.
Your car was stolen. I haven't been able to determine conclusively who did steal it or how, but I know it wasn't me.
It's difficult to prove a negative here until you find where the stolen credentials originated from. They're just saying that they have no evidence that it came from themselves thus far.
So it doesn’t necessarily mean they got it from Coinbase.
If people reused passwords, they also could potentially have cobbled together 6000 valid username/password/phone combinations from previous hacks of other services.
https://therecord.media/hackers-bypass-coinbase-2fa-to-steal...
We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost
At least they will be reimbursed, and everyone should walk happy.
The reimbursement comes from somewhere. Investors may not be happy. "everything is securities fraud"
https://www.google.com/search?q=%22everything+is+securities+...
It's funny how everything old is new again. We are just reinventing FDIC insurance for crypto.
I don't think you'd get FDIC money back if an attacker got into your account. The bank might cover you if they agree it was their fault, similar to Coinbase.
I mean, they'll more likely just move the goalposts than be won over, but at least they're running out of things to complain about. Between this and the Coinbase card, Coinbase has already tackled the two biggest (valid) critiques of crypto that I hear.
It's like people saying, "I don't like the bank with their ridiculous paperwork so I will use a loan shark instead, he doesn't need paperwork"
Then the loan shark disappears/beats you up/asks for loads of interest etc. and you still want to complain to the police.
Most people hate regulators but they are there for a reason. What certifications does coinbase have to hold your millions of dollars of virtual currency?
They were actually created as a much lighter weight framework to avoid the onerous regulation of an actual depository institution.