undefined | Better HN

0 pointsvngzs4y ago0 comments

I haven't been able to verify these sort of claims any more than I've been able to speculate it was blanket telco Letters-of-Authorization (LoAs) [0][1] or classic SIM swaps that resulted in the account takeovers. I'm not claiming you're wrong, but given the timing of the LoA fraud and the attacks, it seemed likely to me that this was not an actual web vulnerability.

What makes you believe a specific exploit like that existed against Coinbase's 2FA? And if it existed, then why wasn't that caught in a routine pentest?

[0]: https://krebsonsecurity.com/2021/03/can-we-stop-pretending-s...

[1]: https://lucky225.medium.com/its-time-to-stop-using-sms-for-a...

0 comments

tyingq4y ago

Coinbase themselves called it "a flaw in Coinbase’s SMS Account Recovery process".[1]

I don't think they would have used that phrasing if it were individually simjacked phones.

[1] https://oag.ca.gov/system/files/09-24-2021%20Customer%20Noti...

vngzsOP4y ago

With only the pdf to go on, I address the "flaw" in more detail in these comment threads [0] [1]. In short, I believe the "flaw" is likely to be "we used SMS for identity verification, without additional necessary scrutiny."

The technical barrier to entry for accruing and using breach databases is near-zero [2], same with the barrier to SMS fraud. Both are routine and easy methods for criminal groups with no special technical abilities, and therefore they are likely. Since the onus is on Coinbase to do identity verification in account recovery, a large number of successful takeovers would be a "flaw" in their process, even if it's not a technical flaw (which I would expect to be expressed in language like "vulnerability").

Accepting untrusted, unauthenticated user input as a SMS verification number would be a serious login-related flaw, and certainly Coinbase pentests their login pages. Any competent pentester would discover such a flaw. So between "Coinbase shipped a critical and obvious login flaw to prod" and "a routine and common criminal tactic was employed successfully against them," I find the latter more likely.

[0]: https://news.ycombinator.com/item?id=28720101

[1]: https://news.ycombinator.com/item?id=28720520

[2]: https://xkcd.com/2176/

hn_throwaway_994y ago

I find your take on this very strange. Given that, again, Coinbase themselves called this "a flaw in Coinbase’s SMS Account Recovery process", it would be bizarre that this was just "standard" run-of-the-mill SIM-swapping, because of course SIM-swapping is always an inherent danger with SMS 2 factor.

Coinbase is very clear in the breach notification that attackers had already acquired users' (a) emails, (b) passwords, and importantly (c) already have access to the users' primary email accounts. At that point, the only thing left preventing account takeover would be the 2FA challenge, and since Coinbase said there was "a flaw in Coinbase’s SMS Account Recovery process" I find it a bizarre conclusion to think that flaw was just a standard SIM-swap.

Edit: Actually, pretty positive it was not just a standard SIM-swap given that, if it were, Coinbase would not have specifically called out "a flaw in Coinbase’s SMS Account Recovery process". If it were just normal SIM-swapping bad guys would have just used that to defeat 2FA during the login process - there would have been no need for them to mess with the account recovery process. That's actually not that uncommon a bug, where 2FA works great to protect login, but there is an oversight that makes it not required during the account recovery process (by definition you're letting people into an account during the recovery process even if they're missing one of their authentication methods) that makes the whole 2FA moot.

tyingq4y ago

If they use that wording, though, they are putting themselves on the hook to fix the "flaw". That's why I'm skeptical that it was just simjacking. I don't see a way that Coinbase could implement SMS 2FA in a way that doesn't have that "flaw".

Thorrez4y ago

>As soon as Coinbase learned of this issue, we updated our SMS Account Recovery protocols to prevent any further bypassing of that authentication process

How is it possible to update the SMS recover protocol to prevent sim swapping?

1 more reply

j / k navigate · click thread line to collapse

0 comments

tyingq4y ago

Coinbase themselves called it "a flaw in Coinbase’s SMS Account Recovery process".[1]

I don't think they would have used that phrasing if it were individually simjacked phones.

[1] https://oag.ca.gov/system/files/09-24-2021%20Customer%20Noti...

vngzsOP4y ago

[0]: https://news.ycombinator.com/item?id=28720101

[1]: https://news.ycombinator.com/item?id=28720520

[2]: https://xkcd.com/2176/

hn_throwaway_994y ago

tyingq4y ago

Thorrez4y ago

>As soon as Coinbase learned of this issue, we updated our SMS Account Recovery protocols to prevent any further bypassing of that authentication process

How is it possible to update the SMS recover protocol to prevent sim swapping?

1 more reply

j / k navigate · click thread line to collapse