Coinbase account hacked? Why two-factor authentication methods are not created equal.
Recently, Medium published an article titled "How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com". In it the author describes how his Coinbase account was emptied by an SMS forwarding/phone porting attack. He goes on to make various recommendations, including using app-based 2fa (two-factor authentication) such as GAuth (Google Authenticator) or Authy instead of SMS codes.
Make sure you use GAuth or Authy or something else supporting TOTP tokens; consider a FIDO U2F device as well for your gmail account.
Unfortunately, this is partially bad advice.
Why is this bad advice?
The problem with this advice is the Authy recommendation. Switching from SMS to Authy does not close the hole it is meant to close. The SMS attack works either by SMS forwarding or by porting the victim's number to a phone the attacker controls, and Authy's account recovery is keyed to that same phone number, so a ported number can be used to take over an Authy account just as it can be used to intercept SMS codes.
Phone Porting Attack
In most of the reported SMS attacks the attackers already controlled several of the victim's accounts (e-mail, mobile carrier, and Bitcoin exchange). With that much control it is very likely they could also port the victim's mobile number. Authy is designed to be moved easily between devices when you switch to a new phone or your old one is lost or stolen: the account is bound to your phone number, and a fresh install that proves control of that number can reclaim it. That convenience cuts both ways. An attacker who ports your number can install Authy on their own device, recover your Authy account, and with it every 2fa token stored in it.
So what should I do?
The best option is to use Google Authenticator or a U2F token where possible. Every account linked to your Bitcoin exchange account (your e-mail in particular) should also use two-factor authentication, and again, not SMS and not Authy. As an additional measure, remove all recovery phone numbers from those associated accounts; a recovery number is just another path for the attacks described above. If you must keep Authy for some account, at least turn off its multi-device option so that a new install cannot simply add itself to your account.
As with anything, there is a trade-off between security and usability: as you increase security you give up convenience. It may be inconvenient for you, but it makes it many times harder for an attacker to gain access to your account. If you decide not to hold your own private keys, do your due diligence on the attack vectors actually being used and secure your exchange accounts accordingly.
Bonus: While this article mainly describes how to keep your accounts safe by defending against certain attack vectors, it should be noted that using Coinbase's vault would have mitigated the attack this article is based on. I am not aware of a single case where a Coinbase user has had their account drained while using the vault option.
I would like to be clarified on this: Authy and Google Authenticator have the same function as two-factor authentication, so what is the advantage of Google Authenticator over Authy?
They have the same function, but Google Authenticator is tied to a specific device. Authy is tied to a phone number. To get the 2fa code from Google Authenticator, someone would need to physically steal your phone. For someone to steal the code from Authy they would just need to port your phone number to their phone, then they could just install Authy to gain access to your Authy account.
Thanks a lot, I find it very helpful.
I have an Authy app. Do you know if I could remove all of the accounts that I've created and then transfer them to Google Authenticator?
Thanks
Yes you can, but don't remove them until you are sure that you have the initial key or QR code in your possession. If you do not have that, the easiest way is to go into each account and disable 2fa. You will very likely need the code from Authy to do this, so make sure you do not delete it from Authy yet. Once 2fa is disabled, turn it back on, but this time add the account to Google Authenticator. Validate that it works using Google Authenticator before deleting the account from Authy.
Saw your reply here, Ace-One, and thought perhaps you could give me some advice? I am trying to remove Authy Chrome extension (desktop) and replace with another authenticator on the same Win7-64 desktop. I set this up for Coinbase account from which I have transferred USD and crypto into GDAX.
Should be simple, eh?
Well, after I enter the master password in Authy Chrome extension, the extension hangs in search mode for the password. I enabled/disabled to no avail.
Authy has suggested that I do a reset. I'm told that will remove the token from my OS. Note that I do not have multi-device enabled for Authy.
I'm concerned that I will not be able to access my account if I do an Authy Extension reset.
Suggestions?
I'm currently digging into this and have no affiliation with Authy other than being a happy customer.
The author ace-one wrote, "Authy is designed to be easily moved between mobile devices in the event that you switch to a new phone, or your old phone is stolen or lost". And while this is true, the hacker would still have to activate a new Authy app on their device.
That process takes at least 24 hours according to the Authy website.
During those 24 hours, Authy sends notification emails to the victim. Let's say their email was also hacked; I'm hoping a person would notice within 24 hours that their phone number had been ported and their email hacked, and that they would be in the process of fixing their phone issue and changing passwords for their email accounts.