Coinbase recently revealed the extent of its hack that occurred between March and May of 2021 and during that time over 6,000 customers had crypto stolen from their accounts. Like with many such attacks, it originated with a massive phishing attack that tricked users into giving up their usernames, passwords, and phone numbers.
Coinbase has a two-factor authentication process in place, so a compromised password alone should not have been enough to breach an account. Coinbase did not release very many specific details about the hack, but it appears that the fraudsters also used SIM Swap attacks to access the accounts.
In a SIM Swap attack a fraudster gains control of another person’s phone number and then uses that phone number to intercept SMS messages. In this case those SMS messages contained the one-time passcodes (OTP) generated by Coinbase that were necessary to access accounts in addition to the password.
The success of these attacks demonstrates just how easily a fraudster can gain control of an account if the two authentication factors being used are relatively weak, like passwords and OTPs are.
Other Two-Factor Authentication Methods
According to an article by PCMag, Coinbase is recommending their users utilize other two-factor authentication methods besides SMS OTPs, like a security key or a time-based one time password (TOTP). Security Keys
A security key, or a U2F key (Universal 2nd Factor), is a physical external device that authenticates a user via USB, bluetooth, or NFC (near field communication). The key is registered to the device and when present, allows users to access their accounts.
While this method is far more secure than SMS OTPs, U2F keys can be expensive and if misplaced or lost they can create unnecessary headaches for a user attempting to login to their account. Also if a security key and the user’s device are stolen together, the thief could potentially use the security key to gain access to accounts if they can gain access to the device.
Time-based One-Time Passcodes (TOTP)
TOTP authenticator apps like Google Authenticator and DUO generate a passcode that is only valid for a specific period of time (60 seconds) and when entered, grants access to the user’s account. Using TOTP prevents SIM Swap attacks and the added security layer means a compromised password won’t be enough for a hacker to access an account. However, TOTP from a mobile app still leaves users vulnerable to real-time man-in-the-middle (MiTM) attacks. Also, if the fraudster can gain access to the device itself, then they can generate a TOTP and access the account as is the case with most friendly and family fraud.
Mobile Payments Are On the Rise Globally
Mobile digital wallet market penetration among consumers has exploded from 18.9% in 2018 to 46% in 2020 according to ACI Worldwide’s Global Payments Trend report. Countries which have traditionally primarily used cash like Brazil and Malaysia are now becoming the fastest adopters of mobile payments and digital wallets. The number of mobile digital wallet transactions ballooned to 102.7 billion in 2020 and that number is projected to hit 2.58 trillion in five years.
A new study conducted by Worldpay by FIS revealed that in 2020, for the first time, payments from digital wallets and contactless in-store payments are exceeding both credit card and cash payments worldwide. Cash payments have seen the most dramatic decrease in use, falling from 42% in 2019 to just 20% of in person payments in 2020. The Worldpay FIS report projects that this trend will continue and that cash will account for less than 13% of payments globally by 2024.
In store digital wallet payments are not the only digital wallet payment method experiencing growth. In 2020, ecommerce transactions that were paid for using a digital wallet rose 7% and by 2024 are expected to make up half of all ecommerce transactions around the world.
FIDO2 Biometric Authentication
Users should not have to spend their money on an expensive security key or download an app that, while better than a password, still has security flaws. Instead, they should use FIDO2 passwordless authentication that is already built into their mobile phone or laptop.
The FIDO2 protocol utilizes private key/public key cryptography. When registering their device, the user is prompted to enter their biometric (fingerprint, face scan) which acts as their private key. This private key is then stored in the secure area of their device, never leaving. The biometric plus the device itself then act as the two authentication factors necessary to access an account.
FIDO2 biometric authentication is effective against SIM Swap, MiTM, and friendly fraud and is the strongest fraud prevention method on the market. Hackers would need to literally hack off the user’s finger and steal the device to access an account.
One issue with FIDO2 has been that, due to the complexity of the cryptography, it takes 12-18 months for a company to implement it on their own. Fortunately, LoginID offers a suite of SDKs and APIs that allow websites and apps to add FIDO2 passwordless authentication with just a few lines of code.
Additionally, LoginID offers a transaction confirmation with biometric digital signature service where the user is prompted to enter their biometric at checkout as a payment authentication. This extra layer of security is a powerful fraud prevention measure and can even lead to a liability shift away from merchants for fraudulent chargebacks.
Account recovery can still be a problem if someone loses their laptop or phone. Best practice is for the user to register multiple devices, like phone and laptop, to high value accounts like a crypto digital wallet. If the user buys a new phone, they can confirm it's them on their already registered laptop.