[HN Gopher] Coinbase Breach Notification
___________________________________________________________________
Coinbase Breach Notification
Author : sunils34
Score  : 414 points
Date   : 2021-10-01 15:34 UTC (7 hours ago)
(HTM) web link (oag.ca.gov)
(TXT) w3m dump (oag.ca.gov)
| rhacker wrote:
| Almost every exchange supports TOTP, as well as Coinbase, shouldn't they just disable SMS?
|
| Although it sounds like these are email accounts that have been hacked in other ways too.
| rsimmons wrote:
| The irony in that breach document is that the first credit monitoring agency mentioned at the bottom is Equifax, having the reputation for one of the worst data breaches in 2017 spanning nearly 150mil American citizens.
| IceWreck wrote:
| From what I understand, the SMS verification was bypassed but not the password validation.
|
| I am probably not understanding this correctly, but if the attacker had to have knowledge of your password then why did they reimburse affected users? They could've called it a day and claimed it was the user's fault.
| [deleted]
| xxpor wrote:
| Goodwill generated + money saved by avoiding lawsuits > reimbursement costs
| loeg wrote:
| If trad banks did that, people would riot.
| tfang17 wrote:
| Another reminder that text-based 2FA is not secure.
| thinkharderdev wrote:
| Secure/not-secure is not a binary distinction. And SMS-based 2fa is still more secure than password alone.
|
| One thing I've become painfully aware of recently is how all MFA is rendered pretty insecure by various "fallback" processes. I recently switched jobs and realized I had a few accounts using my old work phone as SMS 2fa number. In every case it was ridiculously easy to call a CSR and get 2fa disabled from their end.
| YeBanKo wrote:
| One thing that cryptocurrencies achieved is they introduced private key authentication at scale. For a moment, there was a hope that we can move to a private key authentication mechanism.
| But, unfortunately, it was quickly rolled back by the introduction of custodial wallets and we got pulled back into the world of passwords.
| sneak wrote:
| sneak's law: users cannot (and a tiny subset of users that actually know how to, will not) securely manage* key material.
|
| *manage: generate, transmit/sync, authenticate, back up
|
| Discussion: https://youtu.be/9k4GP3Evh9c
|
| I actually operate a business that exists solely as a result of this fact.
|
| If you give a user a key, they will lose it. If they're a customer, you need to have a backup plan for what happens when they lose their keys.
| rStar wrote:
| couldn't happen to nicer people
| [deleted]
| BitwiseFool wrote:
| > _"We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today."_
|
| I sympathize with the "Not your keys, not your coins" crowd, but you have to admit that you are far more likely to be compensated in the event of an attack if you are using a large exchange. Not guaranteed, of course, but Coinbase has an image to maintain.
|
| I also believe, personally, that a large exchange has much better security than anything I could muster with a hot wallet. Yes, I know I can airgap a cold wallet but I like the ability to quickly sell some amount of crypto at market rates without having to transfer from a paper wallet. I also worry about physical security since my home has been burglarized before. Therefore, I keep my coins on exchanges and follow good practices with 2FA across my accounts (no SMS for any) and have withdrawal delays / whitelisting active.
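The TOTP that the first comment wants exchanges to prefer over SMS, and the HOTP dongles mentioned further down, are the same construction. As an added example (not code from the thread, from Coinbase, or from any exchange), here is RFC 4226 HOTP and RFC 6238 TOTP in standard-library Python, together with the two checks a server-side verifier needs and that are easy to forget: a small window for clock skew, and a per-user high-water-mark counter so that a code is accepted at most once. The secret used in the demo is the RFC reference secret, not a real key.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP with a verifier that tolerates a little
clock skew and refuses replayed codes. Standard library only."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """Time-based one-time password (RFC 6238): HOTP over floor(at / step)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Check a submitted code against the current time step and `window`
    steps either side. A step that is not newer than `last_counter` is
    skipped, so a code captured by a phishing page or by malware cannot be
    replayed once the legitimate use has been recorded. Returns the
    accepted counter (persist it as the user's new `last_counter`) or None."""
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue                                          # already consumed, or older
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo input: the RFC 6238 reference secret, not a real key.
    secret = b"12345678901234567890"
    now = int(time.time())
    print("code now:", totp(secret, now))
    print("accepted counter:", verify_totp(secret, totp(secret, now), now, last_counter=-1))
```

What this changes relative to SMS: the secret never leaves the user's device and no carrier is involved, so SIM swaps, SS7 redirection and fraudulent number ports are out of the picture. What it does not change, and what tobstarrr's later comment is getting at, is that a code typed into a phishing page can be relayed to the real site within its validity window; the replay check above limits that to a single use, but only a channel-bound factor such as U2F/WebAuthn removes the relay entirely.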
| sneak wrote:
| > _you have to admit that you are far more likely to be compensated in the event of an attack if you are using a large exchange_
|
| This is only a recent phenomenon, and I don't think it holds for all "large exchange[s]".
| Kaytaro wrote:
| Yeah, Mt. Gox used to be considered a large exchange, the largest at the time in fact.
| CPLX wrote:
| Wonder how many people follow this reasoning to the next logical conclusion and realize that there is literally nothing to differentiate the coins at all from regular banking except for the lure of speculation.
| BitwiseFool wrote:
| I am a cryptocurrency enthusiast/advocate, but I've come to the realization that "being your own bank" is actually a terrifying and merciless burden. One small mistake has the potential to wipe you out and there is no way to get your funds back.
|
| Despite all the criticisms that come with "the banking system", banks do provide a lot of value to individuals. It is completely understandable that people would want to wrap their decentralized currency inside of a centralized system (exchanges, custodianship, IRAs, etc.) for the benefits that having a bank-like organization can provide.
| jonny_eh wrote:
| > "being your own bank" is actually a terrifying and merciless burden
|
| It's amazing how many smart people take so long to realize why banks exist.
| sneak wrote:
| It's also amazing how many smart people are completely ignorant of the common and routine failure modes of banks, and why hundreds of millions of people might want an alternative to that.
|
| I just had to physically cross an ocean twice because my bank won't send wires for more than $25k via their website, and that's one of the gentler failure modes.
|
| Here are some examples: https://old.reddit.com/r/fatFIRE/comments/pycgjx/what_in_the...
|
| Retail banking in the USA is _terrible_.
| max-ibel wrote:
| It's really similar to running your own email server.
| nybble41 wrote:
| There are hybrid systems which offer the best of both worlds. For example, the open source Muun wallet uses a 2-of-2 key system[0] in which Muun only has access to one of the two keys so, unlike a traditional bank or a custodial exchange like Coinbase, they can't spend any funds without your signature. Your Muun wallet app also only has one key, so authentication with the Muun service is necessary to complete transactions--this allows Muun to disable the wallet in the event the phone is lost or stolen, by refusing to countersign its payments. A recovery code kept offline, on paper, allows you to set up a new Muun wallet and recover your funds in the event that the phone holding the original wallet becomes unavailable for any reason. Finally, for complete self-custody you can export a PDF with encrypted versions of _both_ keys plus some additional data ("output descriptors") which, together with the offline recovery code, can be used in an emergency to transfer your funds to a new wallet _without any involvement from Muun_.
|
| This does involve using a centralized service to an extent, but the amount of trust you are asked to extend is limited. They can't unilaterally take your funds, and they can't stop you from moving them to another wallet which you fully control. At the same time, you can safely use the wallet online with the additional convenience and safeguards provided by Muun, and it would be difficult to lose your funds permanently from "one small mistake".
|
| [0] https://blog.muun.com/muuns-multisig-model/
| [deleted]
| [deleted]
| YeBanKo wrote:
| There are ways to mitigate, such as a multisig wallet. For day to day, use a wallet with a small amount. When its balance runs low, you can replenish the amount from your vault, which requires at least 2 signatures.
| Crypto is not about completely eliminating trust from the system, but rather being able to choose whom you trust and control what a trusted party can do.
| CPLX wrote:
| The benefits of the banking system I would propose to be self-explanatory, though your parent comment recaps them well.
|
| It's the reason to do the crypto part at all that's more confusing. Unless of course we all just admit that gambling is unbelievably popular and fun and has been a continued hit throughout human history.
| izzydata wrote:
| This seems like an egregious use of the word "literally". I think you should look up the use cases for decentralized finance.
| CPLX wrote:
| There are two spectacular use cases: gambling and illicit transactions
|
| That's not snark, those are great use cases, both have thousands of years of popularity behind them and tons of demand.
|
| Hence my parent comment, which points out that when you use the more heavily regulated centralized exchanges like coinbase the one remaining use case is gambling.
| knownjorbist wrote:
| The cypherpunk crowd on HN seems to be all but gone. Overwhelmingly negative takes on anything crypto-related in favor of... big banks and media conglomerates.
| pgwhalen wrote:
| In all seriousness, in what way is defi interacting with the non-defi world right now to provide value? I'm not too informed about the space, but from a distance it seems like every defi innovation so far is just building on top of something else in the defi space.
|
| Classic answers like "banking the unbanked in third world countries" don't seem to be shaking out yet.
| knownjorbist wrote:
| To ask a different question of traditional banks - where can you do what you can do in DeFi today in traditional finance without being either an investment bank yourself or a HNW individual?
| poiuiopkj wrote:
| That is the logical conclusion of the institutions, since they are basically crypto banks.
| However the underlying coins are very different from the underlying asset in a bank, even if their use cases haven't come to fruition and the most common use case is speculation. The use cases that currently exist and are important, though probably not to users in this forum, are borderless transference and the ability to truly own your assets without a governing body or third party institution able to touch them. A significant portion of the world either lacks institutional banking or is under an authoritarian / corrupt government that could seize their assets just because. Which means the current use cases are incredibly valuable to those individuals. For most users here coins are probably a novelty used for speculation or asset diversification.
| knownjorbist wrote:
| If you know what DeFi is, I don't know how you can arrive at this conclusion. At this moment, you as an average person cannot profit with _your money_ in the same way that banks profit with _your money_. You know what the money in your checking and savings account is actually doing right now, right?
| ekianjo wrote:
| > differentiate the coins at all from regular banking
|
| Apart from the fact that you can save value over time? Because the dollar is only going down.
| make3 wrote:
| people invest their money into appreciating assets like stocks
| NineStarPoint wrote:
| You can verify that one bitcoin you have today will not be diluted by more than a certain amount tomorrow. Value is based on people's value of the object though, and I wouldn't necessarily bet on Bitcoin keeping that over the long term.
| snotrockets wrote:
| And lack of KYC, which enables it to be used for ransomware payments
| ftlio wrote:
| I can write code that trades bitcoins without having to ask anyone for permission. Without getting into what Bitcoin will change about banking, I'd say that's pretty different from regular banking.
| JohnJamesRambo wrote:
| Many cryptocurrencies are deflationary and/or have fixed supply; I cannot say the same for the dollars in my bank account.
|
| https://fred.stlouisfed.org/series/MABMM301USM189S
| rchaud wrote:
| Bitcoin's near infinite divisibility weakens the fixed supply argument, does it not?
|
| The smallest possible fraction of a dollar is $0.01. You can transact BTC in denominations with a lot more zeros behind the decimal point.
| JohnJamesRambo wrote:
| Read more about Bitcoin and what fixed supply means.
| threevox wrote:
| That's why you don't store money in your bank account, you keep it in investment vehicles which also appreciate in value over the long run (not the best inflation foil, but an OK one)
| CPLX wrote:
| > Many
|
| > fixed supply
|
| Perhaps we've identified a small crack in this otherwise bulletproof logic.
| get52 wrote:
| Once again the crypto guys are getting horsefucked, why do people keep falling for the crypto scam
| Ansil849 wrote:
| What I'm getting from this is that Coinbase was/is using SMS-based 2FA? Using anything short of mandatory U2F means the responsibility of this breach firmly falls on Coinbase's shoulders. It's like if you found out your bank uses single-bolt doors for its vault.
| thinkharderdev wrote:
| Is there any d2c business anywhere in the world right now that requires U2F on all accounts? I think you underestimate how confusing all of this is to non-technical users.
| Ansil849 wrote:
| Plenty of banks require HOTP dongles. Those are, if not more confusing, then certainly on par with U2F dongles. Meaning if banks can do HOTP, they can do U2F, and using "confusing to consumers" is not an excuse.
| thinkharderdev wrote:
| Which banks require an HOTP dongle for customers? Maybe it is a non-US thing but I have never once seen that.
| ed25519FUUU wrote:
| The fact that there's no OTP option even available is what bothers me.
| Let the power users use OTP if they want it.
|
| When OTP is available I always remove my phone and use that. SIM swap is such a common attack these days.
| thepasswordis wrote:
| Here's the lesson:
|
| Use yubikeys. Use coinbase vaults.
| babyshake wrote:
| Coinbase has already contacted all affected users?
| encryptluks2 wrote:
| If you got hacked and don't get your funds deposited, good luck getting in touch with anyone. I have sent multiple requests about another issue, was told I should expect a response shortly and that was months ago.
| mdavis6890 wrote:
| I think this reflects very favorably on Coinbase. They're making everyone whole, and gosh - the attackers had the user's usernames, passwords and phone numbers. Hard not to be sympathetic to Coinbase in that scenario. How are they supposed to know those aren't the real users? Consider that if they are going to identify those cases as fraudulent actors, then they could easily lock out legitimate users as well.
|
| I'll guess the users had the same usernames and passwords that they've used for a hundred other sites, and one of those got breached at some point. Don't do that!
| q1w2 wrote:
| I'm skeptical of their breach notification for the following reasons...
|
| If they were certain this was PURELY a phishing campaign against their users, then they had no need to disclose to the government.
|
| Their wording in their disclosure is very very carefully crafted to not deny a breach of their data - pending "conclusive" evidence.
|
| They made a _choice_ to disclose so that the gov't could never claim that they failed to disclose should Coinbase data appear on a darknet website.
|
| And while they make an allusion to social media data collection - I was a target in June, and I absolutely had ZERO social media talking about using coinbase. There is NO WAY hackers could have deduced on social media that I was a Coinbase user, nor gotten my cell phone number.
|
| I am 90% confident that Coinbase WAS breached directly, allowing hackers to gain access to the email and phone number for my account.
|
| This disclosure is 100% CYA.
| [deleted]
| gowld wrote:
| username and phone are not security factors.
|
| password is 1FA.
|
| SMS is 2FA (not a great one, but still). Coinbase failed at 2FA. 2FA is critically important; that's why it exists.
| mdavis6890 wrote:
| The attackers also needed to know the user's phone number and have access to their email account. That is a sufficiently high bar that I can still be sympathetic to Coinbase here.
|
| Not sure why you discount username and phone either. Each of these is an additional layer of security simply by being more information an attacker needs to collect and associate. Coinbase doesn't publish a list of usernames. And how would someone associate phone numbers back to them?
| draygonia wrote:
| You can easily check databases on and off the darknet to find people's phone numbers, and most people don't have multiple phone numbers and rarely change their number because of the associated hassle with moving accounts. The same goes for their email and even passwords if they reused them.
| mikeiz404 wrote:
| For example https://truepeoplesearch.com will give you name, address, and phone number for free and it is searchable.
|
| It's unfortunate how much is out there.
| rglover wrote:
| Reminder: if you don't own your keys, you don't own your cheese.
|
| Hardware:
|
| https://trezor.io/ https://www.ledger.com/
| therein wrote:
| Also https://coldcardwallet.com/
| keyb0ardninja wrote:
| I must be missing something, but can someone explain what's the point of a hardware wallet? Why not just use a password manager?
|
| Hardware wallets seem to have so many downsides, as far as I can understand.
|
| You can keep multiple copies of your password manager's database (something like a kbdx file), but you won't have multiple copies of the hardware wallet.
| Therefore a single point of failure. If the wallet is stolen, damaged in a house fire, crushed by some accident etc. you're done. Also, can't the firmware of the hardware wallet possibly have some unknown bugs that might cause some failure in the future? Is the hardware failure-proof? No possibility of manufacturing defect etc.?
|
| Secondly you have to buy a hardware wallet and whatever the cost, it's not free. Whereas an open source password manager like keepass is completely free (as in freedom as well as beer).
| quickthrower2 wrote:
| Hardware wallet protocol involves a key phrase and password you keep secure elsewhere. You need either wallet + password, or if the wallet breaks, you can buy a new one and initialize it with the seed phrase and then use the same password.
|
| You could use a multi purpose computer, e.g. a phone or PC and software to do the same, but they are more complex devices with more avenues to exploit them, e.g. a keylogger plus something that can upload your keepass file means you're robbed.
| rglover wrote:
| > If the wallet is stolen, damaged in a house fire, crushed by some accident etc. you're done.
|
| This is incorrect. Hardware wallets typically come with a recovery seed. Even if the original device gets destroyed, the seed helps you to get access to your addresses/crypto. This covers against all of the scenarios you mentioned.
|
| For example, I just updated the firmware on my device this afternoon. Before I did it, I'm double-prompted to make sure I have my recovery seed in case the update fails.
|
| As for storing in a password manager, you certainly could. I used to print my wallets out back in the day. The hardware just makes the process a bit easier and makes mistakes on my part less likely.
| symlinkk wrote:
| Why would you put thousands of dollars in a wallet you need a physical device to access?
| Just put your private key in your password manager, problem solved
| q1w2 wrote:
| Keeping your life savings in cash under your mattress is more stressful than relying on a bank.
| rglover wrote:
| Do you need me to hold your hand when we cross the street?
| q1w2 wrote:
| I'm not crossing a street with you if you're carrying $500K in your backpack everywhere you go.
|
| Physical possession of wealth is a bad long term strategy. Eventually people WILL find out, and you WILL become a target.
|
| One of the main functions of government is private wealth protection. Banks are a feature, not a bug.
| rglover wrote:
| And when they do and I do, I have a large cache of weapons and ammunition to wave at them with.
|
| If you think the government is protecting your wealth, you're incredibly naive.
| vladTheInhaler wrote:
| So you have to be strapped whenever you want to visit Starbucks? No thanks.
| rglover wrote:
| Lol no. Technically I can be because I'm in an open carry state but I only do that if I'm out in the wild or traveling solo late at night.
| stackedinserter wrote:
| How do you move $500K to another country? My country of origin goes apeshit when I send my parents $2000.
| quickthrower2 wrote:
| China will go apeshit if you try to use Bitcoin to move $500k to another country.
|
| Transferring 500k between most developed countries should be easy enough, I'd probably talk to both banks first for such a large amount.
| traeregan wrote:
| Good advice, but I'll never buy another Ledger product after getting doxxed in their data leak(s): https://www.google.com/search?q=ledger+data+leak
|
| In hindsight, I should've known better than to use PII in my account.
|
| It scared me into exiting the space entirely.
| vngzs wrote:
| Coinbase made everyone whole, and the attackers stole the credentials (not because of Coinbase's fault) ahead of time, and the attackers had to perform a "SIM swap" type attack on the users.
"Breach" may be the required term for the Californian | government, but this wouldn't qualify to most people as a | traditional breach (i.e., compromise of Coinbase's | infrastructure). | | Edit: California, not Canada. My bad. | syshum wrote: | They would not be required to have all that info for an | attacker to steal if it was not for the ridiculous reporting | and KYC laws of the US | tgtweak wrote: | It was not a simswap/simjack attack, they exploited an | oversight in coinbase's password-reset 2fa to send the | challenge code for one user to another user's phone number. | vngzs wrote: | I haven't been able to verify these sort of claims any more | than I've been able to speculate it was blanket telco | Letters-of-Authorization (LoAs) [0][1] or classic SIM swaps | that resulted in the account takeovers. I'm not claiming | you're wrong, but given the timing of the LoA fraud and the | attacks, it seemed likely to me that this was not an actual | web vulnerability. | | What makes you believe a specific exploit like that existed | against Coinbase's 2FA? And if it existed, then why wasn't | that caught in a routine pentest? | | [0]: https://krebsonsecurity.com/2021/03/can-we-stop- | pretending-s... | | [1]: https://lucky225.medium.com/its-time-to-stop-using-sms- | for-a... | tyingq wrote: | Coinbase themselves called it _" a flaw in Coinbase's SMS | Account Recovery process"._[1] | | I don't think they would have used that phrasing if it were | individually simjacked phones. | | [1] https://oag.ca.gov/system/files/09-24-2021%20Customer%2 | 0Noti... | vngzs wrote: | With only the pdf to go on, I address the "flaw" in more | detail in these comment threads [0] [1]. In short, I | believe the "flaw" is likely to be "we used SMS for | identity verification, without additional necessary | scrutiny." | | The technical barrier to entry for accruing and using | breach databases is near-zero [2], same with the barrier | to SMS fraud. 
| Both are routine and easy methods for criminal groups with no special technical abilities, and therefore they are likely. Since the onus is on Coinbase to do identity verification in account recovery, a large number of successful takeovers would be a "flaw" in their process, even if it's not a technical flaw (which I would expect to be expressed in language like "vulnerability").
|
| Accepting untrusted, unauthenticated user input as an SMS verification number would be a serious login-related flaw, and certainly Coinbase pentests their login pages. Any competent pentester would discover such a flaw. So between "Coinbase shipped a critical and obvious login flaw to prod" and "a routine and common criminal tactic was employed successfully against them," I find the latter more likely.
|
| [0]: https://news.ycombinator.com/item?id=28720101
|
| [1]: https://news.ycombinator.com/item?id=28720520
|
| [2]: https://xkcd.com/2176/
| tyingq wrote:
| If they use that wording, though, they are putting themselves on the hook to fix the "flaw". That's why I'm skeptical that it was just simjacking. I don't see a way that Coinbase could implement SMS 2FA in a way that doesn't have that "flaw".
| hn_throwaway_99 wrote:
| I find your take on this very strange. Given that, again, _Coinbase themselves_ called this "a flaw in Coinbase's SMS Account Recovery process", it would be bizarre that this was just "standard" run-of-the-mill SIM-swapping, because of course SIM-swapping is always an inherent danger with SMS 2 factor.
|
| Coinbase is very clear in the breach notification that attackers had already acquired users' (a) emails, (b) passwords, and importantly (c) already have access to the users' primary email accounts.
| At that point, the only thing left preventing account takeover would be the 2FA challenge, and since Coinbase said there was "a flaw in Coinbase's SMS Account Recovery process" I find it a bizarre conclusion to think that flaw was just a standard SIM-swap.
|
| Edit: Actually, pretty positive it was not just a standard SIM-swap given that, if it were, Coinbase would not have specifically called out "a flaw in Coinbase's SMS _Account Recovery_ process". If it were just normal SIM-swapping bad guys would have just used that to defeat 2FA during the login process - there would have been no need for them to mess with the account recovery process. That's actually not that uncommon a bug, where 2FA works great to protect login, but there is an oversight that makes it not required during the account recovery process (by definition you're letting people into an account during the recovery process even if they're missing one of their authentication methods) that makes the whole 2FA moot.
| tyingq wrote:
| Yes! From the linked pdf that came from Coinbase[1]:
|
| _"However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase's SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account"_
|
| The key part being: _"a flaw in Coinbase's SMS Account Recovery"_
|
| [1] https://oag.ca.gov/system/files/09-24-2021%20Customer%20Noti...
| space_rock wrote:
| Agree. Although I would like coinbase to move away from SMS 2fa
| sneak wrote:
| Using SMS 2FA is negligent, considering it's been four+ years since NIST told the industry not to use it because it's not safe.
|
| (It's also the only option offered by many US banks, which is a sad commentary on the level of tech innovation in finance in the USA.)
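The bug class hn_throwaway_99 describes (login enforces the second factor, account recovery does not) and the variant tgtweak claims (the recovery token is sent to a number the request supplies) can both be shown in a small model. This is an added illustration, not Coinbase's code and not a statement of what Coinbase's actual flaw was: the notification only says that a flaw in the SMS Account Recovery process existed. Everything below is assumed: the user records, the `outbox` dictionary that stands in for an SMS gateway so a test can see which number a token reached, and the two endpoint variants.

```python
"""Toy account service in which the login path requires a second factor but
the recovery path is weaker. Two versions of the recovery endpoint are shown
side by side. Added example; not any real exchange's code."""
import hmac
import secrets
import time


class AccountService:
    def __init__(self, now=time.time):
        self.now = now
        self.users = {}      # email -> {"password", "phone", "factor"}
        self.pending = {}    # email -> [token, expires_at, attempts_left]
        self.outbox = {}     # phone -> last token "delivered" (stand-in for the SMS gateway)
        self.sessions = set()

    def add_user(self, email, password, phone, factor="sms"):
        self.users[email] = {"password": password, "phone": phone, "factor": factor}

    def _check_password(self, email, password):
        user = self.users.get(email)
        return user is not None and hmac.compare_digest(user["password"].encode(), password.encode())

    def _issue_token(self, email, phone):
        token = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[email] = [token, self.now() + 300, 3]   # 5 minute expiry, 3 guesses
        self.outbox[phone] = token

    # Vulnerable variant: the request body names the phone that receives the token.
    def start_recovery_vulnerable(self, email, password, send_to):
        if not self._check_password(email, password):
            return False
        self._issue_token(email, send_to)                  # BUG: caller-controlled destination
        return True

    # Hardened variant: destination and factor type come only from the account record.
    def start_recovery_hardened(self, email, password):
        if not self._check_password(email, password):
            return False
        user = self.users[email]
        if user["factor"] != "sms":
            return False                                   # never downgrade a TOTP/U2F account to SMS
        self._issue_token(email, user["phone"])
        return True

    def finish_recovery(self, email, token):
        entry = self.pending.get(email)
        if entry is None:
            return None
        expected, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            del self.pending[email]
            return None
        if not hmac.compare_digest(expected, token):
            entry[2] -= 1                                  # burn one guess
            return None
        del self.pending[email]                            # single use
        session = secrets.token_hex(16)
        self.sessions.add(session)
        return session


def attacker_takeover(svc, variant):
    """Attacker holds the victim's email and password (from a credential dump)
    and controls their own phone, but not the victim's phone. Returns True if
    the recovery path hands them a session."""
    victim, attacker_phone = "victim@example.com", "+15550000002"
    if variant == "vulnerable":
        started = svc.start_recovery_vulnerable(victim, "hunter2", attacker_phone)
    else:
        started = svc.start_recovery_hardened(victim, "hunter2")
    if not started:
        return False
    token = svc.outbox.get(attacker_phone)                 # attacker can only read their own SMS
    return token is not None and svc.finish_recovery(victim, token) is not None


def new_service(factor="sms"):
    """Constructed fixture: one victim account with a known password."""
    svc = AccountService()
    svc.add_user("victim@example.com", "hunter2", "+15550000001", factor)
    return svc


if __name__ == "__main__":
    print("vulnerable recovery, attacker gets session:", attacker_takeover(new_service(), "vulnerable"))
    print("hardened recovery, attacker gets session:", attacker_takeover(new_service(), "hardened"))
```

Note what the hardened variant does not fix: the token still goes to whatever number is on file, so a SIM swap or a fraudulent carrier port delivers it to the attacker anyway, which is sneak's point about the NIST guidance. The properties the recovery path must share with login are that it cannot fall back to a weaker factor than the account has enrolled, that the token is single-use, bounded in attempts and time, and that for key-only accounts it goes through an out-of-band identity check (as mrb describes) rather than through SMS at all.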
| agumonkey wrote:
| I don't know about you, but in the days of smartphones, login + mail + sms seems pointless. The only lock is the pin code / fingerprint on your phone, since when that is unlocked, the attacker gets to trigger all validation steps.
| opheliate wrote:
| The important part is having physical access to the phone. A targeted attack against you now requires a physical element, rather than being entirely online.
| willvarfar wrote:
| Agree with everything you say, but add to that a lot of SMS 2FA exploits are SIM or redirection attacks. It's possible to get access to a phone number without access to the phone.
|
| Here's an old story of a friend who had a weird talk with someone who had redirected their phone:
|
| https://williame.github.io/post/24949768311.html
| danuker wrote:
| Assuming the phone is not remotely exploited.
| mdavis6890 wrote:
| They already support other forms of 2FA, so I guess you mean they should turn off support for SMS. Keep in mind that for many users the alternative is no 2FA at all (they don't browse HN and Krebs), which is much, much worse.
|
| Coinbase should continue doing what they are doing, which is to support SMS, and educate and encourage users where possible to use something else instead.
| zitterbewegung wrote:
| How about allowing users to turn off SMS.
| mrb wrote:
| Coinbase does allow SMS to be turned off. I did that on my account. When SMS is turned off, and when a U2F security key is the only 2FA you configured, if you lose the security key the only way to recover the account is to contact their support department and provide a photo of yourself holding your ID.
| wmf wrote:
| _for many users the alternative is no 2FA at all_
|
| I'm pretty sure people have phones and Coinbase can force them to install a 2FA app.
| stan_rogers wrote:
| I don't have a phone that will run apps. I'm pretty sure I'm not alone.
| cbhl wrote:
| Which works fine until they buy a new phone and trade in or reset the old one without transferring the private keys -- and now you're locked out of your own account because you lost your second factor.
| Consultant32452 wrote:
| No problem, just reset your factor over SMS!
| driverdan wrote:
| There are multiple ways to avoid this, such as using an app that saves those keys (eg Authy) or using recovery keys.
| dotBen wrote:
| But then the bad guy just logs in to Authy with the same stolen credentials because most normal people will probably use the same credentials for everything, including Authy. And arguably, the smartest tech-savvy folk wouldn't be storing their 2FA keys in the cloud like Authy anyway.
|
| If your cloud account is protected by 2FA that's also in the cloud... it's turtles all the way down.
| drexlspivey wrote:
| How do you "Log in" to Authy? It's tied to your Apple/Google ID afaik and the 2fa codes are also protected with a passphrase.
| matheusmoreira wrote:
| Emergency single-use codes. They can be printed and stored in a safe. Not every service with 2FA has this feature, I have no idea why. How hard could it possibly be?
| toomuchtodo wrote:
| > and now you're locked out of your own account because you lost your second factor.
|
| To verify someone's identity ("Identity Proofing") using Stripe Identity [1] costs ~$2. They support IDs from 33 countries, and have implemented fraud detection in the flow. If you were so paranoid as to defend against someone stealing your government issued ID (used in the proofing process), you could paper mail an OTP to the physical address on file.
|
| Does it suck and is it the cost of no digital ID infrastructure in the US? Yes. Is it insurmountable? Not at all.
| At the end of the day, people are the weakest link, and we must fall back to meatspace trust anchors (in this case, possession of government provided ID that can be provided on demand with robust fraud detection mechanisms). You are who you are, and own what you own, not because of key material but because of the law.
|
| [1] https://stripe.com/identity
| bostik wrote:
| What they _should_ be doing is to subsidise YubiKeys to their high-value customers.
|
| Not just to lock down the logins to Coinbase, but to also secure their customers' email, Twitter accounts, and as many other online systems as would support hardware backed WebAuthn. Hell, PokerStars did this with RSA tokens back in 2008 so it's not like it's a new idea.
| matheusmoreira wrote:
| I love my YubiKey but it doesn't work with my phone. Have newer models solved this problem?
| twostorytower wrote:
| My iPhone supports my Google Titankey through NFC, and I think newer Yubikeys also have NFC.
| space_rock wrote:
| OK, before I was locked out of my account for changing phone numbers they only had SMS
| leonry wrote:
| You can change your phone number by re-validating your identity. During the 2FA step when logging in, you can click on "I need to change my phone number" (or similar).
| wpietri wrote:
| Wait, why should they accept customer funds if they don't think they can keep them safely? If somebody is saying, "Let me hold on to your money for you," it seems like a minimum bar is them being pretty sure it's not going to go anywhere.
| [deleted]
| staticassertion wrote:
| > which is much, much worse.
|
| This attack wouldn't have been possible if they didn't allow SMS 2FA, so I don't think that's fair to say at all.
| winkeltripel wrote:
| What if the users had no 2fa at all?
attackers still had | their passwords and their emails, and their sms numbers | judge2020 wrote: | I'm not entirely familiar with coinbase, so is it really | 2fa or is it 1fa in that you can use SMS as a recovery | method when you don't know your password? | tobstarrr wrote: | Question as they did not mention Sim Swap in the email. Was | this confirmed somewhere? "the third party took advantage of a | flaw in Coinbase's SMS Account Recovery process in order to | receive an SMS two-factor authentication token and gain access | to your account". | | I'm personally more familiar with incidents using SMS stealers | (mobile malware) or use of SS7 vulnerabilities due to my job. | Telcos in our country (europe) run tight security on SIM swaps. | | I was surprised about their recommendation to use time-based | OTPs. They basically have the same attack vectors as SMS minus | independent channel sign-what-you-see capabilities. | | Edit: Answer was in other comments | nickthemagicman wrote: | if they did a SIM swap that means that they compromised the | user's phone, if I'm not mistaken. | sneak wrote: | You are mistaken. A SIM swap is a compromise at the carrier, | not the handset. | hartator wrote: | > i.e., compromise of Coinbase's infrastructure | | How is this not? 2FA is not 2FA if you can recover your | account with just a text. It does seem a bad engineering | decision on their side. | mmaunder wrote: | > "Breach" may be the required term for the Californian | government, but this wouldn't qualify to most people as a | traditional breach | | 6000 customers affected. If it wasn't a YC company you'd never | say that. | 8BPATUNNTBU wrote: | >> Coinbase made everyone whole | | No, I don't think they have. The document says they will, not | that they have. I personally know someone who had 2FA and | tends to be security knowledgeable and was struck by this on | 6/7, which is well past their claimed date, so either they are | lying or the hacking continues undetected.
He has had no | ability to get anyone on the phone who will help with the | issue. He lost less than $2,000, but it is ridiculous how | crypto currency combines the worst of the wild west with the | worst of banking with the worst of crappy customer service. | Seattle3503 wrote: | Some exchanges have good customer service, but Coinbase isn't | one of them. They went the route of minimizing customer | support staff that many tech companies do. | toomuchtodo wrote: | > but it is ridiculous how crypto currency combines the worst | of the wild west with the worst of banking with the worst of | crappy customer service. | | Crypto's value is _because_ it is the wild west. Otherwise, | it'd be gold: custodians holding the commodity for owners, | most of it locked in cold storage, fully regulated, and | governments pursuing theft whenever reported. | | Eventually, the end state desired will be reached | (regulation, customer service, insurance, pursuit of value | theft, etc), it's just taking time for governments and Big | Finance to catch up. | | EDIT: https://www.cnbc.com/2021/10/01/defi-protocol-compound- | mista... (DeFi bug accidentally gives $90 million to users, | founder begs them to return it) | | https://en.wikipedia.org/wiki/Cryptocurrency_and_crime | gregwebs wrote: | Bitcoin is a self custody asset just like gold, and IMHO | that and its de-centralized exchange is actually where all | the value comes from if it has any. People do own gold and | store it on their own property as well. | | Gold owners also use responsible custodians when they don't | store the gold themselves. I think bitcoin owners do not do | the same because they want to have easy access to trading | and there aren't companies that both operate trading and | are either responsible custodians or make it easy to use a | different custodian for storage.
| wpietri wrote: | So if its value is in it not being regulated and you think | governments will catch up, you're saying that it will | eventually become worthless. | | If so, I agree. I'm just surprised to see it stated so | baldly. | rednerrus wrote: | We already have all of those things. | 5faulker wrote: | Funny that Canada is the other way around (gov.ca) | amznthrwaway wrote: | Attackers did not have to perform a sim-swap attack. | | Coinbase provided a refund of the dollar value of the assets | when they were taken, _not_ a return of the same assets. | | I'd appreciate if you update your comment to be accurate; | though I fully understand that you are being intentionally | dishonest out of disrespect to HN users. And I fully understand | that dishonest comments like yours are considered to be | absolutely acceptable by Dan Gackle. | lambic wrote: | *Californian government. | [deleted] | RangerScience wrote: | Huh. 3 or so years ago, I got SIM-swapped and they ran away | with my Coinbase crypto, and CB definitely never made me whole. | detaro wrote: | > _had to perform a "SIM swap" type attack on the users._ | | source? I kind of doubt that's something coinbase would call a | flaw in their system? | nabakin wrote: | Looking at his other comments, he's speculating. The document | talks about obtaining an SMS verification token, they say "we | updated our SMS Account Recovery protocols to prevent any | further bypassing of that authentication process", and have | not removed SMS as an authentication option. I see no reason | to think this vulnerability was a SIM swap. Him stating it as | if it's a fact in his original comment is very misleading. | have_faith wrote: | It doesn't matter who technically is at fault Coinbase wants | to stay ahead of the potential bad press and people pulling | all their funds from the platform. Probably just figured this | was cheaper.
| detaro wrote: | I'm in no way arguing that they shouldn't notify | people/replace money/..., I just wonder where the | confidence for the claim that it was just SIM swapping | comes from. | nemacol wrote: | And they would have had to do ~6000 SIM swaps? that seems | like too many for a short period of time. Maybe? | vngzs wrote: | There is some speculation in another comment that their SMS | verification server may have actually had a technical flaw, | and the issue was not a lack of separate identity | verification on SMS [0]. | | However, around the time of the breach date (March - May | 2021), there were a number of "B2B" services that offered a | "type in any SMS number and you will get all text messages | to that number," type feature intended for customer support | teams to use for shared SMS access. Those systems often had | privileged access to telcos and were regularly exploited by | attackers to break 2FA without even a SIM swap [1]. With | those tools, stealing all SMS to a number required only | intent, not conversations with telco support personnel. | | [0]: https://news.ycombinator.com/item?id=28720280 | | [1]: https://krebsonsecurity.com/2021/03/can-we-stop- | pretending-s... | nemacol wrote: | Interesting. thank you for the links. | sam0x17 wrote: | These days in infosec circles simply having SMS-based 2FA | enabled is now considered a no-no because of the notoriously | bad (and inconsistent) security measures at large mobile | carriers. | vngzs wrote: | In the linked PDF, Coinbase does not claim to have knowledge | of a vulnerability in their system (edit: though it does note | "the third party took advantage of a flaw in Coinbase's SMS | Account Recovery process," I interpreted that as "we | supported SMS account recovery at all" which is inherently | broken [0]). 
The requisite two-factor bypass is detailed in | the linked pdf: | | > Even with the information described above, additional | authentication is required in order to access your Coinbase | account. However, in this incident, for customers who use SMS | texts for two-factor authentication, the third party took | advantage of a flaw in Coinbase's SMS Account Recovery | process in order to receive an SMS two-factor authentication | token and gain access to your account. | | My guess is, because funds were stolen from users' accounts, | the CA breach notification laws apply and this needed to be | disclosed as such. However, that doesn't necessarily mean | that Coinbase was technically "breached," only that customer | accounts were compromised. | | If the attacker controls your personal email associated with | Coinbase, accompanying passwords, _and_ phone number, _and_ | you use SMS 2FA, then your funds were stolen. Otherwise, they | were safe. That's my reading of the article. | | [0]: https://krebsonsecurity.com/2019/08/who-owns-your- | wireless-s... | [deleted] | detaro wrote: | They also say "we updated our SMS Account Recovery | protocols to prevent any further bypassing of that | authentication process". What did they update if it wasn't | due to a weakness on their side? | | EDIT: on reading some of their docs, recovery is supposed | to be followed by the user submitting ID documents etc | before they get full access back - maybe that's the part | they didn't do before or that could somehow be | circumvented? (which is a flaw, but still requires | intercepting the SMS to use?) | vngzs wrote: | I bet that control of email address + SMS 2FA was | sufficient, alone, to recover the Coinbase account | password. Lots of systems permit this kind of recovery, | and while I may tell a technical crowd "if you use SMS | for 2FA, that's on you" less technical users may not have | the requisite background to understand the security | tradeoff they make in doing so.
| | The "flaw," in _my_ reading of it, was to support SMS- | based account recovery at all. But I'm not necessarily | right here, and open to alternatives. | hourislate wrote: | >(not because of Coinbase's fault) | | From the Coinbase statement | | >the third party took advantage of a flaw in Coinbase's SMS | Account Recovery process | | Your speculation and conjecture dismisses you from any and all | future discussions on this matter. You have demonstrated that | you are unfit to comment. | sangnoir wrote: | > ... the attackers had to perform a "SIM swap" type attack on | the users | | Minor nitpick: I find your framing problematic as it transfers | "burden of security" to the end-users over a process that did | not involve them: this was not an attack on the users - it was | an attack on the telecoms infrastructure. | | I have a similar gripe against "identity theft", which really | ought to be "fraud against corporation X, using false identity" | - however, that framing is necessary to make consumers accept, | by default, the burden of clearing debts they were never party | to simply because the defrauded party did not adequately | verify the perpetrator's identity. | zikduruqe wrote: | > I have a similar gripe against "identity theft", which | really ought to be... | | ... bank robbery by unknowing proxy. If we reframed the | narrative, I bet banks and financial institutions would bust | their asses to make things better. | thinkharderdev wrote: | They already do for the most part though right? That is, | they lose a huge amount of money to "identity theft" and | have ample incentives to stop/prevent it. | heleninboodler wrote: | A point very well made by Mitchell and Webb: | https://www.youtube.com/watch?v=CS9ptA3Ya9E | tompazourek wrote: | This is brilliant. | narrator wrote: | The easiest way to prevent sim swap attacks is to use Google | Voice. Google has no customer service, so there isn't anyone | you can call up and con.
| ta1234567890 wrote: | That is smart, funny and sad, all at the same time. | pxeboot wrote: | This isn't really true. Google Voice numbers are managed by | bandwidth.com and have been taken by attackers submitting | fraudulent number portability requests in the past. | narrator wrote: | Don't you have to login to your Google account to port a | number? | pxeboot wrote: | It has been possible in some instances for an attacker to | port a number directly from the underlying carrier, in | this case, bandwidth.com. | | When I saw this happen, Google was not aware the number | was gone, so calls and texts from other Google Voice | users still worked. | tyingq wrote: | There's ways to intercept SMS messages without sim- | jacking or number porting too. | | https://arstechnica.com/information- | technology/2021/03/16-at... | vngzs wrote: | I agree. From Coinbase's perspective, they ought to defend | their infrastructure against fraud, whether that is a direct | attack on the users, an attack on the users' telcos, or | insider activity directly. | | From the telco's perspective, they have a responsibility to | stop SMS and SIM fraud, and our regulations have failed to | properly hold them accountable in this domain. | | I would add that the users have some responsibility for | losing their emails/passwords, but my initial framing | insufficiently demands responsibility for the service | providers in this instance. The service providers should be | expected to take all reasonable steps to prevent fraud on | their platforms, and that should include extra scrutiny of | SMS-based authentication mechanisms (e.g., identity | verification). This is why Coinbase paid them back, accepting | some responsibility for the fraud. | miohtama wrote: | Telcos have no responsibility to stop SIM fraud. Telcos | have communicated the last 30 years SMS is not secure | (travels as plain text) and should not be used for 2FA. If | companies have ignored this advice then it is on them.
| bbarnett wrote: | And the elephant in the room is... the real purpose, for | many corps eg Google, others, is to identify you, track | you more accurately. | | And your mobile phone number is invaluable here. | dropnerd wrote: | coinbase does kyc. it already knows who you are | | why sms? because everyone has it. we're not in a otp/u2f | only world yet. sms 2fa is better than no 2fa | tdeck wrote: | SIM swapping also allows you to intercept voice calls, | which are encrypted and supposed to be secure. The idea | that telcos have no responsibility to stop people from | taking over the telephone number that customers pay for | is completely absurd. Moreover, often the SIM swapping is | done by employees of the Telco itself using company | infrastructure. | miohtama wrote: | No you are not correct. The whole underlying mobile phone | network infrastructure is based on (failed) trust and is | not secure. Though it is slowly being replaced. | | https://www.theguardian.com/technology/2016/apr/19/ss7-ha | ck-... | | https://www.firstpoint-mg.com/blog/ss7-attack-guide/ | rStar wrote: | replaced by a system which is similarly secure against | all classes of attackers that anyone gives a crap about. | Forbo wrote: | Can you elaborate? I'd like to learn more about this. The | only initiative I know about is STIR/SHAKEN. | miohtama wrote: | I feel people who fled Hong Kong and Belarus care, so it | would be rude to call it crap. | sangnoir wrote: | I fully agree that users are not absolved of all | responsibilities or vigilance (e.g. over | passwords/devices). I think the legal framework has to be | overhauled to clarify the culpability of all parties | involved, rather than the current "Sucks to be you" | attitude towards consumers, who are the least powerful, and | have the least agency in these issues. | ensignavenger wrote: | Coinbase and other sites (especially those that deal in | money) should stop using SIM cards as a form of | authentication. 
While carriers should probably do more to | secure SIMs and phone #s, it has always been known that the | system was never designed to be used as a security mechanism, | and Coinbase using it as such is a security flaw that they | are responsible for. | Consultant32452 wrote: | Okta architect here. It's hard enough getting MFA to work | in a large organization where technically illiterate people | are surrounded by coworkers to ask who have all figured out | their RSA tokens or Okta Verify enrollment. Trying to | manage this for the general public would be an incredible | undertaking. | | The cost benefit analysis probably does not make sense for | a gazillion low balance users. It may make sense to enforce | strong factors for high balance users. You have to balance | that against them taking their business elsewhere. | Spooky23 wrote: | This. Nerdy people don't understand how much people | struggle with this. | | RSA enrollment is probably the single most challenging | end user issue our IT folks deal with. After password | reset it's the #2 call, and lots of time, training and | engineering effort has been expended to improve the | experience. (And those efforts were very effective!) | wpietri wrote: | So to sum up, an organization promising to take people's | money and keep it safe can't afford to do it except for | people with a great deal of money. However, they're still | going to accept smaller amounts of money. Did I get that | right? | abecedarius wrote: | When I went looking for an online brokerage in the USA | with a reasonable login process (i.e. 2FA, _not_ by SMS | _ever_ ) it seemed pretty hard to find one. (Maybe that's | changed?) These brokerages handle amounts much greater | than a software engineer's retirement savings. | wpietri wrote: | I think the difference for me is the extent to which | transactions are traceable, revertable, and regulated. 
| The median reaction to theft in the cryptocurrency world | is somewhere between "caveat emptor" and "ha ha, buddy, | you fucked up". | | For traditional finance, it's pretty different. E.g., "If | fraudulent electronic withdrawals are made from your bank | or credit union account but your ATM or debit card is not | lost or stolen, you are not liable if you write to let | the bank or credit union know about the error within 60 | days of when they send you the account statement showing | the fraudulent withdrawals." https://ovc.ojp.gov/sites/g/ | files/xyckuh226/files/media/docu... | Spooky23 wrote: | It's based on risk. TOTP tokens only provide moderate | assurance. | | If you have a lot of money, most brokers will ship you a | hardware token. | ls612 wrote: | Fidelity has the option to use OTP only (although it's | unfortunately a shitty Symantec app) | jkepler wrote: | But could one simply take the secret when initializing | the app and stick it in another, like andOTP? My employer | told us that the corporate intranet required we use | Google Authenticator, but when I try other OTP apps, it | still works. | edoceo wrote: | Unfortunately, yes. | bonzini wrote: | In Europe all banks are using 2FA, and it's usually based | on TOTP (and enrolling the first phone is a pain usually | requiring QR codes and whatnot). 17 years ago some were | using smartcards as 2FA. It's doable and secure, to the | point that identity theft is almost unheard of (and | usually used more as a synonym of catfishing than in the | American sense). | | SMS is handy but it should be a last resort rather than | the main second factor. | trelane wrote: | If you can use sms as a factor, you can use sms as a | factor. The only way to win is not to play at all | bonzini wrote: | Yeah what I meant is that companies should propose other | methods than SMS.
| | SMS can be good enough to confirm a password reset link | that was sent by email (so you will not really do | anything without access to an account's linked email | address), but not as the main second factor for login. | jkepler wrote: | I bank with a major European bank, and they still rely on | SMS for 2FA for every online transaction, except for | logging into their website. They offer 2FA through their | app, but that only works with iOS or Android with full | Google Play services---for non-Google folks running | LineageOS or /e/ OS, they're stuck with SMS 2FA. | ensignavenger wrote: | Then we need to do a better job making the UX easier. I'm | sure Okta is working on that? | ufmace wrote: | A decent point. It scares me to imagine all the security | checks that would be required to make SMS actually secure | against these kind of attacks, and then getting everyone | to actually follow them. | danuker wrote: | https://web.archive.org/web/20211001153920/https://oag.ca.go... | newfonewhodis wrote: | > Unfortunately, between March and May 20, 2021, you were a | victim of a third-party campaign to gain > unauthorized access to | the accounts of Coinbase customers and move customer funds off | the Coinbase > platform. At least 6,000 Coinbase customers had | funds removed from their accounts, including you. | | I see 2 conflicting claims here: | | > While we are not able to determine conclusively how these third | parties gained > access to this information | | "these" being username, pw, phone number etc. And then: | | > We have not found any evidence that these third parties | obtained this information from Coinbase itself. | | You're technically correct but the first claim undermines the | second one to me. | devrand wrote: | I don't see the conflict with those statement. They're saying | "we don't know where the information came from and we haven't | found any evidence that it came from Coinbase itself". 
| | It's difficult to prove a negative here until you find where | the stolen credentials originated from. They're just saying | that they have no evidence that it came from themselves thus | far. | mdavis6890 wrote: | How? Those statements seem entirely consistent and reasonable | to me. They have no evidence or reason to believe that the | information was stolen from Coinbase, but beyond that they | don't know how attackers got it. | | Your car was stolen. I haven't been able to determine | conclusively who did steal it or how, but I know it wasn't me. | addingnumbers wrote: | "I know it wasn't us" is exactly the non-sequitur conclusion | they were trying to walk you toward by wording their | statements as they did. | devrand wrote: | How else would you even word it? They accurately described | the situation. If people are leaping to "I know it wasn't | us" then that's their own misinterpretation. | addingnumbers wrote: | > If people are leaping to "I know it wasn't us" then | that's their own misinterpretation. | | Is that not what we just watched a HN reader do with that | analogy? | | It would be equally accurate to say "We have no evidence | that it _wasn't_ our fault," either statement is equally | meaningless when they have no significant evidence. | | They chose to phrase their ignorance the only way that it | could be misinterpreted as mitigating their liability, | and we just watched that misinterpretation play out here. | | "We haven't found any evidence of who was at fault" would | be more forthright than answering only the half of that | question that sounds better for them. | eli wrote: | Phishing or malware would be obvious avenues for someone to | gain this information not from Coinbase itself. | | If people reused passwords, they also could potentially have | cobbled together 6000 valid username/password/phone | combinations from previous hacks of other services.
| saalweachter wrote: | As the Holy Writ says: https://xkcd.com/2176/ | andiliu wrote: | Not necessarily. You can collect information such as username, | passwords, phone numbers from leaked databases and then attempt | to login via Coinbase. Some might have 2FA, so they might even | go as far as to sim swap them given that they know their phone | number. | | So it doesn't necessarily mean they got it from Coinbase. | lbriner wrote: | What can be said that has not already? | | It's like people saying, "I don't like the bank with their | ridiculous paperwork so I will use a loan shark instead, he | doesn't need paperwork" | | Then the loan shark disappears/beats you up/asks for loads of | interest etc. and you still want to complain to the police. | | Most people hate regulators but they are there for a reason. What | certifications does coinbase have to hold your millions of | dollars of virtual currency? | [deleted] | bdcravens wrote: | Coinbase is not an unregulated free-for-all. They are licensed | in all 50 states, and are registered as an MSB with FinCEN. | | https://www.coinbase.com/legal/licenses | arcticbull wrote: | MSB licenses mean basically nothing. Money transmitters are | borderline unregulated, certainly depending on which state | they obtained their licensing. | | They were actually created as a much lighter weight framework | to avoid the onerous regulation of an actual depository | institution. | codingdave wrote: | That page does not list all 50 states, just FYI. | alphabet9000 wrote: | states not listed: California, Hawaii, Indiana, | Massachusetts, Missouri, Montana, Utah, Wisconsin, and | Wyoming | tibiahurried wrote: | These platforms should not offer 2fa with SMS. And force their | customers to use 2FA via MFA instead. | jtchang wrote: | I like this. They are basically making a call to self insure | against these types of incidents and paying out of their own | coffers.
It makes sense since recovering the stolen crypto is | near impossible (as designed). | | It's funny how everything old is new again. We are just | reinventing FDIC insurance for crypto. | xqyf wrote: | The FDIC is a government agency created after bank runs were | common during the Depression. This is much different, nothing | has been "reinvented". | rhinoceraptor wrote: | After all, crypto is speedrunning 500 years of bad | economics... | htrp wrote: | Theoretically every bank was self-insured back in the pre FDIC | era... the problem was that some banks didn't actually have the | reserves (especially given fractional reserve banking) | gowld wrote: | FDIC insures your account against bank's overall business | collapse. It doesn't insure your personal account against bank | robbery of your specific account (deceptively named "identity | theft"). | | I don't think you'd get FDIC money back if an attacker got into | your account. The bank might cover you if they agree it was | their fault, similar to Coinbase. | tastyfreeze wrote: | There is a difference between self insured and government | insured. At the end of the day I prefer self or market insured | so the business itself is on the hook for a breach. | z3c0 wrote: | Not a bad thing, really. It'll be what's needed to win over | skeptics. | | I mean, they'll more likely just move the goalposts than be won | over, but at least they're running out of things to complain | about. Between this and the Coinbase card, Coinbase has already | tackled the two biggest (valid) critiques of crypto that I | hear. | jefftk wrote: | _In order to access your Coinbase account, these third parties | first needed prior knowledge of the email address, password, and | phone number associated with your Coinbase account, as well as | access to your personal email inbox.
While we are not able to | determine conclusively how these third parties gained access to | this information, this type of campaign typically involves | phishing attacks ... Even with the information described above, | additional authentication is required in order to access your | Coinbase account. However, in this incident, for customers who | use SMS texts for two-factor authentication, the third party took | advantage of a flaw in Coinbase's SMS Account Recovery process in | order to receive an SMS two-factor authentication token and gain | access to your account._ | | _We will be depositing funds into your account equal to the | value of the currency improperly removed from your account at the | time of the incident. Some customers have already been reimbursed | -- we will ensure all customers affected receive the full value | of what you lost_ | Fiahil wrote: | Well, it's not like Coinbase should be blamed for all of it. | It's a combination of their customer's poor hygiene + a flaw in | Coinbase's SMS Account Recovery process. | | At least they will be reimbursed, and everyone should walk | happy. | [deleted] | gowld wrote: | > everyone should walk happy. | | The reimbursement comes from somewhere. Investors may not be | happy. "everything is securities fraud" | | https://www.google.com/search?q=%22everything+is+securities+. | .. | latchkey wrote: | I'm guessing their insurance didn't cover it since it | related to insecure account practices. So this is likely | from their own revenues. | | https://help.coinbase.com/en/coinbase/other-topics/legal- | pol... | | I don't see the connection with your link to securities | fraud though. | vngzs wrote: | Anyone care to speculate what the flaw in their SMS recovery | flow actually was? It's hard for me to think there's even a | safe way to implement SMS based account recovery. They would | be smarter to just turn it off. | gowld wrote: | SMS is fundamentally insecure, yes. 
But this sounds like a | problem in the webapp that prepares and sends SMS messages, | not SMS itself. | floatingatoll wrote: | I do not have a specific answer for Coinbase. _Typically_ , | the flaw would be in modifying one of the form inputs to | get the code delivered to a different phone number. That | usually works out to either modifying the "destination | number" client-side form value, or swapping in an | edited/reused session token from a _different_ login | session's MFA challenge, to exploit missing ownership | checks on the various underlying pkey object IDs. | [deleted] | skybrian wrote: | Why does this say "Submitted Breach Notification _Sample_ " and | "Sample of Notice?" How do we know the sample is real? | detaro wrote: | Because it's a sample of what the communication each customer | got looks like (with e.g. a placeholder for the customer name) | Animats wrote: | The attack still goes on. Email today: Coinbase | Coinbase <https://verify-customers.elastic- | galileo.185-150-117-78.plesk.page/> Verify your email | address In order to continue using your Coinbase | account, you need to reconfirm your email address. To | avoid service interruptions verify your email. Verify | Email Address <https://verify-customers.elastic- | galileo.185-150-117-78.plesk.page/> If you did not | sign up for this account you can ignore this email and the | account will be deleted.
Get the latest Coinbase App | for your phone Coinbase iOS mobile bitcoin wallet | <https://verify-customers.elastic- | galileo.185-150-117-78.plesk.page/> Coinbase Android | mobile bitcoin wallet <https://verify-customers.elastic- | galileo.185-150-117-78.plesk.page/> | | Whois info: | | > whois plesk.page Domain Name: plesk.page | Registry Domain ID: 41B85291E-PAGE Registrar WHOIS | Server: whois.namecheap.com Registrar URL: | https://www.namecheap.com/ Updated Date: | 2021-07-10T14:00:29Z Creation Date: 2020-03-18T03:06:27Z | Registry Expiry Date: 2022-03-18T03:06:27Z Registrar: | Namecheap Inc. Registrar IANA ID: 1068 Registrar | Abuse Contact Email: abuse@namecheap.com Registrar Abuse | Contact Phone: +1.6613102107 Domain Status: | clientTransferProhibited | https://icann.org/epp#clientTransferProhibited Registry | Registrant ID: REDACTED FOR PRIVACY Registrant Name: | REDACTED FOR PRIVACY Registrant Organization: Privacy | service provided by Withheld for Privacy ehf Registrant | Street: REDACTED FOR PRIVACY ... | | Traceroute shows that site hosted by Hurricane Electric. | | Anyone who lost money in this should sue Namecheap and Hurricane | Electric. They will be stumbling all over themselves to tell your | lawyers who their customer was, to avoid liability. | | I don't even have a Coinbase account. | LightG wrote: | I'm done with anything crypto. Daily. Bug after bug, breach after | breach. I just don't see how, at any point in the future, crypto | gets any more secure than, say, Microsoft Windows. There'll | always be a bug, there'll always be a fix needed. And this isn't, | "oh, my software crashed for an afternoon", it's potentially a | good chunk of your life savings. | | I'll take my chances with the banks and Nigerian Princes. | cableshaft wrote: | Banks are basically all software too now. They can have the | exact same issues. They're not just taking your bills and | storing them in a physical vault for you to take out later. 
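The two recovery-flow defects floatingatoll sketches above (a client-chosen destination number, and a challenge token from a different session being accepted because nothing ties it to the account under recovery) are easy to model. The following is an added example, not Coinbase's code and not a reconstruction of the actual flaw, which the notice does not describe: an in-memory SMS recovery service with both defects, the same flow with the destination resolved server-side and the challenge bound to the account, and the attacks run against each. Accounts, phone numbers and the SMS "gateway" are constructed sample data.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


# Constructed sample accounts; `phone` is the number verified at enrolment.
@dataclass
class Account:
    email: str
    phone: str


VICTIM_PHONE, ATTACKER_PHONE = "+15550001111", "+15559990000"
ACCOUNTS = {
    "victim@example.com": Account("victim@example.com", VICTIM_PHONE),
    "attacker@example.com": Account("attacker@example.com", ATTACKER_PHONE),
}

# Simulated SMS gateway: records what would have been texted to each number.
OUTBOX: dict[str, list[str]] = {}


def send_sms(number: str, code: str) -> None:
    OUTBOX.setdefault(number, []).append(code)


def last_code(number: str) -> str:
    """What the holder of `number` (or whoever intercepts its SMS) sees."""
    return OUTBOX[number][-1]


class VulnerableRecovery:
    """Two defects: the client chooses where the code is sent, and the
    challenge is never bound to the account it was issued for."""

    def __init__(self) -> None:
        self.challenges: dict[str, str] = {}  # token -> code

    def start(self, email: str, destination: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_urlsafe(16)
        self.challenges[token] = code
        send_sms(destination, code)  # trusts the request body
        return token

    def finish(self, email: str, token: str, code: str) -> bool:
        ok = self.challenges.get(token) == code  # `email` is never consulted
        if ok:
            del self.challenges[token]
        return ok


class HardenedRecovery:
    """Destination comes from the account record; the challenge is bound to that
    account, expires, is single-use, attempt-limited and compared in constant time."""

    TTL, MAX_ATTEMPTS = 300, 5

    def __init__(self) -> None:
        self.challenges: dict[str, dict] = {}

    def start(self, email: str) -> str:
        token = secrets.token_urlsafe(16)
        acct = ACCOUNTS.get(email)
        if acct is not None:  # unknown email: same-shaped response, no SMS, no record
            code = f"{secrets.randbelow(10**6):06d}"
            self.challenges[token] = {"email": email, "code": code,
                                      "exp": time.time() + self.TTL, "tries": 0}
            send_sms(acct.phone, code)  # only ever the enrolled number
        return token

    def finish(self, email: str, token: str, code: str) -> bool:
        ch = self.challenges.get(token)
        if ch is None or ch["email"] != email or time.time() > ch["exp"]:
            return False
        ch["tries"] += 1
        if ch["tries"] > self.MAX_ATTEMPTS:
            del self.challenges[token]
            return False
        if not hmac.compare_digest(ch["code"], code):
            return False
        del self.challenges[token]  # single use
        return True


def attack_redirect_destination() -> bool:
    """Edited 'destination number' form field: the victim's code lands on the attacker's phone."""
    svc = VulnerableRecovery()
    token = svc.start("victim@example.com", ATTACKER_PHONE)
    return svc.finish("victim@example.com", token, last_code(ATTACKER_PHONE))


def attack_swap_session_token() -> bool:
    """Attacker completes a legitimate challenge for their own account, then submits
    that token against the victim's account; nothing checks ownership."""
    svc = VulnerableRecovery()
    token = svc.start("attacker@example.com", ATTACKER_PHONE)
    return svc.finish("victim@example.com", token, last_code(ATTACKER_PHONE))


def hardened_results() -> tuple[bool, bool, bool]:
    """(token swap rejected, legitimate recovery accepted, replay of the same code rejected)."""
    svc = HardenedRecovery()
    t = svc.start("attacker@example.com")
    swapped = svc.finish("victim@example.com", t, last_code(ATTACKER_PHONE))
    t2 = svc.start("victim@example.com")
    legit = svc.finish("victim@example.com", t2, last_code(VICTIM_PHONE))
    replay = svc.finish("victim@example.com", t2, last_code(VICTIM_PHONE))
    return swapped, legit, replay


if __name__ == "__main__":
    print(attack_redirect_destination(), attack_swap_session_token(), hardened_results())
```

The hardened flow only removes the application-level bypass: it still texts a code to the enrolled number, so a SIM swap, a port-out or an SS7/SMS-routing intercept of that number defeats it exactly as the rest of the thread describes. Binding the challenge to the account also means an identity-document step (as detaro notes Coinbase's docs describe) can be keyed to the same record rather than to whatever the client submits.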
| jp42 wrote:
| Check out rekt.news to follow attacks in the crypto world.
|
| It won't stop; not just crypto but almost everything that involves
| software will have potential attacks. Crypto is just another area where
| attacks happen. IMO, the more attacks there are, the more robust the
| crypto industry will become over time.
| vmception wrote:
| I used to work with regulators on ACH and bank account fraud, in the
| legacy payment systems.
|
| It is so commonplace and high volume that it is not news.
|
| If incidents were listed alongside unexpected crypto seizures, crypto
| would look like the better option whether it was onchain, smart contracts
| or custodial institutions (like Coinbase) involved. And that has nothing
| to do with the size of the respective markets.
|
| It's not a contest, but anti-crypto people or skeptics are just falling
| for clickbait at this point and it's pretty goofy to see.
| tolulade_ato wrote:
| Data security is a serious matter, one of the reasons we are building a
| product for this for businesses.
| laulis wrote:
| Could be SIM swapping?
|
| https://therecord.media/hackers-bypass-coinbase-2fa-to-steal...
| rednerrus wrote:
| SMS 2FA is not a good idea.
| rohitpaulk wrote:
| Curious what the total dollar amount involved was.
| LightG wrote:
| Me too. Everyone is cooing that they "made everyone whole". What if they
| weren't able to?
| tgsovlerkhgsel wrote:
| I wonder how "We will be depositing funds into your account equal to the
| value of the currency improperly removed from your account at the time
| of the incident" is to be read.
|
| To me, that reads as "if you had 1 BTC stolen on May 20, we will deposit
| 40k USD into your account, because that was the value of 1 BTC as of May
| 20", not "if you had 1 BTC stolen, there is now 1 BTC back in your
| account".
|
| The timeframe listed in the letter covers exactly the time of a massive
| price spike, so a USD payout would put most people in a better situation
| than a BTC payout in this specific case, but I'm still curious how this
| is handled, and whether there is a universally agreed standard for it.
|
| Because next time "we'll reimburse you the USD value of your crypto as of
| the date of the attack 6 months ago" could mean that someone "made whole"
| like this has only 10% of what they would have if the attack didn't
| happen.
| sneak wrote:
| High security services should send a pair of U2F keys to each and every
| customer when they sign up (or hit a retention/value threshold), with
| instructions on how to store them (that is, different buildings). Then
| they can use normal app-based 2FA day to day (NOT TOTP as that is
| phishable), and use the preenrolled U2F hardware tokens as recovery
| methods when the user inevitably loses their phone and needs to re-enroll
| their primary 2FA device (the service app on their new phone).
|
| Falling back to SMS to reset 2FA, or Skype calls where you hold up your
| ID with a CSR or whatever is just asking for shit like this. In bulk the
| hardware is probably <$5/token, so well under $10/user (probably closer
| to $5/user even for a pair of tokens). If your CLTV for your high
| security financial service can't afford that, go do something else.
|
| This is a solved problem; the fact that financial institutions have not
| got on board with 10+ year old stable, cheap, widely available technology
| is a market failure caused by massive overregulation.
|
| Nothing about this is hard, nothing about this is expensive, there's just
| a pervasive attitude in financial technology circles of "this is the way
| we've always done it" or "this is the way everyone else does it", even if
| those ways encapsulate a ton of waste and risk.
|
| Even without the whole "n+1 tokens, used only as primary 2fa recovery"
| scheme, I don't think there's a single US retail bank that supports U2F
| even for normal 2FA login. It's shameful.
|
| This industry is so ridiculously ripe for disruption but it's so heavily
| overregulated that nobody that doesn't suck is allowed to enter the
| market. Simple was the first to try (and even they had to use a partner
| bank) and they got erased via acquisition (and I think subsequently shut
| down).
| thinkharderdev wrote:
| At this point I think the thing holding back U2F is just user experience.
| It is not "hard" but it is a pain in the ass and most people just find it
| annoying.
|
| The other issue is that you ultimately need some sort of fallback
| mechanism if someone loses their keys. And it will happen. So you still
| end up with a process that can be socially engineered, which is generally
| the weak link in any authentication system.
| sneak wrote:
| The pain in the ass is why it should be used as a primary app-based 2FA
| recovery mechanism.
|
| Doing 2FA via app is fine for most users. The failures happen when users
| lose their phone and need to reset 2FA. That's where the pain in the ass
| (but secure pain in the ass) of U2F would come in handy, to re-enroll
| primary 2FA.
|
| Nobody presently has good ways of doing 2FA resets. U2F hardware is a
| near-perfect solution.
| thinkharderdev wrote:
| It's a near perfect solution assuming nobody ever loses their U2F device.
| joelbondurant wrote:
| Delete Coinbase.
| tgsovlerkhgsel wrote:
| The PDF link
| (https://oag.ca.gov/system/files/09-24-2021%20Customer%20Noti...) was
| sometimes throwing a "file not found" error.
|
| Archived version:
| http://web.archive.org/web/20211001155216/https://oag.ca.gov... (consider
| https://archive.org/donate to support the cost of operating the archive).
| matchagaucho wrote:
| _"Between March and May 20, 2021, you were a victim of a third-party
| campaign..."_
|
| There was a spate of Coinbase SMS phishing texts in July 2021. So the
| window could be much longer, and the campaign ongoing.
| thinkharderdev wrote:
| Yeah, I was getting the same phishing SMS weekly related to my Coinbase
| account.
| q1w2 wrote:
| Yes, I also received several obviously fake SMSs in June 2021, so the
| window is clearly longer than what they are saying.
| paxys wrote:
| SMS-based 2FA needs to die.
| flarex wrote:
| It's the easiest to use because of the prevalence of phone numbers and
| transferability between phones. These properties that give it the best
| user experience also make it the worst form of 2FA. TOTP and hardware
| keys are more secure, but it is easier to lock yourself out of your
| account with them.
___________________________________________________________________
(page generated 2021-10-01 23:00 UTC)