[HN Gopher] Coinbase Breach Notification
___________________________________________________________________
Coinbase Breach Notification
Author : sunils34
Score : 414 points
Date : 2021-10-01 15:34 UTC (7 hours ago)
(HTM) web link (oag.ca.gov)
(TXT) w3m dump (oag.ca.gov)
| rhacker wrote:
| Almost every exchange supports TOTP, Coinbase included, so
| shouldn't they just disable SMS?
|
| Although it sounds like these are email accounts that have been
| hacked in other ways too.
| rsimmons wrote:
| The irony in that breach document is that the first credit
| monitoring agency mentioned at the bottom is Equifax, which has
| the reputation for one of the worst data breaches in 2017,
| spanning nearly 150mil American citizens.
| IceWreck wrote:
| From what I understand, the SMS verification was bypassed but not
| the password validation.
|
| I am probably not understanding this correctly, but if the
| attacker had to have knowledge of your password, then why did
| they reimburse affected users? They could've called it a day and
| claimed it was the user's fault.
| [deleted]
| xxpor wrote:
| Goodwill generated + money saved by avoiding lawsuits >
| reimbursement costs
| loeg wrote:
| If trad banks did that, people would riot.
| tfang17 wrote:
| Another reminder that text-based 2FA is not secure.
| thinkharderdev wrote:
| Secure/not-secure is not a binary distinction. And SMS-based
| 2fa is still more secure than password alone.
|
| One thing I've become painfully aware of recently is how all
| MFA is rendered pretty insecure by various "fallback"
| processes. I recently switched jobs and realized I had a few
| accounts using my old work phone as SMS 2fa number. In every
| case it was ridiculously easy to call a CSR and get 2fa
| disabled from their end.
| YeBanKo wrote:
| One thing that cryptocurrencies achieved is they introduced a
| private key authentication at scale. For a moment, there was a
| hope that we can move to private key authentication mechanism.
| But, unfortunately, it was quickly rolled back by introduction of
| custodial wallets and we got pulled back into world of passwords.
| sneak wrote:
| sneak's law: users can not (and a tiny subset of users that
| actually know how to, will not) securely manage* key material.
|
| *manage: generate, transmit/sync, authenticate, back up
|
| Discussion: https://youtu.be/9k4GP3Evh9c
|
| I actually operate a business that exists solely as a result of
| this fact.
|
| If you give a user a key, they will lose it. If they're a
| customer, you need to have a back up plan for what happens when
| they lose their keys.
| rStar wrote:
| couldn't happen to nicer people
| [deleted]
| BitwiseFool wrote:
| > _"We will be depositing funds into your account equal to the
| value of the currency improperly removed from your account at the
| time of the incident. Some customers have already been reimbursed
| -- we will ensure all customers affected receive the full value
| of what you lost. You should see this reflected in your account
| no later than today."_
|
| I sympathize with the "Not your keys, not your coins" crowd, but
| you have to admit that you are far more likely to be compensated
| in the event of an attack if you are using a large exchange. Not
| guaranteed, of course, but Coinbase has an image to maintain.
|
| I also believe, personally, that a large exchange has much better
| security than anything I could muster with a hot wallet. Yes, I
| know I can airgap a cold wallet but I like the ability to quickly
| sell some amount of crypto at market rates without having to
| transfer from a paper wallet. I also worry about physical
| security since my home has been burglarized before. Therefore, I
| keep my coins on exchanges and follow good practices with 2FA
| across my accounts (no SMS for any) and have withdrawal delays /
| whitelisting active.
| sneak wrote:
| > _you have to admit that you are far more likely to be
| compensated in the event of an attack if you are using a large
| exchange_
|
| This is only a recent phenomenon, and I don't think it holds
| for all "large exchange[s]".
| Kaytaro wrote:
| Yeah, Mt. Gox used to be considered a large exchange, the
| largest at the time in fact.
| CPLX wrote:
| Wonder how many people follow this reasoning to the next
| logical conclusion and realize that there is literally nothing
| to differentiate the coins at all from regular banking except
| for the lure of speculation.
| BitwiseFool wrote:
| I am a cryptocurrency enthusiast/advocate, but I've come to
| the realization that "being your own bank" is actually a
| terrifying and merciless burden. One small mistake has the
| potential to wipe you out and there is no way to get your
| funds back.
|
| Despite all the criticisms that come with "the banking
| system", banks do provide a lot of value to individuals. It
| is completely understandable that people would want to wrap
| their decentralized currency inside of a centralized system
| (exchanges, custodianship, IRAs, etc.) for the benefits that
| having a bank-like organization can provide.
| jonny_eh wrote:
| > "being your own bank" is actually a terrifying and
| merciless burden
|
| It's amazing how many smart people take so long to realize
| why banks exist.
| sneak wrote:
| It's also amazing how many smart people are completely
| ignorant of the common and routine failure modes of
| banks, and why hundreds of millions of people might want
| an alternative to that.
|
| I just had to physically cross an ocean twice because my
| bank won't send wires for more than $25k via their
| website, and that's one of the gentler failure modes.
|
| Here are some examples: https://old.reddit.com/r/fatFIRE/
| comments/pycgjx/what_in_the...
|
| Retail banking in the USA is _terrible_.
| max-ibel wrote:
| It's really similar to running your own email server.
| nybble41 wrote:
| There are hybrid systems which offer the best of both
| worlds. For example, the open source Muun wallet uses a
| 2-of-2 key system[0] in which Muun only has access to one
| of the two keys so, unlike a traditional bank or a
| custodial exchange like Coinbase, they can't spend any
| funds without your signature. Your Muun wallet app also
| only has one key, so authentication with the Muun service
| is necessary to complete transactions--this allows Muun to
| disable the wallet in the event the phone is lost or
| stolen, by refusing to countersign its payments. A recovery
| code kept offline, on paper, allows you to set up a new
| Muun wallet and recover your funds in the event that the
| phone holding the original wallet becomes unavailable for
| any reason. Finally, for complete self-custody you can
| export a PDF with encrypted versions of _both_ keys plus
| some additional data ( "output descriptors") which,
| together with the offline recovery code, can be used in an
| emergency to transfer your funds to a new wallet _without
| any involvement from Muun_.
|
| This does involve using a centralized service to an extent,
| but the amount of trust you are asked to extend is limited.
| They can't unilaterally take your funds, and they can't
| stop you from moving them to another wallet which you fully
| control. At the same time, you can safely use the wallet
| online with the additional convenience and safeguards
| provided by Muun, and it would be difficult to lose your
| funds permanently from "one small mistake".
|
| [0] https://blog.muun.com/muuns-multisig-model/
| [deleted]
| [deleted]
| YeBanKo wrote:
| There are ways to mitigate, such as a multisig wallet. For
| day to day, use a wallet with a small amount. When its
| balance runs low, you can replenish the amount from your
| vault, which requires at least 2 signatures. Crypto is not
| about completely eliminating trust from the system, but
| rather being able to choose whom you trust and controlling
| what a trusted party can do.
| CPLX wrote:
| The benefits of the banking system I would propose to be
| self-explanatory, though your parent comment recaps them
| well.
|
| It's the reason to do the crypto part at all that's more
| confusing. Unless of course we all just admit that gambling
| is unbelievably popular and fun and has been a continued
| hit throughout human history.
| izzydata wrote:
| This seems like an egregious use of the word "literally". I
| think you should look up the use cases for decentralized
| finance.
| CPLX wrote:
| There are two spectacular use cases: gambling and illicit
| transactions
|
| That's not snark, those are great use cases, both have
| thousands of years of popularity behind them and tons of
| demand.
|
| Hence my parent comment, which points out that when you use
| the more heavily regulated centralized exchanges like
| coinbase the one remaining use case is gambling.
| knownjorbist wrote:
| The cypherpunk crowd on HN seems to be all but gone.
| Overwhelmingly negative takes on anything crypto-related in
| favor of... big banks and media conglomerates.
| pgwhalen wrote:
| In all seriousness, in what way is defi interacting with
| the non-defi world right now to provide value? I'm not too
| informed about the space, but from a distance it seems like
| every defi innovation so far is just building on top of
| something else in the defi space.
|
| Classic answers like "banking the unbanked in third world
| countries" don't seem to be shaking out yet.
| knownjorbist wrote:
| To ask a different question of traditional banks - where
| can you do what you can do in DeFi today in traditional
| finance without being either an investment bank yourself
| or a HNW individual?
| poiuiopkj wrote:
| That is the logical conclusion of the institutions, since
| they are basically crypto banks. However the underlying coins
| are very different from the underlying asset in a bank, even
| if their use cases haven't come to fruition and the most
| common use case is speculation. The use cases that currently
| exist and are important, though probably not to users in this
| forum, are borderless transference and the ability to truly
| own your assets without a governing body or third party
| institution able to touch them. A significant portion of the
| world either lacks institutional banking or is under an
| authoritarian / corrupt government that could seize their
| assets just because, which means the current use cases are
| incredibly valuable to those individuals. For most users here
| coins are probably a novelty used for speculation or asset
| diversification.
| knownjorbist wrote:
| If you know what DeFi is, I don't know how you can arrive at
| this conclusion. At this moment, you as an average person can
| not profit with _your money_ in the same way that banks
| profit with _your money_. You know what the money in your
| checking and savings account is actually doing right now,
| right?
| ekianjo wrote:
| > differentiate the coins at all from regular banking
|
| Apart from the fact that you can save value over time?
| Because the dollar is only going down.
| make3 wrote:
| people invest their money into appreciating assets like
| stocks
| NineStarPoint wrote:
| You can verify that one bitcoin you have today will not be
| diluted by more than a certain amount tomorrow. Value is
| based on people's value of the object though, and I
| wouldn't necessarily bet on Bitcoin keeping that over the
| long term.
| snotrockets wrote:
| And lack of KYC, which enables it to be used for ransomware
| payments
| ftlio wrote:
| I can write code that trades bitcoins without having to ask
| anyone for permission. Without getting into what Bitcoin will
| change about banking, I'd say that's pretty different from
| regular banking.
| JohnJamesRambo wrote:
| Many cryptocurrencies are deflationary and/or have fixed
| supply; I cannot say the same for the dollars in my bank
| account.
|
| https://fred.stlouisfed.org/series/MABMM301USM189S
| rchaud wrote:
| Bitcoin's near infinite divisibility weakens the fixed
| supply argument, does it not?
|
| The smallest possible fraction of a dollar is $0.01. You
| can transact BTC in denominations with a lot more zeros
| behind the decimal point.
| JohnJamesRambo wrote:
| Read more about Bitcoin and what fixed supply means.
| threevox wrote:
| That's why you don't store money in your bank account, you
| keep it in investment vehicles which also appreciate in
| value over the long run (not the best inflation foil, but
| an OK one)
| CPLX wrote:
| > Many
|
| > fixed supply
|
| Perhaps we've identified a small crack in this otherwise
| bulletproof logic.
| get52 wrote:
| Once again the crypto guys are getting horsefucked, why do people
| keep falling for the crypto scam
| Ansil849 wrote:
| What I'm getting from this is that Coinbase was/is using SMS-
| based 2FA? Using anything short of mandatory U2F means the
| responsibility of this breach firmly falls on Coinbase's
| shoulders. It's like if you found out your bank uses single-bolt
| doors for its vault.
| thinkharderdev wrote:
| Is there any d2c business anywhere in the world right now that
| requires U2F on all accounts? I think you underestimate how
| confusing all of this is to non-technical users.
| Ansil849 wrote:
| Plenty of banks require HOTP dongles. Those are, if not more
| confusing, then certainly on par with U2F dongles. Meaning if
| banks can do HOTP, they can do U2F, and using "confusing to
| consumers" is not an excuse.
| thinkharderdev wrote:
| Which banks require an HOTP dongle for customers? Maybe it
| is a non-US thing but I have never once seen that.
| ed25519FUUU wrote:
| The fact that there's no OTP option even available is what
| bothers me. Let the power users use OTP if they want it.
|
| When OTP is available I always remove my phone and use that.
| Sim swap is such a common attack these days.
| thepasswordis wrote:
| Here's the lesson:
|
| Use yubikeys. Use coinbase vaults.
| babyshake wrote:
| Coinbase has already contacted all affected users?
| encryptluks2 wrote:
| If you got hacked and don't get your funds deposited, good luck
| getting in touch with anyone. I have sent multiple requests about
| another issue, was told I should expect a response shortly, and
| that was months ago.
| mdavis6890 wrote:
| I think this reflects very favorably on Coinbase. They're making
| everyone whole, and gosh - the attackers had the user's
| usernames, passwords and phone numbers. Hard not to be
| sympathetic to Coinbase in that scenario. How are they supposed
| to know those aren't the real users? Consider that if they are
| going to identify those cases as fraudulent actors, then they
| could easily lock-out legitimate users as well.
|
| I'll guess the users had the same usernames and passwords that
| they've used for a hundred other sites, and one of those got
| breached at some point. Don't do that!
| q1w2 wrote:
| I'm skeptical of their breach notification for the following
| reasons...
|
| If they were certain this was PURELY a phishing campaign
| against their users, then they had no need to disclose to the
| government.
|
| Their wording in their disclosure is very very carefully
| crafted to not deny a breach of their data - pending
| "conclusive" evidence.
|
| They made a _choice_ to disclose so that the gov't could never
| claim that they failed to disclose should Coinbase data appear
| on a darknet website.
|
| And while they make an allusion to social media data collection
| - I was a target in June, and I absolutely had ZERO social
| media talking about using coinbase. There is NO WAY hackers
| could have deduced on social media that I was a Coinbase user,
| nor gotten my cell phone number.
|
| I am 90% confident that Coinbase WAS breached directly,
| allowing hackers to gain access to email and phone number for
| my account.
|
| This disclosure is 100% CYA.
| [deleted]
| gowld wrote:
| Username and phone are not security factors.
|
| Password is 1FA.
|
| SMS is 2FA (not a great one, but still). Coinbase failed at
| 2FA. 2FA is critically important; that's why it exists.
| mdavis6890 wrote:
| The attackers also needed to know the user's phone number and
| have access to their email account. That is a sufficiently
| high bar that I can still be sympathetic to Coinbase here.
|
| Not sure why you discount username and phone either. Each of
| these is an additional layer of security simply by being more
| information an attacker needs to collect and associate.
| Coinbase doesn't publish a list of usernames. And how would
| someone associate phone numbers back to them?
| draygonia wrote:
| You can easily check databases on and off the darknet to
| find people's phone numbers and most people don't have
| multiple phone numbers and rarely change their number
| because of the associated hassle with moving accounts. The
| same goes for their email and even passwords if they reused
| them.
| mikeiz404 wrote:
| For example https://truepeoplesearch.com will give you
| name, address, and phone number for free and it is
| searchable.
|
| It's unfortunate how much is out there.
| rglover wrote:
| Reminder: if you don't own your keys, you don't own your cheese.
|
| Hardware:
|
| https://trezor.io/ https://www.ledger.com/
| therein wrote:
| Also https://coldcardwallet.com/
| keyb0ardninja wrote:
| I must be missing something, but can someone explain what's the
| point of a hardware wallet? Why not just use a password
| manager?
|
| Hardware wallets seem to have so many downsides, as far as I
| can understand.
|
| You can keep multiple copies of your password manager's
| database (something like a kdbx file), but you won't have
| multiple copies of the hardware wallet. Therefore a single
| point of failure. If the wallet is stolen, damaged in a house
| fire, crushed by some accident etc. you're done. Also, can't
| the firmware of the hardware wallet possibly have some unknown
| bugs that might cause some failure in the future? Is the
| hardware failure-proof? No possibility of manufacturing defect
| etc.?
|
| Secondly, you have to buy a hardware wallet and whatever the cost,
| it's not free. Whereas an open source password manager like
| keepass is completely free (as in freedom as well as beer).
| quickthrower2 wrote:
| Hardware wallet protocol involves a key phrase and password
| you keep secure elsewhere. You need either wallet + password,
| or if the wallet breaks, you can buy a new one and initialize
| it with the seed phrase and then use the same password.
|
| You could use a multi purpose computer, e.g. a phone or PC
| and software to do the same, but they are more complex
| devices with more avenues to exploit them, e.g. a keylogger
| plus something that can upload your keepass file means you're
| robbed.
| rglover wrote:
| > If the wallet is stolen, damaged in a house fire, crushed
| by some accident etc. you're done.
|
| This is incorrect. Hardware wallets typically come with a
| recovery seed. Even if the original device gets destroyed,
| the seed helps you to get access to your addresses/crypto.
| This covers against all of the scenarios you mentioned.
|
| For example, I just updated the firmware on my device this
| afternoon. Before I did it, I was double-prompted to make sure
| I have my recovery seed in case the update fails.
|
| As for storing in a password manager, you certainly could. I
| used to print my wallets out back in the day. The hardware
| just makes the process a bit easier and makes mistakes on my
| part less likely.
| symlinkk wrote:
| Why would you put thousands of dollars in a wallet you need a
| physical device to access? Just put your private key in your
| password manager, problem solved
| q1w2 wrote:
| Keeping your life savings in cash under your mattress is more
| stressful than relying on a bank.
| rglover wrote:
| Do you need me to hold your hand when we cross the street?
| q1w2 wrote:
| I'm not crossing a street with you if you're carrying $500K
| in your backpack everywhere you go.
|
| Physical possession of wealth is a bad long term strategy.
| Eventually people WILL find out, and you WILL become a
| target.
|
| One of the main functions of government is private wealth
| protection. Banks are a feature, not a bug.
| rglover wrote:
| And when they do and I do, I have a large cache of
| weapons and ammunition to wave at them with.
|
| If you think the government is protecting your wealth,
| you're incredibly naive.
| vladTheInhaler wrote:
| So you have to be strapped whenever you want to visit
| Starbucks? No thanks.
| rglover wrote:
| Lol no. Technically I can be because I'm in an open carry
| state but I only do that if I'm out in the wild or
| traveling solo late at night.
| stackedinserter wrote:
| How do you move $500K to another country? My country of
| origin goes apeshit when I send my parents $2000.
| quickthrower2 wrote:
| China will go apeshit if you try to use Bitcoin to move
| $500k to another country.
|
| Transferring 500k between most developed countries should
| be easy enough, I'd probably talk to both banks first for
| such a large amount.
| traeregan wrote:
| Good advice, but I'll never buy another Ledger product after
| getting doxxed in their data leak(s):
| https://www.google.com/search?q=ledger+data+leak
|
| In hindsight, I should've known better than to use PII in my
| account.
|
| It scared me into exiting the space entirely.
| vngzs wrote:
| Coinbase made everyone whole, and the attackers stole the
| credentials (not because of Coinbase's fault) ahead of time, and
| the attackers had to perform a "SIM swap" type attack on the
| users. "Breach" may be the required term for the Californian
| government, but this wouldn't qualify to most people as a
| traditional breach (i.e., compromise of Coinbase's
| infrastructure).
|
| Edit: California, not Canada. My bad.
| syshum wrote:
| They would not be required to have all that info for an
| attacker to steal if it was not for the ridiculous reporting
| and KYC laws of the US
| tgtweak wrote:
| It was not a simswap/simjack attack, they exploited an
| oversight in coinbase's password-reset 2fa to send the
| challenge code for one user to another user's phone number.
| vngzs wrote:
| I haven't been able to verify these sort of claims any more
| than I've been able to speculate it was blanket telco
| Letters-of-Authorization (LoAs) [0][1] or classic SIM swaps
| that resulted in the account takeovers. I'm not claiming
| you're wrong, but given the timing of the LoA fraud and the
| attacks, it seemed likely to me that this was not an actual
| web vulnerability.
|
| What makes you believe a specific exploit like that existed
| against Coinbase's 2FA? And if it existed, then why wasn't
| that caught in a routine pentest?
|
| [0]: https://krebsonsecurity.com/2021/03/can-we-stop-
| pretending-s...
|
| [1]: https://lucky225.medium.com/its-time-to-stop-using-sms-
| for-a...
| tyingq wrote:
| Coinbase themselves called it _"a flaw in Coinbase's SMS
| Account Recovery process"_.[1]
|
| I don't think they would have used that phrasing if it were
| individually simjacked phones.
|
| [1] https://oag.ca.gov/system/files/09-24-2021%20Customer%2
| 0Noti...
| vngzs wrote:
| With only the pdf to go on, I address the "flaw" in more
| detail in these comment threads [0] [1]. In short, I
| believe the "flaw" is likely to be "we used SMS for
| identity verification, without additional necessary
| scrutiny."
|
| The technical barrier to entry for accruing and using
| breach databases is near-zero [2], same with the barrier
| to SMS fraud. Both are routine and easy methods for
| criminal groups with no special technical abilities, and
| therefore they are likely. Since the onus is on Coinbase
| to do identity verification in account recovery, a large
| number of successful takeovers would be a "flaw" in their
| process, even if it's not a technical flaw (which I would
| expect to be expressed in language like "vulnerability").
|
| Accepting untrusted, unauthenticated user input as an SMS
| verification number would be a serious login-related
| flaw, and certainly Coinbase pentests their login pages.
| Any competent pentester would discover such a flaw. So
| between "Coinbase shipped a critical and obvious login
| flaw to prod" and "a routine and common criminal tactic
| was employed successfully against them," I find the
| latter more likely.
|
| [0]: https://news.ycombinator.com/item?id=28720101
|
| [1]: https://news.ycombinator.com/item?id=28720520
|
| [2]: https://xkcd.com/2176/
| tyingq wrote:
| If they use that wording, though, they are putting
| themselves on the hook to fix the "flaw". That's why I'm
| skeptical that it was just simjacking. I don't see a way
| that Coinbase could implement SMS 2FA in a way that
| doesn't have that "flaw".
| hn_throwaway_99 wrote:
| I find your take on this very strange. Given that, again,
| _Coinbase themselves_ called this "a flaw in Coinbase's
| SMS Account Recovery process", it would be bizarre that
| this was just "standard" run-of-the-mill SIM-swapping,
| because of course SIM-swapping is always an inherent
| danger with SMS 2 factor.
|
| Coinbase is very clear in the breach notification that
| attackers had already acquired users' (a) emails, (b)
| passwords, and importantly (c) already have access to the
| users' primary email accounts. At that point, the only
| thing left preventing account takeover would be the 2FA
| challenge, and since Coinbase said there was "a flaw in
| Coinbase's SMS Account Recovery process" I find it a
| bizarre conclusion to think that flaw was just a standard
| SIM-swap.
|
| Edit: Actually, pretty positive it was not just a
| standard SIM-swap given that, if it were, Coinbase would
| not have specifically called out "a flaw in Coinbase's
| SMS _Account Recovery_ process ". If it were just normal
| SIM-swapping bad guys would have just used that to defeat
| 2FA during the login process - there would have been no
| need for them to mess with the account recovery process.
| That's actually not that uncommon a bug, where 2FA works
| great to protect login, but there is an oversight that
| makes it not required during the account recovery process
| (by definition you're letting people into an account
| during the recovery process even if they're missing one
| of their authentication methods) that makes the whole 2FA
| moot.
| tyingq wrote:
| Yes! From the linked pdf that came from Coinbase[1]:
|
| _"However, in this incident, for customers who use SMS
| texts for two-factor authentication, the third party took
| advantage of a flaw in Coinbase's SMS Account Recovery
| process in order to receive an SMS two-factor authentication
| token and gain access to your account"_
|
| The key part being: _"a flaw in Coinbase's SMS Account
| Recovery"_
|
| [1] https://oag.ca.gov/system/files/09-24-2021%20Customer%20N
| oti...
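The recovery-process oversight hn_throwaway_99 describes above, and the unauthenticated phone number vngzs says a pentest would catch, modelled side by side in Python as an added example (not Coinbase's code, and not the actual flaw, which the notification does not describe). The weak handler lets the request choose where the code goes; the hardened one sends only to the number on file, refuses to downgrade an account that has TOTP or a security key enrolled, and binds verification to the challenge it issued. All function names, the SmsGateway stub and the sample accounts are constructed for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Account:
    email: str
    phone_on_file: str      # number the user enrolled (constructed sample data)
    mfa_methods: Set[str]   # e.g. {"sms"}, {"totp"}, {"u2f"}

@dataclass
class Challenge:
    email: str
    code: str
    sent_to: str
    expires_at: float
    attempts: int = 0

class SmsGateway:
    """Stand-in for an SMS provider: records the (phone, code) pairs it would send."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []
    def send(self, phone: str, code: str) -> None:
        self.sent.append((phone, code))

# Weak design: the unauthenticated request chooses where the code is delivered.
def weak_start_recovery(accounts: Dict[str, Account], sms: SmsGateway,
                        email: str, phone_from_request: str) -> Optional[Challenge]:
    """Anyone who knows the victim's email gets the victim's 2FA token sent to a
    number of their choosing; no SIM swap is needed."""
    if email not in accounts:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    chal = Challenge(email, code, phone_from_request, time.time() + 300)
    sms.send(phone_from_request, code)
    return chal

def weak_verify(chal: Challenge, submitted_code: str) -> bool:
    """Accepts any matching code and never asks where that code was delivered."""
    return chal.code == submitted_code

# Hardened design: the destination comes from the account record, never the request.
def hardened_start_recovery(accounts: Dict[str, Account], sms: SmsGateway,
                            email: str, **request_fields) -> Optional[Challenge]:
    """Ignores any phone number the caller supplies. Only an account whose sole
    second factor is SMS may recover over SMS; one with TOTP or a security key
    enrolled is not downgraded to an SMS challenge."""
    acct = accounts.get(email)
    if acct is None or acct.mfa_methods != {"sms"}:
        return None  # same answer for an unknown email and for stronger-MFA accounts
    code = f"{secrets.randbelow(10**6):06d}"
    chal = Challenge(email, code, acct.phone_on_file, time.time() + 300)
    sms.send(acct.phone_on_file, code)
    return chal

def hardened_verify(chal: Optional[Challenge], accounts: Dict[str, Account],
                    submitted_code: str) -> bool:
    """Bound to the challenge actually issued: right account, enrolled number,
    time-limited, attempt-limited, constant-time comparison."""
    if chal is None:
        return False
    chal.attempts += 1
    if chal.attempts > 5 or time.time() > chal.expires_at:
        return False
    acct = accounts.get(chal.email)
    if acct is None or chal.sent_to != acct.phone_on_file:
        return False
    return hmac.compare_digest(chal.code, submitted_code)

def demo() -> Dict[str, bool]:
    """Constructed scenario: attacker already holds the victim's email and owns a phone."""
    accounts = {
        "victim@example.com": Account("victim@example.com", "+15550100001", {"sms"}),
        "keyuser@example.com": Account("keyuser@example.com", "+15550100002", {"u2f"}),
    }
    attacker_phone = "+15550109999"
    out: Dict[str, bool] = {}

    sms = SmsGateway()
    chal = weak_start_recovery(accounts, sms, "victim@example.com", attacker_phone)
    code_on_attacker_phone = next(c for p, c in sms.sent if p == attacker_phone)
    out["weak_takeover"] = weak_verify(chal, code_on_attacker_phone)

    sms = SmsGateway()
    chal = hardened_start_recovery(accounts, sms, "victim@example.com", phone=attacker_phone)
    out["hardened_code_leaked"] = any(p == attacker_phone for p, _ in sms.sent)
    # The attacker never sees the code; model a blind guess that is wrong by construction.
    wrong = "000000" if chal.code != "000000" else "111111"
    out["hardened_takeover"] = hardened_verify(chal, accounts, wrong)
    # The real user, reading the code on the enrolled phone, still gets back in.
    victim_code = next(c for p, c in sms.sent if p == "+15550100001")
    out["hardened_legit_recovery"] = hardened_verify(chal, accounts, victim_code)
    # An account secured with a security key is never offered the SMS path at all.
    out["hardened_downgrade_offered"] = hardened_start_recovery(
        accounts, SmsGateway(), "keyuser@example.com", phone=attacker_phone) is not None
    return out
```

For detection, the weak design leaves a clear signal in recovery logs: a challenge delivered to a number that differs from the one enrolled on the account, which the hardened handler makes impossible by construction.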
| space_rock wrote:
| Agree. Although I would like coinbase to move away from SMS 2fa
| sneak wrote:
| Using SMS 2FA is negligent, considering it's been four+ years
| since NIST told the industry not to use it because it's not
| safe.
|
| (It's also the only option offered by many US banks, which is
| a sad commentary on the level of tech innovation in finance
| in the USA.)
| agumonkey wrote:
| I don't know about you, but in the days of smartphones, login
| + mail + sms seems pointless. The only lock is the pin code /
| fingerprint on your phone, since when that is unlocked, the
| attacker gets to trigger all validation steps.
| opheliate wrote:
| The important part is having physical access to the phone.
| A targeted attack against you now requires a physical
| element, rather than being entirely online.
| willvarfar wrote:
| Agree with everything you say, but add to that a lot of
| sms 2fa exploits are sim or redirection attacks. It's
| possible to get access to a phone number without access
| to the phone.
|
| Here's an old story of a friend who had a weird talk with
| someone who had redirected their phone:
|
| https://williame.github.io/post/24949768311.html
| danuker wrote:
| Assuming the phone is not remotely exploited.
| mdavis6890 wrote:
| They already support other forms of 2FA, so I guess you mean
| they should turn off support for SMS. Keep in mind that for
| many users the alternative is no 2FA at all (they don't
| browse HN and Krebs), which is much, much worse.
|
| Coinbase should continue doing what they are doing, which is
| to support SMS, and educate and encourage users where
| possible to use something else instead.
| zitterbewegung wrote:
| How about allowing users to turn off sms.
| mrb wrote:
| Coinbase does allow SMS to be turned off. I did that on
| my account. When SMS is turned off, and when a U2F
| security key is the only 2FA you configured, if you lose
| the security key the only way to recover the account is
| to contact their support department and provide a photo
| of yourself holding your ID.
| wmf wrote:
| _for many users the alternative is no 2FA at all_
|
| I'm pretty sure people have phones and Coinbase can force
| them to install a 2FA app.
| stan_rogers wrote:
| I don't have a phone that will run apps. I'm pretty sure
| I'm not alone.
| cbhl wrote:
| Which works fine until they buy a new phone and trade in
| or reset the old one without transferring the private
| keys -- and now you're locked out of your own account
| because you lost your second factor.
| Consultant32452 wrote:
| No problem, just reset your factor over SMS!
| driverdan wrote:
| There are multiple ways to avoid this, such as using an
| app that saves those keys (eg Authy) or using recovery
| keys.
| dotBen wrote:
| But then bad guy just logs in to Authy with the same
| stolen credentials because most normal people will
| probably use the same credentials for everything,
| including Authy. And arguably, the smartest tech-savvy
| folk wouldn't be storing their 2FA keys in the cloud like
| Authy anyway.
|
| If your cloud account is protected by 2FA that's also in
| the cloud... it's turtles all the way down.
| drexlspivey wrote:
| How do you "Log in" to Authy? It's tied to your
| Apple/Google ID afaik and the 2fa codes are also
| protected with a passphrase.
| matheusmoreira wrote:
| Emergency single-use codes. They can be printed and
| stored in a safe. Not every service with 2FA has this
| feature, I have no idea why. How hard could it possibly
| be?
| toomuchtodo wrote:
| > and now you're locked out of your own account because
| you lost your second factor.
|
| To verify someone's identity ("Identity Proofing") using
| Stripe Identity [1] costs ~$2. They support IDs from 33
| countries, and have implemented fraud detection in the
| flow. If you were so paranoid as to defend against
| someone stealing your government issued ID (used in the
| proofing process), you could paper mail an OTP to the
| physical address on file.
|
| Does it suck, and is it the cost of no digital ID
| infrastructure in the US? Yes. Is it insurmountable? Not
| at all. At the end of the day, people are the weakest
| link, and we must fallback to meatspace trust anchors (in
| this case, possession of government provided ID that can
| be provided on demand with robust fraud detection
| mechanisms). You are who you are, and own what you own,
| not because of key material but because of the law.
|
| [1] https://stripe.com/identity
| bostik wrote:
| What they _should_ be doing, is to subsidise YubiKeys to
| their high-value customers.
|
| Not just to lock down the logins to Coinbase, but to also
| secure their customers' email, Twitter accounts, and as
| many other online systems as would support hardware backed
| WebAuthn. Hell, PokerStars did this with RSA tokens back in
| 2008 so it's not like it's a new idea.
| matheusmoreira wrote:
| I love my YubiKey but it doesn't work with my phone. Have
| newer models solved this problem?
| twostorytower wrote:
| My iPhone supports my Google Titankey through NFC, and I
| think newer Yubikeys also have NFC.
| space_rock wrote:
| Ok, before I was locked out of my account for changing phone
| numbers, they only had SMS.
| leonry wrote:
| You can change your phone number by re-validating your
| identity. During the 2FA step when logging in, you can
| click on "I need to change my phone number" (or similar).
| wpietri wrote:
| Wait, why should they accept customer funds if they don't
| think they can keep them safely? If somebody is saying,
| "Let me hold on to your money for you," it seems like a
| minimum bar is them being pretty sure it's not going to go
| anywhere.
| [deleted]
| staticassertion wrote:
| > which is much, much worse.
|
| This attack wouldn't have been possible if they didn't
| allow SMS 2FA, so I don't think that's fair to say at all.
| winkeltripel wrote:
| What if the users had no 2fa at all? attackers still had
| their passwords and their emails, and their sms numbers
| judge2020 wrote:
| I'm not entirely familiar with coinbase, so is it really
| 2fa or is it 1fa in that you can use SMS as a recovery
| method when you don't know your password?
| tobstarrr wrote:
| Question as they did not mention Sim Swap in the email. Was
| this confirmed somewhere? "the third party took advantage of a
| flaw in Coinbase's SMS Account Recovery process in order to
| receive an SMS two-factor authentication token and gain access
| to your account".
|
| I'm personally more familiar with incidents using SMS stealers
| (mobile malware) or use of SS7 vulnerabilities due to my job.
| Telcos in our country (europe) run tight security on SIM swaps.
|
| I was surprised about their recommendation to use time-based
| OTPs. They basically have the same attack vectors as SMS minus
| independent channel sign-what-you-see capabilities.
|
| Edit: Answer was in other comments
| nickthemagicman wrote:
| if they did a SIM swap that means that they compromised the
| user's phone, if I'm not mistaken.
| sneak wrote:
| You are mistaken. A SIM swap is a compromise at the carrier,
| not the handset.
| hartator wrote:
| > i.e., compromise of Coinbase's infrastructure
|
| How is this not? 2FA is not 2FA if you can recover your
| account with just a text. It does seem a bad engineering
| decision on their side.
| mmaunder wrote:
| > "Breach" may be the required term for the Californian
| government, but this wouldn't qualify to most people as a
| traditional breach
|
| 6000 customers affected. If it wasn't a YC company you'd never
| say that.
| 8BPATUNNTBU wrote:
| >> Coinbase made everyone whole
|
| No, I don't think they have. The document says they will, not
| that they have. I personally know someone who had 2FA and
| tends to be security knowledgeable and was struck by this on
| 6/7, which is well past their claimed date, so either they are
| lying or the hacking continues undetected. He has had no
| ability to get anyone on the phone who will help with the
| issue. He lost less than $2,000, but it is ridiculous how
| crypto currency combines the worst of the wild west with the
| worst of banking with the worst of crappy customer service.
| Seattle3503 wrote:
| Some exchanges have good customer service, but Coinbase isn't
| one of them. They went the route of minimizing customer
| support staff that many tech companies do.
| toomuchtodo wrote:
| > but it is ridiculous how crypto currency combines the worst
| of the wild west with the worst of banking with the worst of
| crappy customer service.
|
| Crypto's value is _because_ it is the wild west. Otherwise,
| it'd be gold: custodians holding the commodity for owners,
| most of it locked in cold storage, fully regulated, and
| governments pursuing theft whenever reported.
|
| Eventually, the end state desired will be reached
| (regulation, customer service, insurance, pursuit of value
| theft, etc), it's just taking time for governments and Big
| Finance to catch up.
|
| EDIT: https://www.cnbc.com/2021/10/01/defi-protocol-compound-
| mista... (DeFi bug accidentally gives $90 million to users,
| founder begs them to return it)
|
| https://en.wikipedia.org/wiki/Cryptocurrency_and_crime
| gregwebs wrote:
| Bitcoin is a self custody asset just like gold, and IMHO
| that and its decentralized exchange is actually where all
| the value comes from if it has any. People do own gold and
| store it on their own property as well.
|
| Gold owners also use responsible custodians when they don't
| store the gold themselves. I think bitcoin owners do not do
| the same because they want to have easy access to trading
| and there aren't companies that both operate trading and
| are either responsible custodians or make it easy to use a
| different custodian for storage.
| wpietri wrote:
| So if its value is in it not being regulated and you think
| governments will catch up, you're saying that it will
| eventually become worthless.
|
| If so, I agree. I'm just surprised to see it stated so
| baldly.
| rednerrus wrote:
| We already have all of those things.
| 5faulker wrote:
| Funny that Canada is the other way around (gov.ca)
| amznthrwaway wrote:
| Attackers did not have to perform a sim-swap attack.
|
| Coinbase provided a refund of the dollar value of the assets
| when they were taken, _not_ a return of the same assets.
|
| I'd appreciate if you update your comment to be accurate;
| though I fully understand that you are being intentionally
| dishonest out of disrespect to HN users. And I fully understand
| that dishonest comments like yours are considered to be
| absolutely acceptable by Dan Gackle.
| lambic wrote:
| *Californian government.
| [deleted]
| RangerScience wrote:
| Huh. 3 or so years ago, I got SIM-swapped and they ran away
| with my Coinbase crypto, and CB definitely never made me whole.
| detaro wrote:
| > _had to perform a "SIM swap" type attack on the users._
|
| source? I kind of doubt that's something coinbase would call a
| flaw in their system?
| nabakin wrote:
| Looking at his other comments, he's speculating. The document
| talks about obtaining an SMS verification token, they say "we
| updated our SMS Account Recovery protocols to prevent any
| further bypassing of that authentication process", and have
| not removed SMS as an authentication option. I see no reason
| to think this vulnerability was a SIM swap. Him stating it as
| if it's a fact in his original comment is very misleading.
| have_faith wrote:
| It doesn't matter who technically is at fault; Coinbase wants
| to stay ahead of the potential bad press and people pulling
| all their funds from the platform. Probably just figured this
| was cheaper.
| detaro wrote:
| I'm in no way arguing that they shouldn't notify
| people/replace money/..., I just wonder where the
| confidence for the claim that it was just SIM swapping
| comes from.
| nemacol wrote:
| And they would have had to do ~6000 SIM swaps? that seems
| like too many for a short period of time. Maybe?
| vngzs wrote:
| There is some speculation in another comment that their SMS
| verification server may have actually had a technical flaw,
| and the issue was not a lack of separate identity
| verification on SMS [0].
|
| However, around the time of the breach date (March - May
| 2021), there were a number of "B2B" services that offered a
| "type in any SMS number and you will get all text messages
| to that number," type feature intended for customer support
| teams to use for shared SMS access. Those systems often had
| privileged access to telcos and were regularly exploited by
| attackers to break 2FA without even a SIM swap [1]. With
| those tools, stealing all SMS to a number required only
| intent, not conversations with telco support personnel.
|
| [0]: https://news.ycombinator.com/item?id=28720280
|
| [1]: https://krebsonsecurity.com/2021/03/can-we-stop-
| pretending-s...
| nemacol wrote:
| Interesting. thank you for the links.
| sam0x17 wrote:
| These days in infosec circles simply having SMS-based 2FA
| enabled is now considered a no-no because of the notoriously
| bad (and inconsistent) security measures at large mobile
| carriers.
| vngzs wrote:
| In the linked PDF, Coinbase does not claim to have knowledge
| of a vulnerability in their system (edit: though it does note
| "the third party took advantage of a flaw in Coinbase's SMS
| Account Recovery process," I interpreted that as "we
| supported SMS account recovery at all" which is inherently
| broken [0]). The requisite two-factor bypass is detailed in
| the linked pdf:
|
| > Even with the information described above, additional
| authentication is required in order to access your Coinbase
| account. However, in this incident, for customers who use SMS
| texts for two-factor authentication, the third party took
| advantage of a flaw in Coinbase's SMS Account Recovery
| process in order to receive an SMS two-factor authentication
| token and gain access to your account.
|
| My guess is, because funds were stolen from users' accounts,
| the CA breach notification laws apply and this needed to be
| disclosed as such. However, that doesn't necessarily mean
| that Coinbase was technically "breached," only that customer
| accounts were compromised.
|
| If the attacker controls your personal email associated with
| Coinbase, accompanying passwords, _and_ phone number, _and_
| you use SMS 2FA, then your funds were stolen. Otherwise, they
| were safe. That's my reading of the article.
|
| [0]: https://krebsonsecurity.com/2019/08/who-owns-your-
| wireless-s...
| [deleted]
| detaro wrote:
| They also say "we updated our SMS Account Recovery
| protocols to prevent any further bypassing of that
| authentication process". What did they update if it wasn't
| due to a weakness on their side?
|
| EDIT: on reading some of their docs, recovery is supposed
| to be followed by the user submitting ID documents etc
| before they get full access back - maybe that's the part
| they didn't do before or that could somehow be
| circumvented? (which is a flaw, but still requires
| intercepting the SMS to use?)
| vngzs wrote:
| I bet that control of email address + SMS 2FA was
| sufficient, alone, to recover the Coinbase account
| password. Lots of systems permit this kind of recovery,
| and while I may tell a technical crowd "if you use SMS
| for 2FA, that's on you" less technical users may not have
| the requisite background to understand the security
| tradeoff they make in doing so.
|
| The "flaw," in _my_ reading of it, was to support SMS-
| based account recovery at all. But I'm not necessarily
| right here, and open to alternatives.
| hourislate wrote:
| >(not because of Coinbase's fault)
|
| From the Coinbase statement
|
| >the third party took advantage of a flaw in Coinbase's SMS
| Account Recovery process
|
| Your speculation and conjecture dismisses you from any and all
| future discussions on this matter. You have demonstrated that
| you are unfit to comment.
| sangnoir wrote:
| > ... the attackers had to perform a "SIM swap" type attack on
| the users
|
| Minor nitpick: I find your framing problematic as it transfers
| "burden of security" to the end-users over a process that did
| not involve them: this was not an attack on the users - it was
| an attack on the telecoms infrastructure.
|
| I have a similar gripe against "identity theft", which really
| ought to be "fraud against corporation X, using false identity"
| - however, that framing is necessary to make consumers accept,
| by default, the burden of clearing debts they were never party
| to simply because the defrauded party did not adequately
| verify the perpetrator's identity.
| zikduruqe wrote:
| > I have a similar gripe against "identity theft", which
| really ought to be...
|
| ... bank robbery by unknowing proxy. If we reframed the
| narrative, I bet banks and financial institutions would bust
| their asses to make things better.
| thinkharderdev wrote:
| They already do for the most part though right? That is,
| they lose a huge amount of money to "identity theft" and
| have ample incentives to stop/prevent it.
| heleninboodler wrote:
| A point very well made by Mitchell and Webb:
| https://www.youtube.com/watch?v=CS9ptA3Ya9E
| tompazourek wrote:
| This is brilliant.
| narrator wrote:
| The easiest way to prevent sim swap attacks is to use Google
| Voice. Google has no customer service, so there isn't anyone
| you can call up and con.
| ta1234567890 wrote:
| That is smart, funny and sad, all at the same time.
| pxeboot wrote:
| This isn't really true. Google Voice numbers are managed by
| bandwidth.com and have been taken by attackers submitting
| fraudulent number portability requests in the past.
| narrator wrote:
| Don't you have to login to your Google account to port a
| number?
| pxeboot wrote:
| It has been possible in some instances for an attacker to
| port a number directly from the underlying carrier, in
| this case, bandwidth.com.
|
| When I saw this happen, Google was not aware the number
| was gone, so calls and texts from other Google Voice
| users still worked.
| tyingq wrote:
| There's ways to intercept SMS messages without sim-
| jacking or number porting too.
|
| https://arstechnica.com/information-
| technology/2021/03/16-at...
| vngzs wrote:
| I agree. From Coinbase's perspective, they ought to defend
| their infrastructure against fraud, whether that is a direct
| attack on the users, an attack on the users' telcos, or
| insider activity directly.
|
| From the telco's perspective, they have a responsibility to
| stop SMS and SIM fraud, and our regulations have failed to
| properly hold them accountable in this domain.
|
| I would add that the users have some responsibility for
| losing their emails/passwords, but my initial framing
| insufficiently demands responsibility for the service
| providers in this instance. The service providers should be
| expected to take all reasonable steps to prevent fraud on
| their platforms, and that should include extra scrutiny of
| SMS-based authentication mechanisms (e.g., identity
| verification). This is why Coinbase paid them back, accepting
| some responsibility for the fraud.
| miohtama wrote:
| Telcos have no responsibility to stop SIM fraud. Telcos
| have communicated the last 30 years SMS is not secure
| (travels as plain text) and should not be used for 2FA. If
| companies have ignored this advice then it is on them.
| bbarnett wrote:
| And the elephant in the room is... the real purpose, for
| many corps eg Google, others, is to identify you, track
| you more accurately.
|
| And your mobile phone number is invaluable here.
| dropnerd wrote:
| coinbase does kyc. it already knows who you are
|
| why sms? because everyone has it. we're not in an otp/u2f
| only world yet. sms 2fa is better than no 2fa
| tdeck wrote:
| SIM swapping also allows you to intercept voice calls,
| which are encrypted and supposed to be secure. The idea
| that telcos have no responsibility to stop people from
| taking over the telephone number that customers pay for
| is completely absurd. Moreover, often the SIM swapping is
| done by employees of the Telco itself using company
| infrastructure.
| miohtama wrote:
| No you are not correct. The whole underlying mobile phone
| network infrastructure is based on (failed) trust and is
| not secure. Though it is slowly being replaced.
|
| https://www.theguardian.com/technology/2016/apr/19/ss7-ha
| ck-...
|
| https://www.firstpoint-mg.com/blog/ss7-attack-guide/
| rStar wrote:
| replaced by a system which is similarly secure against
| all classes of attackers that anyone gives a crap about.
| Forbo wrote:
| Can you elaborate? I'd like to learn more about this. The
| only initiative I know about is STIR/SHAKEN.
| miohtama wrote:
| I feel people who fled Hong Kong and Belarus care, so it
| would be rude to call it crap.
| sangnoir wrote:
| I fully agree that users are not absolved of all
| responsibilities or vigilance (e.g. over
| passwords/devices). I think the legal framework has to be
| overhauled to clarify the culpability of all parties
| involved, rather than the current "Sucks to be you"
| attitude towards consumers, who are the least powerful, and
| have the least agency in these issues.
| ensignavenger wrote:
| Coinbase and other sites (especially those that deal in
| money) should stop using SIM cards as a form of
| authentication. While carriers should probably do more to
| secure SIMs and phone #s, it has always been known that the
| system was never designed to be used as a security mechanism,
| and Coinbase using it as such is a security flaw that they
| are responsible for.
| Consultant32452 wrote:
| Okta architect here. It's hard enough getting MFA to work
| in a large organization where technically illiterate people
| are surrounded by coworkers to ask who have all figured out
| their RSA tokens or Okta Verify enrollment. Trying to
| manage this for the general public would be an incredible
| undertaking.
|
| The cost benefit analysis probably does not make sense for
| a gazillion low balance users. It may make sense to enforce
| strong factors for high balance users. You have to balance
| that against them taking their business elsewhere.
| Spooky23 wrote:
| This. Nerdy people don't understand how much people
| struggle with this.
|
| RSA enrollment is probably the single most challenging
| end user issue our IT folks deal with. After password
| reset it's the #2 call, and lots of time, training and
| engineering effort has been expended to improve the
| experience. (And those efforts were very effective!)
| wpietri wrote:
| So to sum up, an organization promising to take people's
| money and keep it safe can't afford to do it except for
| people with a great deal of money. However, they're still
| going to accept smaller amounts of money. Did I get that
| right?
| abecedarius wrote:
| When I went looking for an online brokerage in the USA
| with a reasonable login process (i.e. 2FA, _not_ by SMS
| _ever_) it seemed pretty hard to find one. (Maybe that's
| changed?) These brokerages handle amounts much greater
| than a software engineer's retirement savings.
| wpietri wrote:
| I think the difference for me is the extent to which
| transactions are traceable, revertable, and regulated.
| The median reaction to theft in the cryptocurrency world
| is somewhere between "caveat emptor" and "ha ha, buddy,
| you fucked up".
|
| For traditional finance, it's pretty different. E.g., "If
| fraudulent electronic withdrawals are made from your bank
| or credit union account but your ATM or debit card is not
| lost or stolen, you are not liable if you write to let
| the bank or credit union know about the error within 60
| days of when they send you the account statement showing
| the fraudulent withdrawals." https://ovc.ojp.gov/sites/g/
| files/xyckuh226/files/media/docu...
| Spooky23 wrote:
| It's based on risk. TOTP tokens only provide moderate
| assurance.
|
| If you have a lot of money, most brokers will ship you a
| hardware token.
| ls612 wrote:
| Fidelity has the option to use OTP only (although it's
| unfortunately a shitty Symantec app)
| jkepler wrote:
| But could one simply take the secret when initializing
| the app and stick it in another, like andOTP? My employer
| told us that the corporate intranet required we use
| Google Authenticator, but when I try other OTP apps, it
| still works.
| edoceo wrote:
| Unfortunately, yes.
| bonzini wrote:
| In Europe all banks are using 2FA, and it's usually based
| on TOTP (and enrolling the first phone is a pain usually
| requiring QR codes and whatnot). 17 years ago some were
| using smartcards as 2FA. It's doable and secure, to the
| point that identity theft is almost unheard of (and
| usually used more as a synonym of catfishing than in the
| American sense).
|
| SMS is handy but it should be a last resort rather than
| the main second factor.
| trelane wrote:
| If you can use sms as a factor, you can use sms as a
| factor. The only way to win is not to play at all
| bonzini wrote:
| Yeah what I meant is that companies should propose other
| methods than SMS.
|
| SMS can be good enough to confirm a password reset link
| that was sent by email (so you will not really do
| anything without access to an account's linked email
| address), but not as the main second factor for login.
| jkepler wrote:
| I bank with a major European bank, and they still rely on
| SMS for 2FA for every online transaction, except for
| logging into their website. They offer 2FA through their
| app, but that only works with iOS or Android with full
| Google Play services---for non-Google folks running
| LineageOS or /e/ OS, they're stuck with SMS 2FA.
| ensignavenger wrote:
| Then we need to do a better job making the UX easier. I'm
| sure Okta is working on that?
| ufmace wrote:
| A decent point. It scares me to imagine all the security
| checks that would be required to make SMS actually secure
| against these kind of attacks, and then getting everyone
| to actually follow them.
| danuker wrote:
| https://web.archive.org/web/20211001153920/https://oag.ca.go...
| newfonewhodis wrote:
| > Unfortunately, between March and May 20, 2021, you were a
| victim of a third-party campaign to gain unauthorized access to
| the accounts of Coinbase customers and move customer funds off
| the Coinbase platform. At least 6,000 Coinbase customers had
| funds removed from their accounts, including you.
|
| I see 2 conflicting claims here:
|
| > While we are not able to determine conclusively how these third
| parties gained access to this information
|
| "these" being username, pw, phone number etc. And then:
|
| > We have not found any evidence that these third parties
| obtained this information from Coinbase itself.
|
| You're technically correct but the first claim undermines the
| second one to me.
| devrand wrote:
| I don't see the conflict with those statement. They're saying
| "we don't know where the information came from and we haven't
| found any evidence that it came from Coinbase itself".
|
| It's difficult to prove a negative here until you find where
| the stolen credentials originated from. They're just saying
| that they have no evidence that it came from themselves thus
| far.
| mdavis6890 wrote:
| How? Those statements seem entirely consistent and reasonable
| to me. They have no evidence or reason to believe that the
| information was stolen from Coinbase, but beyond that they
| don't know how attackers got it.
|
| Your car was stolen. I haven't been able to determine
| conclusively who did steal it or how, but I know it wasn't me.
| addingnumbers wrote:
| "I know it wasn't us" is exactly the non-sequitur conclusion
| they were trying to walk you toward by wording their
| statements as they did.
| devrand wrote:
| How else would you even word it? They accurately described
| the situation. If people are leaping to "I know it wasn't
| us" then that's their own misinterpretation.
| addingnumbers wrote:
| > If people are leaping to "I know it wasn't us" then
| that's their own misinterpretation.
|
| Is that not what we just watched a HN reader do with that
| analogy?
|
| It would be equally accurate to say "We have no evidence
| that it _wasn't_ our fault," either statement is equally
| meaningless when they have no significant evidence.
|
| They chose to phrase their ignorance the only way that it
| could be misinterpreted as mitigating their liability,
| and we just watched that misinterpretation play out here.
|
| "We haven't found any evidence of who was at fault" would
| be more forthright than answering only the half of that
| question that sounds better for them.
| eli wrote:
| Phishing or malware would be obvious avenues for someone to
| gain this information not from Coinbase itself.
|
| If people reused passwords, they also could potentially have
| cobbled together 6000 valid username/password/phone
| combinations from previous hacks of other services.
| saalweachter wrote:
| As the Holy Writ says: https://xkcd.com/2176/
| andiliu wrote:
| Not necessarily. You can collect information such as username,
| passwords, phone numbers from leaked databases and then attempt
| to login via Coinbase. Some might have 2FA, so they might even
| go as far as to sim swap them given that they know their phone
| number.
|
| So it doesn't necessarily mean they got it from Coinbase.
| lbriner wrote:
| What can be said that has not already?
|
| It's like people saying, "I don't like the bank with their
| ridiculous paperwork so I will use a loan shark instead, he
| doesn't need paperwork"
|
| Then the loan shark disappears/beats you up/asks for loads of
| interest etc. and you still want to complain to the police.
|
| Most people hate regulators but they are there for a reason. What
| certifications does coinbase have to hold your millions of
| dollars of virtual currency?
| [deleted]
| bdcravens wrote:
| Coinbase is not an unregulated free-for-all. They are licensed
| in all 50 states, and are registered as an MSB with FinCEN.
|
| https://www.coinbase.com/legal/licenses
| arcticbull wrote:
| MSB licenses mean basically nothing. Money transmitters are
| borderline unregulated, certainly depending on which state
| they obtained their licensing.
|
| They were actually created as a much lighter weight framework
| to avoid the onerous regulation of an actual depository
| institution.
| codingdave wrote:
| That page does not list all 50 states, just FYI.
| alphabet9000 wrote:
| states not listed: California, Hawaii, Indiana,
| Massachusetts, Missouri, Montana, Utah, Wisconsin, and
| Wyoming
| tibiahurried wrote:
| These platforms should not offer 2fa with SMS. And force their
| customers to use 2FA via MFA instead.
| jtchang wrote:
| I like this. They are basically making a call to self insure
| against these types of incidents and paying out of their own
| coffers. It makes sense since recovering the stolen crypto is
| near impossible (as designed).
|
| It's funny how everything old is new again. We are just
| reinventing FDIC insurance for crypto.
| xqyf wrote:
| The FDIC is a government agency created after bank runs were
| common during the Depression. This is much different, nothing
| has been "reinvented".
| rhinoceraptor wrote:
| After all, crypto is speedrunning 500 years of bad
| economics...
| htrp wrote:
| Theoretically every bank was self-insured back in the pre FDIC
| era... the problem was that some banks didn't actually have the
| reserves (especially given fractional reserve banking)
| gowld wrote:
| FDIC insures your account against bank's overall business
| collapse. It doesn't insure your personal account against bank
| robbery of your specific account (deceptively named "identity
| theft").
|
| I don't think you'd get FDIC money back if an attacker got into
| your account. The bank might cover you if they agree it was
| their fault, similar to Coinbase.
| tastyfreeze wrote:
| There is a difference between self insured and government
| insured. At the end of the day I prefer self or market insured
| so the business itself is on the hook for a breach.
| z3c0 wrote:
| Not a bad thing, really. It'll be what's needed to win over
| skeptics.
|
| I mean, they'll more likely just move the goalposts than be won
| over, but at least they're running out of things to complain
| about. Between this and the Coinbase card, Coinbase has already
| tackled the two biggest (valid) critiques of crypto that I
| hear.
| jefftk wrote:
| _In order to access your Coinbase account, these third parties
| first needed prior knowledge of the email address, password, and
| phone number associated with your Coinbase account, as well as
| access to your personal email inbox. While we are not able to
| determine conclusively how these third parties gained access to
| this information, this type of campaign typically involves
| phishing attacks ... Even with the information described above,
| additional authentication is required in order to access your
| Coinbase account. However, in this incident, for customers who
| use SMS texts for two-factor authentication, the third party took
| advantage of a flaw in Coinbase's SMS Account Recovery process in
| order to receive an SMS two-factor authentication token and gain
| access to your account._
|
| _We will be depositing funds into your account equal to the
| value of the currency improperly removed from your account at the
| time of the incident. Some customers have already been reimbursed
| -- we will ensure all customers affected receive the full value
| of what you lost_
| Fiahil wrote:
| Well, it's not like Coinbase should be blamed for all of it.
| It's a combination of their customer's poor hygiene + a flaw in
| Coinbase's SMS Account Recovery process.
|
| At least they will be reimbursed, and everyone should walk
| happy.
| [deleted]
| gowld wrote:
| > everyone should walk happy.
|
| The reimbursement comes from somewhere. Investors may not be
| happy. "everything is securities fraud"
|
| https://www.google.com/search?q=%22everything+is+securities+.
| ..
| latchkey wrote:
| I'm guessing their insurance didn't cover it since it
| related to insecure account practices. So this is likely
| from their own revenues.
|
| https://help.coinbase.com/en/coinbase/other-topics/legal-
| pol...
|
| I don't see the connection with your link to securities
| fraud though.
| vngzs wrote:
| Anyone care to speculate what the flaw in their SMS recovery
| flow actually was? It's hard for me to think there's even a
| safe way to implement SMS based account recovery. They would
| be smarter to just turn it off.
| gowld wrote:
| SMS is fundamentally insecure, yes. But this sounds like a
| problem in the webapp that prepares and sends SMS messages,
| not SMS itself.
| floatingatoll wrote:
| I do not have a specific answer for Coinbase. _Typically_,
| the flaw would be in modifying one of the form inputs to
| get the code delivered to a different phone number. That
| usually works out to either modifying the "destination
| number" client-side form value, or swapping in an
| edited/reused session token from a _different_ login
| session's MFA challenge, to exploit missing ownership
| checks on the various underlying pkey object IDs.
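A minimal model of the two missing checks floatingatoll describes (a destination number taken from the client, and a challenge accepted without checking which account it was issued for), beside a handler that binds both to server-side state, adds expiry, an attempt limit and single use. This is an added example, not Coinbase's code; the accounts, challenge store and SMS gateway are constructed in-memory stand-ins.

```python
"""SMS account-recovery flow: weak handlers that trust client input
beside hardened handlers that only trust server-side state."""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample accounts: the phone number on file lives server-side.
ACCOUNTS = {
    "alice": {"phone": "+15550000001"},
    "mallory": {"phone": "+15550000002"},
}

# Constructed SMS gateway stand-in: records (destination, code) instead of sending.
SENT_SMS: list[tuple[str, str]] = []


def send_sms(destination: str, code: str) -> None:
    SENT_SMS.append((destination, code))


@dataclass
class Challenge:
    owner: str          # account the challenge was issued for
    code: str
    expires_at: float
    attempts: int = 0


CHALLENGES: dict[str, Challenge] = {}
MAX_ATTEMPTS = 5


def _issue(owner: str, destination: str, ttl: int = 300) -> str:
    """Create a 6-digit code bound to `owner`, deliver it, return the challenge id."""
    code = f"{secrets.randbelow(10**6):06d}"
    cid = secrets.token_urlsafe(16)
    CHALLENGES[cid] = Challenge(owner, code, time.time() + ttl)
    send_sms(destination, code)
    return cid


# --- Weak pattern described in the thread ----------------------------------

def weak_start_recovery(username: str, destination: str) -> str:
    """Trusts a client-supplied destination: the code goes wherever the form says."""
    return _issue(username, destination)


def weak_verify(username: str, challenge_id: str, code: str) -> bool:
    """No ownership check: any challenge id plus its code unlocks any account."""
    ch = CHALLENGES.get(challenge_id)
    return ch is not None and ch.code == code


# --- Hardened pattern ------------------------------------------------------

def start_recovery(username: str) -> str:
    """Destination is never an input; it comes from the account record."""
    return _issue(username, ACCOUNTS[username]["phone"])


def verify(username: str, challenge_id: str, code: str) -> bool:
    """Accept only a live, unexpired challenge issued for this very account."""
    ch = CHALLENGES.get(challenge_id)
    if ch is None or ch.owner != username:
        return False
    if time.time() > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
        CHALLENGES.pop(challenge_id, None)
        return False
    ch.attempts += 1
    ok = hmac.compare_digest(ch.code.encode(), code.encode())
    if ok:
        CHALLENGES.pop(challenge_id, None)  # single use: no replay
    return ok


def demo() -> dict[str, bool]:
    """Replay both weaknesses and show the hardened handler refusing them."""
    SENT_SMS.clear()
    CHALLENGES.clear()
    r: dict[str, bool] = {}

    # 1. Destination tampering: recovery for alice, code delivered to mallory's phone.
    cid = weak_start_recovery("alice", ACCOUNTS["mallory"]["phone"])
    dest, code = SENT_SMS[-1]
    r["weak_code_to_attacker_phone"] = dest == ACCOUNTS["mallory"]["phone"]
    r["weak_accepts"] = weak_verify("alice", cid, code)

    # Hardened: the destination cannot be chosen by the caller at all.
    cid = start_recovery("alice")
    dest, code = SENT_SMS[-1]
    r["hardened_code_to_owner_phone"] = dest == ACCOUNTS["alice"]["phone"]

    # 2. Challenge swapping: mallory's own challenge presented against alice's account.
    m_cid = start_recovery("mallory")
    _, m_code = SENT_SMS[-1]
    r["weak_cross_account"] = weak_verify("alice", m_cid, m_code)
    r["hardened_cross_account"] = verify("alice", m_cid, m_code)

    # Legitimate use succeeds once; replaying the same code does not.
    r["hardened_legit"] = verify("alice", cid, code)
    r["hardened_replay"] = verify("alice", cid, code)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32} {value}")
```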
| [deleted]
| skybrian wrote:
| Why does this say "Submitted Breach Notification _Sample_ " and
| "Sample of Notice?" How do we know the sample is real?
| detaro wrote:
| Because it's a sample of what the communication each customer
| got looks like (with e.g. a placeholder for the customer name)
| Animats wrote:
| The attack still goes on. Email today:
|
| Coinbase
| Coinbase <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
| Verify your email address
| In order to continue using your Coinbase account, you need to
| reconfirm your email address. To avoid service interruptions
| verify your email.
| Verify Email Address <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
| If you did not sign up for this account you can ignore this
| email and the account will be deleted.
| Get the latest Coinbase App for your phone
| Coinbase iOS mobile bitcoin wallet <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
| Coinbase Android mobile bitcoin wallet <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
|
| Whois info:
|
| > whois plesk.page
| Domain Name: plesk.page
| Registry Domain ID: 41B85291E-PAGE
| Registrar WHOIS Server: whois.namecheap.com
| Registrar URL: https://www.namecheap.com/
| Updated Date: 2021-07-10T14:00:29Z
| Creation Date: 2020-03-18T03:06:27Z
| Registry Expiry Date: 2022-03-18T03:06:27Z
| Registrar: Namecheap Inc.
| Registrar IANA ID: 1068
| Registrar Abuse Contact Email: abuse@namecheap.com
| Registrar Abuse Contact Phone: +1.6613102107
| Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
| Registry Registrant ID: REDACTED FOR PRIVACY
| Registrant Name: REDACTED FOR PRIVACY
| Registrant Organization: Privacy service provided by Withheld for Privacy ehf
| Registrant Street: REDACTED FOR PRIVACY
| ...
|
| Traceroute shows that site hosted by Hurricane Electric.
|
| Anyone who lost money in this should sue Namecheap and Hurricane
| Electric. They will be stumbling all over themselves to tell your
| lawyers who their customer was, to avoid liability.
|
| I don't even have a Coinbase account.
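The link in the lure quoted above is a good worked case for automated phishing-link triage. What follows is an added example in Go, written for this page and not taken from the thread, from Coinbase or from any vendor. It parses the URL, derives the registrable domain with a last-two-labels simplification (no public-suffix list, so co.uk-style suffixes are not handled), and flags the signals visible in this message: a registrable domain that is not on the brand's allowlist, a dashed IPv4 label like 185-150-117-78 of the kind hosting panels stamp on auto-generated hostnames, and lure words such as "verify". The allowlist and lure-word list are constructed for the example. One practitioner caveat on the whois shown: it is for the apex plesk.page, a shared hosting-panel domain, so it identifies the hosting platform rather than whoever created the subdomain; the dashed-IP label is the lead that points at the actual host.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is the triage verdict for one link.
type Finding struct {
	Host              string
	RegistrableDomain string
	Reasons           []string // empty means the link is on an allowlisted domain
}

// Domains the brand really uses. Constructed allowlist for this example.
var legitDomains = map[string]bool{
	"coinbase.com": true,
}

// Words that turn up in credential-harvesting hostnames. Constructed list.
var lureWords = []string{"verify", "secure", "login", "signin", "account", "support", "update"}

// A dashed IPv4 label ("185-150-117-78") is what hosting panels put in
// auto-generated hostnames; a brand's own DNS does not look like this.
var dashedIPv4 = regexp.MustCompile(`^\d{1,3}(-\d{1,3}){3}$`)

// registrable takes the last two labels. Simplification: no public-suffix
// list, so multi-label suffixes such as co.uk are not handled.
func registrable(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// Triage explains why a link from a suspected phishing message should not be
// treated as one of the brand's own. Allowlisted domains get no findings; for
// everything else the heuristics say what makes it look like a lure.
func Triage(raw, brand string) (Finding, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Finding{}, err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return Finding{}, fmt.Errorf("no host in %q", raw)
	}
	f := Finding{Host: host, RegistrableDomain: registrable(host)}
	if legitDomains[f.RegistrableDomain] {
		return f, nil
	}
	f.Reasons = append(f.Reasons, "registrable domain "+f.RegistrableDomain+" is not a "+brand+" domain")

	labels := strings.Split(host, ".")
	for i, l := range labels {
		// Brand name used as a subdomain of someone else's domain.
		if i < len(labels)-2 && strings.Contains(l, brand) {
			f.Reasons = append(f.Reasons, "brand name in subdomain label "+l)
		}
		if dashedIPv4.MatchString(l) {
			f.Reasons = append(f.Reasons, "dashed IPv4 label "+l+" (hosting default hostname)")
		}
		for _, w := range lureWords {
			if strings.Contains(l, w) {
				f.Reasons = append(f.Reasons, "lure word "+w+" in label "+l)
				break
			}
		}
	}
	if u.Scheme != "https" {
		f.Reasons = append(f.Reasons, "not https")
	}
	return f, nil
}

// IsSuspicious reports whether Triage found anything.
func IsSuspicious(f Finding) bool { return len(f.Reasons) > 0 }

func main() {
	// The link from the lure quoted in the comment above.
	f, err := Triage("https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/", "coinbase")
	if err != nil {
		panic(err)
	}
	fmt.Println(f.Host, "->", f.RegistrableDomain)
	for _, r := range f.Reasons {
		fmt.Println("  -", r)
	}
}
```

Run against the quoted link it reports plesk.page as the registrable domain with three reasons (not a coinbase domain, dashed IPv4 label, lure word "verify"); a real https://www.coinbase.com/ link yields no findings. The allowlist is what decides trust; the heuristics only explain a non-allowlisted host, which avoids flagging legitimate subdomains such as accounts.coinbase.com on a lure word.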
| LightG wrote:
| I'm done with anything crypto. Daily. Bug after bug, breach after
| breach. I just don't see how, at any point in the future, crypto
| gets any more secure than, say, Microsoft Windows. There'll
| always be a bug, there'll always be a fix needed. And this isn't,
| "oh, my software crashed for an afternoon", it's potentially a
| good chunk of your life savings.
|
| I'll take my chances with the banks and Nigerian Princes.
| cableshaft wrote:
| Banks are basically all software too now. They can have the
| exact same issues. They're not just taking your bills and
| storing them in a physical vault for you to take out later.
| jp42 wrote:
| checkout rekt.news to follow attacks in crypto world.
|
| It won't stop; not just crypto but almost everything that
| involves software will have potential attacks. Crypto is just
| another area where attacks happen. IMO, the more attacks there
| are, the more robust the crypto industry will become over time.
| vmception wrote:
| I used to work with regulators on ACH and bank account fraud,
| in the legacy payment systems
|
| It is so commonplace and high volume that it is not news
|
| If incidents were listed alongside unexpected crypto
| seizures, crypto would look like the better option whether it
| was onchain, smart contracts or custodial institutions (like
| Coinbase) involved. And that has nothing to do with the size
| of the respective markets
|
| It's not a contest, but anti-crypto people or skeptics are
| just falling for clickbait at this point and it's pretty
| goofy to see.
| tolulade_ato wrote:
| Data security is a serious matter, one of the reasons we are
| building a product for this for businesses.
| laulis wrote:
| Could be SIM swapping?
|
| https://therecord.media/hackers-bypass-coinbase-2fa-to-steal...
| rednerrus wrote:
| SMS 2FA is not a good idea.
| rohitpaulk wrote:
| Curious what the total dollar amount involved was.
| LightG wrote:
| Me too. Everyone is cooing that they "made everyone whole".
| What if they weren't able to.
| tgsovlerkhgsel wrote:
| I wonder how "We will be depositing funds into your account equal
| to the value of the currency improperly removed from your account
| at the time of the incident" is to be read.
|
| To me, that reads as "if you had 1 BTC stolen on May 20, we will
| deposit 40k USD into your account, because that was the value of
| 1 BTC as of May 20", not "if you had 1 BTC stolen, there is now 1
| BTC back in your account".
|
| The timeframe listed in the letter covers exactly the time of a
| massive price spike, so a USD payout would put most people in a
| better situation than a BTC payout in this specific case, but I'm
| still curious how this is handled, and whether there is a
| universally agreed standard for it.
|
| Because next time "we'll reimburse you the USD value of your
| crypto as of the date of the attack 6 months ago" could mean that
| someone "made whole" like this has only 10% of what they would
| have if the attack didn't happen.
| sneak wrote:
| High security services should send a pair of U2F keys to each and
| every customer when they sign up (or hit a retention/value
| threshold), with instructions on how to store them (that is,
| different buildings). Then they can use normal app-based 2FA day
| to day (NOT TOTP as that is phishable), and use the preenrolled
| U2F hardware tokens as recovery methods when the user inevitably
| loses their phone and needs to re-enroll their primary 2FA device
| (the service app on their new phone).
|
| Falling back to SMS to reset 2FA, or Skype calls where you hold
| up your ID with a CSR or whatever is just asking for shit like
| this. In bulk the hardware is probably <$5/token, so well under
| $10/user (probably closer to $5/user even for a pair of tokens).
| If your CLTV for your high security financial service can't
| afford that, go do something else.
|
| This is a solved problem; the fact that financial institutions
| have not got on board with 10+ year old stable, cheap, widely
| available technology is a market failure caused by massive
| overregulation.
|
| Nothing about this is hard, nothing about this is expensive,
| there's just a pervasive attitude in financial technology circles
| of "this is the way we've always done it" or "this is the way
| everyone else does it", even if those ways encapsulate a ton of
| waste and risk.
|
| Even without the whole "n+1 tokens, used only as primary 2fa
| recovery" scheme, I don't think there's a single US retail bank
| that supports U2F even for normal 2FA login. It's shameful.
|
| This industry is so ridiculously ripe for disruption but it's so
| heavily overregulated that nobody that doesn't suck is allowed to
| enter the market. Simple was the first to try (and even they had
| to use a partner bank) and they got erased via acquisition (and I
| think subsequently shut down).
| thinkharderdev wrote:
| At this point I think the thing holding back U2F is just user
| experience. It is not "hard" but it is a pain in the ass and
| most people just find it annoying.
|
| The other issue is that you ultimately need some sort of
| fallback mechanism if someone loses their keys. And it will
| happen. So you still end up with a process that can be socially
| engineered, which is generally the weak link in any
| authentication system.
| sneak wrote:
| The pain in the ass is why it should be used as a primary
| app-based 2FA recovery mechanism.
|
| Doing 2FA via app is fine for most users. The failures happen
| when users lose their phone and need to reset 2FA. That's
| where the pain in the ass (but secure pain in the ass) of U2F
| would come in handy, to re-enroll primary 2FA.
|
| Nobody presently has good ways of doing 2FA resets. U2F
| hardware is a near-perfect solution.
| thinkharderdev wrote:
| It's a near perfect solution assuming nobody ever loses
| their U2F device.
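The distinction sneak draws in this subthread (TOTP is phishable, U2F is not) comes down to what each factor binds to. The following is an added example in Go, written for this page and not code from the thread, from Coinbase or from any token vendor. It models a real-time phishing relay: the victim is on a lure site that forwards everything to the real site. The TOTP side is RFC 6238 as specified (SHA-1, 30-second step, 6 digits). The U2F side is deliberately simplified to the one property that matters, "the authenticator signs over the origin the browser reports plus the server's challenge, and the relying party verifies against its own origin", using P-256 ECDSA instead of the full U2F/WebAuthn message format. The origins, the shared secret and the timestamp are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Totp computes an RFC 6238 code (SHA-1, 30-second step, 6 digits) for the
// given Unix time. The code carries no information about where it is typed,
// which is exactly why a code relayed from a phishing page works on the real site.
func Totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	return fmt.Sprintf("%06d", code%1000000)
}

// assertionHash is a simplified stand-in for U2F/WebAuthn client data: the
// authenticator signs over the origin the browser actually reports plus the
// server's challenge, so a signature made on a phishing origin cannot be
// replayed to the real one.
func assertionHash(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot slide into each other
	h.Write(challenge)
	return h.Sum(nil)
}

// SignAssertion is the authenticator side. It does not know whether origin
// is legitimate; it signs whatever the client presents.
func SignAssertion(priv *ecdsa.PrivateKey, origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, assertionHash(origin, challenge))
}

// VerifyAssertion is the relying-party side. It binds its own origin into the
// verified message instead of trusting one supplied by the client.
func VerifyAssertion(pub *ecdsa.PublicKey, rpOrigin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, assertionHash(rpOrigin, challenge), sig)
}

// PhishingRelayScenario plays a real-time relay: the victim interacts with a
// phishing site, which forwards everything to the real site. It returns
// whether the relayed TOTP code and the relayed U2F assertion were accepted.
func PhishingRelayScenario() (totpAccepted, u2fAccepted bool, err error) {
	const realOrigin = "https://www.coinbase.com"         // the relying party
	const phishOrigin = "https://coinbase-verify.example" // hypothetical lure

	// TOTP: shared secret enrolled earlier, constructed for this example.
	secret := []byte("12345678901234567890")
	const now int64 = 1633100000
	victimCode := Totp(secret, now)                // typed into the phishing page
	totpAccepted = Totp(secret, now) == victimCode // real site checks the relayed code

	// U2F-style: registration bound a key pair to the user; the relying party
	// keeps the public half. Constructed here instead of stored.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	challenge := make([]byte, 32) // fresh per-login challenge from the real site
	if _, err = rand.Read(challenge); err != nil {
		return false, false, err
	}
	// The phishing site relays the genuine challenge, but the victim's browser
	// reports the phishing origin to the authenticator, which signs over that.
	sig, err := SignAssertion(priv, phishOrigin, challenge)
	if err != nil {
		return false, false, err
	}
	u2fAccepted = VerifyAssertion(&priv.PublicKey, realOrigin, challenge, sig)
	return totpAccepted, u2fAccepted, nil
}

func main() {
	t, u, err := PhishingRelayScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("relayed TOTP accepted: %v\nrelayed U2F assertion accepted: %v\n", t, u)
}
```

The relayed TOTP code is accepted and the relayed assertion is rejected, because nothing in a TOTP code ties it to the page it was typed into, while the assertion is a signature over an origin the relying party never agreed to. The same binding is what makes the pre-enrolled keys sneak proposes safe to use as a recovery factor: a phished recovery flow fails for the same reason a phished login does.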
| joelbondurant wrote:
| Delete Coinbase.
| tgsovlerkhgsel wrote:
| The PDF link
| (https://oag.ca.gov/system/files/09-24-2021%20Customer%20Noti...)
| was sometimes throwing a "file not found" error.
|
| Archived version:
| http://web.archive.org/web/20211001155216/https://oag.ca.gov...
| (consider https://archive.org/donate to support the cost of
| operating the archive).
| matchagaucho wrote:
| _"Between March and May 20, 2021, you were a victim of a third-
| party campaign..."_
|
| There was a spate of Coinbase SMS phishing texts in July 2021. So
| the window could be much longer, and the campaign ongoing.
| thinkharderdev wrote:
| Yeah, I was getting the same phishing SMS weekly related to my
| Coinbase account.
| q1w2 wrote:
| Yes, I also received several obviously fake SMSs in June 2021,
| so the window is clearly longer than what they are saying.
| paxys wrote:
| SMS-based 2FA needs to die.
| flarex wrote:
| It's the easiest to use because of the prevalence of phone
| numbers and transferability between phones. These properties
| that give it the best user experience also make it the worst
| form of 2FA. TOTP and hardware keys are more secure but they
| are easier to lock yourself out of the account.
___________________________________________________________________
(page generated 2021-10-01 23:00 UTC)