GRC Viewpoint

A Flaw in SMS Authentication Led to the Theft of Funds From 6000 Users

Several thousand accounts of Coinbase users were compromised after the exchange implemented SMS-based authentication improperly.

As reported by Coinbase, funds were taken from accounts by a third party.

A vulnerability in two-factor authentication was the cause of the incident, which occurred between March and May 20, 2021.

Concerns About Security:

During the attack, malicious actors gained access to the victims’ accounts because they already knew the victims’ email addresses, passwords, and phone numbers.

According to the company, it is unable to “determine conclusively” how the actors obtained these credentials, but it suggested that phishing or social engineering attacks were used to fool victims into disclosing their login credentials to bad actors.

Moreover, Coinbase says that it has not found any evidence that these third parties obtained this information from the company itself.

Two-factor authentication would normally keep an account locked down even when the attacker already holds the victim’s credentials.

However, they were able to bypass this extra layer of security due to a flaw in Coinbase’s SMS-based authentication system.

For customers who used SMS text messages for two-factor authentication, the attackers were able to gain access to those accounts by exploiting a bug in Coinbase’s SMS Account Recovery process.

Breach of Privacy:

A company spokesperson added that the third party could have been privy to all information in every account that had been affected, which would include the victim’s full name, email address, home address, date of birth, IP addresses used for account activities, transaction history, and account balance.

To access the Coinbase platform, users must upgrade their authentication method to an authenticator app or a hardware key. In the letter, Coinbase said it has “updated” its authentication parameters.

Customers were also told that they will be reimbursed for any lost funds.
