The crypto community is debating whether SMS two-factor authentication (2FA) should ever be used for account security following news that a Coinbase client is suing the cryptocurrency exchange for $96,000.
On March 6, Jared Ferguson filed a lawsuit against Coinbase in the United States District Court for the Northern District of California, alleging that he had lost “90% of his savings” after money was taken from his account by identity thieves and Coinbase had refused to reimburse him.
Ferguson is believed to have fallen prey to a form of identity theft known as “SIM swapping,” in which fraudsters gain control of a phone number by tricking the telecom provider into linking the number to their own SIM card.
This allows them to bypass any SMS 2FA on an account, and in this situation they could allegedly confirm the withdrawal of $96,000 from Ferguson’s Coinbase account.
Ferguson claimed he lost service after his phone was hacked on May 9, and found money debited from his Coinbase account after getting a new SIM card and restoring his service as instructed by his service provider T-Mobile.
T-Mobile was sued by a SIM-swapping victim earlier in February 2021, following the theft of approximately $450,000 worth of Bitcoin (BTC).
Coinbase denied any responsibility for the hack of Ferguson’s account, telling him in an email that he is “responsible for the security of your email, your passwords, your 2FA codes and your devices.”
Crypto community members generally doubted that Ferguson’s lawsuit would be successful, noting that Coinbase encourages the use of authentication apps for 2FA instead of SMS, describing the latter as the “least secure” form of authentication.
I suspect his password was compromised because it was used on other sites, one of which was breached. Coinbase is also encouraging the Authenticator app for 2FA by labeling it as “secure” and SMS as “moderately secure”.
— Dave Ferguson (@_sc0rn) March 7, 2023
Some Reddit users discussing the lawsuit in a post titled “Never Use SMS 2FA” went so far as to suggest that SMS 2FA should be banned, but noted that it was the only authentication option available to many services, as one user said:
“Unfortunately, many of the services I use do not yet offer Authenticator 2FA. But I definitely think the texting approach has proven to be unsafe and should be banned.”
Blockchain security firm CertiK warned of the dangers of using SMS 2FA in September 2022, with security expert Jesse Leclere telling Cointelegraph in an interview that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA in use today.”
Leclere said dedicated authentication apps like Google Authenticator or Duo provide almost all the convenience of using SMS 2FA while removing the risk of SIM swapping.
Reddit users shared similar advice, but added that an authenticator app on a phone also makes that device a single point of failure, and recommended using separate hardware authentication devices instead.