We advise our users to install Authenticator apps (Google Authenticator, Microsoft Authenticator) as their primary 2FA method to secure their Coinbase accounts from phone porting attacks. You can follow the steps outlined in our support article to use Authenticator.
The instant and irreversible nature of digital currency enables fascinating use cases and drives our mission to create an open financial system for the world. This includes helping merchants accept bitcoin with no chargeback risk and helping users do global remittances instantly at low fees. But that very nature of bitcoin also attracts sophisticated attackers that challenge this mission.
Security of any system is as strong as its weakest link. Recent attempts to break into Coinbase user accounts point back to that weakest link being telecom companies (telcos). I’ll explain that after a brief overview of two factor authentication.
Two-Factor Authentication (2FA):
When you log in to any service in the cloud that’s storing anything of value (money, data, assets), it is crucial to have two factors. The first is something you know (a strong password) and the second is something you always have (like your mobile phone). Sending a 6-digit PIN code via SMS to your mobile phone allowed online services to verify during the login process that it was indeed you who requested access to the service.
It was intended for the second factor to be the physical device that you always have in your control. But sending an SMS to your phone actually verifies that you have access to your phone number, not your phone device. This distinction is really important, as it turns out phone numbers can be stolen far more easily than physical phone devices.
Telcos as weakest link in SMS based 2FA
Telcos break the assumption that SMS-based 2FA is reliable for two reasons. First, some telcos allow SMS messages to be read online, thereby making the SMS-based second factor only as strong as the user’s telco billing password. Secondly, poor security processes at telcos around phone number portability enable attackers to take over accounts more easily. In the past several months, we’ve been working behind the scenes to stay ahead of these attacks. We wrote about this recently and would like to share things we have since built to keep our users safe despite these vulnerabilities. In a second blog post, I will provide more details of the vulnerabilities exposed by poor security practices at telcos.
Authenticator as your primary second factor authentication:
We recommend that all users, especially those with high balances or those who are more security conscious, install device-only 2FA apps, commonly referred to as Authenticator apps (for example Google Authenticator, Microsoft Authenticator, etc.).
You first download the Authenticator app on your mobile device and then scan a QR code on Coinbase’s security settings page. This QR code is essentially a secret key that is shared securely once between your mobile device and Coinbase. The Time-based One-Time Password (TOTP) protocol is then used to authenticate you every time you try to log in to Coinbase. The next time you log in to Coinbase and use your Authenticator app, the app will use the current time and the secret key to generate a 6-digit code. When you enter that 6-digit code on Coinbase, we check whether it is valid by using the same parameters (current time and the secret key). Notice that with this 2FA method, no data is ever sent over the air, unlike SMS. Hence, it is much more resistant to interception and man-in-the-middle attacks.
To make future account recovery easy, we recommend that users write down the secret key generated when linking Coinbase with their Authenticator app on a piece of paper or a USB key that is kept offline. In a forthcoming release, we will have backup recovery codes, and then we’d recommend you write those down instead. Note that you are trading off usability for security with this choice. If you lose the device where you’ve installed the Authenticator app and do not have access to your secret key, you’ll have to contact Coinbase support. This is why it is important to write down the secret key and store it securely at the time of setting up Authenticator, to avoid delays in account recovery later on.
We also support the Authy app, which, instead of using the traditional QR code method to give you your secret key, uses an API to deliver the secret key securely to your device. Once you’ve installed Authy, we recommend disabling the Multi-device option. This means nobody can add a new Authy app to your account. Also pay attention to any emails or SMS messages you may get from Authy, as they may contact you if they see someone trying to change your 2FA data.
Auto-lock your account on seeing suspicious activity:
Please pay special attention to SMS or emails from Coinbase that inform you that your 2FA settings or password have been changed or a new device has been added, or a withdrawal has been made from your account.
You can also auto-lock your account by following a special one-time-use link that we recently added at the bottom of our emails. That link leads you to a Disable Signin page. When in doubt, always hover over any URL link to confirm it leads to Coinbase.com before clicking it.
Balancing security with usability:
Balancing security with usability is always a hard product trade-off. We balance this trade-off by making our second-factor authentication an opt-in choice, so users who want to continue using SMS-based second-factor authentication can still do so. We can’t move them over to Authenticator overnight without a significant amount of hand-holding. In light of this, and despite the vulnerabilities in SMS 2FA, we still need to protect those users’ funds from account takeovers. We are actively working on an account takeover detection system that uses behavioral anomaly detection and will delay withdrawals of digital currency from suspicious sessions. We expect to launch this feature within the next few months. Stay tuned.
In a lot of respects, Coinbase is building one of the most sophisticated security companies in the world. We use advanced cryptography, state-of-art 2FA, data science and machine learning to stay one step ahead of the attackers. If you’d like to join us in our mission to help make finance 2.0 user friendly as well as secure, please look at https://www.coinbase.com/careers.
I’ll also be presenting on this topic and risk engineering in general at the following venues. Come check them out:
Thanks to my colleagues Tom Boice, Linda Xie, Dave Farmer, Rob Witoff and Jeremy Henrickson for reading multiple drafts of this article, and to the risk- and security-engineering teams at Coinbase for pushing the bar on security at Coinbase.
Updated: on Apr 25 with minor edits to clarify that Coinbase supports all Authenticator apps (Google Authenticator, Microsoft Authenticator, etc)