Debate over 2FA using SMS after sim-swapping victim sues Coinbase
The crypto community is debating whether SMS two-factor authentication (2FA) should ever be used for account security following news that a Coinbase customer is suing the cryptocurrency exchange for $96,000.
On Mar. 6 Jared Ferguson filed a lawsuit against Coinbase in the United States District Court for the Northern District of California, claiming he lost “90% of his life savings” after funds were withdrawn from his account by identity thieves and Coinbase had refused to reimburse him.
Ferguson is said to have fallen prey to a type of identity theft known as “sim-swapping,” which allows fraudsters to gain control of a phone number by tricking the telecom provider into linking the number to their own sim card.
This allows them to bypass any SMS 2FA on an account, and in this situation allegedly allowed them to confirm the withdrawal of $96,000 from Ferguson’s Coinbase account.
Ferguson claimed he lost service after his phone was hacked on May 9, and noticed the funds had been taken from his Coinbase account after getting a new sim card and restoring his service as per instructions from his service provider T-Mobile.
T-Mobile was previously sued by a sim-swapping victim in Feb. 2021, following the theft of approximately $450,000 worth of Bitcoin (BTC).
Coinbase denied any responsibility for the hack of Ferguson’s account, telling him in an email that he is “responsible for the security of your e-mail, your passwords, your 2FA codes, and your devices.”
Members of the crypto community were generally doubtful that Ferguson’s lawsuit would be successful, noting that Coinbase encourages the use of authenticator apps for 2FA rather than SMS and describes the latter as the “least secure” form of authentication.
I’m guessing his password was compromised because it was used on other sites, one of which got breached. Also, Coinbase encourages Authenticator app for 2FA by labeling it “secure” and SMS as “moderately secure”.
— Dave Ferguson (@_sc0rn) March 7, 2023
Some Reddit users discussing the lawsuit in a post titled “Never Use SMS 2FA” went as far as suggesting SMS 2FA should be banned, but noted that it was the only authentication option available for many services, as one user said:
“Unfortunately a lot of services I use don’t offer Authenticator 2FA yet. But I definitely think the SMS approach has proven to be unsafe and should be banned.”
Blockchain security firm CertiK warned of the dangers of using SMS 2FA in Sept. 2022, with its security expert Jesse Leclere telling Cointelegraph in an interview that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use.”
Leclere said dedicated authenticator apps like Google Authenticator or Duo offer nearly all the convenience of using SMS 2FA while removing the risk of sim-swapping.
Reddit users shared similar advice but added authenticator apps on phones also make that device a single point of failure and recommended the use of separate hardware authentication devices.