Prominent cryptocurrency exchange Coinbase revealed that a malicious entity managed to bypass the firm’s SMS multi-factor authentication mechanism and siphon funds from 6,000 users.
According to reports from Bleeping Computer, the massive security breach of Coinbase customers’ accounts took place between March and May 20, this year. The incident involved phishing scams as well as the exploitation of a major vulnerability in the company’s security measures. In a notification sent to the users, Coinbase asserted that the hackers needed the user’s email address, password, and the phone number associated with their Coinbase account, as well as access to the victim’s email account, to carry out the attack.
The crypto exchange did not disclose how the hackers obtained this information, but speculated that they may have stolen account credentials through the phishing campaigns that are rampant in the industry.
Did TrickBot banking trojan compromise Coinbase user details?
While there is no official confirmation of this, it is important to understand that the TrickBot banking trojan has previously been reported to have added support for stealing funds stored in Coinbase.com accounts.
The TrickBot banking trojan is a malware strain that was first identified in 2016. Several experts had previously speculated that it was created by some of the developers who worked on the Dyre banking trojan, another malware strain that harvested information by targeting online banking sites. The operators of the Dyre banking trojan were arrested in late 2015.
Coinbase’s MFA failed to come to the rescue
Cryptocurrency exchanges such as Coinbase leverage top-notch measures when it comes to security. One such measure is multi-factor authentication (MFA), an added security layer on top of the username and password. A Coinbase user is required to provide a unique verification code sent to their mobile phone alongside their username and password.
Hence, if a user has this provision enabled, MFA would prevent malicious actors from accessing the account even if they have the exchange user’s credentials and access to their email account. In this case, however, MFA failed: a vulnerability in Coinbase’s SMS account recovery process enabled the hackers to obtain the SMS two-factor authentication token that is required to access secured funds. Coinbase further disclosed:
“Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account. Once in your account, the third party was able to transfer your funds to crypto wallets unassociated with Coinbase.”
The proponent of financial privacy reiterated the famous adage – “Not your keys, not your crypto.” Even as Coinbase assured that it would reimburse all affected users, significant damage has already been done.
Casa’s Jameson Lopp stated that it is “negligent for any financial service to offer SMS account recovery.”
Coinbase two weeks ago: let me tell YOU, mr. regulator, what laws we should follow
Coinbase last week: here's a new tool to deposit your paycheck directly into our casino
Coinbase this week: oops, got hacked, millions lost
— Jacob Silverman (@SilvermanJacob) October 1, 2021