Another day, another security breach at a major cryptocurrency exchange. Today Coinbase disclosed that a previously unknown two-factor authentication (2FA) bug allowed attackers to abuse the account recovery process and gain full access to a customer’s cryptocurrency account.
BleepingComputer has a good writeup of the event and of what has transpired over the past few days in relation to this disclosure by Coinbase. While the company has said it will credit affected customers for the amounts lost to unauthorized access, it wasn’t just cryptocurrency the attackers had access to. They could also read all of the customer’s personal information, including home address, contact details, date of birth and so on, all of which can easily be used to mount further targeted attacks against the person’s other assets, such as bank accounts.
This attack underscores the weakness of platforms that rely on two-factor authentication methods other than a physical security key (such as a YubiKey) or an authenticator application (such as Authy or Google Authenticator). Two-factor codes delivered by email or SMS are exposed to application bugs like the one in Coinbase’s account recovery flow, to interception of the delivery channel (man-in-the-middle attacks), and to attackers who have already taken over the recipient’s email account. All too often an attacker gains access to a target’s email account before going after other accounts and assets, which means any two-factor code sent to that address is read by the attacker and offers little protection. One caveat worth knowing: codes from an authenticator app are never sent over a separate channel, but they can still be relayed by a real-time phishing page within the code’s validity window; a FIDO2/U2F security key, which binds its response to the site’s origin, resists that as well.
Take the time to secure your accounts the right way and use a strong form of two-factor authentication. The extra step at login is well worth the effort if it means your bank account isn’t cleaned out the next time you log in.