I read a story by Quin Chen on CNBC today “This is how you can protect your cryptocurrencies from hackers”. I’m writing this post in response to that, in the hope that I can help better educate people about what’s really happening in regards to SIM “hijacking”. And I’m hoping we can open a dialog with crypto wallets and exchanges in the hope they come up with a better solution to this problem. While Coinbase may not have experienced a hack, its customers face losing their money everyday.
Quin referenced a post written by Dan Romero, VP, Ops at Coinbase. In Dan’s post, he refers to the problem as “phone porting”. While phone porting is a problem and it does happen, it’s not the main problem that we’re seeing in the crypto world today. The problem we are seeing is called SIM hijacking — a very different problem — but leads to the same issue of someone losing their money.
SIM porting is a process whereby your phone operator ports your number to a different network. For example, if you’re with T-Mobile and your number is “ported”, it means it’s no longer on the T-Mobile network — it’s now on AT&T or another network. That’s not what’s happening to the vast majority of the people who experienced this type of social engineering, in the crypto world. What’s happening, is bad actors are ordering new SIMs so they can access your mobile phone number while disconnecting your SIM — without porting it to another network. Porting to a new network is less likely to happen.
OK, so that’s minor detail as the net problem is the same? Right? Yes, but it’s important we know what the problem is before we try to tackle it.
I’m hoping Coinbase and other wallets and exchanges will change their security policy in regards to password recovery. Coinbase does provide great detailed instructions on how to turn off SMS based 2FA — but that’s not enough in my opinion. They should (must) disable this feature and invest in their own 2FA app.
I’ d like to ask Coinbase and other wallets and exchanges to build their own 2FA app — designed just for their service. Google Authenticator is not a well designed app for what it’s worth. Lose your phone or get a new one and you end up with a very painful road ahead. I recommend using 1Password for strong password creation — instead of 2FA. But that’s just my opinion. By working with Authy (Twilio), Coinbase can easily white label their own app. This would prevent bad actors from stealing crypto from any of their customers through this attack vector.
Also, in Dan’s post he says
we have built several systems designed to help protect customers from phone porting. One system is able to detect phone porting at the phone network level in real-time. Another system is able to detect unusual activity for a customer’s account using a risk model.
I’d love to know what these systems are. As far as I’m aware, it’s technically impossible for Coinbase, or any other company, to protect customers from phone porting at the phone network level. I worked in the mobile industry for years and I’ve never witnessed any company being able to see what’s happening inside a network operator in regards to SIM porting. I’d love to learn more about what it is they are claiming — in case I’m wrong.
Dan also asserted
Over 75% of Coinbase customers with large digital currency balances are now using Google Authenticator-type two-factor authentication.
On September 22nd I left a comment for Dan, asking him “what percentage of all customers does this represent?” He has yet to respond.
For all we know, the number of customers with large amounts of currency might represent less than half of all customers — in which case, very few people are being protected by a 2FA app. I think more transparency is needed here as people’s livelihoods are at stake.
☞ **Please tap or click “**👏” on the left side of the screen to let Paul and others know that you appreciated this post. The number of claps indicates how much you liked the post and support its content, so put those hands together as many times as you like. 🔒