Cryptocurrency platform Coinbase has revealed the account takeover rates for user accounts in an effort to encourage customers to upgrade their security settings.
The stats say about 95% of Coinbase’s customers are enrolled in SMS-based two-factor authentication—the weakest 2FA method available. These same users made up 95.65% of all account takeovers Coinbase had experienced as of November 2022.
Meanwhile, users who protected their accounts with stronger two-factor authentication modes, such as authenticator apps and security keys, made up less than 5% of the account takeovers.
Coinbase requires all users to protect their accounts with two-factor authentication. This forces anyone logging in to supply both the correct password and a one-time passcode generated on their phone, thereby making it much harder to break in.
The only problem? Not all two-factor authentication setups are equal. By default, Coinbase secures user accounts with an SMS-based 2FA system, which can still be vulnerable to hacking. This is because the one-time passcode is sent to the user’s phone through their cellular provider. (An authenticator app, on the other hand, cuts out the cellular provider and generates the one-time passcode directly on the device.)
Over the years, hackers have shown they can intercept SMS-based two-factor authentication codes by tricking cellular providers into cloning a victim’s mobile phone number to a new SIM card, which they can then place in their own phone. These so-called SIM-swapping attacks can involve the hacker resorting to identity theft or bribing cellular employees for such access.
The results can be devastating for victims. SIM-swapping attacks have helped cybercriminals steal cryptocurrency and even infiltrate major tech companies, including Reddit and Twitter.
In 2021, Coinbase itself disclosed that hackers stole cryptocurrency from at least 6,000 users, likely through a combination of phishing emails and SIM swapping. The heists have caused a growing number of consumers to file class-action lawsuits against the cryptocurrency industry and cellular providers for failing to protect their accounts from SIM-swapping attacks.
As Coinbase noted in its disclosure: “While text based two-factor authentication is significantly better than a simple username/password combination it isn’t perfect."
As a result, the company is urging users to switch to stronger two-factor authentication methods, which also include using the Coinbase app to directly send a push notification to the user’s smartphone to unlock access.
Interestingly, though, the Coinbase stats reveal the stronger 2FA authentication modes haven’t been impervious to account takeover attempts. Accounts secured with authenticator apps made up 4.13% of the account takeovers. Meanwhile, accounts protected with security keys comprised 0.04% of the takeovers. This suggests the hackers planted malware on the victim’s smartphone or physically stole access to the user’s devices or security key to break in.
Although 95% of Coinbase’s customers rely on the vulnerable SMS-based 2FA mode, the company said those with high balances tend to adopt the strongest forms of two-factor authentication.
“Just over 5% of our user base has chosen push, time-based one-time passwords, and physical security keys—but those users represent over 57% of the assets we have under custody,” it said.
Coinbase didn’t immediately respond to a request for comment, making it unclear if the company plans on ever retiring SMS-based 2FA. But in the meantime, users can upgrade their two-factor authentication method by going into account settings.