Debate over 2FA using SMS after sim swap victim sues Coinbase
The crypto community is debating whether SMS two-factor authentication (2FA) should ever be used for account security following news that a Coinbase customer is suing the cryptocurrency exchange for $96,000.
On March 6, Jared Ferguson filed a lawsuit against Coinbase in the US District Court for the Northern District of California, claiming he lost “90% of his savings” after funds were withdrawn from his account by identity thieves and Coinbase refused to reimburse him.
Ferguson is said to have fallen victim to a type of identity theft known as “SIM swapping”, in which fraudsters take control of a victim’s phone number by persuading the telecom provider to reassign that number to a SIM card in their own possession.
Once the number is theirs, every SMS 2FA code sent to it arrives on the attacker’s handset instead of the victim’s, so SMS-based verification is bypassed entirely; in this case, that allegedly allowed the thieves to approve the withdrawal of $96,000 from Ferguson’s Coinbase account.
Ferguson says he lost phone service on May 9 after his number was hijacked; only after obtaining a new SIM card and restoring service as instructed by his carrier, T-Mobile, did he discover that the money had been withdrawn from his Coinbase account.
T-Mobile was previously sued by a sim swap victim in February 2021, following the theft of approximately $450,000 worth of Bitcoin (BTC).
Coinbase denied any responsibility for the hack of Ferguson’s account, telling him in an email that he is “responsible for the security of your email, your passwords, your 2FA codes and your devices.”
Members of the crypto community were generally skeptical that Ferguson’s lawsuit would be successful, noting that Coinbase encourages the use of authentication apps for 2FA instead of SMS and describing the latter as the “least secure” form of authentication.
Some Reddit users discussing the lawsuit in a post titled “Never Use SMS 2FA” went so far as to suggest that SMS 2FA should be banned, but noted that it was the only authentication option available for many services, as one user said:
“Unfortunately, many services I use don’t offer Authenticator 2FA yet. But I definitely think the SMS approach has been shown to be insecure and should be banned.”
Blockchain security firm CertiK warned of the dangers of using SMS 2FA in September 2022, while security expert Jesse Leclere told Cointelegraph in an interview that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use.”
Leclere said dedicated authenticator apps such as Google Authenticator or Duo offer almost all the convenience of SMS 2FA while removing the SIM-swapping risk, because the one-time codes are generated on the device from a secret that is never transmitted over the phone network.
Reddit users shared similar advice, but noted that putting the authenticator app on the same phone also makes that device a single point of failure, and recommended using a separate hardware authentication device instead.