95% of Coinbase Users Rely on SMS-Based 2FA, Account Takeover Stats Reveal - PCMag


Cryptocurrency exchange Coinbase has revealed the account takeover rates for user accounts in an effort to encourage customers to upgrade their security settings.

The stats say about 95% of Coinbase’s customers are enrolled in SMS-based two-factor authentication—the weakest 2FA method available. These same users made up 95.65% of all account takeovers Coinbase had experienced as of November 2022.

Coinbase stats

ATO stands for account takeovers. (Credit: Coinbase)

Meanwhile, users who protected their accounts with stronger two-factor authentication modes, such as authenticator apps and security keys, made up less than 5% of the account takeovers.

Coinbase requires all users to protect their accounts with two-factor authentication. This forces anyone logging in to provide both the correct password and a one-time passcode generated on their phone, thereby making it much harder to break in.

The only problem? Not all two-factor authentication setups are equal. By default, Coinbase secures user accounts with an SMS-based 2FA system, which can still be vulnerable to hacking. This is because the one-time passcode is sent to the user’s phone through their cellular provider. (An authenticator app, on the other hand, cuts out the cellular provider and generates the one-time passcode directly on the device.)

SIM cards to a cellphone

(Credit: Getty Images/bin kontan)

Over the years, hackers have shown they can intercept SMS-based two-factor authentication codes by tricking cellular providers into cloning a victim’s mobile phone number to a new SIM card, which they can then place in their own phone. These so-called SIM-swapping attacks can involve the hacker resorting to identity theft or bribing cellular employees for such access.

The results can be devastating for victims. SIM-swapping attacks have helped cybercriminals steal cryptocurrency and even infiltrate major tech companies, including Reddit and Twitter.

In 2021, Coinbase itself disclosed that hackers stole cryptocurrency from at least 6,000 users, likely through a combination of phishing emails and SIM swapping. The heists have caused a growing number of consumers to file class-action lawsuits against the cryptocurrency industry and cellular providers for failing to protect their accounts from SIM-swapping attacks.

hacker stealing cryptocurrency from a phone.

(Credit: Getty Images/wenjin chen)

As Coinbase noted in its disclosure: “While text based two-factor authentication is significantly better than a simple username/password combination it isn’t perfect.”

As a result, the company is urging users to switch to stronger two-factor authentication methods, which also include using the Coinbase app to directly send a push notification to the user’s smartphone to unlock access.


Interestingly, though, the Coinbase stats reveal the stronger 2FA authentication modes haven’t been impervious to account takeover attempts. Accounts secured with authenticator apps made up 4.13% of the account takeovers. Meanwhile, accounts protected with security keys comprised 0.04% of the takeovers. This suggests the hackers planted malware on the victim’s smartphone or physically stole access to the user’s devices or security key to break in.

Although 95% of Coinbase’s customers rely on the vulnerable SMS-based 2FA mode, the company said those with high balances tend to adopt the strongest forms of two-factor authentication.

“Just over 5% of our user base has chosen push, time-based one-time passwords, and physical security keys—but those users represent over 57% of the assets we have under custody,” it said.

Coinbase didn’t immediately respond to a request for comment, making it unclear if the company plans on ever retiring SMS-based 2FA. But in the meantime, users can upgrade their two-factor authentication method by going into account settings.
