A US mobile phone user has described his shock at having his entire Coinbase cryptocurrency account drained of money in a SIM port attack. In a candid account of security failings, Sean Coonce, who has a role in engineering leadership at BitGo, outlined what happened:
I lost north of $100,000 last Wednesday. It evaporated over a 24-hour time span in a “SIM port attack” that drained my Coinbase account.
In a SIM port attack, the attacker has your phone number ported to a SIM card in a phone that they control. Coonce found he was having trouble logging into his Google account and contacted his mobile provider, but he didn’t suspect an attack until it was too late:
The attacker then initiates the password reset flow on your email account. A verification code is sent from your email provider to your phone number — which is intercepted by the attacker, as they now control your SIM card.
Once the attacker controls your primary email account, they begin to move laterally across any lucrative online services that you manage via that email address (bank accounts, social media accounts, etc.). If they’re terribly malicious, they can even lock you out of your own accounts with little recourse to reclaim them.
In retrospect, he says, he could have protected himself by moving his cryptocurrency to offline storage and by taking better care of his online footprint and personal information. However, it was the SMS-based 2FA that made the attack possible: once the hacker had taken over his SIM card, the verification codes for his email account went to a different mobile device.
- Move your crypto to a hardware wallet/offline storage/multi-sig wallet whenever you are not transacting. Do not leave funds idle on exchanges or fiat on-ramps. I treated Coinbase like a bank account and you have absolutely zero recourse in the case of an attack.
- Regardless of the assets and/or identities you are trying to protect online, upgrade to hardware-based security (i.e. something physical that an attacker would have to physically obtain in order to perform an attack).
- Reduce the urge to needlessly share personally identifiable information (birthdate, location, pictures with geolocation data embedded in them, etc.) online. All of that quasi-publicly available data can be turned against you in the event of an attack.
- In some cases, an online service will not support hardware-based 2FA (they rely on weaker SMS-based 2FA). In these cases, you might be better off creating a Google Voice phone number (which cannot be SIM ported) and using that as your 2-Factor Auth recovery number.
- Instead of binding everything to a single email address, create a secondary address for your critical online identities (bank accounts, social media accounts, crypto exchanges, etc.). Do not use this email address for anything else and keep it private. Back up that address with some form of hardware-based 2FA.
- Offline Password Manager: Use a password manager for your passwords. Even better, use an offline password manager like Password Store. lrvick has an excellent comparison chart of various password managers as well as a vetted recommendation for the more technically inclined.
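The recovery chain quoted above (SMS code to the ported number opens the primary mailbox, and every service that resets via that mailbox falls next) and why the "secondary address backed by hardware 2FA" advice breaks it, as an added example that is not from Coonce's post or from any vendor; the account names and factor labels are constructed for illustration:

```python
# Model of the SIM-port attack chain: an account falls if ANY one of its recovery
# paths is reachable, and every account that resets via a fallen mailbox falls
# next (lateral movement). Factor labels below are hypothetical, for this example:
#   "sms"       one-time code to the carrier number (SIM-portable)
#   "voip_sms"  code to a number that cannot be SIM-ported (e.g. Google Voice)
#   "hardware"  security key the attacker would have to physically obtain
#   "email:X"   password-reset link delivered to account X
from typing import Dict, List, Set

RecoveryMap = Dict[str, List[str]]


def sim_port_blast_radius(accounts: RecoveryMap) -> Set[str]:
    """Accounts an attacker holding the victim's ported carrier number can take over."""
    fallen: Set[str] = set()
    changed = True
    while changed:  # iterate to a fixed point: each round may open new mailboxes
        changed = False
        for name, factors in accounts.items():
            if name in fallen:
                continue
            # Recovery options are an OR, so the weakest factor decides the account.
            if any(f == "sms" or (f.startswith("email:") and f[6:] in fallen)
                   for f in factors):
                fallen.add(name)
                changed = True
    return fallen


# Constructed "before" layout matching the post: one mailbox guarded only by SMS,
# everything valuable resets through it.
BEFORE: RecoveryMap = {
    "gmail": ["sms"],
    "coinbase": ["email:gmail", "sms"],
    "bank": ["email:gmail"],
    "twitter": ["email:gmail"],
}

# Constructed "after" layout following the advice: hardware 2FA on both mailboxes,
# critical accounts bound to a private secondary address, VoIP number where SMS is
# unavoidable. Twitter is left on legacy SMS to show a remaining gap still surfaces.
AFTER: RecoveryMap = {
    "gmail": ["hardware"],
    "secondary": ["hardware"],
    "coinbase": ["email:secondary", "hardware"],
    "bank": ["email:secondary", "voip_sms"],
    "twitter": ["email:gmail", "sms"],
}

if __name__ == "__main__":
    print("before:", sorted(sim_port_blast_radius(BEFORE)))  # all four accounts
    print("after: ", sorted(sim_port_blast_radius(AFTER)))   # only twitter
```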
It seems the moral of the story is that SMS-based two-factor authentication is not enough to protect mobile users from sophisticated fraudsters.