Debate over 2FA using SMS after sim-swapping victim sues Coinbase

2 years ago

While members of the crypto community are doubtful the suit against Coinbase will be successful, it has sparked a conversation about the issues with SMS 2FA.


The crypto community is debating whether SMS two-factor authentication (2FA) should ever be used for account security following news that a Coinbase customer is suing the cryptocurrency exchange for $96,000.

On Mar. 6 Jared Ferguson filed a lawsuit against Coinbase in the United States District Court for the Northern District of California, claiming he lost “90% of his life savings” after funds were withdrawn from his account by identity thieves and Coinbase had refused to reimburse him.

Ferguson is said to have fallen prey to a type of identity theft known as “sim-swapping,” which allows fraudsters to gain control of a phone number by tricking the telecom provider into linking the number to their own SIM card.

This allows them to bypass any SMS 2FA on an account, and in this situation allegedly allowed them to confirm the withdrawal of $96,000 from Ferguson's Coinbase account.

Ferguson claimed he lost service after his phone was hacked on May 9, and noticed the funds had been taken from his Coinbase account after getting a new SIM card and restoring his service as per instructions from his service provider T-Mobile.

T-Mobile was previously sued by a sim-swapping victim in Feb. 2021, following the theft of about $450,000 worth of Bitcoin (BTC).

Coinbase denied any responsibility for the hack of Ferguson’s account, telling him in an email that he is “responsible for the security of your e-mail, your passwords, your 2FA codes, and your devices.”

Members of the crypto community were mostly doubtful that Ferguson’s suit would be successful, noting that Coinbase encourages the use of authenticator apps for 2FA rather than SMS and describes the latter as the “least secure” form of authentication.

I'm guessing his password was compromised due to the fact that it was utilized on different sites, 1 of which got breached. Also, Coinbase encourages Authenticator app for 2FA by labeling it "secure" and SMS as "moderately secure".

— Dave Ferguson (@_sc0rn) March 7, 2023

Some Reddit users discussing the suit in a post titled “Never Use SMS 2FA” went as far as suggesting SMS 2FA should be banned, but noted that it was the only authentication option available for many services, as one user said:

“Unfortunately a lot of services I use don’t offer Authenticator 2FA yet. But I definitely think the SMS approach has proven to be unsafe and should be banned.”

Blockchain security firm CertiK warned of the dangers of using SMS 2FA in Sept. 2022, with its security expert Jesse Leclere telling Cointelegraph in an interview that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use.”

Leclere said dedicated authenticator apps like Google Authenticator or Duo offer almost all the convenience of using SMS 2FA while removing the risk of sim-swapping.

Reddit users shared similar advice but added that authenticator apps on phones also make that device a single point of failure, and recommended the use of separate hardware authentication devices.
