On October 1st, Coinbase revealed that 6,000 of their users lost crypto assets after falling for a phishing scheme. The phishing campaign successfully bypassed the SMS-based authentication the company employs to verify user accounts.
News of the phishing attack was first reported in August, but the scope of it only became clear after a letter Coinbase sent to affected customers began to circulate recently. According to Coinbase, all users impacted by the attack will be reimbursed.
This phishing attack is the latest in a long line of hacks, phishing attacks, and other cybersecurity breaches that have targeted users of digital asset exchanges – as of July 2021, cryptocurrency crimes this year have amounted to over $681 million, and this number is actually fairly small compared to recent years.
So, what can we learn from this latest crypto crime?
Attackers exploited a flaw in SMS-based 2FA to compromise Coinbase accounts
The Coinbase attackers used phishing to steal users’ assets. Phishing is a social engineering attack in which a criminal sends a fraudulent message to a victim to trick them into revealing sensitive information (credentials, one-time codes, financial details) or into running malicious software on their system.
In this particular case, Coinbase says the attackers successfully phished victims’ email credentials, and then used those compromised email accounts to take over related Coinbase accounts and drain users’ cryptocurrency.
Coinbase offers several options for adding security to consumers’ accounts, including a feature called two-factor authentication or 2FA (a method in which a user is granted access to an application only after successfully presenting two or more pieces of evidence to an authentication mechanism).
“The third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to [users’] accounts,” Coinbase explains in their letter to customers.
SMS-based 2FA is convenient, but it is the weakest second factor on offer: codes travel over the carrier network and can be intercepted or redirected (SIM swapping, SS7 routing attacks, malware on the phone), and, as in this case, an SMS-driven account recovery flow can be abused so that the code is issued to the attacker rather than stolen from the victim. Note that here the attackers did not need to intercept anything: control of the phished email account plus the recovery flaw was enough.
An important reminder of the dangers of phishing
For asset managers and financial institutions, this should serve as a reminder to always be aware of the possibility of a phishing attack. Any time there is a communication regarding your finances or customer funds, it’s important to be skeptical, and ask yourself if you may be responding to a malicious actor.
Other standard security measures that are useful in preventing phishing include:
- Don’t enter credentials or financial details on a site that is not served over HTTPS (closed padlock next to the URL). Treat the padlock as a minimum, not as proof of legitimacy: phishing sites obtain valid certificates too, so what matters is whether the domain itself is the one you expect.
- Never follow a link to a financial service from an email, even one that looks routine. Type the address yourself, or better yet bookmark the trusted URLs for your online financial tools and only ever use those.
- Look for inconsistencies in the actual sender address, not just the display name shown alongside it. A correct-looking name can sit on an unrelated domain, and a link’s visible text can differ from the host it really points to.
- Know what a phishing scam looks like in general: manufactured urgency, threats of account suspension, and requests to “verify” credentials or one-time codes.
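The checks in the list above can be mechanised. The following is an added example, not code from the original article or from Fireblocks or Coinbase: it runs three of those checks over a few hand-constructed messages (the sender addresses, link hosts and the "trusted domains" list are made up for illustration; `coinbase-verify.net` and `account-verify.net` are fictional). It compares the display name with the real address domain, compares each link's visible text with the host it actually points to, and reports an untrusted host even when the link is HTTPS.

```python
"""Phishing-indicator checks over constructed sample messages (added example)."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical bookmarked domains for this reader's financial tools.
TRUSTED_DOMAINS = {"coinbase.com", "example-bank.com"}


def _registrable(host: str) -> str:
    """Crude eTLD+1: last two labels (sufficient for the constructed samples)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_in_text(text: str):
    """Return the hostname if the link's visible text looks like a URL, else None."""
    token = text.strip()
    if " " in token or "." not in token:
        return None
    if "://" not in token:
        token = "https://" + token
    return urlparse(token).hostname


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header: str) -> list:
    """Flag a display name that claims a trusted brand while the address domain differs."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and _registrable(domain) != trusted:
            findings.append(f"display name mentions {brand} but address is @{domain}")
    return findings


def check_links(html_body: str) -> list:
    """Flag links that are not HTTPS, point at an untrusted host, or hide their real host."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = _registrable(url.hostname or "")
        if url.scheme != "https":
            findings.append(f"{href}: not https")
        if host not in TRUSTED_DOMAINS:
            # HTTPS alone proves nothing: a phishing host can hold a valid certificate.
            findings.append(f"{href}: host {host} is not a bookmarked financial domain")
        shown = _host_in_text(text)
        if shown and _registrable(shown) != host:
            findings.append(f"{href}: link text shows {shown} but points to {host}")
    return findings


def analyze(from_header: str, html_body: str) -> list:
    """All findings for one message; an empty list means no indicator fired."""
    return check_sender(from_header) + check_links(html_body)


# Constructed sample messages (not real mail).
PHISH_FROM = '"Coinbase Support" <security@coinbase-verify.net>'
PHISH_BODY = ('<p>Unusual sign-in detected. <a href="https://coinbase.com.account-verify.net/login">'
              'https://www.coinbase.com/login</a> to review.</p>')
LEGIT_FROM = '"Coinbase" <no-reply@coinbase.com>'
LEGIT_BODY = '<p>See <a href="https://www.coinbase.com/settings">your settings</a>.</p>'

if __name__ == "__main__":
    for label, hdr, body in (("phish", PHISH_FROM, PHISH_BODY), ("legit", LEGIT_FROM, LEGIT_BODY)):
        print(label, analyze(hdr, body))
```

The phishing sample trips three indicators (brand name on a foreign domain, an HTTPS link to a host that is not bookmarked, and visible text showing `www.coinbase.com` while the href points elsewhere); the legitimate sample trips none. The registrable-domain helper is deliberately crude; a production filter would use the public suffix list.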
For two-factor authentication, avoid SMS wherever the service lets you: codes sent over the carrier network can be intercepted or rerouted to attacker-controlled devices (SIM swapping being the common route), and SMS-based recovery flows add an attack surface of their own.
Authenticator applications (such as Google Authenticator) are more robust because the one-time code is derived on your device from a shared secret and never crosses a phone network. They are not phishing-proof, though: a user can still be tricked into typing a code into a fake login page. Hardware security keys (FIDO2/U2F) are the strongest option, since the key only answers for the genuine site’s origin and there is no code to hand over. We recommend avoiding SMS-based 2FA with any financial service to reduce your exposure to similar attacks.
Lessons for institutional investors
Beyond standard anti-phishing takeaways, there are also further lessons institutional investors can learn from this event.
Though some institutions may currently be holding crypto on exchanges – like Coinbase – this is not a particularly secure option. In general, retail exchanges are designed for retail investors.
Their number-one priority is to make it easy for anyone to acquire and use cryptocurrency.
The way exchange wallets are set up can be acceptable for keeping smaller values, but when moving large amounts of funds – including your customers’ funds – exchange wallets introduce too much operational risk.
If you’re leaving large sums of assets on an exchange, you may also be singled out in a targeted spear-phishing campaign, rather than caught up in a broad campaign against an exchange’s user base as in this incident.
As an institutional market participant, you should employ institutional-grade custody and settlement processes. Putting your funds or customer assets into exchange sub-custody simply adds another layer of risk.
On the other hand, if you have direct custody of your assets, you have greater control over your assets and how you secure them.
You set the security policies and you choose what tools you want to use to protect your assets – rather than relying on anyone else’s cybersecurity decisions.
MPC (multi-party computation) is a method of protecting private keys in which the key is split into shares held on separate machines or by separate parties, and a transaction is signed jointly without the full key ever being assembled in one place. Compromising a single device, or a single insider, is therefore not enough to move funds. Today it is widely regarded as a best practice for financial institutions holding digital assets.
Our recommendation for FIs is to remain in control of your digital and crypto assets using MPC, alongside tools like workflow authorizations.
This enables key stakeholders to approve withdrawals and deposits, helping secure against the possibility of theft like the Coinbase phishing attack.
Fireblocks is helping financial institutions across the globe implement direct custody solutions within their organization. Through utilizing MPC and other tools, organizations can make security the number one priority while ensuring speed and efficiency across the board. Interested in learning more about our philosophy on digital asset security? Read our latest security whitepaper for everything you need to know about securing crypto in 2021.