The cryptocurrency community is debating whether SMS two-factor authentication (2FA) should be used for account security following news that a Coinbase customer is suing the cryptocurrency exchange for $96,000.
On March 6th, Jared Ferguson filed a lawsuit against Coinbase in U.S. District Court for the Northern District of California. He claimed that he lost “90% of his life’s savings” after his account was drained by identity thieves and Coinbase refused to refund him. Ferguson is said to have fallen prey to a form of identity theft known as “SIM swapping.” This allows scammers to take control of a victim’s phone number by tricking the carrier into linking it to a SIM card they control.
This allegedly allowed them to bypass SMS 2FA on the account and confirm a withdrawal of $96,000 from Ferguson’s Coinbase account.
Ferguson claimed that his phone was hacked on May 9 and lost service, and after following instructions from service provider T-Mobile to obtain a new SIM card and restore service, funds were withdrawn from his Coinbase account. T-Mobile has been sued by SIM-swap victims after about $450,000 worth of Bitcoin (BTC) was stolen in February 2021.
Coinbase denied responsibility for the hacking of Ferguson’s account, saying in an email that the customer is “responsible for the security of your email, password, 2FA code, and device.”
Members of the cryptocurrency community are generally skeptical that the Ferguson lawsuit will succeed. Other users shared similar advice but recommended using a separate hardware authenticator.
“Unfortunately, many services I use do not yet offer Authenticator 2FA. However, the SMS approach has proven to be insecure and I am convinced it should be banned.”
Blockchain security firm CertiK warned about the dangers of using SMS 2FA in September 2022, and its security expert Jesse Leclere said in an interview with Cointelegraph: “Dedicated authenticator apps such as Google Authenticator and Duo offer almost all the convenience of using SMS 2FA while eliminating the risk of SIM swaps.”