Coinbase account hacked? Why two-factor authentication methods are not created equal.
Recently, Medium published an article titled "How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com". In this article the author discusses how his Coinbase account was cleaned out using an SMS forwarding or phone porting attack. He goes on to make various recommendations, including using 2FA (two-factor authentication) such as GAuth or Authy instead of SMS:
Make sure you use GAuth or Authy or something else supporting TOTP tokens; consider a FIDO U2F device as well for your gmail account.
Unfortunately, this is partially bad advice.
Why is this bad advice?
The problem with this advice is the Authy recommendation. Authy is still vulnerable to a similar attack vector: the SMS attack can be carried out through SMS forwarding or through phone porting, and Authy is also vulnerable to a phone porting attack.
Phone Porting Attack
In the majority of the SMS attacks, the attackers had control of multiple types of the victim's accounts (mail, mobile phone, and Bitcoin exchange accounts). With this much control, there is a very high possibility that they would be able to port your mobile number. Authy is designed to be easily moved between mobile devices in the event that you switch to a new phone, or your old phone is stolen or lost. While this is convenient, it also makes it easier for an attacker who has ported your number to take over your Authy account.
So what should I do?
The best option is to use Google Authenticator or a U2F token where possible. Any account that is associated with your Bitcoin exchange account should always be using two-factor authentication, and again, avoid SMS and Authy. As an additional measure of security, make sure that on any associated accounts you have removed all recovery phone numbers or they could be subject to the attack vectors described above.
As with anything, there is a trade-off between security and usability. As you increase your security, you decrease your usability. It may be inconvenient for you, but you will make it many times more difficult for an attacker to gain access to your account. If you decide not to maintain control of your own private keys, make sure you do your due diligence on the attack vectors being used, and secure your exchange accounts accordingly.
Bonus: While this article mainly describes how to keep your accounts safe by defending against certain attack vectors, it should be noted that using Coinbase's vault would have mitigated the attack this article is based on. I am not aware of a single case where a Coinbase user has had their account drained while using the vault option.