Coinbase made everyone whole, and the attackers stole the credentials (through no fault of Coinbase's) ahead of time, and the attackers had to perform a "SIM swap" type attack on the users. "Breach" may be the required term for the Californian government, but this wouldn't qualify to most people as a traditional breach (i.e., compromise of Coinbase's infrastructure).
> ... the attackers had to perform a "SIM swap" type attack on the users
Minor nitpick: I find your framing problematic as it transfers "burden of security" to the end-users over a process that did not involve them: this was not an attack on the users - it was an attack on the telecoms infrastructure.
I have a similar gripe against "identity theft", which really ought to be "fraud against corporation X, using false identity" - however, that framing is necessary to make consumers accept, by default, the burden of clearing debts they were never party to simply because the defrauded party did not adequately verify the perpetrator's identity.
It was not a simswap/simjack attack; they exploited an oversight in Coinbase's password-reset 2FA to send the challenge code for one user to another user's phone number.
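A toy illustration of the flaw class this comment describes, added here and not Coinbase's code: a recovery flow that delivers the challenge code to a phone number taken from the request, beside a version that only ever sends it to the number bound to the account and ties the code to that user, an expiry and an attempt limit. The accounts, phone numbers and in-memory SMS gateway are constructed for the example.

```python
"""Added illustration (not Coinbase's code) of the recovery-flow flaw class
described in the comment. Accounts, numbers and the SMS gateway are constructed."""
import hmac
import secrets
import time

ACCOUNTS = {"alice": "+15550000001", "mallory": "+15550000002"}  # constructed
SENT_SMS = []    # stand-in for the SMS gateway: (destination, code)
_pending = {}    # user -> (code, expiry, attempts_left)

def _issue(user, phone):
    """Create a 6-digit one-time code for `user` and deliver it to `phone`."""
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[user] = (code, time.time() + 300, 3)   # 5-minute lifetime, 3 guesses
    SENT_SMS.append((phone, code))

def start_recovery_vulnerable(user, phone):
    """Flawed: the destination comes from the request, so the code that
    unlocks `user` can be delivered to a number bound to someone else."""
    _issue(user, phone)

def start_recovery_hardened(user):
    """Fixed: the request carries no phone number; only the account record
    decides where the challenge goes."""
    _issue(user, ACCOUNTS[user])

def verify_recovery(user, submitted):
    """The code is checked against the user it was issued for, expires,
    is single-use and allows a bounded number of guesses."""
    entry = _pending.get(user)
    if entry is None:
        return False
    code, expiry, attempts = entry
    if time.time() > expiry or attempts <= 0:
        _pending.pop(user, None)
        return False
    if hmac.compare_digest(code, submitted):     # constant-time comparison
        _pending.pop(user, None)                 # burn the code on success
        return True
    _pending[user] = (code, expiry, attempts - 1)
    return False

def demo_vulnerable():
    """With the flaw, a code for alice's account delivered to mallory's number
    still completes alice's recovery; returns True to show that."""
    SENT_SMS.clear(); _pending.clear()
    start_recovery_vulnerable("alice", ACCOUNTS["mallory"])
    destination, code = SENT_SMS[-1]
    return destination == ACCOUNTS["mallory"] and verify_recovery("alice", code)

def demo_hardened():
    """With the fix, each code reaches only its own account's number, a code
    issued for mallory does not unlock alice, and a used code cannot be replayed."""
    SENT_SMS.clear(); _pending.clear()
    start_recovery_hardened("alice")
    start_recovery_hardened("mallory")
    code_alice, code_mallory = _pending["alice"][0], _pending["mallory"][0]
    if code_alice == code_mallory:      # one-in-a-million collision: redo
        return demo_hardened()
    return {
        "destinations": sorted(d for d, _ in SENT_SMS),
        "cross_account": verify_recovery("alice", code_mallory),  # False
        "legitimate": verify_recovery("alice", code_alice),       # True
        "replay": verify_recovery("alice", code_alice),           # False
    }
```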
No, I don't think they have. The document says they will, not that they have. I personally know someone who had 2FA and tends to be security knowledgeable and was struck by this on 6/7, which is well past their claimed date, so either they are lying or the hacking continues undetected. He has had no ability to get anyone on the phone who will help with the issue. He lost less than $2,000, but it is ridiculous how crypto currency combines the worst of the wild west with the worst of banking with the worst of crappy customer service.
Even though I stopped using coinbase, I appreciate the company compared to others because:
1) They had a reasonable account recovery process after I lost my phone and therefore google authenticator. Binance's process was needlessly annoying and pointless, kucoin straight up decided this was a good opportunity to just block my account completely and steal my money, even after email verification, as well as me supplying all emails they sent me about account activity.
2) They were more transparent about new identity verification requirements than others, and still allow withdrawals without verification.
>the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process
Your speculation and conjecture dismisses you from any and all future discussions on this matter. You have demonstrated that you are unfit to comment.
>"We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today."
I sympathize with the "Not your keys, not your coins" crowd, but you have to admit that you are far more likely to be compensated in the event of an attack if you are using a large exchange. Not guaranteed, of course, but Coinbase has an image to maintain.
I also believe, personally, that a large exchange has much better security than anything I could muster with a hot wallet. Yes, I know I can airgap a cold wallet but I like the ability to quickly sell some amount of crypto at market rates without having to transfer from a paper wallet. I also worry about physical security since my home has been burglarized before. Therefore, I keep my coins on exchanges and follow good practices with 2FA across my accounts (no SMS for any) and have withdrawal delays / whitelisting active.
I think this reflects very favorably on Coinbase. They're making everyone whole, and gosh - the attackers had the users' usernames, passwords and phone numbers. Hard not to be sympathetic to Coinbase in that scenario. How are they supposed to know those aren't the real users? Consider that if they are going to identify those cases as fraudulent actors, then they could easily lock out legitimate users as well.
I'll guess the users had the same usernames and passwords that they've used for a hundred other sites, and one of those got breached at some point. Don't do that!
> Coinbase
> Coinbase <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
> Verify your email address
> In order to continue using your Coinbase account, you need to reconfirm
> your email address. To avoid service interruptions verify your email.
> Verify Email Address
> <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
> If you did not sign up for this account you can ignore this email and the
> account will be deleted.
> Get the latest Coinbase App for your phone
> Coinbase iOS mobile bitcoin wallet
> <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
> Coinbase Android mobile bitcoin wallet
> <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Traceroute shows that site hosted by Hurricane Electric.
Anyone who lost money in this should sue Namecheap and Hurricane Electric. They will be stumbling all over themselves to tell your lawyers who their customer was, to avoid liability.
I must be missing something, but can someone explain what's the point of a hardware wallet? Why not just use a password manager?
Hardware wallets seem to have so many downsides, as far as I can understand.
You can keep multiple copies of your password manager's database (something like a kbdx file), but you won't have multiple copies of the hardware wallet. Therefore a single point of failure. If the wallet is stolen, damaged in a house fire, crushed by some accident etc. you're done. Also, can't the firmware of the hardware wallet possibly have some unknown bugs that might cause some failure in the future? Is the hardware failure-proof? No possibility of manufacturing defect etc.?
Secondly, you have to buy a hardware wallet and whatever the cost, it's not free. Whereas an open source password manager like keepass is completely free (as in freedom as well as beer).
Why would you put thousands of dollars in a wallet you need a physical device to access? Just put your private key in your password manager, problem solved
One thing that cryptocurrencies achieved is that they introduced private key authentication at scale. For a moment, there was hope that we could move to a private key authentication mechanism. But, unfortunately, it was quickly rolled back by the introduction of custodial wallets and we got pulled back into the world of passwords.
I wonder how "We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident" is to be read.
To me, that reads as "if you had 1 BTC stolen on May 20, we will deposit 40k USD into your account, because that was the value of 1 BTC as of May 20", not "if you had 1 BTC stolen, there is now 1 BTC back in your account".
The timeframe listed in the letter covers exactly the time of a massive price spike, so a USD payout would put most people in a better situation than a BTC payout in this specific case, but I'm still curious how this is handled, and whether there is a universally agreed standard for it.
Because next time "we'll reimburse you the USD value of your crypto as of the date of the attack 6 months ago" could mean that someone "made whole" like this has only 10% of what they would have if the attack didn't happen.
I also find that to be a weird stance. People can hold USD or a stablecoin on their Coinbase account if they wish. For people who choose to hold assets other than USD, it seems more logical to replace those assets. Coinbase already trades all of them. Or, since this was a Coinbase flaw, allow the user to choose whether they want the original assets restored or the dollar value at the time of theft (since in theory they could have sold). This way Coinbase feels more pain, but customers should be happy because they come out no worse and possibly better off.
High security services should send a pair of U2F keys to each and every customer when they sign up (or hit a retention/value threshold), with instructions on how to store them (that is, different buildings). Then they can use normal app-based 2FA day to day (NOT TOTP as that is phishable), and use the preenrolled U2F hardware tokens as recovery methods when the user inevitably loses their phone and needs to re-enroll their primary 2FA device (the service app on their new phone).
Falling back to SMS to reset 2FA, or Skype calls where you hold up your ID with a CSR or whatever is just asking for shit like this. In bulk the hardware is probably <$5/token, so well under $10/user (probably closer to $5/user even for a pair of tokens). If your CLTV for your high security financial service can’t afford that, go do something else.
This is a solved problem; the fact that financial institutions have not got on board with 10+ year old stable, cheap, widely available technology is a market failure caused by massive overregulation.
Nothing about this is hard, nothing about this is expensive, there’s just a pervasive attitude in financial technology circles of “this is the way we’ve always done it” or “this is the way everyone else does it”, even if those ways encapsulate a ton of waste and risk.
Even without the whole “n+1 tokens, used only as primary 2fa recovery” scheme, I don’t think there’s a single US retail bank that supports U2F even for normal 2FA login. It’s shameful.
This industry is so ridiculously ripe for disruption but it’s so heavily overregulated that nobody that doesn’t suck is allowed to enter the market. Simple was the first to try (and even they had to use a partner bank) and they got erased via acquisition (and I think subsequently shut down).
At this point I think the thing holding back U2F is just user experience. It is not "hard" but it is a pain in the ass and most people just find it annoying.
The other issue is that you ultimately need some sort of fallback mechanism if someone loses their keys. And it will happen. So you still end up with a process that can be socially engineered, which is generally the weak link in any authentication system.
From what I understand, the SMS verification was bypassed but not the password validation.
I am probably not understanding this correctly, but if the attacker had to have knowledge of your password then why did they reimburse affected users? They could've called it a day and claimed it was the user's fault.
The irony in that breach document is that the first credit monitoring agency mentioned at the bottom is Equifax, which has the reputation for one of the worst data breaches in 2017, spanning nearly 150 million American citizens.
If you got hacked and don't get your funds deposited, good luck getting in touch with anyone. I have sent multiple requests about another issue, was told I should expect a response shortly, and that was months ago.
It's the easiest to use because of the prevalence of phone numbers and transferability between phones. These properties that give it the best user experience also make it the worst form of 2FA. TOTP and hardware keys are more secure but they are easier to lock yourself out of the account.
I'm done with anything crypto. Daily. Bug after bug, breach after breach. I just don't see how, at any point in the future, crypto gets any more secure than, say, Microsoft Windows. There'll always be a bug, there'll always be a fix needed. And this isn't, "oh, my software crashed for an afternoon", it's potentially a good chunk of your life savings.
I'll take my chances with the banks and Nigerian Princes.
Banks are basically all software too now. They can have the exact same issues. They're not just taking your bills and storing them in a physical vault for you to take out later.
I mean you’re aware USAA got an increasingly damning and public reprimand for their failure of IT security controls? By no means the only bank in that bucket either.
Check out rekt.news to follow attacks in the crypto world.
It won't stop; not just crypto but almost everything that involves software will have potential attacks. Crypto is just another area where attacks happen. IMO, the more attacks there are, the more robust the crypto industry will become over time.
vngzs | 4 years ago
Edit: California, not Canada. My bad.
detaro | 4 years ago
Source? I kind of doubt that's something Coinbase would call a flaw in their system.
biushdfjsdf | 4 years ago
3) Best UI in the game.
hartator | 4 years ago
How is this not? 2FA is not 2FA if you can recover your account with just a text. It does seem a bad engineering decision on their side.
mmaunder | 4 years ago
6000 customers affected. If it wasn't a YC company you'd never say that.
Animats | 4 years ago
> whois plesk.page
I don't even have a Coinbase account.
rglover | 4 years ago
Hardware:
https://trezor.io/ https://www.ledger.com/
traeregan | 4 years ago
In hindsight, I should've known better than to use PII in my account.
It scared me into exiting the space entirely.
sneak | 4 years ago
*manage: generate, transmit/sync, authenticate, back up
Discussion: https://youtu.be/9k4GP3Evh9c
I actually operate a business that exists solely as a result of this fact.
If you give a user a key, they will lose it. If they’re a customer, you need to have a back up plan for what happens when they lose their keys.
rhacker | 4 years ago
Although it sounds like these are email accounts that have been hacked in other ways too.
tgsovlerkhgsel | 4 years ago
Archived version: http://web.archive.org/web/20211001155216/https://oag.ca.gov... (consider https://archive.org/donate to support the cost of operating the archive).
matchagaucho | 4 years ago
There was a spate of Coinbase SMS phishing texts in July 2021. So the window could be much longer, and the campaign ongoing.
thepasswordis | 4 years ago
Use yubikeys. Use coinbase vaults.