Cody Brown, the founder of IRL, a VR production studio based in NYC, recently lost $8,000 worth of bitcoin on Coinbase. Based on current circumstances, the theft seems irreversible and Brown's loss will likely not be recovered.
Brown started using Coinbase in 2015 and, like most users, he had a Verizon phone number attached to his Coinbase account. He had been using Coinbase to purchase thousands of dollars worth of bitcoin, Ether and Litecoin for over two years.
However, during the two years he had been using Coinbase, Brown didn’t enable a two-factor authentication (2FA) security measure such as Google Authenticator and failed to implement necessary fraud prevention systems on his Verizon phone. Weak security measures on both Brown’s Coinbase account and his Verizon mobile phone made it significantly easier for hackers and fraudsters to access his account and move bitcoin out of it.
The majority of bitcoin wallets recommend that users implement either a second password or Google Authenticator to approve outgoing transactions. For instance, Xapo requires users to confirm outgoing transactions with a password made up of text and numbers. As a result, even if hackers gain access to a Xapo account, they cannot send transactions from the hacked account to another account without knowing that password. Xapo also requires users to input email and mobile confirmation codes to change the password, so overall it is difficult for hackers to circumvent the Xapo security system.
Blockchain, better known to users as Blockchain.info, has a similar security system in which it requires users to implement both Google Authenticator and a pin code on top of a passphrase. To access the account via the web, users need to input confirmation codes sent to both their email addresses and the Google Authenticator app. To send transactions from a Blockchain account to an external account, users need to input their number-based pin code, as a second layer verification for outgoing transactions.
According to Brown, Coinbase doesn’t set Google Authenticator as a requirement and accepts SMS verification. However, as seen in the case of Brown, without proper mobile phone fraud prevention systems in place, it is incredibly easy to gain access to the mobile phones of Coinbase account users.
In Brown's case, an unknown hacker called Verizon support and provided one of Brown's billing statements to gain access to his phone number. Brown wrote:
“After talking at length with customer service reps, I learned that the hacker did not need to give them my pin number or my social security number and was able to get approval to take over my cell phone number with simple billing information.”
Once the hacker gained access to Brown’s Verizon mobile phone, the hacker successfully broke into Brown's Coinbase account and moved funds out of it. Brown noted that, before moving the funds, the hacker reset the password of his Coinbase account and changed the device attached to the account.
In total, 1.18 bitcoin, 70.96 Litecoin and 16.03 Ether were sent from Brown’s account to an external account.
All of this could have been avoided if Brown would have:
Coinbase and other bitcoin wallet or exchange users must learn from Brown’s mistake and ensure that proper security measures are in place.
Some bitcoin wallet service providers, including popular hardware wallet manufacturers such as Trezor, have even criticized Google Authenticator and other TOTP 2FA apps for being insecure, as they store cryptographic codes online.
Although apps like Google Authenticator are very convenient to use, Trezor recommends U2F for users who are concerned about security.
Last modified: January 25, 2020 12:10 AM UTC