The crypto community is debating whether SMS two-factor authentication (2FA) should be used for account security following news that a Coinbase customer is suing the cryptocurrency exchange for $96,000.
Jared Ferguson filed a lawsuit against Coinbase in the U.S. District Court for the Northern District of California on March 6, claiming he lost "90% of his life savings" after identity thieves withdrew funds from his account, and that Coinbase refused to reimburse him.
Ferguson is said to have fallen victim to a type of identity theft known as "SIM swapping," which allows fraudsters to take control of phone numbers by tricking telecom providers into linking the numbers to their own SIM cards.
This enabled them to bypass any SMS 2FA on the account, allegedly allowing them in this case to confirm the withdrawal of $96,000 from Ferguson’s Coinbase account.
Ferguson claimed his phone was out of service after it was hacked on May 9, and noted that, after he got a new SIM card and followed instructions from service provider T-Mobile to restore service, funds had been withdrawn from his Coinbase account. T-Mobile was sued by a SIM swap victim in February 2021 after about $450,000 worth of bitcoin was stolen.
Coinbase has denied any responsibility for the hack of Ferguson's account, telling him in an email that he is "responsible for the security of your email, passwords, 2FA codes, and devices."
Members of the crypto community are generally skeptical that Ferguson’s lawsuit will succeed, noting that Coinbase encourages the use of authenticator apps for 2FA over SMS, describing the latter as the “least secure” form of authentication.
Some Reddit users discussed the lawsuit in a thread titled "Never use SMS 2FA," with some even suggesting that SMS 2FA should be banned while pointing out that it is the only authentication option available for many services. As one user put it: "Unfortunately, many of the services I use don't yet offer Authenticator 2FA. But I definitely think the SMS method has proven to be insecure and should be banned."
Blockchain security firm CertiK warned of the dangers of using SMS 2FA in September, with its security expert Jesse Leclere telling Cointelegraph, “SMS 2FA is better than nothing, but it’s the most vulnerable form of 2FA in use today.”
Dedicated authenticator apps like Google Authenticator or Duo offer nearly all the convenience of using SMS 2FA while eliminating the risk of SIM swapping, Leclere said.
A Reddit user shared similar advice, but noted that adding an authenticator app to the phone would also make the device a single point of failure, and suggested a separate hardware authentication device.