Coinbase Hack: Here’s What We’ve Learned

发布于 Oct 26, 2021 | 部落格

coinbase-hack-banner

Coinbase has long been considered the leading digital exchange in the world, thanks to its early role in the rise of cryptocurrency adoption. This culminated in a much-publicized IPO listing earlier this year when it made its debut on Nasdaq, closing at $328.28 per share. The crypto trading platform’s listing was expected to attract widespread attention from the general public, and didn’t fail to disappoint, culminating in a market spike that captured a Bitcoin all-time-high (ATH) at the time.

Fast forward a few months later and Coinbase is once again turning heads, but this time for all the wrong reasons. The US company reported falling prey to a phishing hack, resulting in a loss of funds for at least 6,000 users. The hack was allegedly executed by way of exploiting the platform’s multi-factor authentication (MFA) process.

How Did the Coinbase Breach Take Place?

The hackers got access to the email addresses, passwords, and phone numbers of the affected Coinbase accounts through phishing methods. While the investigation showed no evidence that the information was harvested from the company’s database, it still exposed the inconvenient truth that regardless of size and popularity, centralized exchanges remain vulnerable to sophisticated hacking techniques.

According to Coinbase:

“In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”

The total amount stolen from the platform was not revealed, but the hit on consumer trust in exchanges are massive costs that the whole industry might have to endure in the long run, not to mention the expenses that Coinbase incurred in order to rectify the situation.

Exchange hacks are not a novel occurence in the cryptocurrency space, with a litany of infamous hacks (Mt.Gox/Coincheck/Cryptopia/Binance etc) eroding trust in centralized exchanges (CEX) over the years. Even as soft target DeFi rose to prominence, 2020 was a bumper year for hackers. CEXs have always been bounty targets to hackers who have the right resources and ingenuity to exploit security vulnerabilities of market platforms online.

This article investigates the incident and whether any measures, like AuthSec, could have prevented this MFA mishap. 

What Can We Learn From the Coinbase Hack?

After being widely lambasted for their poor customer service response, Coinbase took the hit and refunded its users with an amount equal to what was stolen from them. This was a fortunate outcome since most hack victims are not as lucky. Smaller exchanges don’t all have the capability to bear the costs of theft for users.

Security should be a top priority above everything else, especially for crypto market platforms, because the moment your users’ funds are stolen, they are out of your reach forever. Blockchain transactions are immutable, which means that no single entity has the power to reverse them. A hack could force you to either take drastic measures to refund users or worse, go bankrupt. 

Therefore, it is highly advisable to implement extra measures in ensuring that your platforms are safe, even in the event that malicious actors somehow gain access to your personal information. Let’s talk about the crucial steps you could take to protect you and your clients’ digital assets. 

Does AuthSec Deliver The More Secure Authentication Solution?

There are companies that offer security applications which are worth a try, but the best ones are those that provide multiple authentication methods simultaneously, like digital and physical authentication.

An example of this technological feature can be seen with products that require key pairs (like PIN codes), the physical ownership of mobile devices, and biometric identifiers (like fingerprints or facial recognition), all at the same time. In such applications, the private key to access a user’s funds can remain secure despite an attacker gaining access to the PIN code, since there are multiple layers of authentication.

This method is more secure because it requires hackers to gain access to the physical device and secure user identifiers first in order to be successful in stealing a wallet owner’s holdings. One example of such an application that offers this technology is CYBAVO’s AuthSec.

AuthSec is a comprehensive security management tool that individual users and institutions can use. It provides different security features that work together to ensure multiple layers of security.

Password-Less System and Stronger Authentication Layers

The Coinbase mishap clearly indicates that passwords and two-factor authentications are not secure enough. CYBAVO’s technology eliminates the need for password authentication and replaces it with password-less systems, which can be bound to fingerprints, facial recognition, or PIN codes, which are harder to access for hackers.

In addition to multi-factor authentication, AuthSec’s system also offers customizable authentication strength levels that can be adjusted according to different factors. Risk warnings are also presented as easily understandable data to users. 

Despite being a password-less system, CYBAVO provides multiple layers of security that enables the application to detect attackers even before they break into a system. The authentication system constantly monitors and evaluates the mobile and environmental information to determine if an authentication request is safe, or if it stems from suspicious circumstances. 

AuthSec as a Security Management Solution for Institutions

AuthSec is built to protect high-profile organizations and institutions like Coinbase, which makes it the ideal authentication solution for entities that store and manage massive crypto holdings.

CYBAVO allows you to access decentralized server management solutions that don’t rely on third-party applications, which could become attack vectors. It implements a public key cryptography (PKC) signature verification system that prevents unauthorized individuals from performing incoming and outgoing transactions. The firm also offers a proprietary and high-grade encryption tool that can secure messages, transactions, and every form of communication within a network. 

While its features may seem difficult to understand on paper, AuthSec is actually designed for easy deployment in order to help institutions conveniently set up security systems without the need for an expert on authentication systems and security infrastructures.

Its UI provides a clear and easy way to set up advanced features like rule-based control, automated user behavior monitoring, suspicious behavior warning systems, and a customizable user-friendly 2FA interface.

The risk rule, for example, allows the management and authentication of certain user interactions within a platform based on the level of risk they pose. In fact, one can filter and control their users’ actions based on defined metrics.

Other authenticators in the market include Hanko and TrustFactor.

Alternative Security Measures

Cold Wallets 

Large crypto exchanges like Coinbase spend an enormous amount of money in order to keep their platforms secure and free from cybercriminals. However, no online exchange is absolutely safe from a well-orchestrated security breach.

This is where cold storage like hardware wallets shine, as they allow you to store cryptocurrencies you bought from exchanges in a physical offline device. While popular physical wallets like Ledger and Trezor may incur extra costs, they are definitely worth their added protection. Note, however, that this method requires you to be responsible for safeguarding your own investment and private key or seed phrase. Even the market leader Ledger is also no stranger to phishing attacks, as their devastating 2020 database hacks and resulting phishing campaigns showed.

Insured Digital Wallets or Vaults

Not everyone is comfortable with taking charge of their own hardware wallets, especially if you have a corporate account or hold massive funds where the risk is considerably higher.

In such cases, insured digital wallets are better options since they provide coverage in the event of loss and have cutting-edge security mechanisms like multi-party computation (MPC) that could put your mind at ease when storing substantial digital assets without any hassle from you. If this method suits you better, consider using a proven solution like CYBAVO VAULT.

How to Protect Yourself Against Phishing

Spending time and money on onboarding the best digital and physical security can drastically reduce the odds of theft and loss of funds for your institution. However, these technologies shouldn’t replace traditional cybersecurity best practices, including basic measures you can take to secure yourself online. 

Learn to spot scams and phishing attempts when you see them. Double-check the websites you visit to make sure that they’re secure and legitimate. Moreover, you should avoid clicking on email links and attachments from unverified sources. 

Never share your PIN codes, passwords, one-time passwords (OTP), or anything personal with anyone online. Remember, most digital exchanges (and banks) make it crystal clear that they would never ask for your personal information.

Lastly, you should consider investing in the right security mechanism because when it comes to security, the extra cost is usually worth it. If you’re managing a large investment portfolio of crypto assets, wallet security on a shoestring simply won’t cut it in 2021.

If the Coinbase hack can teach us anything, it’s that you can lose your funds in an exchange despite taking all the precautions, hence, an investment in extra security is crucial for large cryptocurrency holders.

How CYBAVO provides peace of mind for institutional assets

Cybersecurity specialists CYBAVO, one of the founding members of the MPC Alliance, continuously upgrades and diversifies its digital asset storage and wallet solutions by implementing best-in-class security features. 

CYBAVO has created Authsec, an Authentication & Authorization App, for customers to securely access their VAULT system. CYBAVO VAULT is a secure storage and wallet management system designed for businesses to perform streamlined blockchain transactions. 

CYBAVO also enlists Sepior, a world-leading threshold security provider who supports CYBAVO with its Threshold Signature Technology (ThresholdSig), preventing your private key from existing entirely on any single device. 

CYBAVO, with its world-class team of cybersecurity veterans, provides an industry-leading solution that offers security features to ensure security throughout all the stages of a transaction. Their S&P AA-rated international insurance adds additional reassurance for institutional investors, and their ISO 27001 and NIST Certification further attest to their commitment to providing the most secure solution. Learn more about CYBAVO’s insurance here and important insurance criteria to consider when choosing a service provider.