
10/06/2021

After Coinbase Hack, Authentication Expert Says, 'We Should Be Moving To FIDO'

PYMNTS.com

When hackers stole cryptocurrency from the accounts of 6,000 Coinbase customers between March and May of this year, the trading platform said the perpetrator used a familiar method: phishing.

The breach was a classic example of both authentication factors, passwords and SMS confirmations, being compromised, Simon Law, CEO at LoginID, said in a Monday (Oct. 4) interview with PYMNTS CEO Karen Webster.

In this case, a fake website that looked like Coinbase was able to dupe account holders and capture passwords from users who volunteered them, Law said. The perpetrators then found out each person’s name and phone number, called their mobile operator and said they needed to add another chip to their account. “That’s how easy it is to get access to someone’s account,” Law said.

He added that in the past nine months, most crypto exchanges have removed SMS as an option, and regulators are also starting to consider removing SMS as a factor of authentication. “So, yeah, this is a good example,” Law said. “We should be moving to FIDO [for] a better experience and better security.”
