
Let's Talk About Two-Factor Auth


by COINS NEWS

Hey /r/cryptocurrency!

I made some comments on the posts regarding the individual suing Coinbase yesterday and based on some of the responses I thought a post about Two-Factor Auth (2FA) would be a good idea. There seems to be a good understanding that SMS is not ideal but not necessarily why.

Who am I to give any kind of advice? Well, I work in Cyber Security and have some experience working for a Cryptocurrency exchange. During my time there I did a lot of Penetration Testing of the 2FA system we used, especially on additional forms of 2FA we pushed out. I no longer work in the industry as I did not want my ability to make my mortgage payment to be tied to bear/bull runs, but I'm still here DCAing with the rest of you and I'd love it if everyone here who chooses to keep their funds on an exchange did so as safely as possible, though I will parrot the most common advice on this sub and highly recommend you do not, as your wallet is safer than your exchange account in regards to account takeover.

Let's first talk about the prerequisite to any 2FA failing you. Regardless of what form of 2FA you use, an attacker accessing your funds on an exchange needs to know your username and password. Without this information, being able to bypass 2FA does them no good. This is why every single security professional would recommend that you have a unique password for each financial application you use and for the email account you tie to these applications. This way, if your password for another application is compromised and then sold on the black market without your knowledge (companies should disclose a breach, but not everyone keeps track of every email they receive), an attacker cannot reuse that username/password combo to log into your exchange account.

Now unfortunately that is not the only way an attacker can gain knowledge of your username/password. Phishing campaigns are notorious for tricking users into parting with their unique username/password combinations. Even if you do everything right (unique passwords), if an attacker manages to trick you into providing them with your exchange password by sending you a link to a site that looks identical to your exchange, you are shit out of luck. This is why despite the fact that it is technically possible to use SMS safely, I would never recommend it as even the most knowledgeable user can still be bamboozled.

So now let's talk about SMS and why it is one of the worst forms of 2FA (though I'd argue it might still be better than getting One Time Passcodes to your email). SMS, unlike a Yubikey, Push2FA, Google Authenticator, or ID Verification, is susceptible to an attack called SIM swapping. I'm sure many of you have heard of this attack, but let me break it down so that everyone who reads this has a basic understanding. SIM swapping occurs when an attacker gains enough personal information about a victim (via phishing, purchasing information off the black market, or Open Source Intelligence gathering, i.e. OSINT) and uses that information to convince the victim's cellular company that they are in fact that person. The cellular company then uses the same technology that allows for phone number portability to port the victim's number to the attacker's SIM card. The victim no longer has a working phone number, and the attacker now receives any texts intended for the victim. The attacker then, using the username/password combination obtained via a method described previously in this post, authenticates as the victim, receives the SMS text with the OTP, and now has your funds.

So how do we fight this? We use literally any other form of 2FA. How would I personally rank them? Probably like this:

  1. Yubikey - connected to your device it provides a code as your second factor of authentication
  2. TOTP, i.e. Google Auth, Okta, etc.
  3. Push2FA - instead of entering a code from an app, a modal is pushed to your mobile app that you then use to approve the login. I don't love this method either, but it's way more usable than IDV and more secure than SMS. If you really have an aversion to Google Auth, I guess this is the way.
  4. ID verification - what it sounds like, you use your Government ID. Typically this is used for account recovery and when done well protects the user by providing them a way to get their account back without having to use customer support. If an attacker tries to use this to downgrade another form of 2FA the user is informed and can then change their password.

I rank Yubikey #1 because it is the easiest item to keep safe without sacrificing usability. Most people do not carry their Yubikey around with them everywhere, so it can stay protected in your home. TOTP, on the other hand, is only as hardened as your cell phone if it gets stolen from you. I once had a friend who knew I was a "hacker" ask me to hack her phone, and she handed it to me. I assumed I'd open it, attempt to guess her PIN and hand it back, as we were eating dinner and I don't carry my laptop everywhere, but she didn't even have a lock on her phone. I went to her also unprotected Venmo app and showed her how easy it would be to send myself money. Now this was years ago and I'd say most people are smart enough to lock their devices, but not all methods of device locking are created equal either, so know that if you do choose to use TOTP it is only as secure as your phone is. Additionally, most TOTP codes are short (6 digits), whereas Yubikey's code is fairly verbose. If the application does not implement rate limiting, in theory a savvy attacker could brute force TOTP. An application that only rate limits by IP could be beaten by someone using a tool like this: https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension.
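To make the rate-limiting point concrete from the exchange's side, here is an added example (my own code, not from the original post or any exchange): an RFC 6238 TOTP verifier with two interchangeable failure limiters, one keyed on source IP and one keyed on the account. The account name, IP addresses and the simulation of wrong guesses are constructed for the demonstration; the only real values are the RFC 6238 test-vector secret used to check the TOTP math. The simulation sends the same wrong code from a fresh IP every time, which is exactly the traffic pattern an IP-rotating proxy produces, and counts how many guesses each limiter actually evaluates.

```python
"""Added example: TOTP verification with per-IP vs per-account failure limits.
Account, IP addresses and guess traffic below are constructed for illustration."""
import hashlib
import hmac
import struct
from collections import defaultdict

DIGITS = 6
STEP = 30          # RFC 6238 default time step in seconds
WINDOW = 1         # also accept the previous/next step to tolerate clock drift


def totp(secret: bytes, for_time: float, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_matches(secret: bytes, code: str, now: float) -> bool:
    """Constant-time comparison against every step inside the drift window."""
    return any(
        hmac.compare_digest(totp(secret, now + k * STEP), code)
        for k in range(-WINDOW, WINDOW + 1)
    )


class IpOnlyLimiter:
    """Weak design: failures are counted per source IP, so a new IP resets the budget."""

    def __init__(self, max_failures: int = 5):
        self.max = max_failures
        self.failures = defaultdict(int)

    def verify(self, account: str, secret: bytes, code: str, src_ip: str, now: float) -> str:
        if self.failures[src_ip] >= self.max:
            return "locked"
        if totp_matches(secret, code, now):
            return "ok"
        self.failures[src_ip] += 1
        return "bad"


class PerAccountLimiter:
    """Stronger design: failures are counted per account regardless of source IP.
    A real deployment would add a cooldown, alerting and a log of the lockout."""

    def __init__(self, max_failures: int = 5):
        self.max = max_failures
        self.failures = defaultdict(int)

    def verify(self, account: str, secret: bytes, code: str, src_ip: str, now: float) -> str:
        if self.failures[account] >= self.max:
            return "locked"
        if totp_matches(secret, code, now):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "bad"


def guess_success_probability(n_guesses: int, digits: int = DIGITS, window: int = WINDOW) -> float:
    """Chance that n random guesses hit one of the (2*window+1) currently valid codes.
    Shows why a 6-digit code relies entirely on the server limiting attempts."""
    p_single = (2 * window + 1) / 10 ** digits
    return 1.0 - (1.0 - p_single) ** n_guesses


def simulate_rotating_ips(limiter, secret: bytes, attempts: int, now: float, account: str = "alice") -> int:
    """Count how many wrong guesses the limiter evaluates when every attempt arrives
    from a different (constructed, TEST-NET-3) IP. The guess is the correct code with
    its last digit changed, so it is guaranteed wrong; this measures the lockout only."""
    wrong = totp(secret, now)
    wrong = wrong[:-1] + str((int(wrong[-1]) + 1) % 10)
    evaluated = 0
    for i in range(attempts):
        result = limiter.verify(account, secret, wrong, f"203.0.113.{i % 254 + 1}", now)
        if result != "locked":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 Appendix B test secret
    print("per-IP limiter evaluated:", simulate_rotating_ips(IpOnlyLimiter(), demo_secret, 50, 59))
    print("per-account limiter evaluated:", simulate_rotating_ips(PerAccountLimiter(), demo_secret, 50, 59))
    print("P(success) after 50 guesses:", guess_success_probability(50))
```

With a fresh IP per attempt the per-IP limiter never locks and evaluates all 50 guesses, while the per-account limiter evaluates 5 and then refuses the rest; that difference, not the size of the code space, is what protects a 6-digit TOTP.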

Two last things to expand upon. I do not know of an exchange that allows email OTP for authentication; however, I do know of traditional banks that do. Please, for the love of god and all that is holy, do not use email 2FA. If an attacker compromises your email account they now have the keys to every application you have configured this way. Essentially all they need to do now is request a password reset, change your creds, and log in. If they are really savvy, they will change your email filtering rules so that the victim does not get notifications of emails regarding sites the attacker is trying to compromise. As for my dislike of Push2FA, it is primarily because it forces the user to be discerning. Most people have the intelligence to not just approve any push notification sent to them, but not everyone does, and even if they do, if an attacker times their push notification right after the user's they could trick them into approving the wrong modal.

So to summarize this post. Please do not use SMS as a form of 2FA. It is incredibly insecure compared to other methods of 2FA. Ideally, use a Yubikey, but if you cannot afford another piece of technology after spending money on wallets and crypto, at least use TOTP and hope that your exchange rate limits properly. If you have any questions for me, I am now starting work an hour late so I may be slow to respond, but I will try to get back to any security related questions on this post! Stay safe out there friends.

submitted by /u/dreamcasttrash