HCGH - Good Old Phishing
How Crypto Gets Hacked: What Happened to Coinbase could happen to anyone in DeFi
Disclaimer: I’ll be talking about individual crypto projects in this series but this is for informational purposes only and not a solicitation to buy or sell any securities or cryptoassets.
Do your own due diligence.
You may have heard that Coinbase was hacked recently. This was due to a vulnerability in their SMS text messaging verification system, which served as the fallback multi-factor authentication (MFA) method for accessing a user’s account. Funnily enough, Tech Crunch wrote about how SMS-based MFA was flawed back in 2017, specifically in relation to Coinbase. And Coinbase knew it was bad!
Just four days before the hack was announced, on September 27th, Coinbase came out with a blog post about recent phishing scams, where they stated:
There are many types of 2FA, ranging from a physical key (such as a YubiKey) — the most secure — to SMS verification — the least secure. Many people choose to use SMS 2FA, because it’s linked to a phone number, rather than to one particular device, and is generally the easiest to set up and to use. Unfortunately, that same level of convenience also makes it easier for persistent attackers to intercept your 2FA codes. We strongly encourage everyone that currently uses SMS as a secondary authentication method to upgrade to stronger methods like Google Authenticator or a security key everywhere it is supported.
SMS-based 2FA/MFA is one of the most convenient options for consumers, which is why every company still uses it, but security-wise it’s the worst kind of MFA still in use. This is partly what led to the hack.
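To make the “stronger methods” concrete, here is an added example (my own code, not Coinbase’s or Google’s) of how an authenticator app generates and a server verifies codes under RFC 4226 (HOTP) and RFC 6238 (TOTP). The point it shows is structural: the code is computed locally from a secret enrolled once on the device plus the current time, so there is no code in transit over a carrier network for a SIM swap or SMS interception to capture. The demo secret is the RFC 6238 reference secret, chosen only so the output can be checked against the published test vectors.

```python
"""HOTP/TOTP one-time passwords (RFC 4226 / RFC 6238) as an illustration of
app-based 2FA. Added example, not code from the post or from Coinbase."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    RFC 4226 dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with counter = floor(unix_time / step). This is what
    the authenticator app computes on the phone; nothing is sent to the phone."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, candidate: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or up to `window`
    neighbouring steps to tolerate clock skew, compared in constant time."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect when the
    secret is enrolled (usually embedded in an otpauth:// QR code)."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"); a real enrolment
    # would generate a random 20-byte secret per user instead.
    demo_secret = b"12345678901234567890"
    print("enrol in app as :", provisioning_secret(demo_secret))
    print("code at T=59s   :", totp(demo_secret, at=59))   # 287082 per RFC 6238
    print("current code    :", totp(demo_secret))
    print("server verifies :", verify_totp(demo_secret, totp(demo_secret)))
```

The only thing the server stores is the shared secret, so the remaining risks move to where they belong: protecting that secret at rest and at enrolment, and keeping the backup codes somewhere safe. Neither of those can be solved by an attacker talking a carrier into porting your number.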
Another interesting thing about this recent hack is that Coinbase says the attackers could not have gotten as far as they did without the emails, passwords, and phone numbers associated with these accounts. And how do they think the hackers got this information? That’s right: phishing, the very thing they tried to make users aware of four days earlier.
Phishing: (noun) the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
As Coinbase explained in the blog post, hackers had sent people misleading emails that looked legitimate:
Once the hackers were able to phish user data from the actual users, they used it to get far enough in the multi-factor authentication process to reach the SMS-based step, which they were then able to exploit. Only 6,000 customer accounts were hacked because those were the customers who had activated SMS-based 2FA instead of using something more robust like an authenticator app.
Phishing emails have been around for a long time, and they remain an effective way to steal your account information or trick you into sending someone money.
Accounts are pretty hard to brute-force these days, so the easiest way into someone else’s account is through the emotional and sometimes gullible human being behind the keyboard, namely you.
So what does this have to do with DeFi? (HINT: Crypto doesn’t solve this.)
Phishing is not only still common in traditional finance, but also in the world of DeFi.
In fact, over this past year I was one of the people who received some of these phishing emails. As a result of the Ledger hack, where emails, names, and addresses of the hardware wallet maker’s users were stolen, the scammers must have gotten my email address and sent me fraudulent emails about a Chainlink, Compound, and Uniswap token upgrade. The protocols and their followers tried to let others know when they found them:
I tried to warn my followers as well:
They set up fake Substack accounts with names like “uniswapupgrade##@substack.com” to create professional-looking newsletters explaining to users how they should “update their tokens,” which is not a thing.
The Uniswap one was even more convincing because it happened around the time that Uniswap was trying to convince users to move to Uniswap V3. But there is only one Uniswap token, and you don’t need it to operate in any version of the Uniswap protocol. In fact, both versions are still operating simultaneously. There will never be a need to “upgrade a token,” but some users who probably didn’t know any better fell prey to these phishing attempts.
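The tells described above are mechanical enough to check automatically. The following is an added example (my own code, not from the post’s author, Substack, or any of the protocols named) that triages a raw email for three indicators: a protocol’s name in the sender or subject while the sending domain is a newsletter platform rather than the protocol’s own, a “upgrade/migrate your tokens” lure, and links whose visible text disagrees with where they actually point. The two messages and the `OFFICIAL_DOMAINS` map are constructed for the demo and are not an authoritative allowlist.

```python
"""Heuristic triage of a suspected protocol-impersonation email.
Added example; the samples and the domain list are constructed for the demo."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed for the example: brand keyword -> domains we treat as the brand's own.
OFFICIAL_DOMAINS = {
    "uniswap": {"uniswap.org"},
    "compound": {"compound.finance"},
    "chainlink": {"chain.link"},
}
URGENCY = re.compile(r"\b(upgrade|migrate|swap)\b.{0,40}\btokens?\b", re.I | re.S)
LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAINISH = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the demo domains."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(raw_email: str) -> Dict[str, object]:
    """Return the impersonated brand (if any), the sender's domain, a list of
    human-readable findings, and a verdict."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, host = addr.rpartition("@")
    sender_domain = _registrable(host)
    subject = msg.get("Subject", "")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")

    # Which brand is the message trading on? Look at display name, mailbox, subject.
    haystack = f"{display} {local} {subject}".lower()
    brand: Optional[str] = next((b for b in OFFICIAL_DOMAINS if b in haystack), None)
    findings: List[str] = []

    if brand and sender_domain not in OFFICIAL_DOMAINS[brand]:
        findings.append(f"sender domain {sender_domain!r} is not an official {brand} domain")
    if URGENCY.search(subject + " " + body):
        findings.append("asks the reader to upgrade/migrate tokens")
    for href, text in LINK.findall(body):
        href_domain = _registrable(urlparse(href).hostname or "")
        shown = re.sub(r"<[^>]+>", "", text).strip()
        m = DOMAINISH.match(shown)
        if m and _registrable(m.group(1)) != href_domain:
            findings.append(f"link text shows {shown!r} but points to {href_domain!r}")
        if brand and href_domain not in OFFICIAL_DOMAINS[brand]:
            findings.append(f"link to unofficial domain {href_domain!r}")

    return {"brand": brand, "sender_domain": sender_domain, "findings": findings,
            "verdict": "suspicious" if findings else "no indicators"}


# Constructed sample: the pattern the post describes (mailbox and link are invented).
PHISH_SAMPLE = """From: "Uniswap Upgrade" <uniswapupgrade00@substack.com>
To: user@example.com
Subject: Action required: upgrade your UNI tokens
Content-Type: text/html; charset=utf-8

<p>Uniswap V3 is live. Upgrade your tokens at
<a href="https://uniswap-v3-upgrade.example/claim">app.uniswap.org</a>.</p>
"""

# Constructed sample: an ordinary newsletter with a link that says where it goes.
BENIGN_SAMPLE = """From: "Weekly Digest" <news@example.com>
To: user@example.com
Subject: Community call notes
Content-Type: text/html; charset=utf-8

<p>Notes from the call: <a href="https://example.com/notes">example.com/notes</a></p>
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, BENIGN_SAMPLE):
        result = triage(sample)
        print(result["verdict"], result["brand"], result["sender_domain"])
        for f in result["findings"]:
            print("  -", f)
```

None of these rules is proof on its own; a legitimate project might well announce something on Substack. The combination is what matters, and the one check that costs the reader nothing is the last one: hover the link and see whether the destination matches the text.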
According to Coindesk, there have also been many other protocols targeted with Substack phishing emails, possibly by the very same scammers:
Projects such as RenProject, Kyber Network, Synthetix, Quant, UMA “and probably more,” were also victims, according to cybersecurity researcher Avigayil Mechtinger of the firm Intezer.
And it wasn’t just Substack. Members of the infamous “Wall Street Bets” crew also fell victim to a phishing scam through a Telegram group, where scammers convinced members to invest in a new “WSB Finance” crypto token they said was designed by the WSB team (it wasn’t). They were told to invest with their ETH and Binance Coin (BNB) now, before it was listed on the exchanges, to get in early on the action. Sounds like a deal, right? Except that when they tried to receive their token from a “token bot” there was a “problem with the bot.”
Thoughts:
I saw a lot of dunking on Coinbase and a lot of those “see what happens when you keep your crypto on an exchange? Not your keys, not your coins!” takes after Coinbase was hacked, but the reality is it could have happened to any of your financial accounts. I wanted to try to show that phishing for information is what led to this hack, and phishing emails and messages will continue to be a problem long after Coinbase is gone. The best thing you can do is stay informed. Understand how these new DeFi tools are going to work, and try not to believe everything you read on the internet. Always beware of emails asking you to input any kind of information directly through a link.
I also don’t want Coinbase to get off easy though. SMS-based 2FA has a terrible track record as a security measure, and they aren’t the only ones at fault here. Every other financial institution should stop using it too. People should be using password managers and an authenticator app like Authy or Google Authenticator. Then problems like this will become less frequent. (And if you have an authenticator, SAVE THOSE BACKUP CODES in case your device is ever lost or stolen.)
I think DeFi can solve a lot of problems, create some new ones, and will continue being a huge topic of conversation into the future. But it won’t change people falling for scams on the internet.
Since reading the book Ghost in the Wires about Kevin Mitnick’s hacking and “social engineering” of company employees in the 1980s, I’ve learned that this is as true now as it was then: people are still the weakest link in any security setup.
Thanks for reading.