When hackers stole cryptocurrency from the accounts of 6,000 Coinbase customers between March and May of this year, the trading platform said the perpetrator used a familiar method: phishing.
The breach marked a classic example in which both factors — passwords and SMS confirmations — were compromised, as Simon Law, CEO at LoginID, said in a Monday (Oct. 4) interview with PYMNTS CEO Karen Webster.
In this case, a fake website that looked like Coinbase was able to dupe account holders and capture passwords from users who volunteered them, Law said. The perpetrators then found out each person’s name and phone number, called their mobile operator and said they needed to add another chip to their account. “That’s how easy it is to get access to someone’s account,” Law said.
He added that in the past nine months, most crypto exchanges have removed SMS as an option, and regulators are also starting to consider removing SMS as a factor of authentication. “So, yeah, this is a good example,” Law said. “We should be moving to FIDO [for] a better experience and better security.”
SMS Is Familiar – But Weak
Law said some platforms stick with SMS because of the user experience — people are used to using text messaging and may not be familiar with using a stronger second factor, such as Google Authenticator. But the Coinbase event has shown the need for platforms to enforce using a better method.
“I think they need to move on to a stronger factor authentication,” Law said. “Luckily, FIDO’s pretty good at the user experience part of it as well.”
He explained that platforms need only teach users to move away from text messaging, adding that SMS is not a particularly good user experience anyway. “They should use biometric authentication right away; they should move to FIDO,” Law suggested.
Better Factors of Authentication
The combination of passwords and SMS should no longer be used, Law said. If SMS is to be used at all, it should be combined with another factor such as a security key, FIDO or something else.
A lot of companies the size of Coinbase want to build things on their own. It’s understandable that they want to control their security – but at the same time, there are experts in the field of security that could provide it. “There is still a difference between something that is fully certified, and people have been working for that for years as a separate company, versus building everything in-house,” Law said.
Other exchanges have eliminated SMS and use Google Authenticator – but that is a poor user experience. That’s why Coinbase has been so successful in comparison to other exchanges.
“It’s a double-edged sword,” Law said. “They want to make it easy for users so that there’s more adoption, but they need the extra security. So, this is what happens. We need the whole industry to start moving on to better factors of authentication, like FIDO.”
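The reason FIDO resists the kind of phishing described above is that every assertion a browser hands back is bound to the origin and RP ID the user actually visited, so a credential captured on a lookalike site is useless at the real one. The following added example (not LoginID’s, Coinbase’s or any vendor’s code) shows the server-side checks a relying party makes on a WebAuthn assertion before verifying the signature; the RP ID, origin, and the lookalike domain are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets

# Assumed relying-party values for the example (constructed, not a real site).
RP_ID = "exchange.example"
EXPECTED_ORIGIN = "https://exchange.example"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, as a browser would produce for an assertion at `origin`."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal constructed authenticatorData: rpIdHash (32) + flags (UP set) + signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"

def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     issued_challenge: bytes) -> tuple[bool, str]:
    """Pre-signature checks a relying party must make; signature verification over
    authenticatorData || SHA-256(clientDataJSON) with the stored public key is omitted here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge binds the response to this login request; constant-time compare.
    if not secrets.compare_digest(b64url_decode(client_data.get("challenge", "")), issued_challenge):
        return False, "challenge mismatch (replay or stale request)"
    # Origin is set by the browser, not the page: a lookalike domain cannot forge it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    expected_rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(authenticator_data) < 37 or not secrets.compare_digest(authenticator_data[:32], expected_rp_hash):
        return False, "rpIdHash does not match the relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Genuine login versus an assertion relayed from a constructed lookalike domain."""
    challenge = secrets.token_bytes(32)
    genuine = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                               make_authenticator_data(RP_ID), challenge)
    phished = verify_assertion(make_client_data("https://exchange-example.com", challenge),
                               make_authenticator_data("exchange-example.com"), challenge)
    return genuine, phished
```

Contrast this with an SMS code, which carries no notion of where it was typed: the same six digits are accepted wherever they are relayed.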
A New Concept Now in R&D
LoginID is working with the blockchain community on a new concept: enabling FIDO directly with the chain. “That way, you can actually provide the strong authentication and great user experience directly,” Law said.
He added that this will take time to adopt in the Web 3.0 world because it’s still in the R&D space – but once that happens, he believes a lot of these Web 2.0 platforms layering on Web 3.0 will kind of disappear, and people will be able to start directly developing strong authentication with Web 3.0.
“For the exchanges, that can be another way of authenticating directly to the block,” Law concluded. “And then there are a lot of exchanges that are moving in the decentralized exchange route, so that’s where that can help as well.”