A debate emerges among crypto community members over the safety of SMS two-factor authentication.
Cryptocurrency community members are divided on whether crypto companies and products should implement two-factor authentication (2FA) using SMS after a Bitcoin investor sued Coinbase over a SIM-swap attack.
Coinbase user Jared Ferguson sued Coinbase in the US District Court for the Northern District of California after attackers stole $96,000 from his exchange wallet. The plaintiff filed the lawsuit on March 6th, claiming that he lost nearly all his life savings in an attack classified as a SIM swap.
SIM swapping is a cyberattack in which bad actors exploit weaknesses in two-factor authentication that uses a text message or a call as the second step of the verification process. The attackers often trick telecom providers into linking the phone number used for verifying the targeted account to their own SIM card.
Once they have taken over the phone number, the attackers can easily bypass the 2FA and confirm transactions on the target account.
According to Ferguson, he received a notification of a SIM swap request from his mobile service provider, T-Mobile, on May 9th. Ferguson realized that his funds had been withdrawn from his Coinbase account when he replaced his SIM card the following day.
Ferguson claims that Coinbase bears responsibility, under state and federal laws, for unauthorized withdrawals.
Coinbase denied any responsibility. Part of the email response by Coinbase included in the complaint reads:
“Please note you are solely responsible for the security of your e-mail, your passwords, your 2FA codes, and your devices.”
In February 2021, another user sued the mobile telecommunication company over a SIM-swap fraud in which attackers stole Bitcoin worth $450,000.
While the crypto community remains doubtful that Ferguson will win the case, the issue has sparked a reaction to the use of SMS 2FA.
Many people criticized SMS 2FA in a Reddit post titled “Never Use SMS 2FA”. Some even suggested that it should be banned. Many Reddit users believed that dedicated authenticator apps such as Google Authenticator are safer.
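The difference between the two second factors can be shown in a short model. This is an added example, not code from the article, Coinbase or any carrier: the `Carrier` class, SIM names and phone number are constructed for illustration, and the app side is standard RFC 6238 TOTP, the scheme authenticator apps such as Google Authenticator implement.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, computed locally from an enrolled secret."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Carrier:
    """Hypothetical model of a carrier: it alone maps a number to a SIM."""

    def __init__(self):
        self.routes = {}

    def assign(self, number: str, sim: str) -> None:
        self.routes[number] = sim

    def send_sms_code(self, number: str) -> tuple[str, str]:
        """Generate a one-time code and return (receiving SIM, code)."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        return self.routes[number], code


def simulate() -> dict:
    carrier = Carrier()
    number = "+1-555-0100"  # constructed sample number
    carrier.assign(number, "owner-sim")
    before, _ = carrier.send_sms_code(number)
    carrier.assign(number, "other-sim")  # number re-linked at the carrier
    after, _ = carrier.send_sms_code(number)

    # App-based 2FA: the secret sits on the owner's device and at the service;
    # the carrier's routing table never sees it, so re-linking changes nothing.
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    now = 59  # RFC 6238 test time
    owner_code = totp(secret, now)
    accepted = hmac.compare_digest(owner_code, totp(secret, now))
    return {"sms_before": before, "sms_after": after,
            "totp_code": owner_code, "totp_accepted": accepted}


if __name__ == "__main__":
    print(simulate())
```

The SMS code follows whatever SIM the carrier currently associates with the number, while the TOTP code depends only on a secret held by the enrolled device and the service.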