
SMS

Debate over 2FA using SMS after SIM-swapping victim sues Coinbase

While members of the crypto community are doubtful the lawsuit against Coinbase will be successful, it has sparked a conversation about the issues with SMS 2FA.

The crypto community is debating whether SMS two-factor authentication (2FA) should ever be used for account security following news that a Coinbase customer is suing the cryptocurrency exchange for $96,000.

On Mar. 6 Jared Ferguson filed a lawsuit against Coinbase in the United States District Court for the Northern District of California, claiming he lost “90% of his life savings” after funds were withdrawn from his account by identity thieves and Coinbase had refused to reimburse him.

Ferguson is said to have fallen prey to a type of identity theft known as “SIM swapping,” which allows fraudsters to gain control of a phone number by tricking the telecom provider into linking the number to their own SIM card.

This allows them to bypass any SMS 2FA on an account, and in this situation allegedly allowed them to confirm the withdrawal of $96,000 from Ferguson's Coinbase account.

Ferguson claimed he lost service after his phone was hacked on May 9, and noticed the funds had been taken from his Coinbase account after getting a new SIM card and restoring his service as per instructions from his service provider, T-Mobile.

T-Mobile was previously sued by a SIM-swapping victim in February 2021 following the theft of approximately $450,000 worth of Bitcoin (BTC).

Coinbase denied any responsibility for the hack of Ferguson’s account, telling him in an email that he is “responsible for the security of your e-mail, your passwords, your 2FA codes, and your devices.”


Members of the crypto community were generally doubtful that Ferguson’s lawsuit would be successful, noting that Coinbase encourages the use of authenticator apps for 2FA rather than SMS and describes the latter as the “least secure” form of authentication.

Some Reddit users discussing the lawsuit in a post titled “Never Use SMS 2FA” went as far as suggesting SMS 2FA should be banned, but noted that it was the only authentication option available for many services, as one user said:

“Unfortunately a lot of services I use don’t offer Authenticator 2FA yet. But I definitely think the SMS approach has proven to be unsafe and should be banned.”

Blockchain security firm CertiK warned of the dangers of using SMS 2FA in September, with its security expert Jesse Leclere telling Cointelegraph that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use.”

Leclere said dedicated authenticator apps like Google Authenticator or Duo offer nearly all the convenience of using SMS 2FA while removing the risk of SIM swapping.

Reddit users shared similar advice but added that authenticator apps on phones also make that device a single point of failure, and recommended the use of separate hardware authentication devices.

Bitcoin vs. Tulip Mania: Why the Comparison Wilts Under Scrutiny

Sam Bankman-Fried may no longer be allowed to play League of Legends

Sam Bankman-Fried is, for the most part, still able to freely access the internet through various devices. Prosecutors want to change that.

Sam Bankman-Fried, the former CEO of crypto exchange FTX, may no longer be able to play League of Legends and other video games if newly proposed changes to his bail conditions from United States prosecutors are approved.

In a Feb. 15 letter to United States District Judge Lewis Kaplan, U.S. Attorney Damian Williams asked the court to further expand restrictions surrounding Bankman-Fried’s electronic device usage.

They pointed to Bankman-Fried’s recent device usage as cause for concern, and agreed with the court’s intuition that it was “shortsighted” to focus only on restricting the use of apps, adding:

“There is now a record before the Court of a defendant who appears motivated to circumvent monitoring and find loopholes in existing bail conditions. The appropriate course, therefore, is broader restrictions on the defendant’s cellphone, tablet, computer, and internet usage, with limited exceptions.”

The prosecutors propose that Bankman-Fried should be prohibited from using cellphones, tablets, computers, or the internet, except for very limited uses such as reviewing pre-trial evidence, communicating with lawyers and accessing emails.

He would be restricted to using a single computer and cell phone, which in addition to his Gmail account would be monitored using a “pen register” — a device or process that essentially produces a list of phone numbers or internet addresses contacted from a specific source.

Bankman-Fried is understood to be an avid gamer, having reportedly played online video games such as League of Legends during fundraising rounds while at FTX. 

Bankman-Fried also mentioned during an interview with The New York Times on Nov. 13 that he likes to play games, as it helps him “unwind a bit” and clear his mind.

Under the newly proposed bail conditions, it appears that Bankman-Fried will no longer be allowed to partake in the activity.


Earlier this month, the former CEO was prohibited from using encrypted messaging apps after he was found to have contacted potential witnesses in his criminal case.

He was also temporarily banned from using VPNs on Feb. 14, after the Justice Department discovered he had used a VPN on two different occasions — in order to watch sports coverage. This ban will be further discussed during a Feb. 16 hearing.

Many from the crypto community were disgusted by the initial conditions of Bankman-Fried’s bail, which required him to wear an ankle bracelet but afforded him full computer and internet access from his parents’ luxurious home in sunny California.


Bitcoin without internet: SMS service allows sending BTC with a text

“A person literally without no internet access can go from having no Bitcoin to having Bitcoin and then go to spending Bitcoin,” Kgothatso Ngako explains.

An innovation using the cellular network (GSM) could onboard millions of Bitcoin (BTC) users previously unreachable by the internet-dependent Bitcoin protocol. Built by South African developer Kgothatso Ngako, the new SMS-based service is named Machankura, a slang South African word for money.

KG, as he’s known to his friends, spoke to Cointelegraph from Pretoria, South Africa, about his fascination with Bitcoin and the hope that Bitcoin via text will bring BTC to millions of Africans.

An English speaker, KG streamed audiobooks and podcasts religiously on the way to work when he first learned about Bitcoin. As he fell down the Bitcoin rabbit hole, his 20-minute commute became a 2-hour wander to the Council for Scientific and Industrial Research (CSIR) in South Africa, where he worked as a software developer.

In a separate interview, Master Guantai, founder of Bitcoin Mtaani, told Cointelegraph, “The number of cellphones in Africa is double the number of people.” However, internet-enabled smartphone penetration remains low.

In Kenya, Guantai’s home country, he explains that topping up a phone with airtime is as common as credit card payments in the West. A report by Caribou backs up the statement: 94% of financial transactions in Africa are through USSD, the protocol used to send text messages, whereas just 6% of these transactions are made via mobile apps.

In sum, while there are millions of phones in Africa, they’re mostly used for texting. KG had stumbled onto something that could be huge for Bitcoin adoption in Africa.

“This year, a lot of conversations in the space were around USSD or making Bitcoin accessible on feature phones–this could be a part-time project–let me just set it up. And that’s basically how Machankura came to be!”

KG started by building an African language translation project, Exonumia. Now providing Bitcoin-related education in dozens of languages, he explained to Cointelegraph that if we make Bitcoin more accessible to Africans, then, as a consequence, they will learn about money and find a way to improve their quality of life.

Once Exonumia picked up steam, he questioned, “what are the other barriers to accepting Bitcoin? Language is one–the other is internet access.” He sums up the internet in Africa as a space dominated by big applications such as Instagram and Facebook. The problems inherent to smartphone users are having enough space on phones, internet connectivity and price.

KG shares screenshots of Machankura in action.

KG coded up Machankura while working at the CSIR, explaining, “The major focus is on spending and receiving Bitcoin.” KG explains how it works: Users dial a number; they are then introduced to a menu where they can learn more about Bitcoin or register an account. “All you need to register an account is a 5-digit pin, and from there on, you are presented with a different menu: send and receive Bitcoin.”

Here is Paco, the Bitcoin traveler who won’t stop teaching people about Bitcoin around the world–demonstrating Machankura to a teacher in Nigeria, at Cointelegraph’s request.

As a result, Lightning wallet-compatible apps on phones or computers can send Bitcoin over the Lightning Network to the phone’s number–it has effectively become a Lightning address. Machankura has integrated with Bitrefill, an increasingly popular prepaid gift card service for Bitcoin in Africa. Plus, as of today, South Africans will be able to top up their Lightning wallets with credit from grocery stores in a partnership with “One for you,” a voucher provider.

As Ngako summarizes, "A person literally without no internet access can go from having no Bitcoin to having Bitcoin and then go to spending Bitcoin."


Master Guantai also shares that it works well in six African countries already. Plus, popular exchange Paxful has already shown interest, Guantai explains, as the ease with which people can be onboarded using GSM is understated.

KG flags several potential concerns with the innovation, such as governments banning or reacting negatively to Bitcoin. The commission fees for buying the voucher could put people off, and KG understands that in offering a centralized company to onboard people into Bitcoin, there’s a risk that they don’t spend the time getting to know the technology.

Plus, the service is custodial, a point that works against the Bitcoin ethos of “not your keys, not your coins.” So, he is looking for a way to use SIM cards as private keys.


Binance Warns Crypto Investors of ‘Massive Phishing Scam via SMS’

Cryptocurrency exchange Binance has warned investors of a “massive phishing scam via SMS.” The scammers sent SMS messages to crypto users informing them of a withdrawal request from an unknown IP address they may want to cancel.

Massive Phishing Scam Targeting Crypto Investors

Binance CEO Changpeng Zhao (CZ) tweeted Friday: There is a massive phishing […]


Coinbase Reveals Massive Hack of User Accounts: Over 6,000 Customers Lost Funds

The Nasdaq-listed cryptocurrency exchange Coinbase has disclosed that at least 6,000 users were victims of a hacking campaign to gain unauthorized access to the accounts of Coinbase customers. The hackers also took advantage of a flaw in Coinbase’s SMS Account Recovery process to gain access to user accounts.

Cryptocurrencies of at Least 6,000 Coinbase Customers […]
