1. 33

  2. 15

    SMS 2-Factor auth is not secure, because the phone networks are not secure. The telecoms company reps are easily social engineered, the network layers are ridiculously insecure, the actual mobile communications are easily attacked by sufficiently motivated entities. You pick a layer of the stack, you can probably find an easy attack.

    No one should be using SMS codes as a 2-factor authentication method in 2017, but here we are.

    1. 5
    2. 9

      The author admits it, but it’s worth reiterating that if you don’t have the private key to the address with the BTC, you don’t actually own the BTC. At minimum, exchanges should implement multisig with the user holding part of the key.

      1. 8

        Verizon would seem to have quite the liability here. Ironically maybe more because of the text. “Hey, we got fooled, nothing we could do.” That’s one defense, maybe. But sending a text “hey, you’re getting hacked, call us back.” And then not answering the phone? Never a good look to know something is wrong and proceed recklessly.

        1. 2

          Verizon would seem to have quite the liability here

          I disagree.

          They offer a phone service. At no point did they advertise their service as one that can be used to secure a third party email service.

          If you built your system on shaky foundation that was never meant to support your system, you can’t blame the people who built the foundation.

          1. 6

            Indeed, they offer a phone service, but then they gave that phone service to somebody else. The author isn’t paying Verizon for somebody else to have service.

            1. 1

Ok, but how do we proceed from here? Assuming most people want or should have secure text communications, should we create a secure SMS 2.0 or drop it in favour of HTTPS chat/email? Could a company do a blackberry these days and have their own SMS network? These days if you have a SIM card you generally have some sort of data on it anyway, is there much point to insecure SMS any more? Should we drop phone numbers while we are at it too and just use VoIP and IM/email?

          2. 8

            That’s the value proposition of cryptocurrency. You are responsible for your own security. The government can’t bail you out and they can’t bail other people out at your expense.

            If you have your cryptobucks in other people’s wallet that is secured to your email which is secured to a telecom service then this is going to happen.

            1. 4

              Lesson 1: If you don’t have sole access to the private key, they aren’t your Bitcoins. This is one of the reasons Bitcoin was created. You have the power to take full control; use it. Put effort into your security proportional to your exposure. $8000 in Bitcoin and misc. altcoins should warrant at least a password-protected backed-up local wallet. Use your phone; there are easy apps for this. Mycelium, breadwallet, etc.

              Lesson 2: Never use SMS auth. Only use authentication based on well-reviewed cryptosystems. Humans, and systems easily controlled by humans, cannot be trusted. TOTP is fine, U2F is better. Closed source solutions like Duo are an acceptable compromise.
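To make the contrast concrete: the TOTP the comment recommends is just an HMAC over a shared secret and a time counter, so nothing secret ever crosses the phone network. The following is an added example (not code from the thread) implementing RFC 4226/6238 with the standard library, including a replay guard so a verifier never accepts the same time step twice; the tolerance window and the `last_counter` bookkeeping are my own choices.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, for_time: float, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6, algo=hashlib.sha1):
    """Verifier side. Accepts codes within +-window steps of the server clock.

    Returns (ok, counter). The caller must persist the returned counter and pass it
    back as last_counter so a code captured once cannot be replayed (assumed design).
    """
    now_counter = int(for_time) // step
    for c in range(now_counter - window, now_counter + window + 1):
        if c <= last_counter:          # already consumed (or earlier): refuse replay
            continue
        expected = hotp(secret, c, digits, algo)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True, c
    return False, last_counter


if __name__ == "__main__":
    # Constructed demo secret; the RFC test secret is used in the checks below.
    secret = b"12345678901234567890"
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "valid:", verify_totp(secret, code, now)[0])
```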

              1. 2

                So, what are the current Best Practices for dealing with these sorts of markets? What are reasonable and secure alternatives to Coinbase?

                1. 4

                  Xapo takes security seriously: https://support.xapo.com/xapo-security

                  • keys are stored offline
                  • multiple signatures are used
                  • data is encrypted and distributed across multiple regions
                  • they use 2fa, a pin and a password to access the vault
                  • it requires 48 hours to move bitcoins out of the vault

You can still use sites like coinbase, just don’t leave a lot of bitcoins in them.

                  1. [Comment removed by author]

                    1. 2

They do provide insurance: https://xapo.com/terms/, though only for things related to the company, not failures that are the user’s fault:

                      The Xapo Bitcoin Reserve is designed to cover direct and effective losses suffered by users as a result of attacks of hackers to our systems, theft by any third party and/or Xapo employee from our systems or facilities, break-ins at a physical location of our vaults, and/or our bankruptcy, which are not due to or related to your acts, omissions or errors (“Qualifying Losses”).

                      What exactly are you looking for? FDIC insurance? I don’t think the US government is ever going to insure a competing currency.

                      There are risks to action and risks to inaction. Keeping your bitcoin on a piece of paper under your mattress is also dangerous - the primary danger, at least with bitcoin, being you’d lose the private key…

                      For this particular case Xapo requires 24 hours to reset a password and sends a bunch of warnings before they do it.

                  2. 3

                    Some alternatives to Bitcoin allow electronic transfers to be reversed. :)

                    1. 3

                      Given the history of Bitcoin markets, I wouldn’t keep any money in any of them that you aren’t planning on trading right now. So many of them have been hacked or have the founders mysteriously disappear with the money.

                      1. 1

One alternative is Blockchain wallet (https://blockchain.info/). This site cannot reset your password because your password ultimately secures your wallet’s private key. This means that the service is as secure as your password, which could be considered a “secure alternative to Coinbase”. Note that this does not include ethereum or litecoin wallets, nor an exchange though.

                        Coinbase also claims to have FDIC insured deposits for its US customers (but only for the USD balance), so that can be a real advantage over other exchanges at least. They’re also insured against theft/security failures (their policy would probably be detailed enough to exclude OP’s problem).