Salutations, savvy crypto sages. It’s another entry of Olliv the Above, your weekly deep dive into the news that’s lighting up web3 and crypto discussions. In this week’s edition, we’re taking a closer look at one wrinkle of crypto wallet security: the two-factor authentication process.
Two factor fallout
The crypto and web3 community is taking another look at two-factor authentication, known as 2FA, after a former Coinbase customer sued the centralized crypto exchange seeking triple damages. The investor at the heart of the lawsuit lost his crypto when attackers carried out what is called a SIM swap, which let them briefly impersonate him and initiate large transfers off the exchange without his knowledge. By the time the investor realized what was happening, it was too late: the transactions had already executed and nearly $100K worth of crypto was gone.
Without getting too far into the weeds of the plaintiff’s claim, let’s skip ahead and look at the practice of 2FA. As a disclaimer, enabling 2FA is widely considered best practice for any online account that can touch your crypto, whether that is an exchange login or the email account tied to it, and it matters just as much if you self-custody, because it is an added security layer on top of your password.
2FA works by requiring a second, independent proof of identity in addition to the password when accessing a private account online. There are a number of ways to deploy that second factor, though. One of the most popular is to have a unique one-time code sent by text message to the user’s mobile phone number with each sign-in attempt; entering that code is the final step that grants access to the account.
Playing the SIMs
The SMS text method for 2FA is quite common since mobile phones are practically ubiquitous nowadays. Unfortunately, that also means scammers have devised a low-tech way to exploit it: the SIM swap. In a SIM swap, the attacker impersonates the account holder to the telecom provider, typically by social engineering or bribing carrier staff, and has the victim’s phone number moved to a SIM card the attacker controls. From that moment, every text sent to the number, one-time codes included, arrives on the attacker’s handset. Combined with a password obtained elsewhere (phishing, a data breach, password reuse), that lets an imposter using a completely different SIM card unlock the account, and the victim’s first clue is often that their own phone suddenly shows no service.
The lawsuit filed against Coinbase illustrates how 2FA delivered via SMS leaves users vulnerable to this kind of attack. How can crypto investors protect themselves from SIM swaps? Be suspicious of unexpected calls and texts on any number that is connected to a 2FA service; spam calls and texts could be scammers gathering the details they need to impersonate you to the carrier. Many carriers let you set an account PIN or a port-out lock that must be supplied before the number can be moved, and setting one raises the bar for that impersonation step. And treat a sudden loss of cell service, when phones around you still have signal, as a reason to check your accounts immediately.
If you’re going to switch on 2FA, which is still regarded as the right move, then going with a more secure delivery method than SMS text message is the better choice. Authenticator apps are common across both iOS and Android devices, and they defeat the SIM swap attack described above because the code is generated on the device itself from a secret stored there when you enrolled. Nothing is sent over the phone network, so there is nothing for a swapped SIM to intercept.
An authenticator app can serve multiple accounts that are using 2FA. While that is more convenient for users, it may be wise to avoid loading one single app (and one single device) with the 2FA secrets for every account you own; a misplaced or compromised device is far more costly that way, and the printed backup codes each service gives you at enrollment should be stored offline rather than on the same phone. Some investors might feel more comfortable keeping their crypto wallet or exchange 2FA on a completely separate authenticator app, or a separate device, from the one they use for recovering their work email, for example.
Closing the loop
At Olliv, we champion the self-custodial model for crypto. That means investors are responsible for safeguarding the private keys to their crypto wallets. If this seems like a daunting task, then you may want to browse through our crypto 101 resources before embarking on your path to maintain custody of your own crypto. Knowledge is power, after all.
Sign up for the Olliv newsletter to get more updates like this delivered right to your inbox. We’d be off the mark if we didn’t also mention that all crypto transactions are final and irreversible. At the risk of repeating ourselves, take care to always safeguard your personal information when buying, selling, or swapping digital assets. Ciao for now, peeps.