Coinbase sees a lot of motivated attackers; it’s one of the things that makes working in security at Coinbase so interesting. I want to deep dive into one recent attack for a few reasons: 1) when we share, we all get stronger; 2) it was a really interesting way to end-run around a lot of traditional security protections, and it highlights the extent to which personal and corporate systems are linked; 3) we found very little public discussion of this set of attack vectors and want to help move it from ‘theoretical’ to ‘this really happens’. To be crystal clear: no customer data or funds were lost or at risk of loss.
Rewind to 25 Aug. It was around 9 AM when one of our high-profile employees wrote in to our on-call security engineer, saying that something weird was happening with his phone. He had received some strange and concerning text messages:
The security engineer on call immediately recognized this as a phone account takeover and kicked off our compromised-account runbook: disable third-party accounts via SSO, disable internal accounts, review logs for any suspicious activity, and so on. While that was going on, another security person hopped on a conference call with the employee and Verizon. It turned out the attacker had impersonated the employee on a call with Verizon support the previous evening (see the text message second from the bottom), passing the support desk’s identity check with nothing more than basic personal information. Personal information like this is available in distressing volume from a number of sources, so we assumed the attacker obtained it online rather than by dumpster diving. Once the attacker had access to the account, he reset the Verizon portal password, set up a call and text forward pointing to a VOIP number, and did one more little thing that we’ll get to later.
With Verizon on the phone, it was a fairly simple matter to re-reset the portal password, set an account PIN to prevent attacker re-entry and undo the forward. But the attacker had access for a solid 4 hours; what mischief did he get up to in that time? Surprisingly little. The attacker was able to add a new device to the employee’s Authy account (presumably because the forward now delivered Authy’s device-enrollment verification to him), but didn’t actually try to use it. We revoked the device. As far as we could tell (and can tell to this day), the attacker did nothing else. We reviewed access logs from the employee’s personal and corporate online presence with no unusual findings. Because this employee is awesome, he uses a password manager to establish long, random and unique passwords across all his services, has two-factor authentication (2FA) set up everywhere and uses more long, random strings as answers to his account recovery questions. He was locked down tight.
The next morning, all hell broke loose. The same target employee’s Facebook account sent the following messages to Brian (our CEO):
Brian turned around and flagged this to security again: this was not a normal request, and we had warned the company to be on guard for this kind of thing. We tried calling the employee on his cellphone and got a Verizon error message, “Unable to reach this number”. We used an alternate contact method to wake the employee up, and when he tried to call us from his cellphone he learned that his account had been deactivated. That other little thing the attacker did? He had started a port of the phone number from Verizon to a VOIP provider, and that port had completed overnight.
The attacker now had complete control of that phone number and used it to go through the account recovery process for several personal accounts, including Facebook. The attacker also sent text messages to a number of other Coinbase employees, asking for password resets or for transfers of Bitcoin. We began a round of password resets and recovery phone number changes across all of this employee’s personal and corporate accounts. We were also able to get in contact with an outstanding Verizon employee who understood the urgency and impact of our situation and shepherded our case through the byzantine halls of inter-carrier communications. We had control of the phone number back by 2 PM, which, if you’ve ever tried to get two phone companies to talk to each other, is a significant achievement; we had initially assumed we wouldn’t regain control until the following week.
With control of the phone number regained and enhanced carrier security in place, we began the long recovery phase, ensuring we hit every account on every service this employee used. We also put out company-wide guidance on cellphone account security.
This ended fairly well for us, but that’s frequently not the case. Attackers regularly target individual users who don’t have a full-time security team around to help with the response and who aren’t already well postured to resist an attack. In those cases, it can take weeks to get back to normal, if ever. If the only winning move is not to play, what can you do to become a hard target?
Call your cell phone provider and set up a PIN or password, ask for a port freeze, and ask to lock your account to your current SIM. Not all providers will do all of those things; if yours won’t, consider changing to one that will. Use long, random and unique passwords for every service, and use a password manager to make that easy. Use two-factor authentication everywhere. Personally, I recommend, in order: U2F, push-based, then TOTP/token-based; only use SMS if there is no other option. If you’re a Coinbase customer, install the Authy app to get non-SMS 2FA, and once your devices are enrolled, turn off Authy’s multi-device setting, since adding a device to Authy is exactly what the attacker did here. The assumption that control of a phone number is sufficient proof of identity is false. Just as we should no longer trust SMS for two-factor authentication, we shouldn’t trust it for account recovery. Disable phone-number-based recovery anywhere you can.