Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneBbohnH1:16696
HistoryJun 16, 2014 - 8:14 p.m.

Coinbase: 2FA settings allowed to be changed with no delay/freeze on funds

2014-06-1620:14:31
bbohn
hackerone.com
16
JSON

With the nature of bitcoin’s instant transactions and the increase level of phishing/malware attempts on users, many bitcoin related businesses have freeze/delays on funds once a user changes their 2FA settings.

That design keeps the 2FA from being defeated instantly if the user’s email account has been breached. It gives the true owner of an account time to respond to breaches and work with companies to prove identity if they lost access to their email account. If there isn’t a breach, and the user needs to change the 2FA legitimately, it is a simple delay on movement of funds in the name of security.

Recently I was attacked by a team of hackers that first gained access to my father’s email account that had top level access to my email accounts. The hackers read and researched my inboxes for days and staged a full attack on my online accounts Sunday 6/8.

They changed my email account passwords and used ‘lost password’ feature to gain access to my other accounts. My ATT account was a first target where they added many features that even the online chat rep I spoke with did not know existed. Text to Web was activated and also call forwarding of incoming calls was also enabled. Text to Web allows the hacker to view all text messages onto a web page. I asked the rep if they had that type of service and he said that it didn’t exist. It was enabled for over 24 hours since I was told it didn’t exist but I stumbled upon the link and then saw all my SMS messages on a web page. This feature removes any security with SMS and also allows hackers to reset/reinstall 2FA applications like Authy since SMS is used to sync.

I believe the hackers switched my Coinbase account from using Authy to just simple SMS codes. I saw two authentication code text messages on my phone for the two fraudulent bitcoin purchases of $666.28 and $333.17 to max out the $1,000 daily limit. I did not use that method before and am shocked that the account did not have any delay/freeze on funds after such a change.

Other bitcoin businesses range from freezing the account as soon as the 2FA is altered to having a day delay on all withdrawals as standard policy.

I am out $1,000 and would like to know why Coinbase does not give their users the ability to protect themselves more when 1FA is breached and 2FA is being altered.

-Bill

JSON