The most vulnerable form of 2FA: how can you protect your funds when you buy crypto?

SMS verification is perhaps one of the most popular ways of protecting online accounts. The key to its popularity is its simplicity. All that users have to do upon login is type a temporary code that they receive on their mobile phones via SMS. First implemented by the online payment service NETICASH in 2004, it has since become a security standard in many industries.

Cryptocurrency-related services are no exception. Some centralized crypto exchanges and other blockchain-related platforms even treat it as an absolute ‘must’: sometimes it is impossible to finish creating a new account or to buy crypto until you have set up SMS verification, because the service simply will not let you get to the next step.

Indeed, this type of verification adds a layer of security. A hacker must not only guess your password but also find a way to access your phone and pick up the code, which is a much harder task. Still, it is not as secure as one might hope. In fact, Jesse Leclere, a security expert from Certic, called it “the most vulnerable form of 2FA” in one of his recent interviews.

Why is it so weak, how can one bypass it and what is the best way for cryptocurrency holders to enhance the security of their digital assets? Let’s find out.

What is 2FA?

In a nutshell, two-factor authentication is an additional layer of security that requires two different methods of identification for a user to prove the right to access something. It serves to prevent unauthorized access via a stolen password and reduces the risks of data leakage and identity or money theft.

Typically, 2FA combines any two of the following:

  • Something you know, e.g. your password
  • Something you have, e.g. a temporary code sent to another device
  • Something you are, e.g. your biometrics, such as a fingerprint or your face

SMS verification covers the second element as it requires a user to type a code sent to the mobile phone via SMS.

Benefits of SMS authentication

As stated earlier, SMS verification is one of the weakest options to secure your account. However, it still has some benefits worth mentioning.

First, it is very simple to use. Users don’t need to install any additional applications. All they need to do at sign-up is provide their mobile number and afterwards type the code they receive via SMS every time they log in. The same applies when they want to buy crypto or perform any other important action.

Next, it is inexpensive for business owners, as it does not require purchasing any additional hardware; there is plenty of free software available on the web for the purpose.

Finally, it is possible to verify your identity via SMS even without internet access. Many providers let their users receive incoming messages even when they have a negative balance. As a result, this solution is accessible practically anywhere at any time.

Problems with SIM-based 2FA

In fact, there is only one problem, and it is the insecurity of this verification method itself. As technology evolves, hackers use more sophisticated attack methods. Believe it or not, gaining access to your SMS is not rocket science.

For example, in 2021 a popular cryptocurrency exchange was targeted: hackers were able to bypass its SMS verification, and around 6,000 accounts were affected in total. Interestingly, it took the company two whole months to notice the breach. Your account may be breached without you even being aware of it.

Five ways for hackers to break into your account via SMS

So how is it possible to gain access to SMS? These are the five most common ways hackers go about it.

1)   SIM swapping

This is a rather complicated method of attack, as it requires obtaining many different pieces of the victim’s personal information. Still, it is not rare.

Here’s how it works. Fraudsters gather personal details about their victims via phishing, by purchasing them from organized criminals, or by conducting targeted social engineering attacks. They then call the telephone company and convince its representatives to port the victim’s phone number to a different SIM. With all the personal data at hand, it is quite easy to pass the identity check. To speed things up, they may also bribe the employees responsible for such requests.

From there it is as easy as 1-2-3. With your messages arriving at the hacker’s SIM, you can consider the rest of your personal information gone for good, together with all your funds.

By the way, this is exactly how Twitter CEO Jack Dorsey was targeted in 2019. A group of hackers gained access to his account through Twitter’s text-to-tweet service, operated by the third-party provider Cloudhopper. They streamed offensive posts to his multi-million audience for 15 minutes before the account owner regained control.

2)   Remote Desktop Protocol

With many companies sending their employees to work from home during the recent pandemic, Remote Desktop Protocol attacks have increased many times over. ESET’s threat report reveals that over the course of 2020, the number of RDP attacks increased by 768%.

Hackers may bribe phone company employees into installing RDP software on their laptops. After that, they gain access to the company’s customer numbers and carry out the SIM swap described above. You know the rest of the story.

3)   Phishing/spoofing

Aside from sophisticated technical methods, hackers may rely on the good old ways that have worked for ages. Having obtained a victim’s phone number, they may send a message containing a malicious link and urging the recipient to click on it. If it works, they may get access not only to the victim’s messages but to any other information stored on the smartphone.

4)   Social engineering

Other social engineering attacks work just as well. The most typical scenario has hackers gathering their victims’ personal information and calling phone companies to request a secondary SIM. Once the new SIM is shipped, they intercept its delivery and gain control over the victim’s phone number. After that, they have access to every SMS code they need.

5)   Marketing SMS services

Worst of all, hackers may simply gain access to your messages through the various marketing services designed for sending those annoying ads in bulk. All that the malefactors have to do to reroute the messages is pay a small fee for such a service. The lack of proper regulation in this area, combined with a few simple actions, results in massive data leaks. Motherboard, a popular cybersecurity podcast, published a detailed explanation on Vice last year.

Although the methods described above mostly refer to traditional platforms, they work just as well against blockchain-based services that let their users buy crypto, because these companies rely on the same insecure SMS verification. If your digital wallet or your account on an online exchange is protected by nothing but SMS authentication, a hacker may easily gain access to your funds.

Once compromised, your crypto will be lost with no chance of recovery. Since the blockchain does not forgive mistakes and has no refund option, there will be no way to retrieve your money. Don’t say we didn’t warn you.

2FA: how can I protect my cryptocurrency?

Worries aside, there are still many other options to secure your digital assets without having to purchase an inconvenient cold wallet. Here are a few tips:

  • Set up strong passwords. First things first, protect your account at the most basic level. Forget about “password123”, “qwerty” and other commonly used passwords. Use combinations of digits, letters, and special characters that are hard to guess. If you find it hard to remember many different passwords, use a password manager.
  • Implement app-based authentication. Google Authenticator, Authy, and Microsoft Authenticator are some of the most popular options compatible with most applications. Typically, exchanges and other blockchain services offer this feature for financial operations such as buying and selling crypto.
  • Set up biometric authentication. Popular exchanges such as Binance and Huobi long ago implemented face-based biometric verification, which is one of the most convenient options from the end user’s point of view.

Keep in mind, though, that if you store your crypto in a hot wallet, there is always a risk of your account being hijacked. Therefore, the more layers of security you add, the better. You don’t have to be the fastest in this security race; you only need a better security level than other, less fortunate cryptocurrency users.

  • Store your funds in a cold wallet. Assume you have purchased some crypto and now hold it long-term, waiting for a high ROI. For greater security, you may get a hardware wallet from popular vendors such as Trezor or Ledger. However, you would need to take care of its physical security yourself. In addition, such wallets are usually not user-friendly, which complicates matters for non-tech-savvy users.

If you prefer to outsource the whole process, VAULTALP could be of great assistance. Our service can relieve you of all these headaches while providing institutional-grade security for your assets combined with full insurance protection.


Lee Fuller, WordPress Developer, UK