Cryptocurrency platform Coinbase has revealed user account takeover rates in an effort to encourage customers to upgrade their security settings.
Coinbase’s statistics show that about 95% of its customers are signed up for SMS-based two-factor authentication, the weakest 2FA method available. These same users made up 95.65% of all account takeovers that Coinbase had seen as of November 2022.
ATO stands for Account Takeovers. (credit: Coinbase)
Meanwhile, users who protected their accounts with stronger two-factor authentication modes, such as authenticator apps and security keys, accounted for less than 5% of account takeovers.
Coinbase requires all users to protect their accounts with two-factor authentication. This forces anyone logging in to supply both the correct password and a one-time passcode that is generated on their phone, making it much more difficult to hack.
The only problem? Not all two-factor authentication settings are created equal. By default, Coinbase secures user accounts with SMS-based 2FA, which is still vulnerable to hacking. This is because the one-time passcode is sent to the user’s phone through the cellular service provider. (The authenticator app, on the other hand, cuts out the cellular provider and generates a one-time passcode directly on the device.)
Over the years, hackers have shown that they can intercept SMS-based two-factor authentication codes by tricking cellular service providers into cloning a victim’s cellphone number onto a new SIM card, which they can then put into their own phones. These so-called SIM swap attacks can involve the hacker resorting to identity theft or bribing mobile operators to gain such access.
The results can be devastating for the victims. SIM swap attacks have helped cybercriminals steal cryptocurrency and even infiltrate major tech companies, including Reddit and Twitter.
In 2021, Coinbase itself revealed that hackers stole cryptocurrency from at least 6,000 users, likely through a combination of phishing emails and SIM swaps. The thefts have led an increasing number of consumers to file class action lawsuits against the cryptocurrency industry and cellular service providers for failing to protect their accounts from SIM swapping attacks.
As Coinbase noted in its disclosure: “While text-based two-factor authentication is much better than a simple username/password combination, it is not perfect.”
As a result, the company is urging users to switch to stronger two-factor authentication methods, which also include using the Coinbase app to send a push notification directly to the user’s smartphone to unlock access.
Interestingly, however, Coinbase’s stats reveal that even the strongest 2FA modes were not impervious to account takeover attempts. Accounts secured with authenticator apps accounted for 4.13% of account takeovers, and accounts protected with security keys accounted for 0.04%. This suggests that in those cases hackers either planted malware on the victim’s smartphone or obtained the user’s hardware security key.
Although 95% of Coinbase customers rely on a weak SMS-based 2FA mode, the company said those with high balances tend to adopt the strongest form of two-factor authentication.
“More than 5% of our user base has opted for push, time-based one-time passwords, and physical security keys — but these users account for over 57% of the assets we hold,” the company said.
Coinbase did not immediately respond to a request for comment, so it is unclear whether the company plans to retire SMS-based 2FA. In the meantime, users can upgrade their two-factor authentication method in their account settings.