CertiK

CertiK says SMS is the ‘most vulnerable’ form of 2FA in use

The level of security provided by SMS pales in comparison to authenticators or physical security keys, CertiK’s Jesse Leclere says in an interview.

Using SMS as a form of two-factor authentication has always been popular among crypto enthusiasts. After all, many users are already trading their cryptos or managing social pages on their phones, so why not simply use SMS to verify when accessing sensitive financial content?

Unfortunately, con artists have lately caught on to exploiting the wealth buried under this layer of security via SIM-swapping, or the process of rerouting a person’s SIM card to a phone that is in possession of a hacker. In many jurisdictions worldwide, telecom employees won’t ask for government ID, facial identification, or social security numbers to handle a simple porting request.

Combined with a quick search for publicly available personal information (quite common for Web3 stakeholders) and easy-to-guess recovery questions, impersonators can quickly port an account’s SMS 2FA to their phone and begin using it for nefarious means. Earlier this year, many crypto Youtubers fell victim to a SIM-swap attack where hackers posted scam videos on their channel with text directing viewers to send money to the hacker’s wallet. In June, Solana nonfungible token (NFT) project Duppies had its official Twitter account breached via a SIM-Swap with hackers tweeting links to a fake stealth mint.

I regard to this matter, Cointelegraph spoke with CertiK’s security expert Jesse Leclere. Known as a leader in the blockchain security space, CertiK has helped over 3,600 projects secure $360 billion worth of digital assets and detected over 66,000 vulnerabilities since 2018. Here’s what Leclere had to say:

“SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use. Its appeal comes from its ease of use: Most people are either on their phone or have it close at hand when they’re logging in to online platforms. But its vulnerability to SIM card swaps cannot be underestimated.”

Leclerc explained that dedicated authenticator apps, such as Google Authenticator, Authy or Duo, offer nearly all the convenience of SMS 2FA while removing the risk of SIM-swapping. When asked if virtual or eSIM cards can hedge away the risk of SIM-swap-related phishing attacks, for Leclerc, the answer is a clear no:

“One has to keep in mind that SIM-swap attacks rely on identity fraud and social engineering. If a bad actor can trick an employee at a telecom firm into thinking that they are the legitimate owner of a number attached to a physical SIM, they can do so for an eSIM as well.

Though it is possible to deter such attacks by locking the SIM card to one’s phone (Telecom companies can also unlock phones), Leclere nevertheless points to the gold standard of using physical security keys. “These keys plug into your computer’s USB port, and some are near-field communication (NFC) enabled for easier use with mobile devices,” explaine Leclere. “An attacker would need to not only know your password but physically take possession of this key in order to get into your account.”

Leclere pointed out that after mandating the use of security keys for employees in 2017, Google has experienced zero successful phishing attacks. “However, they’re so effective that if you lose the one key that is tied to your account, you will most likely not be able to regain access to it. Keeping multiple keys in safe locations is important,” he added.

Finally, Leclere said that in addition to using an authenticator app or a security key, a good password manager makes it easy to create strong passwords without reusing them across multiple sites. “A strong, unique password paired with non-SMS 2FA is the best form of account security,” he stated.

CertiK shares security tips following third BAYC security compromise in six months

According to CertiK, investors should be highly skeptical of free NFT giveaways, as well as small peculiarities in sites they interact with.

On June 4, the popular nonfungible token, or NFT, project Bored Ape Yacht Club (BAYC) suffered its third security compromise this year. Nearly 142 Ether (ETH) ($250,000) worth of NFTs was stolen after hackers gained access to the Discord account of a BAYC community manager and posted a message with a link to a fake website.

The link advertised a limited-time free-NFT giveaway to users who connected their wallets, which were then drained of NFTs. During two prior occasions in April, hackers breached BAYC’s Discord and Instagram pages and managed to siphon 91 NFTs, worth over $1.3 million at the time of the second attempt, via a phishing link. 

As told by blockchain security firm CertiK, hackers quickly moved stolen funds to obfuscation platform Tornado Cash, making it impossible to trace any further flow of funds on the blockchain. In a statement to Cointelegraph, sources at CertiK explained that however legitimate the project may seem, “NFT holders should also be highly suspicious of anyone claiming to offer free assets, as these can often be phishing attacks.” In addition, CertiK wrote:

“In the case of the June 4th attack, the malicious carbon-copy site had some small differences. Firstly, there were no links to social media sites on the phishing site. There was also an added tab titled “claim free land” and specifically targeted popular NFT projects.”

As a precautionary measure, Certik recommended crypto enthusiasts look for subtle peculiarities on such sites, as they are frequently an indicator of malicious activity. “At the very least, users engaging with such giveaways should always make an effort to confirm the legitimacy of the site by comparing it with a known and confirmed site and looking for any discrepancies,” they concluded.