SMS

Debate over 2FA using SMS after SIM-swapping victim sues Coinbase

While members of the crypto community are doubtful the lawsuit against Coinbase will be successful, it has sparked a conversation about the issues with SMS 2FA.

The crypto community is debating whether SMS two-factor authentication (2FA) should ever be used for account security following news that a Coinbase customer is suing the cryptocurrency exchange for $96,000.

On Mar. 6 Jared Ferguson filed a lawsuit against Coinbase in the United States District Court for the Northern District of California, claiming he lost “90% of his life savings” after funds were withdrawn from his account by identity thieves and Coinbase had refused to reimburse him.

Ferguson is said to have fallen prey to a type of identity theft known as “SIM swapping,” which allows fraudsters to gain control of a phone number by tricking the telecom provider into linking the number to their own SIM card.

This allows them to bypass any SMS 2FA on an account, and in this situation allegedly allowed them to confirm the withdrawal of $96,000 from Ferguson’s Coinbase account.

Ferguson claimed he lost service after his phone was hacked on May 9, and noticed the funds had been taken from his Coinbase account after getting a new SIM card and restoring his service as per instructions from his service provider T-Mobile.

T-Mobile was previously sued by a SIM-swapping victim in February 2021 following the theft of approximately $450,000 worth of Bitcoin (BTC).

Coinbase denied any responsibility for the hack of Ferguson’s account, telling him in an email that he is “responsible for the security of your e-mail, your passwords, your 2FA codes, and your devices.”

Members of the crypto community were generally doubtful that Ferguson’s lawsuit would be successful, noting that Coinbase encourages the use of authenticator apps for 2FA rather than SMS and describes the latter as the “least secure” form of authentication.

Some Reddit users discussing the lawsuit in a post titled “Never Use SMS 2FA” went as far as suggesting SMS 2FA should be banned, but noted that it was the only authentication option available for many services, as one user said:

“Unfortunately a lot of services I use don’t offer Authenticator 2FA yet. But I definitely think the SMS approach has proven to be unsafe and should be banned.”

Blockchain security firm CertiK warned of the dangers of using SMS 2FA in September, with its security expert Jesse Leclere telling Cointelegraph that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use.”

Leclere said dedicated authenticator apps like Google Authenticator or Duo offer nearly all the convenience of using SMS 2FA while removing the risk of SIM swapping.

Reddit users shared similar advice but added that authenticator apps on phones also make that device a single point of failure, and recommended the use of separate hardware authentication devices.

Bitcoin without internet: SMS service allows sending BTC with a text

“A person literally without no internet access can go from having no Bitcoin to having Bitcoin and then go to spending Bitcoin,” Kgothatso Ngako explains.

An innovation using the cellular network (GSM) could onboard millions of Bitcoin (BTC) users previously unreachable by the internet-dependent Bitcoin protocol. Built by South African developer Kgothatso Ngako, the new SMS-based service is named Machankura, a slang South African word for money.

KG, as he’s known to his friends, spoke to Cointelegraph from Pretoria, South Africa, about his fascination with Bitcoin and the hope that Bitcoin via text will bring BTC to millions of Africans.

An English speaker, KG streamed audiobooks and podcasts religiously on the way to work when he first learned about Bitcoin. As he fell down the Bitcoin rabbit hole, his 20-minute commute became a two-hour wander to the Council for Scientific and Industrial Research (CSIR) in South Africa, where he worked as a software developer.

In a separate interview, Master Guantai, founder of Bitcoin Mtaani, told Cointelegraph, “The number of cellphones in Africa is double the number of people.” However, internet-enabled smartphone penetration remains low.

In Kenya, Guantai’s home country, he explains that topping up a phone with airtime is as common as credit card payments in the West. A report by Caribou backs up the statement: 94% of financial transactions in Africa are through USSD, the protocol used to send text messages, whereas just 6% of these transactions are made via mobile apps.

In sum, while there are millions of phones in Africa, they’re mostly used for texting. KG had stumbled onto something that could be huge for Bitcoin adoption in Africa.

“This year, a lot of conversations in the space were around USSD or making Bitcoin accessible on feature phones—this could be a part-time project–let me just set it up. And that’s basically how Machankura came to be!”

KG started by building an African language translation project, Exonumia, which now provides Bitcoin-related education in dozens of languages. He explained to Cointelegraph that if we make Bitcoin more accessible to Africans, then, as a consequence, they will learn about money and find a way to improve their quality of life.

Once Exonumia picked up steam, he asked, “what are the other barriers to accepting Bitcoin? Language is one–the other is internet access.” He sums up the internet in Africa as a space dominated by big applications such as Instagram and Facebook. The problems inherent to smartphone users are having enough space on phones, internet connectivity and price.

KG shares screenshots of Machankura in action.

KG coded up Machankura to solve those problems, explaining, “The major focus is on spending and receiving Bitcoin.” KG explains how it works: Users dial a number and are then introduced to a menu where they can learn more about Bitcoin or register an account. “All you need to register an account is a 5-digit pin, and from there on, you are presented with a different menu: Send and receive Bitcoin.”

Here is Paco, the Bitcoin traveler who won’t stop teaching people about Bitcoin around the world, demonstrating Machankura to a teacher in Nigeria, at Cointelegraph’s request.

As a result, Lightning wallet-compatible apps on phones or computers can send Bitcoin over the Lightning Network to the phone’s number—it has effectively become a Lightning address. Machankura has integrated with Bitrefill, an increasingly popular prepaid gift card service for Bitcoin in Africa. Plus, as of Wednesday, South Africans will be able to top up their Lightning wallets with credit from grocery stores in a partnership with “One for you,” a voucher provider.

As Ngako summarizes, “A person literally without no internet access can go from having no Bitcoin to having Bitcoin and then go to spending Bitcoin.”

Master Guantai also shares that it works well in six African countries already. Plus, popular exchange Paxful has already shown interest, Guantai explains, as the ease with which people can be onboarded using GSM is understated.

KG flags several potential concerns with the innovation, such as the government banning or reacting negatively to Bitcoin. The commission fees for buying the voucher could put people off, and KG acknowledges that in offering a centralized company to onboard people into Bitcoin, there’s a risk that they don’t spend the time getting to know the technology.

Plus, the service is custodial, a point that works against the Bitcoin ethos of “not your keys, not your coins.” So, he is looking for a way to use SIM cards as private keys.