Debate over 2FA using SMS after sim-swapping victim sues Coinbase

cointelegraph.com:

The crypto community is debating whether SMS two-factor authentication (2FA) should ever be used for account security following news that a Coinbase customer is suing the cryptocurrency exchange for $96,000.

On Mar. 6 Jared Ferguson filed a lawsuit against Coinbase in the United States District Court for the Northern District of California, claiming he lost “90% of his life savings” after funds were withdrawn from his account by identity thieves and Coinbase had refused to reimburse him.

Ferguson is said to have fallen prey to a type of identity theft known as “sim-swapping,” which allows fraudsters to gain control of a phone number by tricking the telecom provider into linking the number to their own sim card.

This allows them to bypass any SMS 2FA on an account, and in this situation allegedly allowed them to confirm the withdrawal of $96,000 from Ferguson's Coinbase account.

Ferguson claimed he lost service after his phone was hacked on May 9, and noticed the funds had been taken from his Coinbase account after getting a new sim card and restoring his service as per instructions from his service provider T-Mobile.

T-Mobile was previously sued by a sim-swapping victim in Feb. 2021, following the theft of approximately $450,000 worth of Bitcoin (BTC).

Coinbase denied any responsibility for the hack of Ferguson’s account, telling him in an email that he is “responsible for the security of your e-mail, your passwords, your 2FA codes, and your devices.”

Related: Hacker returns stolen funds to Tender.fi, gets $97K bounty reward

Members of the crypto community were generally doubtful that Ferguson’s lawsuit would be successful, noting that Coinbase encourages the use of authenticator apps for 2FA rather than SMS and