Removing SMS 2FA for sign in and password recovery and advice on Email and Phone security

Skip to the bottom of this post if you just want information on setting up the Authy App and details of the additions we have made to our 2FA security processes.

As you may be aware from news stories in the press, there has been a recent increase in the instances of people having their mobile phone numbers taken over by malicious attackers via social engineering of mobile phone operator staff.

In summary, the attack involves a hacker contacting a victim’s phone operator and convincing a call centre agent to transfer the victim’s phone number to another, hacker-controlled SIM card. From there, the hacker resets the victim’s email using the SMS recovery option on their email account, by which point the hacker often has all the information they need to access the vast majority of the victim’s online accounts.

What makes this different from other attacks is that someone could have reasonably good security and it can still be circumvented.

To prevent this, we recommend that you do not in any way enable the use of your phone number to recover access to your email address or vice versa.

Below is a short summary of useful steps you can take to secure your email, mobile phone and phone number if you are not already doing so.

How to secure your email

All email systems are different, but at a high level we recommend the following:

  • Do not use SMS or voice for 2FA access to your email (unless there is no other option).
  • Do not use SMS or voice for password recovery for your email account (even if there is no other option).
  • Set up device-based 2FA solutions such as Authy* or Google Authenticator so that authentication is only possible if you have the actual phone and not just the phone number.
  • Only ever enter 2FA credentials directly on the site they are meant for. Do not pass the details on to anyone or approve a Google prompt or Microsoft Authenticator notification even if you have previously been contacted and told to expect this 2FA request.
  • Do not reuse passwords anywhere. One account, one password.
  • Do not use password hints.

* Although Authy asks for a phone number to ease setup, by default it does not allow switching physically to a new phone, even if the phone number has not changed. This protection should not be turned off (by allowing Multi Device 2FA) except for the period when you intend to add a new device (such as the Chrome App or a second known phone); Multi Device should then be disabled again immediately.

How to secure your mobile phone and phone number

  • Encrypt your phone.
  • Set up a lock screen password, PIN, etc.
  • Take advantage of any extra security features from your phone operator, such as requiring an extra PIN or password before changes can be made to your account.
  • If your phone stops working and a restart does not fix the problem, contact your phone operator immediately to find out why.
  • Contact your phone operator and, if possible, ask them to require you to personally go into an operator-owned store with a proof of identity in order to transfer your phone number to a different SIM card*.

* Unfortunately, this last suggestion is not foolproof and you must take action to secure your phone and email in order to limit the damage caused in the event a hacker succeeds in taking over your phone number.

Coinfloor’s security additions in light of the increased “phone number takeover” risk

Since day one, all Coinfloor users have been required to set up either Authy (SMS and App) or YubiKey Two-Factor Authentication. So if someone were to find out a user’s username and password, they would still not be able to log in to that user’s account without the user’s Authy One-Time Password token or YubiKey device. 2FA on Coinfloor is, and always has been, mandatory.

To help reduce the impact of a hacker taking over any of our users’ phones, we have also made the following recent additions to our security processes:

1. We have disabled SMS 2FA authentication for sign in and password recovery

If you have been using YubiKey, you are not affected by this change.

If you have been using SMS tokens to sign in to your Coinfloor account, you now need to install the Authy App and set it up using the same phone number to which you had been receiving the SMS. If you don’t have a smartphone or a tablet, or you use a Windows phone, you can install the app on your computer. The app is available for the following operating systems:

The device you set up with the Authy App will become “something you have” to sign in to your Coinfloor account with the One-Time Passwords generated by the app.
Once the app is set up, Coinfloor will automatically appear on your list of accounts, as you have already had your Coinfloor Authy account set up for the SMS service. Please note that the Authy App cannot be replaced by Google Authenticator.


2. We require more authentication / verification before changing 2FA settings

If you ever wish to change the 2FA details you store with us (i.e. switch between Authy and YubiKey or change phone number), you will be required to provide a selfie of your face while holding a valid Government ID and paper with text clearly confirming your wish to make the change along with the current date. This is in addition to the information we already require.

These are unfortunately less convenient processes than the ones we had before, but we feel that, as attention towards Bitcoin increases, they are now warranted.

Summary

The above advice goes beyond Bitcoin.  As we all grow to rely on the internet and our phones more, the cost of our smart devices and online accounts being hacked also increases.  Please be vigilant and hopefully you can prevent your phone or email being taken over or at least limit the damage significantly if they are.

Coinfloor Team

Helpful links:

What is a YubiKey?
Why YubiKey wins?
Buy a YubiKey compatible with your Coinfloor account
What is Authy?
Authy for PC – is this still Two-Factor Authentication if I am using the same device?
Using Multi-Device with Authy and device control
PCMag – Two-Factor Authentication: Who Has It and How to Set It Up