Another sim swap scam

[Oshosondy]

Sim swap attack is not new but people are still getting scammed because of it. See Jared Ferguson that filed a lawsuit against Coinbase, likely he can not win. Coinbase encourage their customers to use 2FA app.

The crypto community is debating whether SMS two-factor authentication (2FA) should ever be used for account security following news that a Coinbase customer is suing the cryptocurrency exchange for $96,000.

On Mar. 6 Jared Ferguson filed a lawsuit against Coinbase in the United States District Court for the Northern District of California, claiming he lost “90% of his life savings” after funds were withdrawn from his account by identity thieves and Coinbase had refused to reimburse him.

Ferguson is said to have fallen prey to a type of identity theft known as “sim-swapping,” which allows fraudsters to gain control of a phone number by tricking the telecom provider into linking the number to their own sim card.

This type of scam has happened several times without number but still people are just adamant until they are attacked. 2FA apps are free applications.

How can I prevent a phone-based attack?
To help protect your Coinbase account from this type of attack, we highly recommend using a stronger form of 2-step verification, such as Universal 2nd Factor (U2F) with a security key or Time-based One Time Password (TOTP) with a mobile authenticator app like Duo or Google Authenticator. Learn more about keeping your Coinbase account secure.

Even if many Coinbase and other platform users read this, they will not be bothered by it. You can see a report recently that said that over 89% of US are using centralized platforms like banks and exchanges for their crypto holdings? People are people, they do not want to learn until they are scammed, or their account or wallet is hacked.

https://cointelegraph.com/news/89-still-trust-centralized-custodians-despite-2022-s-collapses-survey


If you are not trading, get your coins out of exchanges and other centralized platforms, use a noncustodial wallet that you have control over and be careful of scammers and other attackers, be careful of malware. But if you are a crypto trader, secure the money you have on the exchange or other centralized platforms with 2FA app, the 2FA app should be on another device.

[Potato Chips]

It's definitely the users responsibility to secure their account but CB could do better when it comes to getting people off SMS 2FA. At the very least, it should be tagged as weak (or something similar) and not "moderately secure" as this could make people complacent. I'm not sure if this has been changed but when you sign up, there's a step called 2fa but you can only setup SMS 2fa...

[Rikafip]

Sim swap attack is not new but people are still getting scammed because of it. See Jared Ferguson that filed a lawsuit against Coinbase, likely he can not win. Coinbase encourage their customers to use 2FA app.

First and foremost he should blame himself for that because who in the right mind stores 90% of the life savings on the exchange and 2nd, how exactly is that Coinbase fault that he got sim swapped? Anyway, good luck to him with the lawsuit.

You can see a report recently that said that over 89% of US are using centralized platforms like banks and exchanges for their crypto holdings? People are people, they do not want to learn until they are scammed, or their account or wallet is hacked.

I am not surprised at all to see that majority haven't learned anything from what happened to others and many don't learn even after they lose the money themselves. I know some people that lost money on both Celsius and FTX and they still keep large amount of money on Binance, thinking that they are too big to fail.

[Oshosondy]

It's definitely the users responsibility to secure their account but CB could do better when it comes to getting people off SMS 2FA. At the very least, it should be tagged as weak (or something similar) and not "moderately secure" as this could make people complacent. I'm not sure if this has been changed but when you sign up, there's a step called 2fa but you can only setup SMS 2fa...

Sim authentication is the worst that we know of. The best are 2FA and password, but I have only noticed password (that users can set) on Kucoin, but maybe probably on Binance which I have not set before which was adviced while making fiat transaction on Binance. These are the two best that exchanges need to let users know and enabling the two is perfect. You are not wrong, there should be something like a disturbance notification which can make people to set 2FA instead, but most exchanges are not doing that. But I am always surprised that people can be comfortable without 2FA setup, as for me, I can not be comfortable unless I set it, even as I have only trading funds on the exchanges.

First and foremost he should blame himself for that because who in the right mind stores 90% of the life savings on the exchange and 2nd, how exactly is that Coinbase fault that he got sim swapped? Anyway, good luck to him with the lawsuit.

I accept this because you are also right, I am still also wondering that people that are not traders are leaving money on exchanges, this is where I saw the report but which is a survey though:

https://cointelegraph.com/news/89-still-trust-centralized-custodians-despite-2022-s-collapses-survey

What I have noticed is that people can never learn or change, or maybe they do not know the right thing to do by not knowing how not secure exchanges are and how they do not have control over their assets, that exchanges are the ones that have the control and doing it on their behalf.

[Z-tight]

What I have noticed is that people can never learn or change, or maybe they do not know the right thing to do by not knowing how not secure exchanges are and how they do not have control over their assets, that exchanges are the ones that have the control and doing it on their behalf.

"Some exchanges are too big to fail" is what many people use to defend their actions of leaving funds in exchanges, i have a friend who recently bought BTC and held them in his Binance wallet, i told him to move his funds to an electrum wallet were he would own the keys to his funds, but my friend told me he read somewhere that 99% of people will lose crypto in self custody.

This is just one of the many lies and marketing strategy that CZ uses to deceive people into storing their funds in his exchange, imagine someone believing that they cannot write down 12-24 words and keep it safe, because CZ says their funds are 'safu' with them.

[albon]

SIM Swap Attack Although most people know about this attack, they don't think about it, and they neglect to increase the security of their account; if someone has important funds on an exchange platform, then it is foolish to ignore using 2FA or U2F because scammers look highly at the exchange platform and its clients are always targeted because the centralized exchange platform is a financial institution that has billions of dollars of users’ funds, so I agree with you OP, the centralized exchange platforms are not a safe place to save funds, so whoever wants to trade can transfer part of his funds only to the exchange platform at the time of need and not all he owns, and he must use the Google Authenticator application without other applications, or uses U2F technology, it is more secure than 2FA, but I do not think that all exchanges now support it.

[tabas]

Yeah, it's been happening and saw a lot of news about it years ago and it won't stop until these users learn their lessons of activating 2FA or simply put away their funds from centralized exchanges. I cannot imagine if the amount of the assets he's got is around $90k and let it sit on Coinbase for nothing. I'm not victim blaming but everyone who's got huge funds that are trusting these exchanges will not refund any of your loss whenever your account becomes hack or you become the next sim swap scam victim.

[Plaguedeath]

I wonder why Coinbase didn't freeze the funds because when the thieves login with Jared Ferguson's account, the IP address and device used by the thieves is different with Jared Ferguson. I don't think $90K is small money for developed country, they should use security check and manual withdrawal on big amount money. Despite how many people are complaining Coinbase is strict and tend to freeze someone funds, but they're not freeze the funds in this important situation.

[hugeblack]

It seems like a desperate attempt from him to get his money back or at least force Coinbase to track down the scammers who stole his coins. After all, Coinbase has a huge database and you can provide him with more information, but isn't it logical to delete this option since it is no longer safe?
I do not remember the last time I entered my phone number for a site or platform, and therefore this method should not be used except in a limited range.

[stompix]

First and foremost he should blame himself for that because who in the right mind stores 90% of the life savings on the exchange and 2nd, how exactly is that Coinbase fault that he got sim swapped? Anyway, good luck to him with the lawsuit.

This is really weird, why is he suing Coinbase and not his telecom provider?
It was T-Mobile that allowed a stranger to gain access to his sim and telephone number, how could Coinbase verify every time it's the actual owner of the sim and not an attacker doing so?

His claims are based on old cases rulings that if a bank accepts an un-authorized transfer they must refund the account in question, but this was not an unauthorized transfer, if this passes on then I can simply tell all my relatives my login details and then claim every single penny back from the exchange as it was an unauthorized access since I'm not the one doing it.

I wonder why Coinbase didn't freeze the funds because when the thieves login with Jared Ferguson's account, the IP address and device used by the thieves is different with Jared Ferguson.

Because most likely they used that smartphone with the cloned IP to log in, so it would still shave a T-Mobile-owned IP address.
I don't know how things work in the US but here with both operators as I travel a lot I see my Ip changing on my smartphone every day so you can't put that much trust in it and it would only lead to thousands of accounts being frozen every day and customers just quitting. And furthermore, even if they would have frozen that account, the unlocking happens via 2FA wit an sms code, it's not like they are going to ask you for a full KYC again.

[Darker45]

I feel terribly sorry for this guy. He doesn't seem to know what he's doing. He's clueless.

First, although this might be an exaggeration to earn sympathy and make his case sound more serious, he's keeping 90% of his life savings not just in a single basket but also in the most wrong of places.

Second, he doesn't seem to be aware of all the necessary measures to keep his account safe. SMS OTP is definitely not enough. Especially with as big a savings as $96,000 in his account, he should have maximized all security features Coinbase has to offer.

Third, he doesn't seem to understand what a sim-swap attack is. That's why he's barking at the wrong tree. Rather than asking the refund from Coinbase, he probably should try asking it from his sim provider instead.

[Franctoshi]

This is just one of the many lies and marketing strategy that CZ uses to deceive people into storing their funds in his exchange, imagine someone believing that they cannot write down 12-24 words and keep it safe, because CZ says their funds are 'safu' with them.

In this case I would like to think that such person or set people are lazy ones if they can't take good custody of their own money, then whom else?. Must take full responsibility of whatever that may happen to their money on CEX and not put the blame on anyone, though we may face some kind of difficulties or challenges in trying to keep our keys safe, however that should not stand as a point or a ground for finding Centralized exchanges as being more useful and not storing their cryptos in the right place where they have their keys.

[Saisher]

Two things Coinbase can negotiate to help track the scammers it's cheaper to do that than face a lawsuit and spend money on lawyers and the possibility that they lose the case and pay him, or the court compel Coinbase to help him track the scammers or pay him for the missing funds since in the first place they should do away that feature because of the sim swap, its the weakest form of security exchange can employ.
Investors should choose the best possible option to secure their account, 2FA is the safest so it should be the priority  Jared Ferguson may be ignorant about sim swaps because if he is aware of it, he'll go for the safest and secure one.