How Phishers Take Your One-Time Passwords

One-time passwords (OTPs) are a ubiquitous form of two-factor authentication (2FA) these days. But are they secure? Most people trust that their OTPs won’t be compromised during the short period in which they are active—and that’s usually true. However, a new phishing tactic has emerged that leverages social engineering and 2FA to trick users into giving up their OTPs so hackers can access their accounts.

Recently, cybercriminals targeted users of crypto-wallet provider Coinbase with this type of scheme. Attackers created phishing emails that asked known active users to visit and log in to (or grant direct access to) their Coinbase accounts. The users clicked the social engineering link, which brought them to a fake Coinbase landing page. This site allowed hackers to interact with victims in real time under the guise of a website login. Users shared their email addresses, passwords, phone numbers, OTPs, and other personal information through this interface. These bad actors were able to steal from over 6,000 customers using this method before Coinbase identified the operation and shut it down.

The Coinbase phishing scheme represents an evolution in the threat landscape. This methodology, paired with the ubiquity of OTP login protocols today, presents a real and present threat to individuals and businesses alike—and proves the value of certificate based passwordless authentication. Modern authentication should be both user friendly and secure. OTP should be considered a legacy technology that was meant as a bridge from the username/password dominated world of the past to the present where better passwordless technologies exist. Enterprises that conduct business that may be vulnerable to a hack of this nature may want to invest in certificate based authentication like passwordless to help users identify and avoid phishing.

For more insight into the Coinbase phishing hack and what it means for your enterprise security, listen to Root Causes, episode 190, “Phishing Coinbase.”