Three ways to prevent exchange hacks—how 3FA can foil cryptocurrency exchange robberies

The recent hack of the world’s biggest cryptocurrency exchange, Binance, highlights the need for heightened security in the crypto space.

Quote:
In what Wired reported as “a ‘large-scale security breach,’ hackers stole not only 7,000 bitcoin—equivalent to over $40 million ($56 million at the time of this writing, just one week later)—but also some user two-factor authentication codes and API tokens.”

This is just one of the many cryptocurrency heists totaling 100s of millions of dollars that CipherTrace has reported on in the last year.

Why are sophisticated hackers targeting the crypto space? Because, obviously, that’s where the money is. The huge hot wallet stash looted from Binance represented only about 2 percent of the exchange’s reserves. And, if this is the rumored ‘Crypto Spring’ to the recent winter, then as valuations begin to rise dramatically expect things to get worse.

The good thing for the industry is that Binance did the right thing—they were transparent and didn’t delay in reporting the theft, announcing it the same day it was discovered. “The hackers used a variety of techniques, including phishing, viruses and other attacks,” according to Binance CEO Changpeng Zhao in a May 7 blog post.

Quote:
“The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks.”

Moreover, Zhao announced that no customer funds would be used to cover losses, as Binance had set up a self-insurance fund in 2018 that accrues 10 percent of all trading fees in a separate cold wallet.

How did the theft occur? We are currently researching the attack, but from what we know Binance had the current state of the cybersecurity art in place. The attacker(s) probably used a password stolen in a phishing attack, or they exploited a combination of vulnerabilities.

As Chairman of the Anti-Phishing Working Group, an organization that has been fighting eCrime and phishing for more than 16 years, I can tell you it’s highly likely that phishing was an attack vector.

Spear phishing (targeted attacks on high-value individuals) and business email compromise (BEC) are getting a lot worse. And phishers are casting their nets—and spears—at crypto companies in particular. The Binance hack could have been an employee being duped into giving a password by a clever email ruse. It could have been phishing plus fileless malware or an APT. It could have stemmed from any number of vulnerabilities typically present in the attack surface of such a large, global IT network.

Time to triple-down on security

Two-factor authentication (2FA) is no longer strong enough, and SMS is a weak second factor. As was detailed in the CipherTrace Q4 2018 Crypto AML report, attackers often “port” phone numbers in order to receive SMS text messages that are used in a number of 2FA systems. Which obviously means this approach is not secure. But, by having an authentication app on the phone, instead of relying on SMS text message codes, companies are protected even if an employee’s phone is hijacked or SIM-swapped.

So what can and should exchanges do to prevent thefts? In our opinion, given the ever-increasing sophistication and persistence of the bad guys, there’s only one viable solution at the moment. Well, there are three, actually.

The answer is three-factor authentication (3FA)—two things they have, and one thing they know. To access the network, exchange employees should be required to use an authentication app on their phone, a certificate on their computer to access the corporate VPN, and a password. That way, if criminals phish an exchange worker’s password or break it with brute force, they’re still not getting in. Plus, unlike passwords, certificates can be revoked.

The attacker can gain the password and even compromise one of the user’s devices but that won’t get all three factors. And without compromising all three factors, they’re not getting in. Three-factor is the new strong auth. It may sound like this proposal puts an onerous burden on employees, but having a certificate on the computer takes no day-to-day effort.



source https://cryptoslate.com/three-ways-to-pr...robberies/
by Dave Jevans

