In a display of 2FA’s issues, unauthorised transactions approved without users’ authentication took money from 483 accounts.
Crypto.com acknowledged that it had lost $34.65m worth of cash, Bitcoin & Ethereum after getting attacked in an attack that slipped big transactions past 2-factor authentication (2FA).
Users had complained that their accounts had been drained: thievery that the cryptocurrency exchange initially denied. Crypto.com wrote on Twitter that “a small number of users are reporting suspicious activity on their accounts,” but that “all funds are safe.”
Customer Funds
The company’s CEO, Kris Marszalek, reiterated in a tweet that “no customer funds were lost.”
Now, Crypto.com has acknowledged that the total amount of the loss exceeds $300m – far more than was 1st estimated – but that all customers had been reimbursed.
The company also explained that the thieves pulled it off by going past the exchange’s 2FA system.
Losses
Despite customers having reported losses, Crypto.com’s last statement stated that the robbery occurred the previous Mon. at about 12:46 am UTC.
That is when the exchange’s risk monitoring systems noticed unauthorised transactions coming out of 483 accounts & being approved without users’ 2FA authentication. The company did not immediately respond to a request for clarification on the timeline or an update on its investigation.
Suspended Withdrawals
Crypto.com immediately suspended withdrawals on the platform as it investigated. The exchange fully restored the affected accounts, revoked all 2FA tokens & added additional security hardening measures, requiring all customers to re-login & set up their 2FA token.
Withdrawals were suspended for about 14 hours, & withdrawals resumed that Tues. at 5:46 PM UTC.
Before it stopped withdrawals, Crypto.com lost 836.26 ETH & 443.93 BTC, which equalled around $15.54m & $19.04m, respectively, as of last reckoning. The exchange reported that it lost $66,200 worth of other currencies, too.
Theft
Marszalek acknowledged the theft in an online interview with Bloomberg, confirming that around 400 user accounts were indeed compromised & had funds drained as a result. Marszalek did not give details of how, exactly, attackers pulled off the breach.
He played down the value of the lost funds, remarking that “One has to remember that, given the scale of the business, these materials are not particularly material,” & adding that “customer funds were never at risk.”
Rubbish that 2FA
Crypto.com explained that it is abandoned its 2FA “in an abundance of caution” & has migrated to a “completely new 2FA infrastructure.”
“2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect,” the exchange outlined. “We have mandatory 2FA policies on both the frontend & backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to setup & use 2FA in order to withdraw.”
Crypto.com also introduced an additional layer of security, adding a mandatory 24-hour delay between registration of a new whitelisted withdrawal address & 1st withdrawal.
Time Delay
There will be a time delay in between notifications of withdrawal addresses having been added, to give users enough time “to react and respond,” the exchange stated.
The notifications will also include instructions on contacting the exchange if the address whitelisting was unauthorised.
Crypto.com explained that it has done a full, internal audit of its infrastructure & has implemented additional, unspecified security-hardening measures. It is also brought in 3rd-party security firms to perform additional security checks on its platform & to initiate “additional threat intelligence services.”
Security Features
The exchange plans to release additional end-user security features as it moves away from 2FA & on to what it called “true” multifactor authentication (MFA).
Finally, Crypto.com is introducing the Worldwide Account Protection Program (WAPP) to offer additional protection & security for user funds held in the Crypto.com app and the Crypto.com Exchange. Designed to protect user funds against unauthorised withdrawals, WAPP restores funds up to USD $250k for qualified users.
To qualify for WAPP, users are required to enable MFA on all transaction types where it is available, set up an anti-phishing code at least 21 days prior to the reported unauthorised transaction, keep off of jailbroken devices, file a police report & provide a copy of it to Crypto.com, & complete a questionnaire to support a forensic investigation.
Highest Priority
“The safety of our customers’ funds is our highest priority, & we are continually enhancing our Defence-in-Depth security & protection measures,” Marszalek explained.
“While we are reminded of the existence of bad actors intent on committing fraud, this new Worldwide Account Protection Program, along with our new MFA infrastructure, gives our users unprecedented protection of their funds, & hopefully, peace of mind.”
What’s Weak About 2FA?
2FA combines …
- Something you know, such as a password or PIN,
- Something you have, such as a mobile phone, smart card, or USB token, and/or
- Something you are, such as voice prints, fingerprints, or iris prints.
Unfortunately, the “something you know” slice of the pie is often an easily guessed, or phished password. The “something you have” is usually a mobile phone, which is verified using a texted password that can be intercepted.
MFA is considered stronger than 2FA in that it adds more factors of authentication, eliminating security threats associated with 2FA. There are several ways to attack 2FA, including but not limited to:
Social engineering. As Coinbase noted when 6,000 of its customers got ripped-off in Oct. 2021, users’ email addresses, passwords, phone numbers & personal email inboxes are often gained through phishing attacks or other social engineering techniques that trick victims into disclosing their login credentials.
“Since cryptocurrency is still a relatively new technology, it presents an opportunity for threat actors to socially engineer targets,” observed Hank Schless, Senior Manager, Security Solutions at Lookout. “Crypto investors are constantly looking for an edge in the market or what the next big currency that’s going to explode in value.
Malicious Apps
Attackers can use this desire for information to get users to download malicious apps or share login credentials for legitimate trading platforms they use.”
An attacker can then use the malicious app to take additional data from the device it is on or take the login credentials they’ve stolen & try them across any number of cloud apps used for both work & personal life, Schless outlined.
“In order to increase the likelihood of success, attackers target users across both mobile devices & cloud platforms,” he continued.
“For example, at Lookout, we discovered almost 200 malicious cryptocurrency apps on the Google Play Store. Most of these applications advertised themselves as mining services in order to entice users to download them.”
Cookie session hijacking. Cookie theft, also called session hijacking or pass-the-cookie attack, involves a thief inserting themself between a computer & a server in order to steal what’s known as a magic cookie: a session that authenticates a user to a remote server.
After stealing the cookie, an intruder can monitor & potentially capture everything from the account & can take full control of the connection.
It happened to Google in Oct. 2021, when it caught & brushed off a bunch of cookie-stealing YouTube channel hijackers who were running cryptocurrency scams on, or auctioning off, ripped-off channels.
Duplicate code generators. As security journalist Brian Krebs has reported, these days, there are bot-based services that make it “relatively easy” for crooks to phish one-time passwords (OTPs) from targets.
They are designed to trick victims into giving up those OTPs, which crooks can use to take over an account, assuming they’ve 1st filched a target’s login credentials. In the earlier days of authentication, attackers have also used trojans to intercept OTPs.
‘That’s Where the Money Is’
Neil Jones, cybersecurity evangelist for Egnyte, was unsurprised by the fact that criminals would target a cryptocurrency exchange, nor that they stole $34.6m. Just like Willie Sutton answered when asked why he robbed banks, “That’s where the money is.”
No, what surprised Jones was that nearly 500 users were robbed.
He outlined a few lessons from the security breach, including:
- The importance of an effective 2FA solution that prompts end-users for additional verification when large transactions occur unexpectedly.
- The need for a current & road-tested incident response plan.
- The requirement for end users to be notified promptly & accurately when cyber-attacks take place, to help protect brand reputation.
Cryptocurrency Markets
More breaches are inevitable, states Jones. Companies “should keep posted for developments in this space, as this likely isn’t the last breach you’ll see in the cryptocurrency markets,” he predicted.
Rick Holland, Chief Information Security Officer & VP, or strategy at Digital Shadows, pointed out that Crypto.com is a significant cryptocurrency exchange, & thus makes an inviting target for criminals.
“The cryptocurrency space is a perfect storm of opportunity for cyber-criminals,” Holland observed. “It is cross-border, unregulated, speculative, & experiencing a gold rush of vulnerable investors who don’t understand the risks. There is also a higher bar for technical knowledge if you want to invest in crypto.”
Example
He gave an example: using an offline hardware wallet (e.g., Ledger) which he praised as “a great way to reduce the risk of losing your crypto should an exchange be compromised.”
However, it is easier said for the none technical, he noted: “Setting up one of these wallets & moving your crypto from exchanges isn’t trivial & is too high of a bar for many crypto investors. Ordinary people struggle with passwords, so using 24-word seed phrases on top of them doesn’t make for the most practical user experience.”
As for what crypto-platform providers like Crypto.com should do to avoid massive breaches like this one, Lookout’s Schless had a recommendation: “Ensure that employees are protected & don’t become conduits for cyber-criminals to make their way into the infrastructure,” he explained.
Mobile Phishing
“Employees are constantly targeted by mobile phishing & other attacks that would give a cyber-criminal a backstage pass to the company’s infrastructure,” Schless expanded.
It is advisable to throw some upper-tier security at the risk, he observed:
“The risk of this happening can be reduced by implementing a powerful combination of a unified mobile threat defence (MTD) & cloud access security broker (CASB) solution that can protect the user on the endpoint & recognise anomalous activity indicative of a compromised employee account.”