The thieves who stole $40 million from cryptocurrency exchange Binance got in the one way they weren’t supposed to: through the security system.
Two-factor authentication is supposed to be the gold standard in privacy and protection of Internet data, but in Tuesday’s $40 million heist from the top cryptocurrency exchange, it seems to have been the very thing thieves used to break into user accounts.
According to Binance’s official security breach update, “[h]ackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info. The hackers used a variety of techniques, including phishing, viruses and other attacks. We are still concluding all possible methods used.”
All withdrawals from Binance will be suspended for at least a week while Binance works on its security.
In a Twitter AMA, Binance CEO Changpeng “CZ” Zhao added, “It was a very advanced, persistent hacking effort. They used both internal and external methods to trap a lot of phish, and get a lot of user accounts.”
The attackers were very patient, he added, waiting until they had access to a large number of accounts with sizable Bitcoin (BTC) balances. The largest held more than 670 BTC, worth almost $4 million. In all they took 7,070 BTC, worth $42.1 million at press time. That was about 2% of Binance’s total Bitcoin holdings, he added. The theft came in a single transaction.
The lost funds will be covered by Binance’s Secure Asset Fund for Users (SAFU) which is funded with 10% of the trading fees Binance charges. That was set up on July 14, 2018, after an earlier hack.
Whether or not you use it, you certainly have access to 2FA; Twitter and Facebook offer it. Your bank very likely does as well, as all the major banks do. So does Google—which has a very popular app, Google Authenticator. That is the one Binance uses.
Virtually all cryptocurrency exchanges use 2FA too, at least in the form of a software generated one time password (OTP).
[Here’s a list from Two Factor Auth, which tracks companies in a variety of industries that use 2FA, and shames those that do not.]
A software OTP generally uses a smartphone app that generates a password good for a short period of time—30 seconds is common—that matches the value computed by the same generator on the company’s server. Authentication can also come from a log-in code sent via SMS—the most common method—or via email or phone.
An API key is a related credential that lets a user’s own software connect directly to the exchange’s server, bypassing the need for the user to enter a code at every login. A stronger way to enable 2FA is a physical token, supplied either by the company your account is with or as a third-party device from companies like Yubico.
Zhao told Binance customers to reset their account passwords and API passwords, and reset authenticators by disabling and restarting their Google Authenticator app.
How thieves can break 2FA
Zhao said the thieves used both internal and external methods. External phishing methods generally involve tricking someone into giving up a password by pretending to be from the company that issued it. Internal methods are trickier, and can involve insiders at the company that was hacked—Binance in this case—or at a company involved in the 2FA process. Often, this means getting control of the cell phone number on the smartphone that runs the authenticator app. That can be simpler than it sounds.
In January of 2018, CoinAgenda founder Michael Terpin claimed he lost $28.3 million in cryptocurrency after an AT&T employee working with a gang of thieves allowed a scammer to swap his SIM card information onto a new device, effectively giving them Terpin’s smartphone. He is suing AT&T for $228.3 million, including punitive damages.
It also happens on a smaller scale. In this Medium article, Cody Brown explains how he lost $8,000 worth of Bitcoin from Coinbase after a Verizon representative was tricked into allowing a scammer to take over his cell number. While he received a message from Verizon telling him he had authenticated his account on a different device, he was not able to reach fraud prevention in time and watched his account being drained live. While he had used Google Authenticator in the past, he had turned it off because of the inconvenience.
And it’s nothing new. In 2014, The Verge wrote about a $10,000 theft—then 10.6 bitcoin—from a Coinbase user’s account after his API key was compromised.
[Editor’s note: Modern Consensus’ editor in chief was the victim of a “porting” hack last year.]
So, maybe that thumb drive wallet in your desk drawer isn’t such a bad idea after all.