Maltese crypto broker Foris DAX MT Ltd., better known by its domain name Crypto.com, suffered a multi-million-dollar “bank robbery” earlier this month.
According to a short security report published yesterday, 483 customers experienced unauthorized withdrawals totaling over 4,800 ether tokens, over 440 bitcoin tokens, and over $66,000 in what are listed only as “other cryptocurrencies”.
Using approximate exchange rates from January 17, 2022 (ETH 1 = $3,300, BTC 1 = $43,000), the day the fraudulent transactions were discovered, the total loss from this heist comes to roughly $35,000,000.
What went wrong?
Crypto.com claims that “all accounts found to be affected have been fully recovered”, which we assume means that customers who suffered fraudulent withdrawals were reimbursed by Crypto.com itself.
The report did not detail how the crooks carried out the attack, but simply stated that “transactions were approved without the 2FA authentication control being entered by the user.”
The report doesn’t explain, or even mention, whether a 2FA code was entered by someone other than the customer to authorize the fraudulent withdrawals, or whether the 2FA part of the authentication process was somehow bypassed entirely.
This means we can’t easily say how or why the 2FA process failed, although several possible explanations come to mind.
If you’re wondering how your own 2FA system might fail, there’s a long list of possibilities to consider, including:
1. A fundamental flaw in the underlying 2FA system. For example, SMS-based systems that send one-time numeric codes drawn from a flawed random generator may produce guessable sequences, allowing an attacker to predict the correct code for some or all users.
2. A breach of the 2FA authentication database. For example, app-based code generators rely on a shared secret seed, which cannot be stored as a hash like a normal password: both the client and the server must have the seed in clear text at login time, so a server-side breach could give an attacker everything needed to compute the one-time code sequence for some or all users.
3. Poor coding in the online login process. A misconfigured authentication server may inadvertently let client login requests manipulate the configuration settings in use, for example by including undocumented HTTP headers or adding special URL parameters that accidentally override existing security precautions.
4. Weak internal controls for detecting risky behavior by support or IT staff. For example, an overly helpful (or willfully corrupt) insider might not need peer review or a second signature for major account changes. This is how the infamous 2020 Twitter hack happened: the accounts of Joe Biden, Elon Musk, Barack Obama, Bill Gates, Apple and other celebrities were taken over after helpful support staff let the attackers change the email addresses used to protect those accounts.
5. Fail-open behavior during authentication. Access control systems are sometimes required to fail closed (for example, if the system crashes, nobody can sneak in) and sometimes required to fail open (for example, so that nobody is locked inside during an emergency evacuation). An unexpected crash can trigger the wrong failure mode because of an incorrect configuration, such as unlocking for everyone when the system should have shut down completely.
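The following is an added example, not code from the original article or from Crypto.com, showing how items 1, 2 and 5 of the list above look in practice on the server side: a one-time SMS code drawn from the OS CSPRNG rather than a weak generator, an RFC 6238 TOTP verifier that necessarily holds the shared seed in clear text (and so must protect it at rest), and a withdrawal approval path written once in the fail-open style the list warns about and once fail-closed. The seed is the RFC 6238 test secret, and the `SeedStoreUnavailable` exception, the `approve_withdrawal_*` functions and the in-memory seed store are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed: the RFC 6238 test secret "12345678901234567890" (ASCII).
# A real seed comes from secrets.token_bytes(20). It cannot be stored as a salted
# hash like a password, because the server must recompute codes from it; keep it
# encrypted at rest and decrypt it only inside the verification path (item 2).
DEMO_SEED = b"12345678901234567890"


def generate_sms_code(digits: int = 6) -> str:
    """One-time SMS code from the OS CSPRNG (item 1). Do not use random.randint:
    a poorly seeded generator makes the code sequence predictable."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(seed, at // step, digits)


def verify_totp(seed: bytes, submitted: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus or minus `window` steps to absorb clock skew.
    Every candidate is compared in constant time and the loop never short-circuits."""
    if len(submitted) != 6 or not submitted.isdigit():
        return False
    counter = at // step
    accepted = False
    for c in range(counter - window, counter + window + 1):
        accepted |= hmac.compare_digest(hotp(seed, c), submitted)
    return accepted


class SeedStoreUnavailable(Exception):
    """Constructed: raised by the seed store when it cannot be reached (crash, timeout)."""


def approve_withdrawal_fail_open(user: str, code: str, at: int, seed_lookup) -> bool:
    """The failure mode of item 5: an error on the 2FA path is treated as
    'nothing to check', so the withdrawal goes through unauthenticated."""
    try:
        seed = seed_lookup(user)
    except SeedStoreUnavailable:
        return True  # BUG: fails open
    return verify_totp(seed, code, at)


def approve_withdrawal_fail_closed(user: str, code: str, at: int, seed_lookup) -> bool:
    """Hardened form: any error on the 2FA path denies the withdrawal; the
    caller should alert operators about the outage rather than retry silently."""
    try:
        seed = seed_lookup(user)
        return verify_totp(seed, code, at)
    except SeedStoreUnavailable:
        return False


# Constructed in-memory seed store standing in for the real 2FA database.
_SEEDS = {"alice": DEMO_SEED}


def healthy_lookup(user: str) -> bytes:
    return _SEEDS[user]


def crashed_lookup(user: str) -> bytes:
    raise SeedStoreUnavailable("2FA database offline")


if __name__ == "__main__":
    now = 59  # RFC 6238 test vector time; the 6-digit code here is 287082
    code = totp(DEMO_SEED, now)
    print("code at t=59:", code)
    print("healthy store, right code:", approve_withdrawal_fail_closed("alice", code, now, healthy_lookup))
    print("store down, fail-open:", approve_withdrawal_fail_open("alice", "000000", now, crashed_lookup))
    print("store down, fail-closed:", approve_withdrawal_fail_closed("alice", "000000", now, crashed_lookup))
```

The two approval functions differ only in where the `except` sits, which is exactly the kind of detail that survives code review when the 2FA backend is assumed to be always available; a test that deliberately takes the seed store offline catches it.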
What happened next?
Crypto.com says it is “migrating to a new 2FA infrastructure”, apparently in order to be “very cautious”.
Given that overreacting in cybersecurity can be as costly and counterproductive as underreacting, we have never fully understood what the phrase “very cautious” is supposed to mean, but it seems to be something that must be said in contemporary breach reports, as if taking suitable preventive measures were no longer good enough.
After all, if the root cause of your 2FA failure is reason (1) above (an inherent flaw in the 2FA system itself), it seems appropriate to make a fundamental change by swapping it out for an entirely new 2FA technology.
However, if the root cause is reason (4) above (it’s too easy for support staff to authorize account resets), then changing the underlying 2FA technology may have little impact.
What to do?
- If you are a Crypto.com customer, you will need to reconfigure your account to use the new system. It’s worth noting that there is now apparently a 24 hour waiting period after adding a new withdrawal destination before it can be used. This is designed to give you extra time to spot, or be warned about, unexpected account changes attempted by scammers.
- If you’re considering adding 2FA to your own online service, don’t just test the obvious parts of the system. Make sure to consider every point where it interacts with the rest of the system, and consider hiring penetration testers to look for unexpected types of failure.
- If you work in PR or marketing, have the entire company practice what to do if a breach occurs. This doesn’t mean you expect to fail. But it does mean that if you do get breached, the legally and ethically necessary process of communicating with unfortunate customers won’t eat into planning time that’s better spent investigating and putting things right.
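As an added illustration of the 24 hour waiting period mentioned in the first point above, here is a small per-account allowlist of withdrawal destinations. It is example code, not Crypto.com’s implementation: a newly added address stays pending for a full day, removal takes effect immediately, and re-adding a pending address never shortens the wait, so a scammer who gains temporary control of an account cannot move funds to a fresh address before the legitimate owner has a chance to react. The class name, the `DELAY_SECONDS` constant and the sample addresses are constructed.

```python
from dataclasses import dataclass, field

DELAY_SECONDS = 24 * 60 * 60  # the 24-hour waiting period for new destinations


@dataclass
class WithdrawalAllowlist:
    """Per-account allowlist of withdrawal destinations (constructed example).
    Addresses move pending -> active only after DELAY_SECONDS have elapsed."""
    pending: dict = field(default_factory=dict)  # address -> Unix time it activates
    active: set = field(default_factory=set)

    def add_destination(self, address: str, now: int) -> int:
        """Register an address and return the Unix time it becomes usable.
        Re-adding a pending address keeps the original activation time, so
        repeated additions can never shorten the wait."""
        if address in self.active:
            return now
        return self.pending.setdefault(address, now + DELAY_SECONDS)

    def cancel(self, address: str) -> None:
        """Removal is immediate, whether the address is pending or active; this
        is the action to offer in the 'was this you?' notification."""
        self.pending.pop(address, None)
        self.active.discard(address)

    def pending_additions(self, now: int) -> list:
        """Addresses still in their waiting period, with seconds remaining;
        these are what the account owner should be alerted about."""
        return [(addr, at - now) for addr, at in self.pending.items() if at > now]

    def can_withdraw_to(self, address: str, now: int) -> bool:
        """Promote the address if its delay has elapsed, then check membership."""
        activates_at = self.pending.get(address)
        if activates_at is not None and now >= activates_at:
            del self.pending[address]
            self.active.add(address)
        return address in self.active


if __name__ == "__main__":
    t0 = 1_642_377_600  # constructed timestamp: 2022-01-17 00:00:00 UTC
    wl = WithdrawalAllowlist()
    wl.add_destination("bc1qexampledestination", t0)
    print("one hour later:", wl.can_withdraw_to("bc1qexampledestination", t0 + 3600))
    print("pending:", wl.pending_additions(t0 + 3600))
    print("one day later:", wl.can_withdraw_to("bc1qexampledestination", t0 + DELAY_SECONDS))
```

Pair this with an out-of-band notification on every `add_destination` call; the delay only helps if the account owner actually hears about the pending change in time to call `cancel`.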