How 3FA can foil cryptocurrency exchange robberies – a modest proposal

The recent hack of the world’s biggest cryptocurrency exchange, Binance, highlights the need for heightened security in the crypto space. In what Wired reported as “a ‘large-scale security breach,’ hackers stole not only 7,000 bitcoin—equivalent to over $40 million ($56 million at the time of this writing, just one week later)—but also some user two-factor authentication codes and API tokens.” This is just one of the many cryptocurrency heists totaling 100s of millions of dollars that CipherTrace has reported on in the last year.

Why are sophisticated hackers targeting the crypto space? Because, obviously, that’s where the money is. The huge hot wallet stash looted from Binance represented only about 2% of the exchange’s reserves. And if this is the rumored Crypto Spring, and valuations begin to rise dramatically, expect things to get worse.

The good thing for the industry is that Binance did the right thing—they were transparent and didn’t delay in reporting the theft, announcing it the same day it was discovered. “The hackers used a variety of techniques, including phishing, viruses and other attacks,” according to Binance CEO Zhao Changpeng in a May 7 blog post. “The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks.” Moreover, Zhao announced that no customer funds would be used to cover losses, as Binance had set up a self-insurance fund in 2018 that accrues 10% of all trading fees in a separate cold wallet.

How did the theft occur? We are currently researching the attack, but from what we know Binance had the current state of the cybersecurity art in place. The attacker(s) probably used a password stolen in a phishing attack, or they exploited a combination of vulnerabilities.

As Chairman of the Anti-Phishing Working Group, an organization that has been fighting eCrime and phishing for more than 16 years, I can tell you it’s highly likely that phishing was an attack vector. Spear phishing (targeted attacks on high-value individuals) and business email compromise (BEC) are getting a lot worse. And phishers are casting their nets—and spears—at crypto companies in particular. The Binance hack could have been an employee being duped into giving a password by a clever email ruse. It could have been phishing plus fileless malware or an APT. It could have stemmed from any number of vulnerabilities typically present in the attack surface of such a large, global IT network.

Time to triple-down on security

Two-factor authentication (2FA) is no longer strong enough, and SMS is a weak second factor. As was detailed in the CipherTrace Q4 2018 Crypto AML report, attackers often “port” phone numbers in order to receive SMS text messages that are used in a number of 2FA systems. Which obviously means this approach is not secure. But by having an authentication app on the phone, instead of relying on SMS text message codes, companies are protected even if an employee’s phone is hijacked or SIM-swapped.

So what can and should exchanges do to prevent thefts? In our opinion, given the ever-increasing sophistication and persistence of the bad guys, there’s only one viable solution at the moment. Well, there’s three, actually. The answer is three-factor authentication (3FA)—two things they have, and one thing they know. To access the network, exchange employees should be required to use an authentication app on their phone, a certificate on their computer to access the corporate VPN, and a password. That way, if criminals phish an exchange worker’s password or break it with brute force they’re still not getting in. Plus, unlike passwords, certificates can be revoked.

The attacker can gain the password and even compromise one of the user’s devices but that won’t get all three factors. And without compromising all three factors, they’re not getting in. Three factor is the new strong auth. It may sound like this proposal puts an onerous burden on employees, but having a certificate on the computer takes no day-to-day effort.