2FA is no longer secure enough.

Over the past couple of years, companies and services have increasingly been encouraged to roll out two-factor authentication to their users, whether in the form of a text message, an email, an authentication app, or other means.

However, a recent security breach struck the Maltese crypto-coin broker Foris DAX MT Ltd, known more commonly as Crypto.com. The company released a security report [1] outlining the incident, which cost it a total of 4,836.26 Ethereum, 443.93 Bitcoin and $66,200 USD worth of other smaller cryptocurrencies, totalling nearly $35,000,000. The culprit was 2FA tokens not being triggered.

So what happened?

[Photo: Crypto.com one-time passwords (NurPhoto via Getty Images)]

The largest finger points at Crypto.com itself, due to a misconfiguration of its one-time password approach, in which six-digit codes were provided to a user via text message or by a multi-factor authentication application, states Zilvinas Bareisis in an interview with American Banker [2]. Bareisis hypothesizes either that Crypto.com mistakenly allowed users to authorize transactions without this one-time code, or that hackers, through a more invasive approach, intercepted these one-time passwords. The incident affected 483 users. Although resolved, Crypto.com and its users were impacted, albeit with the affected accounts being restored with Crypto.com’s own funds.
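To make the first hypothesis concrete, here is an added illustration (not Crypto.com’s code and not drawn from the report) of what a withdrawal check looks like when the one-time code is only verified if the client happens to send one, beside a fail-closed version that also refuses reuse of a code. The fail-open bug shape, the function names and the sample user record are my assumptions.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # standard TOTP time step


def totp_code(secret: bytes, step: int) -> str:
    """RFC 6238-style six-digit code for one 30-second time step (HMAC-SHA1)."""
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def authorize_withdrawal_unsafe(user: dict, otp: Optional[str], now: Optional[float] = None) -> bool:
    """Fail-open (hypothetical bug shape): the code is checked only when the
    client supplies one, so a request that omits it is approved on password alone."""
    if otp is not None:
        step = int((now if now is not None else time.time()) // STEP_SECONDS)
        return hmac.compare_digest(totp_code(user["secret"], step), otp)
    return True  # no code supplied -> the second factor is never triggered


def authorize_withdrawal(user: dict, otp: Optional[str], now: Optional[float] = None) -> bool:
    """Fail-closed: approve only with a fresh, valid, not-yet-used code."""
    if not user.get("mfa_enrolled") or not otp:
        return False  # no enrolment or no code: deny, never assume
    step = int((now if now is not None else time.time()) // STEP_SECONDS)
    for candidate in (step, step - 1):  # tolerate one step of clock skew
        if candidate <= user.get("last_step", -1):
            continue  # a code for this step was already consumed: block replay
        if hmac.compare_digest(totp_code(user["secret"], candidate), otp):
            user["last_step"] = candidate
            return True
    return False
```

The difference between the two functions is a single default: the unsafe one treats a missing code as "nothing to check", the hardened one treats it as a failed check.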

How did they fix this?

Supposedly the company’s risk monitoring systems detected the issue, which they say “triggered an immediate response from multiple teams to assess the impact,” resulting in 14 hours of downtime to precisely locate and fix the issue. In response, Crypto.com decided to implement a new 2FA infrastructure, which in short means users will now have the chance to enroll in an insurance program covering up to $250,000 in losses, but only if they enable multi-factor authentication. Also, all current users must reconfigure their accounts to comply with this new protocol. On the company side, they are fast-forwarding their transition past 2FA, as they “will be releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA)” [1].

Why is this a big deal?

As a huge player in the cryptocurrency game, where crypto coins are nearly untraceable and non-reversible, having a security breach due to two-factor authentication issues sheds new light on the transition toward giving users more options to secure their own accounts. As an avid user of password managers (Bitwarden in my case), I believe that with the rise of database breaches and data being worth more than oil, it is absolutely mandatory for sensitive user data to be protected at a higher cost, even if the minimum requirement is simply two-factor authentication. Passwords have not been enough for the past couple of years, and two-factor authentication is starting to show weaknesses that can cause catastrophic damage to assets, users and company reputation. The ability to layer on extra protection greatly reduces the risk of even the slightest system error, as an intruder would have to identify and bypass a multitude of unique authentication methods, which could range from SMS + a physical form (YubiKey), SMS + email, email + physical form + security questions, etc., or even more than three at the same time. The importance of security is more prevalent than ever, and services should start standardizing giving users the ability to protect themselves, which as a byproduct protects the company’s image as well.

References:

[1] Crypto.com Security Report & Next Steps – Jan 20, 2022

[2] Crypto.com hack exposes shortcomings of multifactor authentication | American Banker – Jan 26, 2022

[3] Cryptocoin broker Crypto.com says 2FA bypass led to $35m theft – Naked Security (sophos.com) – Jan 21, 2022


  1. This was an interesting read. However, I’m hesitant to agree with the headline arguing that 2-factor authentication is no longer secure enough. As per the article, Crypto.com may have been breached due to flaws in their 2FA design, not due to flaws within the idea of 2FA itself (i.e., Crypto.com not requiring one-time passwords to facilitate transactions). That said, I do certainly recognize how it will be important to move towards multi-factor authentication modalities in the future. To expand on this, consider how this article suggested one alternative way that hackers could have breached Crypto.com – that is by intercepting one-time passwords sent to users. Whether or not this was the case, it highlights the fact that security measures must efficiently change with the times, in order to retain their effectiveness. Interestingly enough, this can already be seen in day-to-day life. I’ve noticed, for example, that Binance (another crypto exchange) has semi-recently switched over to a multi-factor authentication design, whereby you must produce two separate one-time codes (one sent to your email and another to your phone) in order to login.

    1. I agree with your comment, Jamie. I don’t think that the security breach on Crypto.com was due to 2-factor authentication; it was due to faulty 2-factor authentication. This blog post quotes Zilvinas Bareisis on doubting whether the second factor of authentication was being properly applied. I don’t think we should be so critical of 2-factor authentication when done properly; the concern is when the authentication measures fail. It shocks me how a platform that manages so much money could have a security breach to this extent! I would think that they would want to consider their security measures more seriously! I guess moving forward they will!

  2. This is a very engaging post. I have some doubts about 2FA that is SMS based due to the common SIM swap technique; however, I believed that 2FA code generation using a seed was practically unbreakable. It would be interesting to find out the real reason the 2FA in Crypto.com was bypassed; perhaps they did not mention it because it is their fault and they do not want users to lose trust. I do recall reading that Crypto.com reimbursed users, but hopefully something like this does not happen again. It is recommended to withdraw digital assets to a cold wallet to avoid them being stolen in a way like this.

  3. This was an interesting post. I believe 2 factor authentication is still secure enough for most situations though. Hacking crypto results in instant cash; this is not the case for the vast majority of cases. For example, social media does not need more than 2 factor authentication (a password is probably enough at the moment) as no serious hackers are willing to go through the trouble of accessing a random social media account. 3+ factor authentication makes sense for anything money related though. Crypto.com will certainly have to increase their security after learning the hard way.

  4. I think this is a good lesson that whenever you buy cryptocurrency off of an exchange, it is best to move it right away to a secure self-storage option such as a crypto-wallet, as it protects you against malicious actors targeting the exchange. In this case it’s a mix of both, where the exchange itself had a faulty implementation of 2FA. When dealing with large sums of money, I think it’s best to not take any chances; even if the SMS 2FA was properly implemented, SIM swapping attacks still leave a big vulnerability once someone has information that can identify you.

    Spending $100 – $200 on a cold storage wallet is a cheap insurance premium compared to losing your entire portfolio.

  5. Considering crypto is on the rise these days, where even kids seem to develop an interest, I was hoping that since multiple users around the world participate in crypto mining daily, the security system would be somewhat better than a 2FA. We learnt in the lecture that Facebook uses multiple layers (“onion”) to hash their users’ passwords in order to provide the best security to their customers. I do not see why the company in your blog could not use something similar. Yes, the clients required a one time password, but in my opinion the company could’ve used another authentication factor on top of a 2FA. However, the clients should also be careful when they are putting their own money on the line. Apart from that, great post and thank you for raising awareness about this incident.

  6. A very interesting and engaging post to read, Mr. Nguyen. I personally have never been a big crypto investor; however, following the news that comes out of the scene, and the amount of money there is floating around in the crypto exchange, it is mind boggling to imagine that an exchange as large as crypto.com would have such flawed security. Hopefully, with the move to MFA, these strings will be tightened, but it makes you wonder at what point do you have enough authentication factors, and it goes to show that your weakest link will always allow “hackers” in (i.e. SIM swapping, a weakly secured email account to receive 2FA codes on, etc.). It will surely be interesting to see how situations such as these develop in the future, and what more is done about them. Again, at what point do we have enough factors to authenticate ourselves?

  7. I believe in the overall premise that 2FA is starting to show its weaknesses, and that multi-factor authentication is an absolute requirement in security as we move forward. As someone who uses 2+FA myself on as many accounts as offer it, I do sometimes wonder about the future and how we will eventually balance the overall security provided with more and more ‘inconveniences’ added on to logging in to every account. More to the post, I found the bit interesting about crypto.com offering insurance, but it seems only to those that enable 2FA, and that the ‘default’ option is to leave their customers uninsured unless they complete some action (that is, will dormant/forgotten-about accounts that still hold assets now be uninsured by default?). Great post, lots to think about for keeping my own personal security in mind. Thanks Duc!

  8. Thanks for the post Duc, it was an informative read. Since Bareisis can only hypothesize two potential causes for the issue, I’m skeptical as to whether or not this was an issue inherent with 2FA, because I feel that most authentication methods have interception or theft as a weakness. As a result, I think that regardless of how many layers of authentication we use, someone will be willing and able to compromise our account information, so the real question becomes how many layers do we consider to be “secure enough”? I’m sure it’s not as easy as it sounds, but perhaps rather than adding new layers there could be developments to make our existing authentication methods computationally unfeasible to hack.

  9. This was a great post as it brings up a case where 2FA did not work and how it harmed a lot of people, resulting in a big financial cost for Crypto.com. While I still do believe 2FA is a great way to secure one’s accounts, your post highlights the importance of ensuring that the 2FA is working and not faulty. As your post says, the estimated loss was around $35,000,000, which is crazy to think about. You would expect a company like Crypto.com to have steps in place to ensure that their authentication methods work, so it is surprising to see such a big flaw in their token activation. Since crypto is still growing, it is good to have events like these in early stages as it informs other companies not to make the same mistakes as their competitors. Overall this post was highly informative and brings up the need for security in crypto.

  10. This was an interesting article to read because it discussed how even two-factor authentication isn’t good enough for security. It astounds me that a platform that handles so much money could have such a serious security violation! However, I believe this has less to do with 2FA and more to do with their architecture of the 2FA system. With that in mind, I believe we should continually improve our security system, as every system will have some flaws in it.

  11. Hackers will always try to find a new ‘trojan horse’ to infiltrate our electronics. This blog shows that the user needs to remain vigilant of their data, even after using two-step authenticators. This approach is good, but, as pointed out by one of the other comments, SIM swapping is one tactic to bypass this wall. At the end of the day, the user needs to utilize whatever means they can to make the ‘wall’ harder to infiltrate by using more steps to secure their devices and receiving notifications of a ‘new’ device gaining (or attempting to gain) access to your account. The user is at the centre of this, since their attentiveness can mean the difference between a secure bank account and unwelcome guests.

  12. While the article indicates that the weaknesses of 2FA are beginning to reveal themselves, the evidence indicates that it was more the fault of the developers and their implementation of the system that led to the security breach. 2FA as a whole should still be widely regarded as more secure than just a single password, but it also demonstrates the importance of how the 2FA system is to be implemented. This article shows that even a small mistake can lead to catastrophic or even irreversible damages. Thus in terms of security, 2FA in itself isn’t the problem; rather, the developers behind the system and the factor of human error are what bring 2FA its weaknesses.

  13. This was an interesting read, indeed! It is surprising to see how a system like this had that security issue, even to that extent. I also don’t think that the issue was due to the 2FA technology; it was something faulty within the system but not the 2FA technology. I believe that 2FA is still one of the great ways to ensure security in any system. But the incident described in this blog post teaches us that it is important that the security systems we are building must be tested and verified to be functioning in every case. Otherwise even a single mistake can cost billions.

  14. This was a great post to read, especially as I agree that two-factor authentication has started to be insufficient for security. Although nowadays many apps are using it, and it is critical to web security because it eliminates the risks associated with compromised passwords right away, personally I had an experience where I set up the 2FA for one of my mobile apps and the fraudster was able to get in! In addition, 2FA really doesn’t provide identity authentication!! Thanks for that post!

  15. This was an interesting read. Your post is very good overall, but I do not agree with your headline which says ‘2FA is no longer secure enough’. I think that the flaw here is in the company’s own design of its 2FA, rather than the whole 2FA technology, although I agree that we should move to multi-factor authentication in the future. It is shocking to see how a company where people are investing from all around the world wasn’t able to provide a proper form of security.

  16. To be honest, in my view, 2 factor authentication is not likely to reduce cyber attacks, because then all authentications can get hacked by a cyber criminal, which gives more information on the victim, so 2 factor authentication is not enough for protecting online information these days.

  17. Great post. However, I do not believe that 2FA was the cause of the security breach in this case, and I also don’t believe it puts your possessions or information at risk. I think a lesson we learn from this is to also try to provide our own protection to our data and possessions, as well as depending on what is being provided by the service or organization.

  18. Interesting Post! Two-factor authentication is helpful. It’s an important part of a broader approach called multi-factor authentication that makes logging in more of a hassle but also makes it vastly more secure.
