{"id":1133,"date":"2022-01-28T14:50:00","date_gmt":"2022-01-28T21:50:00","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=1133"},"modified":"2022-01-27T21:36:19","modified_gmt":"2022-01-28T04:36:19","slug":"2fa-is-no-longer-secure-enough","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/01\/28\/2fa-is-no-longer-secure-enough\/","title":{"rendered":"2FA is no longer secure enough."},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Over the past couple of years, companies and services have increasingly encouraged their users to enable two-factor authentication, whether in the form of a text message, an email, an authenticator app or some other means.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, a recent security breach at the Maltese crypto-coin broker <em>Foris DAX MT Ltd<\/em>, more commonly known as Crypto.com, led the company to release a <a href=\"https:\/\/crypto.com\/product-news\/crypto-com-security-report-next-steps\" data-type=\"URL\" data-id=\"https:\/\/crypto.com\/product-news\/crypto-com-security-report-next-steps\">security report<\/a> <sub>[1]<\/sub> outlining the biggest culprit behind the loss of 4,836.26 Ethereum, 443.93 Bitcoin and $66,200 USD in value in other smaller cryptocurrencies, totalling nearly $35,000,000. 
The culprit was 2FA tokens not being triggered.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"so-what-happened\">So what happened?<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/imageio.forbes.com\/specials-images\/imageserve\/61e980d4e1dfb2c643f40200\/Cryptocurrency-Companies-Photo-Illustrations\/960x0.jpg?fit=bounds&amp;format=jpg&amp;width=960\" alt=\"Cryptocurrency Companies Photo Illustrations\" \/><figcaption>Crypto.com one-time passwords (NurPhoto via Getty Images)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The largest finger points at Crypto.com themselves, due to a misconfiguration of their one-time password approach (six-digit codes delivered to a user by text message or by a multi-factor authentication application), states <em>Zilvinas Bareisis<\/em> in an interview with <em><a href=\"https:\/\/www.americanbanker.com\/news\/crypto-com-hack-exposes-shortcomings-of-multifactor-authentication\">American Banker<\/a><\/em> [2]. Bareisis hypothesizes that Crypto.com mistakenly allowed users to authorize transactions without this one-time code, or that the attackers took a more invasive approach and intercepted the one-time passwords; 483 users were affected. Although the incident has been resolved, Crypto.com and its users were still impacted, albeit with the affected accounts restored from Crypto.com&#8217;s own funds.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-did-they-fix-this\">How did they fix this?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Supposedly the company&#8217;s risk monitoring systems detected the issue, which they say &#8220;triggered an immediate response from multiple teams to assess the impact,&#8221; resulting in a 14 hour downtime to precisely locate and fix the issue. 
In response, Crypto.com decided to implement a new 2FA infrastructure, which in short means users will now have the chance to enroll in an insurance program covering up to $250,000 in losses, but only if they enable <strong>multi-factor<\/strong> authentication. All current users must also reconfigure their accounts to comply with this new protocol. On the company side, they are fast-forwarding their transition past 2FA, as they &#8220;will be releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA)&#8221; <sub>[1]<\/sub>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-is-this-a-big-deal\">Why is this a big deal?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For a huge player in the cryptocurrency game, where coins are nearly untraceable and transactions non-reversible, a security breach caused by two-factor authentication issues sheds new light on the transition toward giving users more options to secure their own accounts. As an avid user of password managers (Bitwarden in my case), I believe that with the rise of database breaches and data being worth more than oil, it is absolutely mandatory for sensitive user data to be protected at a higher cost, even if the minimum requirement is simply two-factor authentication. Passwords have not been enough for the past couple of years, and two-factor authentication is starting to show weaknesses that can cause catastrophic damage to assets, users and company reputation. Layering on an extra layer of protection greatly reduces the risk from even the slightest system error, as an intruder would have to identify and bypass a multitude of unique authentication methods, which could range from SMS + a physical token (YubiKey), SMS + email, or email + physical token + security questions, to more than three factors at the same time. 
The importance of security is more prevalent than ever, and services should start standardizing the ability of users to protect themselves, which as a byproduct protects the company&#8217;s image as well.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"references\">References:<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">[1] <a href=\"https:\/\/crypto.com\/product-news\/crypto-com-security-report-next-steps\">Crypto.com Security Report &amp; Next Steps<\/a> &#8211; Jan 20, 2022<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[2] <a href=\"https:\/\/www.americanbanker.com\/news\/crypto-com-hack-exposes-shortcomings-of-multifactor-authentication\">Crypto.com hack exposes shortcomings of multifactor authentication | American Banker<\/a> &#8211; Jan 26, 2022<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[3] <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/01\/21\/cryptocoin-broker-crypto-com-says-2fa-bypass-led-to-35m-theft\/\">Cryptocoin broker Crypto.com says 2FA bypass led to $35m theft &#8211; Naked Security (sophos.com)<\/a> &#8211; Jan 21, 2022<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It has been a recent uprising during the past couple of years that companies and services have encouraged to start rolling out two-factor authentication modalities to its users whether it be in the form of a text-message, email, through an authentication app or via other means. 
However, a recent security breach fell upon the hands &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/01\/28\/2fa-is-no-longer-secure-enough\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;2FA is no longer secure enough.&#8221;<\/span><\/a><\/p>\n","protected":false},"author":288,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-1133","post","type-post","status-publish","format-standard","hentry","category-cpsc-329-602-w22","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Duc Nguyen","author_link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/author\/duc-nguyen\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/1133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/users\/288"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/comments?post=1133"}],"version-history":[{"count":4,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/1133\/revisions"}],"predecessor-version":[{"id":1204,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/1133\/revisions\/1204"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/media?parent=1133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/categories?post=1133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/
\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/tags?post=1133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}