Crypto.com is one of the biggest and most well-known cryptocurrency exchange websites. They are backed by celebrities such as Matt Damon.
The company has been making a name for itself over the past few years. It purchased the naming rights to the Staples Center in Los Angeles.
Earlier this year, the company admitted that 483 of its users were hit by a cyber-attack. The hack led to unauthorized withdrawals worth $35 million.
The company’s risk monitoring system detected unauthorized activity on user accounts: transactions were being approved without two-factor authentication (2FA).
This is the login step in which the user must supply a one-time code after entering the password.
The unauthorized withdrawals included over $15 million worth of Ethereum, $19 million worth of Bitcoin, and $66,200 in “other currencies”.
So far, the company has released no explanation of how the attack occurred.
Crypto.com said it revoked all customer 2FA tokens and added security measures. The website required all customers to log in again and re-enroll in 2FA.
The company also added safeguards, including a mandatory 24-hour delay when a new address is added.
The hack of Crypto.com is one of many recent cyber attacks against the industry.
A few months ago, the Poly Network lost $600 million in cryptocurrency to hackers.
More than 80% of cyber-attacks happen because of a compromised password.
Because passwords alone are so weak, two-factor authentication has become the standard.
Yet, as with any security control, attackers have found ways to get around 2FA.
Here are a few of the problems with two-factor authentication and how you can keep yourself secure.
Major companies, including Microsoft, have told customers to stop using 2FA that relies on text messages or voice calls.
This is because texts and voice calls offer very poor security.
For instance, SIM swapping has been used as a way to get around 2FA.
SIM swapping involves an attacker convincing a mobile service provider that they are the victim.
They then persuade the carrier to move the victim’s phone number to a device of their choice, so every SMS code arrives on the attacker’s phone.
SMS one-time codes can also be compromised through a method called a reverse proxy.
In this case, the attacker impersonates the website, relaying the real login page to the victim, and can see the password and the 2FA code as the victim enters them.
If an attacker already has your username and password, they can use social engineering to get you to hand over the 2FA code.
For instance, the attacker might send you an email pretending to be the website you are trying to log into.
The message gives a made-up excuse for requesting the verification code that was just sent to you.
Once you send the code, they can complete the login and bypass the 2FA.
Messaging mirror apps:
Attackers know that people like to use the same username and password on different websites.
If they can get into the Apple ID or Google account tied to your smartphone, they can install apps on it without you knowing.
There are message mirroring apps that remotely forward all communications sent to a victim’s phone – and this includes one-time codes for 2FA.
This type of cyber attack demonstrates how risky SMS-based 2FA is.
How do you protect yourself when 2FA fails?:
The goal is to limit the use of SMS-based 2FA.
Sometimes a site gives you no other option. Where you do have a choice, use an authenticator app that generates one-time codes on the device itself, so no code is ever sent over the phone network.
Another option is to use a hardware device such as a YubiKey.
This is a small USB or near-field communication (NFC) device that replaces SMS codes as your second factor.
The key is a physical object that must be present to log into the website, so a stolen password alone is not enough.
These methods will create multiple layers of security to protect your accounts and help keep your private data safe.