
Topic: [2019-05-08] Binance Confirms 7000BTC ($40m) Security Breach (Read 672 times)

legendary
Activity: 3010
Merit: 1460

Besides, making the code public will also help hackers; it will simply be a toss of a coin who finds the flaw first, a good guy or a bad guy.


That's absolutely NOT how open source code works. It's actually the safest code because it is picked apart by the community to ensure that it is safe before it is released. When has Bitcoin been hacked? Closed code is notorious for having security issues & vulnerabilities, plus you have no idea what's in that code of course.

The Bitcoin code has been proven to have flaws many times, and many times new fixed versions have been rushed out.
And this is exactly how open source code works: you let people know your code, you let everyone know how the code is written and how it works. Just because 20 guys said "OK, this version is fine" doesn't mean it is.

And the supreme argument for why it is not better that way is that nobody is doing it!





I reckon that the only reason none of the exchanges are doing it is because none of them want their code to be copied and have a competing exchange with the same code. However, if the code is open source, it would be developed and improved upon faster, patches for bugs and flaws would be coded faster, and it might be the most secure code that an exchange can have.

Also, the closed source model has already been proven not to be immune to the very attacks it is supposed to protect the software from.
newbie
Activity: 23
Merit: 1
 


Binance is supposed to be beyond hacking, as we expect that it can avail itself of the best and most expensive security technology at hand. Unfortunately, nothing is really secure in our modern interconnected world, as hackers, phishers, scammers and all their cohorts are one step ahead of the game. In fact, the best thing to do is to hire those hackers onto your side; this is a good idea that Binance should look into. The reality is that Binance can be hacked, so what about ordinary guys and gals like us?
Wow! Hire them to your side! If only that were truly possible, because first of all they hide their true identities. Except if they make a publication stating their intention (with the peace flag). Then just maybe, one of them might show interest in working with the company or organization. But on second thought, how much can the organization pay them when they can easily get their desired amount from their comfort zone? So the possibility of this happening is slim. Also, if they do agree to the terms and conditions, what's the guarantee that they will not be apprehended?
legendary
Activity: 2912
Merit: 6403
Blackjack.fun

Besides, making the code public will also help hackers; it will simply be a toss of a coin who finds the flaw first, a good guy or a bad guy.


That's absolutely NOT how open source code works. It's actually the safest code because it is picked apart by the community to ensure that it is safe before it is released. When has Bitcoin been hacked? Closed code is notorious for having security issues & vulnerabilities, plus you have no idea what's in that code of course.

The Bitcoin code has been proven to have flaws many times, and many times new fixed versions have been rushed out.
And this is exactly how open source code works: you let people know your code, you let everyone know how the code is written and how it works. Just because 20 guys said "OK, this version is fine" doesn't mean it is.

And the supreme argument for why it is not better that way is that nobody is doing it!



hero member
Activity: 1438
Merit: 574
Always ask questions. #StandWithHongKong

Besides, making the code public will also help hackers; it will simply be a toss of a coin who finds the flaw first, a good guy or a bad guy.


That's absolutely NOT how open source code works. It's actually the safest code because it is picked apart by the community to ensure that it is safe before it is released. When has Bitcoin been hacked? Closed code is notorious for having security issues & vulnerabilities, plus you have no idea what's in that code of course.
legendary
Activity: 2912
Merit: 6403
Blackjack.fun
@squatter. This brings us to the question of whether it would be best for an exchange to have its code open source, for everyone to check and see weaknesses in security and bugs.
It has worked for operating systems and some of the best cryptocoins, so why can it not work for an exchange?

I'm pretty sure that after investing thousands of $ in their scripts, the last thing they are thinking about is making it public so that thousands of clones would pop up.
Besides, making the code public will also help hackers; it will simply be a toss of a coin who finds the flaw first, a good guy or a bad guy.


legendary
Activity: 3010
Merit: 1460
@squatter. This brings us to the question of whether it would be best for an exchange to have its code open source, for everyone to check and see weaknesses in security and bugs.

It has worked for operating systems and some of the best cryptocoins, so why can it not work for an exchange?
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
Because I've not seen any solid proof yet.

Has any exchange ever provided solid proof of being hacked? I suppose an exchange would want to provide as little detail as possible about the inner workings of their security procedures to prevent further compromises.

What would happen if the third hack cleaned them out completely?

Hence the old adage, "not your keys, not your coins." This applies to all exchanges.
hero member
Activity: 1438
Merit: 574
Always ask questions. #StandWithHongKong
Correct me if I'm wrong, but in 2018 there was a 'successful breach' in Binance.

You're correct, they lost users' KYC details in that hack. I consider all centralized exchanges either untrustworthy, unsafe or both, but a centralized exchange that has been "hacked" twice in two years should be considered extremely untrustworthy, unsafe and incompetent.

why though? they're not haircutting user funds (and stealing them). they're compensating users for everything.

Because I've not seen any solid proof yet. They should compensate anyone who lost funds; it's their fault, not once, but twice. What would happen if the third hack cleaned them out completely? Nobody would get compensated, and I doubt everyone would be saying how trustworthy they are then.
sr. member
Activity: 2240
Merit: 270
SOL.BIOKRIPT.COM
It's just a case of the inevitable happening. It's a warning to every highly rated exchange about the temerity of their fortified exchange services. We have not seen any exchange defend their staff as not participating in such hacks in the past, and we may not see it. I think there should always be a way to compensate users, though not necessarily a satisfying one. I wasn't surprised anyway, but I'm not happy with the chairman's response to the hack follow-up.
legendary
Activity: 1652
Merit: 1483
the name is poking fun at wex users, who as we all know, lost everything.

WEX was an obvious scam right from the very beginning, anyone who didn't see it or do any research on them before handing over their coins only has themselves to blame.

i have mixed feelings about that. i don't think wex launched with any ill intentions. btc-e got all their $$ nabbed by its payment processors and the feds (along with domain, servers, etc). the first thing they did was refund 55-60% of all account value to users. they issued tokens for the debt, some of which they repaid over time. they seemed to have every intention of making good.

obviously something happened in june/july 2018. i'm not sure if it was a botched transfer of ownership, some sort of robbery or compromise, or something else. there are some suspicions the admins robbed the exchange at that point (and shut down withdrawals) to fund vinnik's fight against extradition to the USA. to me, that's when it became a scam. i don't see why they would pay back 60% of the money, run an exchange for a year, and then scam if it was a scam from the very beginning.

I've yet to see any solid proof that this was the work of hackers either. Has there been any, or are we to believe that it's true "because Binance says so"? My first thought was that it's another inside job, like most centralized exchange hacks are.

why though? they're not haircutting user funds (and stealing them). they're compensating users for everything.
hero member
Activity: 1438
Merit: 574
Always ask questions. #StandWithHongKong
the name is poking fun at wex users, who as we all know, lost everything.

WEX was an obvious scam right from the very beginning, anyone who didn't see it or do any research on them before handing over their coins only has themselves to blame.

I've yet to see any solid proof that this was the work of hackers either. Has there been any, or are we to believe that it's true "because Binance says so"? My first thought was that it's another inside job, like most centralized exchange hacks are.
legendary
Activity: 1652
Merit: 1483
How high is the possibility that the hack was only a show used as an excuse to release Binance's secure asset fund for users, also known as SAFU? Would Binance be capable of this or are they plainly just incompetent?

"safu" is just a word for "binance's reserves". it's already their money. i'm pretty sure the optics around getting hacked are not worth the payoff for binance no matter what.

side note, their usage of "safu" is not in the best taste either. it always irked me. the name is poking fun at wex users, who as we all know, lost everything.
legendary
Activity: 3010
Merit: 1460
@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

Agreed. However, if you cannot run a secure exchange that holds 100s of millions of people's money then you have no right to be running an exchange. There will always be thieves that will certainly never change.

Correct me if I'm wrong, but in 2018 there was a 'successful breach' at Binance. The hackers were able to get the users' logins through a phishing link, installing API access on the affected accounts. So in a sense, Binance by that time should have stepped up their security. But I guess the hackers were again, as always, one step ahead of the game, and this time they were very successful. I guess no one is really safe, even though Binance, in my opinion, has implemented security features after that breach.

How high is the possibility that the hack was only a show used as an excuse to release Binance's secure asset fund for users, also known as SAFU? Would Binance be capable of this or are they plainly just incompetent?
legendary
Activity: 1652
Merit: 1483
No surprise here.  Just another ticking time bomb where the clock ran out.  The next one is already counting down.  Expect nothing to change.  We'll be having this same discussion again soon enough.

I think you're looking at this tragic event in a very wrong way. They are not incompetent; they are not to blame for there being thieves in this crypto world. The biggest problem is the thieves. No one can say that they have an impenetrable security system... there is always some damn thief who will find a way to steal from the system that is considered the safest in the world. We must fight to reduce the actions of these criminals, and there must be very harsh penalties against them.

If not incompetent, then certainly arrogant.  To think you can keep thousands of BTC in a hotwallet where access is enabled via API keys and then pretend you aren't going to suffer the exact same fate as other exchanges that have lost funds in the same manner is astoundingly hard-headed.

historically, this was not a big hack. binance said they had 2% of customer funds in hot wallets. that's not unreasonable IMO and is the same standard coinbase uses. you can't run one of the largest spot exchanges in the world and not have thousands of BTC in a hot wallet.

there's also a big difference between "binance getting their wallets hacked" and what actually happened. from the statements CZ made, it appears these were individual account holders who got phished/hacked and had their API keys compromised who had their accounts all cleaned out at once. it doesn't sound like a server side compromise. i don't think an exchange should be crucified because some users were careless with their API keys and had their accounts cleaned out.

i suspect binance has warded off many attacks that other exchanges in the past failed to. yes they could have had better internal withdrawal controls but no system is perfect nor unbeatable. we should just be glad they are covering the losses if their system wasn't even compromised.
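The two posts above describe the failure mode as many individually phished accounts, each with a withdrawal-enabled API key, being drained at once, and argue that better internal withdrawal controls would have limited it. The following is an added illustration of what such controls can look like; it is example code written for this page, not Binance's system or any exchange's real implementation. The permission model, the IP allowlist, the per-account daily cap, the fleet-wide velocity and same-destination rules, every threshold, and the sample accounts, keys, IPs and destination address are all constructed assumptions. The point it makes that the posts do not spell out: a per-account check alone passes every one of the attacker's withdrawals, because each one looks like a legitimate user moving their own coins; only a rule that correlates across accounts (many distinct accounts paying the same address inside one window) trips before the hot wallet is emptied.

```python
"""Withdrawal controls: per-key least privilege plus fleet-wide correlation.

Added example for this thread, not Binance's code. All thresholds, field
names, accounts, IP addresses and the destination address are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

HOT_WALLET_BTC = 10_000.0    # assumed hot-wallet balance (constructed)
FLEET_WINDOW_SEC = 600       # correlation window for the fleet-wide rules
FLEET_MAX_FRACTION = 0.02    # halt if more than 2% of the hot wallet leaves in one window
SAME_DEST_ACCOUNTS = 5       # halt if this many distinct accounts pay the same address


@dataclass(frozen=True)
class ApiKey:
    account: str
    can_withdraw: bool        # trading-only keys must never move funds
    ip_allowlist: frozenset   # empty = no restriction (the weak setting)


@dataclass
class Withdrawal:
    ts: int                   # seconds since epoch (constructed timestamps)
    account: str
    dest: str
    amount: float
    source_ip: str


@dataclass
class Controller:
    daily_cap_btc: float = 2.0
    recent: deque = field(default_factory=deque)   # (ts, account, dest, amount) inside the window
    daily: dict = field(default_factory=lambda: defaultdict(float))
    halted: bool = False      # once set, every withdrawal waits for manual review

    def _prune(self, now: int) -> None:
        while self.recent and now - self.recent[0][0] > FLEET_WINDOW_SEC:
            self.recent.popleft()

    def evaluate(self, key: ApiKey, w: Withdrawal) -> str:
        """Return 'deny' (reject), 'hold' (halt and review) or 'allow'."""
        if self.halted:
            return "hold"
        # 1. Least privilege: the key must be withdrawal-enabled and belong to this account.
        if not key.can_withdraw or key.account != w.account:
            return "deny"
        # 2. IP allowlist: a stolen key replayed from an unknown address is refused.
        if key.ip_allowlist and w.source_ip not in key.ip_allowlist:
            return "deny"
        # 3. Per-account daily cap. Note this alone never sees the attack below:
        #    each drained account stays under its own cap.
        if self.daily[w.account] + w.amount > self.daily_cap_btc:
            return "deny"
        # 4. Fleet-wide correlation across accounts: aggregate outflow in the window,
        #    and the number of distinct accounts paying the same destination.
        self._prune(w.ts)
        window_total = sum(r[3] for r in self.recent) + w.amount
        accounts_to_dest = {r[1] for r in self.recent if r[2] == w.dest} | {w.account}
        if (window_total > FLEET_MAX_FRACTION * HOT_WALLET_BTC
                or len(accounts_to_dest) >= SAME_DEST_ACCOUNTS):
            self.halted = True
            return "hold"
        self.recent.append((w.ts, w.account, w.dest, w.amount))
        self.daily[w.account] += w.amount
        return "allow"


def run_demo() -> list:
    """Constructed scenario: six phished accounts drained to one address within a minute."""
    ctl = Controller()
    keys = {f"acct{i}": ApiKey(f"acct{i}", True, frozenset()) for i in range(1, 7)}
    keys["trader"] = ApiKey("trader", False, frozenset())                      # trade-only key
    keys["pinned"] = ApiKey("pinned", True, frozenset({"203.0.113.7"}))        # IP-pinned key
    attacker_dest = "bc1q-constructed-attacker-address"                         # constructed
    attacker_ip = "198.51.100.9"                                               # constructed
    decisions = [
        ctl.evaluate(keys["trader"], Withdrawal(0, "trader", attacker_dest, 1.0, attacker_ip)),
        ctl.evaluate(keys["pinned"], Withdrawal(1, "pinned", attacker_dest, 1.0, attacker_ip)),
    ]
    for i in range(1, 7):
        acct = f"acct{i}"
        decisions.append(ctl.evaluate(keys[acct], Withdrawal(10 * i, acct, attacker_dest, 1.5, attacker_ip)))
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

In the constructed run the trade-only key and the IP-pinned key are refused outright, the first four drained accounts each pass the per-account cap and are allowed, the fifth distinct account paying the same address halts withdrawals, and the sixth is held for review. Where the halt lands is a tuning decision: a lower SAME_DEST_ACCOUNTS or a tighter FLEET_MAX_FRACTION stops the drain earlier at the cost of more false holds on legitimate bursts.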
hero member
Activity: 1220
Merit: 612
OGRaccoon
Number of things in the release to think about.

https://www.bbc.co.uk/news/technology-4819

Binance seem to have known exactly how this happened very quickly after the breach.
Normal practice would tell you the first release is normally not as in-depth as this. They state that the hackers must have been patient before striking, so were Binance aware of this beforehand? If not, how would they know the hackers were holding off?

Another thing they said the following to the bbc

According to Binance, the attackers used a variety of techniques to break in. They deployed viruses and used phishing attacks to get security information.

and then later

The hackers "had the patience to wait" and acquire access to a number of accounts before withdrawing the huge haul of bitcoins, according to Binance.

All this info from the first 24 hours of Binance's own investigation?
Unless they knew beforehand that they had some kind of issue and were monitoring the situation, which seems the more likely story.

legendary
Activity: 3080
Merit: 1353
@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

Agreed. However, if you cannot run a secure exchange that holds 100s of millions of people's money then you have no right to be running an exchange. There will always be thieves that will certainly never change.

Correct me if I'm wrong, but in 2018 there was a 'successful breach' at Binance. The hackers were able to get the users' logins through a phishing link, installing API access on the affected accounts. So in a sense, Binance by that time should have stepped up their security. But I guess the hackers were again, as always, one step ahead of the game, and this time they were very successful. I guess no one is really safe, even though Binance, in my opinion, has implemented security features after that breach.
legendary
Activity: 3010
Merit: 1460
@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

Agreed. However, if you cannot run a secure exchange that holds 100s of millions of people's money then you have no right to be running an exchange. There will always be thieves that will certainly never change.
legendary
Activity: 3948
Merit: 3191
Leave no FUD unchallenged
No surprise here.  Just another ticking time bomb where the clock ran out.  The next one is already counting down.  Expect nothing to change.  We'll be having this same discussion again soon enough.


Binance is collecting millions in fees. Can it be given an excuse to be this incompetent?

I think you're looking at this tragic event in a very wrong way. They are not incompetent; they are not to blame for there being thieves in this crypto world. The biggest problem is the thieves. No one can say that they have an impenetrable security system... there is always some damn thief who will find a way to steal from the system that is considered the safest in the world. We must fight to reduce the actions of these criminals, and there must be very harsh penalties against them.

If not incompetent, then certainly arrogant.  To think you can keep thousands of BTC in a hotwallet where access is enabled via API keys and then pretend you aren't going to suffer the exact same fate as other exchanges that have lost funds in the same manner is astoundingly hard-headed.
copper member
Activity: 336
Merit: 1
I'd guess it is negligence from their security team when testing API connections. Someone probably created one with an embedded Trojan that found a way in
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.