Another episode of "Not your keys, not your Coins"

PX-Z

hero member

Activity: 1554

Merit: 880

pxzone.online

Quote from: witcher_sense on January 26, 2022, 12:59:00 AM

/snip..

Quote from: o_e_l_e_o on January 26, 2022, 04:47:06 AM

I'm not aware of any other exchange which comes close to such a decentralized model. Even other good DEXs such as LocalCryptos still depend on a centralized websites and its servers.

Thanks to both of you, I get it now. So far with the bisq tx/trading practice I considered it as the safest, at least for now and for what I know.

While I'm reading several reviews of bisq, it's sad to read as others considered decentralization as cons and not for everyone, at least for the eye of investors, institutional or even those not. They are more comfortable of having a platform that can be hacked together with their funds and petsonal information instead of having full control of their funds and safe from identity thief.
This may be one of the reasons why dex still need a long run before it will be used by the majority.

Cookdata

hero member

Activity: 1106

Merit: 912

Not Your Keys, Not Your Bitcoin

I believe that a lack of knowledge about private keys, public keys, and addresses contributed to many users preferring to let their coins get stuck on an exchange.
Crypto. com exchange is just a normalized broker that operates similarly to a bank, and I don't see why anyone would want to keep their money on a well-regulated exchange by the US.
This attack may be painful, but it serves as a reminder that your coins are not safe on an exchange except with you and no one else.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: PX-Z on January 25, 2022, 09:03:10 PM

If there will be a decentralized hosting servers, idk how it will be made, but it could be the best IMO.

Yeah, as witcher_sense has said (and at risk of sounding like a broken record), the answer here again is Bisq. The best way of having decentralized hosting is for every user to host their own instance. This is similar to what happens with bitcoin (ignoring of course all the people who use custodial or light wallets rather than running their own node). All the code of Bisq is open source, you can download it and build it from source, you run it locally and connect directly to other users (over Tor). There are no central wallets to deposit coins to and no central servers to connect to.

I'm not aware of any other exchange which comes close to such a decentralized model. Even other good DEXs such as LocalCryptos still depend on a centralized websites and its servers.

witcher_sense

legendary

Activity: 2450

Merit: 4415

🔐BitcoinMessage.Tools🔑

Quote from: PX-Z on January 25, 2022, 09:03:10 PM

This is good for bitcoin tx and p2p tx. Best practice is still on the work of smart contracts.

For a bitcoin transaction to occur, there have to be satisfied certain conditions specified in a special script. A script executes automatically once a sender of funds provides certain information. This script is no different from a smart-contract except that it is written in Turing-incomplete language that doesn't allow for loops and DDoS attacks. All transactions in bitcoin, including a multisignature one used for escrow, are therefore very robust smart-contracts albeit simple.

Quote from: PX-Z on January 25, 2022, 09:03:10 PM

But if we consider about a system hacked, this lines of codes can be altered with malicious one if this codes are held in traditional hosting servers. If there will be a decentralized hosting servers, idk how it will be made, but it could be the best IMO.

It is an open-source project https://github.com/bisq-network/bisq which means the code is available for everyone to review, share, fork, and download. It will be difficult for Bisq developers try to inject malicious code without being caught by those constantly monitoring and reviewing the changes.

PX-Z

hero member

Activity: 1554

Merit: 880

pxzone.online

Quote from: o_e_l_e_o on January 25, 2022, 03:19:55 PM

With a truly decentralized exchanges such as Bisq, your coins are only sent to an escrow address. The escrow address is a 2-of-2 multi-sig address between you and the person you are trading with. Bisq have no control over the address. This is a truly decentralized model.

This is good for bitcoin tx and p2p tx. Best practice is still on the work of smart contracts.

But if we consider about a system hacked, this lines of codes can be altered with malicious one if this codes are held in traditional hosting servers. If there will be a decentralized hosting servers, idk how it will be made, but it could be the best IMO.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: examplens on January 25, 2022, 12:55:59 PM

If we talk about dex exchanges, Isn't it necessary to send funds to the trading account so, even you hold your keys, your coins can be robbed if a hack happened.

Depends on the DEX. The trouble is that there are a lot of exchanges which use the word decentralized simply as a marketing gimmick when they are actually nothing of the short (such as EtherDelta as we just discussed). Just because the exchange doesn't fulfill your orders and pairs you up with other users does not automatically mean they are decentralized, but unfortunately a lot of users don't understand this. If you have to deposit your coins to an address or wallet which the exchange controls, then that exchange is not decentralized. It's really as simple as that. If the exchange can hold complete control over your coins, then all control is centralized with them.

With a truly decentralized exchanges such as Bisq, your coins are only sent to an escrow address. The escrow address is a 2-of-2 multi-sig address between you and the person you are trading with. Bisq have no control over the address. This is a truly decentralized model.

examplens

legendary

Activity: 3472

Merit: 3507

Crypto Swap Exchange

Quote from: sheenshane on January 25, 2022, 09:57:27 AM

That's right, nothing new here and it was expected that if the exchange has been hacked, the percentage of having a refund is very small if it's the platform is a big exchange platform. Just like Binance exchange that has a SAFU, it's possible that they will refund all their customers once they get hacked?

that in theory there is a basis for such thinking, big exchange will refund his customers. But in reality, did you hear about Mt.Gox? Big exchange, safu blah blah... it is of little use to aggrieved users (I am one of them Sad

)

Quote from: o_e_l_e_o on January 25, 2022, 11:01:33 AM

This is correct. You can read more here: https://www.zdnet.com/article/exclusive-talktalk-hacker-also-breached-etherdelta-cryptocurrency-exchange/

Essentially the CEO's personal details were used to gain access to EtherDelta's admin account and Cloudflare account, and then redirect all traffic to a malicious clone of the website. When users then entered their private keys (since that is the ridiculous way in which EtherDelta works), the malicious site sent them off to the attacker and their funds were stolen.

Further, EtherDelta isn't really decentralized at all. How can a decentralized exchange have a CEO? Why does it need users to enter their private keys?

the bottom line is that it is an equally high risk, no matter if "your keys, your coins".
If we talk about dex exchanges, Isn't it necessary to send funds to the trading account so, even you hold your keys, your coins can be robbed if a hack happened.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: PX-Z on January 25, 2022, 09:12:34 AM

Quote from: examplens on January 25, 2022, 08:49:03 AM

I remember etherdelta DEX exchange, where people still have control over their keys and funds, but they were still compromised and many users were left without money.

As far as I remember, the etherdelta hacked was still caused of their user's actions, the hacked was comparable to phishing using the original website where users redirected to the fake website using the original.

This is correct. You can read more here: https://www.zdnet.com/article/exclusive-talktalk-hacker-also-breached-etherdelta-cryptocurrency-exchange/

Essentially the CEO's personal details were used to gain access to EtherDelta's admin account and Cloudflare account, and then redirect all traffic to a malicious clone of the website. When users then entered their private keys (since that is the ridiculous way in which EtherDelta works), the malicious site sent them off to the attacker and their funds were stolen.

Further, EtherDelta isn't really decentralized at all. How can a decentralized exchange have a CEO? Why does it need users to enter their private keys?

sheenshane

legendary

Activity: 2492

Merit: 1232

That's right, nothing new here and it was expected that if the exchange has been hacked, the percentage of having a refund is very small if it's the platform is a big exchange platform. Just like Binance exchange that has a SAFU, it's possible that they will refund all their customers once they get hacked?

The "Not your key and your coins" is the golden law in crypto, we should always apply this law if we have a crypto asset and when we did trade in any exchange platform don't leave any fund to them. It's not an ideal decision to leave your crypto in any centralized exchange platform because it's very risky. The possible hack will occur at anytime and I think that's a part of a risk in the world of crypto.

PX-Z

hero member

Activity: 1554

Merit: 880

pxzone.online

Quote from: examplens on January 25, 2022, 08:49:03 AM

Quote from: PX-Z on January 22, 2022, 02:40:34 AM

This is another reminder to everyone whether you're a newbie or not, that using platforms such exchanges which the users doesn't have full control of their assets always have the risk of getting robbed, either the platform refunded it, worst if not.

from this, it might be inferred that decentralised platforms, where users control their keys, are safe?
I remember etherdelta DEX exchange, where people still have control over their keys and funds, but they were still compromised and many users were left without money.

As far as I remember, the etherdelta hacked was still caused of their user's actions, the hacked was comparable to phishing using the original website where users redirected to the fake website using the original.
Yes, their users have full control to their keys yet their actions cause the lost of their own funds.

Having full control of your funds has lots of responsibilities since you will stand as your own bank, by means of fully control of it, it's not just storing it on your secured device, it is paired by the user's actions.

Yes, storing it on secured device it means the funds were safe, not until the owner make an action like opening it on a website, addons/plugin, etc.

examplens

legendary

Activity: 3472

Merit: 3507

Crypto Swap Exchange

Quote from: PX-Z on January 22, 2022, 02:40:34 AM

This is another reminder to everyone whether you're a newbie or not, that using platforms such exchanges which the users doesn't have full control of their assets always have the risk of getting robbed, either the platform refunded it, worst if not.

from this, it might be inferred that decentralised platforms, where users control their keys, are safe?
I remember etherdelta DEX exchange, where people still have control over their keys and funds, but they were still compromised and many users were left without money.

BernyJB

full member

Activity: 182

Merit: 190

Security codes are, at best, temporary fixes in an endless battle.
Personally, I think it's lame that crypto.com denied the hack, even when everybody knew about it, and were providing numbers as to its extent. It's great they refunded people, but in a market in which confidence is of utmost importance, I don't see the advantage of such a position.

I do think it's great to remind everybody to keep control over their assets. But, on the other hand, if you're trading, for example, you need to keep your coins in the exchange. I'd be very wary of having a single penny in an exchange that, if something happens, chooses to bury its head in the sand and act like everything's cool.

PX-Z

hero member

Activity: 1554

Merit: 880

pxzone.online

Quote from: The Cryptovator on January 23, 2022, 08:25:10 AM

Nothing new. It will happen and we have to use them as well.

Nah, people should be very cautious and be knowledgeable time after time when such incidents happened. Crypto.com has lots of services to be used such as their card so using such platform cost a lot, I mean it needs to have some xxxx balance that you can say it's not that huge but it's enough amount.

Quote from: The Cryptovator on January 23, 2022, 08:25:10 AM

This type of hacking will never stop unless some security features couldn't be broken by hackers. But we know it's quite impossible

Security codes/integrations/practices are designed against vulnerabilities and attacks, it just that the implementations of these are poorly implemented on their system and that's why this usually happens.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Pmalek on January 23, 2022, 05:10:48 AM

If it's something else than a SIM swap attack, then what could it be?

Faulty implementation, poor coding, buggy systems, and so forth. There is no system or piece of software in existence which is invulnerable to some form of hack or attack. Most exchanges aren't developing their own security systems, but rather using third party implementations for their back end, their password databases, their 2FA, their KYC processes, and so on, and then cobbling them all together, hoping they've implemented them all properly, and hoping they haven't introduced any critical vulnerabilities in the process. In this case they failed.

The bottom line is that we have no idea about the security of any centralized exchange, and anyone using them has to trust them completely. Even the big ones such as crypto.com have critical vulnerabilities in their code.

Quote from: ?? on ??

And in worse case, it's possible they didn't have enough reserve fund so you must be content with multiple partial refund.

Or worst case, they go bankrupt and you lose everything.

The Cryptovator

legendary

Activity: 2394

Merit: 2223

Signature space for rent

Nothing new. It will happen and we have to use them as well. But should be careful and do not hold their unnecessary funds that haven't been used for trade. This type of hacking will never stop unless some security features couldn't be broken by hackers. But we know it's quite impossible. Due to lack of Liquidity, we can't trade on Dex and high fees as well. So by force, we need to use Cex. But the best practice is to move your assets on the non-custodial wallet. For example, currently, many people avoid trade due to the red market, so it's better to move funds from the exchange to the wallet. It would reduce the risk.

Darker45

legendary

Activity: 2576

Merit: 1860

According to various sources, affected users were refunded. It seems these news are true. So far, I haven’t heard of complaints coming from the victims that they have not received refunds. And I think the damage was not that huge. Crypto.com could easily handle the amount. They are a huge exchange, after all. Moreover, failing or a delay of a refund could only increase the damage as it will surely cause a backlash of their users. A quick refund will speak of their efficiency, though. So far it seems Crypto.com has properly managed the aftermath of the incident.

However, the point is not whether the users were refunded or not. It was that there was a successful security breach which resulted to the loss of funds. Not to mention that Crypto.com is certainly not an easy target. So this is indeed another strong reminder that for as long as your money is in a centralized exchange, no amount of security measures would guarantee you 100% that your funds are safe.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: ?? on ??

It should be the former since they bother revoked all customer 2FA token which force user to waste their time.

Hopefully, they will figure out what caused it. Being able to circumvent 2FA security isn't nice to read. Makes you question some of your own setups where 2FA is used. If it's something else than a SIM swap attack, then what could it be?

passwordnow

hero member

Activity: 3136

Merit: 591

Leading Crypto Sports Betting & Casino Platform

Quote from: cryptoaddictchie on January 22, 2022, 03:04:29 AM

Actually this ia true. But for some reason those have been compromised like binance, kucoin, and crypto.com so far refunded what was stolen that means they are pretty established to have backed up funds for incidents like these. However users must be cautious and only store amount you think you can tolerate when gone and something goes wrong on a centralized platform.

Yes, it's like part of their plan b if ever they're compromised and that's why they've handled this well but hopefully, to strengthen their security is what they should aim for. They are for sure have their budget for everything but they just can't avail to get hacked again and refund another batch of affected users if it ever happens again.

Quote from: tranthidung on January 22, 2022, 03:24:31 AM

Quote from: passwordnow on January 22, 2022, 02:56:55 AM

They did a refund.

Refund or compensate for users is good response. It can help them to get reputation in terms of customer service. Regarding to sercurity, they have to improve.

This hack is another reminder for people who leave their coins on centralized exchanges with belief that exchanges have good security and will protect fund of customers well enough.

I agree about their security, it is what it is and after experiencing a hack, they're for sure not going to compromise their exchange by not focusing of increasing their budget for it.

Quote from: PX-Z on January 22, 2022, 05:16:23 AM

Good thing if it's the case, either way, it doesn't change the fact that even as secured and as big as this exchange is still can be breached.

There's always the case of updates for their security and that's why maintaining and improving it continuously is a must when you run a big business such as a crypto exchange. I'm sure they'll be hiring more people just to focus on it.

Quote from: PX-Z on January 22, 2022, 05:16:23 AM

Having an insurance for lost funds cannot be used as excuse in the future to let them say that "We're trusted and fully funded crypto exchange, so come use our service". Decentralized exchanges should improve and be normalize in crypto space.

It adds confidence to the users but they just can't tell that from time to time. Prevention is still better than what we're thinking from those words.

Quote from: ?? on ??

Quote from: passwordnow on January 22, 2022, 02:56:55 AM

It's always good to remind everyone especially the newbies that are saving their funds and assets into an exchange. In times that a hack happens, they never know if the exchange is going to be responsible for refunding them.

Even if the exchange refund, sometimes you'll need to perform certain procedure and wait for some time. It could be problem if you're in dire need of money.

I agree, there's the process for refunding and if you're one of the affected users, you have no choice but to wait for their assessment and full refund.

PX-Z

hero member

Activity: 1554

Merit: 880

pxzone.online

Quote from: Pmalek on January 22, 2022, 07:44:16 AM

I find this part of the announcement the most worrying:

Quote

On Monday, at around 12:46 am UTC, Crypto.com’s risk monitoring systems detected “unauthorized activity on a small number of user accounts” where transactions were being authorized without the two-factor authentication (2FA) control being entered by the user, according to the official document.

The exchange proceeded by halting withdrawals and revoking all customer 2FA tokens, adding even more security-hardening measures that required everyone to relog in and reactivate their 2FA token before allowing only authorized action, as detailed in the statement.

I am not sure if this means that the hackers found a way around the 2FA system and emptied user accounts even if they had 2FA activated. That would then explain why they introduced an additional security layer. Or that only those accounts without 2FA were compromised. How did you understand it?

There's no specifics of this, there's also no statement on their end the specifics of how attackers pulled off the breach. I only guess that it could be a flaw something on their 2fa system on how they implemented it.

I see no github issue of related to 2fa regarding this too.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: tranthidung on January 22, 2022, 03:24:31 AM

This hack is another reminder for people who leave their coins on decentralized exchanges with belief that exchanges have good security and will protect fund of customers well enough.

I am sure you were thinking of one thing but wrote something completely different. Just for clarity, you were probably trying to warn users against leaving their coins on centralized exchanges.

I find this part of the announcement the most worrying:

Quote

On Monday, at around 12:46 am UTC, Crypto.com’s risk monitoring systems detected “unauthorized activity on a small number of user accounts” where transactions were being authorized without the two-factor authentication (2FA) control being entered by the user, according to the official document.

The exchange proceeded by halting withdrawals and revoking all customer 2FA tokens, adding even more security-hardening measures that required everyone to relog in and reactivate their 2FA token before allowing only authorized action, as detailed in the statement.

I am not sure if this means that the hackers found a way around the 2FA system and emptied user accounts even if they had 2FA activated. That would then explain why they introduced an additional security layer. Or that only those accounts without 2FA were compromised. How did you understand it?

Topic: Another episode of "Not your keys, not your Coins" (Read 259 times)