Binance BTC Hack is due to 2FA | Bitcointalksearch.org

TravelMug

hero member

Activity: 2632

Merit: 833

Quote from: bob123 on May 10, 2019, 10:14:11 AM

Quote from: LuckyBtc on May 10, 2019, 09:41:23 AM

Someone on Twitter claiming he had found a glitch that could let him/her bypass 2fa and captcha on iOS devices, He had reported it to Binance but was ignored.
https://twitter.com/pacpoker/status/1094814265981190145?s=19

This was 3 months ago. And he didn't make the glitch public, which said he will do.

Furthermore the 2FA is checked server-side. So technically it is not possible to bypass 2FA by manipulating the client (in this case: the iOS app).

IMO this was just a bad joke. And far away from being a 'source' to the statement that binance had a security breach.

I agree, as per Binance they said the hackers was able to obtain 2FA and Google authentication through phishing attack. So there's no way that Binance itself can see if indeed it was from the hacker because they were able to get entry through right channels.

squatter

legendary

Activity: 1666

Merit: 1196

STOP SNITCHIN'

Quote from: Patatas on May 10, 2019, 02:18:48 PM

Do you actually believe that news? Apart from bitcointalk, every other community thinks it's an inside job which I pretty much agree with. It's not the first time, neither last that these exchange owners like to fuck around with the traders. At this point, I've digested it.

If they're covering the lost funds from their own money, why would you assume it's an inside job? What does Binance have to gain by telling the world they got hacked?

Patatas

legendary

Activity: 1750

Merit: 1115

Providing AI/ChatGpt Services - PM!

Quote from: jdarren on May 08, 2019, 06:45:40 PM

With the recent Binance hack of 7,000 BTC cyber security firm Ciphertrace pointed out that the reason hackers were able to obtain API keys, 2FA codes and other info was due to hacking hot wallets using a two factor approach, social engineering and SIM card porting of phone numbers.

What Dave Jevans recommends moving forward is a 3FA approach. Has anyone used this or what are your thoughts?

https://cryptobriefing.com/binance-promises-to-cover-7000-btc-lost-in-hack/

Do you actually believe that news? Apart from bitcointalk, every other community thinks it's an inside job which I pretty much agree with. It's not the first time, neither last that these exchange owners like to fuck around with the traders. At this point, I've digested it.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: LuckyBtc on May 10, 2019, 09:41:23 AM

Someone on Twitter claiming he had found a glitch that could let him/her bypass 2fa and captcha on iOS devices, He had reported it to Binance but was ignored.
https://twitter.com/pacpoker/status/1094814265981190145?s=19

This was 3 months ago. And he didn't make the glitch public, which said he will do.

Furthermore the 2FA is checked server-side. So technically it is not possible to bypass 2FA by manipulating the client (in this case: the iOS app).

IMO this was just a bad joke. And far away from being a 'source' to the statement that binance had a security breach.

LuckyBtc

legendary

Activity: 1288

Merit: 1011

Quote from: bob123 on May 10, 2019, 07:17:28 AM

Quote from: TheHas on May 10, 2019, 06:04:27 AM

Quote from: bob123 on May 09, 2019, 07:17:17 AM

It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..

But the issue wasn't that people were careless with their 2fa or passwords. The issue was that Binance had a security breach that circumvented these security checks.

I get that in crypto you are responsible for your own security - but in this case the problem wasn't the user, it was the 'trusted' and apparently 'safu' centralized exchange, who has such an inflated sense of self importance that they were considering risking the entire integrity of Bitcoin through a roll back.

Do you have any source for this statement ?

I can't find any news stating that binance's security was compromised.

Someone on Twitter claiming he had found a glitch that could let him/her bypass 2fa and captcha on iOS devices, He had reported it to Binance but was ignored.
https://twitter.com/pacpoker/status/1094814265981190145?s=19

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: TheHas on May 10, 2019, 06:04:27 AM

Quote from: bob123 on May 09, 2019, 07:17:17 AM

It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..

But the issue wasn't that people were careless with their 2fa or passwords. The issue was that Binance had a security breach that circumvented these security checks.

I get that in crypto you are responsible for your own security - but in this case the problem wasn't the user, it was the 'trusted' and apparently 'safu' centralized exchange, who has such an inflated sense of self importance that they were considering risking the entire integrity of Bitcoin through a roll back.

Do you have any source for this statement ?

I can't find any news stating that binance's security was compromised.

TheHas

full member

Activity: 616

Merit: 167

Quote from: bob123 on May 09, 2019, 07:17:17 AM

It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..

But the issue wasn't that people were careless with their 2fa or passwords. The issue was that Binance had a security breach that circumvented these security checks.

I get that in crypto you are responsible for your own security - but in this case the problem wasn't the user, it was the 'trusted' and apparently 'safu' centralized exchange, who has such an inflated sense of self importance that they were considering risking the entire integrity of Bitcoin through a roll back.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: figmentofmyass on May 09, 2019, 02:42:18 PM

that's my belief based on the statements binance made, but AFAIK no details about how 2FA and API keys were compromised have been released. have they?

No, unfortunately not.
Currently it can only be assumed, but based on their statements it sounded like its not a security problem on their end.

Quote from: figmentofmyass on May 09, 2019, 02:42:18 PM

they have urged all users to change passwords, 2FA, and most specifically API keys so i guess we can't be sure this is 100% client side yet.

This indeed sounds strange.
But i guess that's not a clue towards server side problems.

They might want all user to change their secret information because of a server-side security breach or because they believe there are more keys somehow laked / stolen.

Quote from: figmentofmyass on May 09, 2019, 02:42:18 PM

API keys were hacked from binance's servers last year and there have been recent suspicions of an ongoing problem.

Were they ?

I remember that most (if not all) people had their API key entered into a 3rd party trading software/script.
And this software had maliciously used the API keys to buy (and pump) a worthless coin, which has been sold by the attacker to get lots of profit out of it.

I didn't see any news regarding the security of binance being compromised. IIRC it was 100% users fault back then.

darylalban

jr. member

Activity: 184

Merit: 1

I think the million dollar question people are trying to solve is to what degree will we need to prove ones identity . 3FA would work but even something as far as 4FA would be necessary.

figmentofmyass

legendary

Activity: 1652

Merit: 1483

Quote from: bob123 on May 09, 2019, 07:17:17 AM

Quote from: LuckyBtc on May 09, 2019, 05:11:34 AM

One solution is just to use DEX, We need people to start using DEX and protect themselves from hackers, We should be responsible for our own protection.

People weren't able to protect their API-keys and 2FA codes which lead to the loss of funds.
So how should they going to be capable of protecting their private keys..

Binance's security is fine. Based on all information, it is each users fault for not protecting his 2FA codes / API keys.
It hasn't been mentioned anywhere that there was some security breach.

that's my belief based on the statements binance made, but AFAIK no details about how 2FA and API keys were compromised have been released. have they? they have urged all users to change passwords, 2FA, and most specifically API keys so i guess we can't be sure this is 100% client side yet. API keys were hacked from binance's servers last year and there have been recent suspicions of an ongoing problem.

TimeBits

member

Activity: 224

Merit: 62

Quote from: examplens on May 09, 2019, 09:24:10 AM

Quote from: darklus123 on May 09, 2019, 12:44:27 AM

Eventually sooner or later hackers will be able to obtain new tactics or find out any loopholes of the said 3FA. Therefore the best thing to do is to always move your funds in and out from any trading platforms.

I know this is kinda toxic idea but I think that is one of the best thing we can do for now.

You have people who earn from trading. So, they need to have funds on the platform because then he can trade with them. Just think how complicated after every trade to withdraw funds and deposit it again for a new trade.

Quote from: TimeBits on May 08, 2019, 08:59:56 PM

Imagine I had a blockchain of everyone and their face in my country, we could set up drone helicopter or plane to scan your face and if it does not match our data base, it kills you.

Interesting idea for new KYC method. Grin

inb4 facebook is using it

https://www.youtube.com/watch?v=l4x0vOAu0lQ

inb4 we are all dead

examplens

legendary

Activity: 3248

Merit: 3098

Quote from: darklus123 on May 09, 2019, 12:44:27 AM

Eventually sooner or later hackers will be able to obtain new tactics or find out any loopholes of the said 3FA. Therefore the best thing to do is to always move your funds in and out from any trading platforms.

I know this is kinda toxic idea but I think that is one of the best thing we can do for now.

You have people who earn from trading. So, they need to have funds on the platform because then he can trade with them. Just think how complicated after every trade to withdraw funds and deposit it again for a new trade.

Quote from: TimeBits on May 08, 2019, 08:59:56 PM

Imagine I had a blockchain of everyone and their face in my country, we could set up drone helicopter or plane to scan your face and if it does not match our data base, it kills you.

Interesting idea for new KYC method. Grin

TimeBits

member

Activity: 224

Merit: 62

I mean do the two options I presented

add a throttle on withdraws (I could cook up this code and have no education in coding)

and 3fa/4fa/5fa (WARNING THIS MAY LEAD TO A WEAPON OF MASS DESTRUCTION or a WEAPON OF MASS SAFETY)
https://www.cnbc.com/2019/05/08/facebook-rolls-back-ban-on-cryptocurrency-ads.html

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: LuckyBtc on May 09, 2019, 05:11:34 AM

One solution is just to use DEX, We need people to start using DEX and protect themselves from hackers, We should be responsible for our own protection.

People weren't able to protect their API-keys and 2FA codes which lead to the loss of funds.
So how should they going to be capable of protecting their private keys..

Quote from: pokermaniacxxx on May 09, 2019, 05:39:02 AM

This is really bad news... Binance should have invested more in security

Binance's security is fine. Based on all information, it is each users fault for not protecting his 2FA codes / API keys.
It hasn't been mentioned anywhere that there was some security breach.

Quote from: joshy23 on May 09, 2019, 06:36:58 AM

Whatever they claimed that they are safe, hackers job is to keep trying to penetrate the security of the exchange so for sure they will find ways
to do that

That's true, but in this case it the fault of each affected user individually.

Quote from: TheHas on May 09, 2019, 07:08:36 AM

To use an analogy, instead of investing in 3 padlocks, it would be more secure to invest in a Safe.

It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..

TheHas

full member

Activity: 616

Merit: 167

I doubt 3fa will make much difference in the longterm, just like 2fa didnt make a difference l.

My fiat bank doesn't require 3fa, so why is that the answer for a crypto exchange?

To use an analogy, instead of investing in 3 padlocks, it would be more secure to invest in a Safe. I feel like 3fa is just adding an extra layer of the same depth of security.

When Binance finishes their investigation, I doubt 3fa will be their recommended action for this hack.

joshy23

sr. member

Activity: 1078

Merit: 256

Quote from: hahahafr on May 09, 2019, 03:41:54 AM

It's so sad that these hackers always get to have their way with the funds of users as and when they please. I believe it is time we really give the development of Decentralized Exchanges some level of attention because no matter how these centralized exchanges claim they are they still get hacked.

Whatever they claimed that they are safe, hackers job is to keep trying to penetrate the security of the exchange so for sure they will find ways
to do that, they will keep doing it until finally got a victim and enjoy the sucked profits from someone's wallet. really need to be more extra careful
whenever you have good amount of money inside the exchange.

pokermaniacxxx

newbie

Activity: 53

Merit: 0

This is really bad news... Binance should have invested more in security

LuckyBtc

legendary

Activity: 1288

Merit: 1011

Quote from: TheKeyLongThumbI on May 09, 2019, 04:20:52 AM

Quote from: jdarren on May 08, 2019, 06:45:40 PM

With the recent Binance hack of 7,000 BTC cyber security firm Ciphertrace pointed out that the reason hackers were able to obtain API keys, 2FA codes and other info was due to hacking hot wallets using a two factor approach, social engineering and SIM card porting of phone numbers.

What Dave Jevans recommends moving forward is a 3FA approach. Has anyone used this or what are your thoughts?

https://cryptobriefing.com/binance-promises-to-cover-7000-btc-lost-in-hack/

What? All this time I thought that activating 2fa on all my accounts made me feel that my funds are very secured but now it is vulnerable? Then that 3FA approach is useless then. I think we need more softwares to successfully track this hackers instead of buffing up the security measures each time it gets breached because these hackers will just study it until they crack the code again and again.

One solution is just to use DEX, We need people to start using DEX and protect themselves from hackers, We should be responsible for our own protection. Hardware wallet + dedicated OS for crypto transactions should be used I think.

CryptoBry

sr. member

Activity: 1008

Merit: 355

Quote

What Dave Jevans recommends moving forward is a 3FA approach. Has anyone used this or what are your thoughts?

This 3FA can be coming soon triggered by what just happened in Binance which resulted into the loss of around $40 Million dollars putting the security measures of Binance into question. Now, this can be a little bit funny, because when hackers can find out the best to go around with 3FA we can expect to get 4FA. I am then suggesting that to pole-vault the technology on this side, why not go directly to 6FA so that hackers can have a hell of time destroying its protection? Okay, am just kidding but then why not, right?

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: vennali on May 09, 2019, 01:31:34 AM

3Fa would certainly change things.

I don't think so.

Most people are lazy as f**k. They would probably use 1 device (e.g. their mobile) for the 2nd and 3rd factor, therefore basically creating a 2FA again.

If done properly, it definitely increases the security. But i doubt the majority will be able to handle this correctly.

Quote from: TheKeyLongThumbI on May 09, 2019, 04:20:52 AM

What? All this time I thought that activating 2fa on all my accounts made me feel that my funds are very secured but now it is vulnerable?

It is not vulnerable.
But if you don't know how to protect your sensitive information... it is only your fault.

It's like saying "I thoughts passwords are secure, now my account is at risk if i tell everyone my password ?".

If you keep your 2FA codes secure, so that noone except for you can access them, it is safe.
If you share your 2FA codes (or they can be accessed by other in any other way), it is not.

Topic: Binance BTC Hack is due to 2FA (Read 504 times)