Pages:
Author

Topic: Binance BTC Hack is due to 2FA (Read 529 times)

hero member
Activity: 2632
Merit: 833
May 12, 2019, 12:00:09 AM
#53
Someone on Twitter claiming he had found a glitch that could let him/her bypass 2fa and captcha on iOS devices, He had reported it to Binance but was ignored.
https://twitter.com/pacpoker/status/1094814265981190145?s=19

This was 3 months ago. And he didn't make the glitch public, which said he will do.

Furthermore the 2FA is checked server-side. So technically it is not possible to bypass 2FA by manipulating the client (in this case: the iOS app).

IMO this was just a bad joke. And far away from being a 'source' to the statement that binance had a security breach.

I agree, as per Binance they said the hackers was able to obtain 2FA and Google authentication through phishing attack. So there's no way that Binance itself can see if indeed it was from the hacker because they were able to get entry through right channels.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
May 11, 2019, 02:06:37 AM
#52
Do you actually believe that news? Apart from bitcointalk, every other community thinks it's an inside job which I pretty much agree with. It's not the first time, neither last that these exchange owners like to fuck around with the traders. At this point, I've digested it.

If they're covering the lost funds from their own money, why would you assume it's an inside job? What does Binance have to gain by telling the world they got hacked?
legendary
Activity: 1750
Merit: 1115
Providing AI/ChatGpt Services - PM!
May 10, 2019, 01:18:48 PM
#51
With the recent Binance hack of 7,000 BTC cyber security firm Ciphertrace pointed out that the reason hackers were able to obtain API keys, 2FA codes and other info was due to hacking hot wallets using a two factor approach, social engineering and SIM card porting of phone numbers.

What Dave Jevans recommends moving forward is a 3FA approach. Has anyone used this or what are your thoughts?

https://cryptobriefing.com/binance-promises-to-cover-7000-btc-lost-in-hack/
Do you actually believe that news? Apart from bitcointalk, every other community thinks it's an inside job which I pretty much agree with. It's not the first time, neither last that these exchange owners like to fuck around with the traders. At this point, I've digested it.
legendary
Activity: 1624
Merit: 2481
May 10, 2019, 09:14:11 AM
#50
Someone on Twitter claiming he had found a glitch that could let him/her bypass 2fa and captcha on iOS devices, He had reported it to Binance but was ignored.
https://twitter.com/pacpoker/status/1094814265981190145?s=19

This was 3 months ago. And he didn't make the glitch public, which said he will do.

Furthermore the 2FA is checked server-side. So technically it is not possible to bypass 2FA by manipulating the client (in this case: the iOS app).

IMO this was just a bad joke. And far away from being a 'source' to the statement that binance had a security breach.
legendary
Activity: 1288
Merit: 1012
May 10, 2019, 08:41:23 AM
#49
It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..

But the issue wasn't that people were careless with their 2fa or passwords. The issue was that Binance had a security breach that circumvented these security checks.

I get that in crypto you are responsible for your own security - but in this case the problem wasn't the user, it was the 'trusted' and apparently 'safu' centralized exchange, who has such an inflated sense of self importance that they were considering risking the entire integrity of Bitcoin through a roll back.


Do you have any source for this statement ?

I can't find any news stating that binance's security was compromised.
Someone on Twitter claiming he had found a glitch that could let him/her bypass 2fa and captcha on iOS devices, He had reported it to Binance but was ignored.
https://twitter.com/pacpoker/status/1094814265981190145?s=19
legendary
Activity: 1624
Merit: 2481
May 10, 2019, 06:17:28 AM
#48
It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..

But the issue wasn't that people were careless with their 2fa or passwords. The issue was that Binance had a security breach that circumvented these security checks.

I get that in crypto you are responsible for your own security - but in this case the problem wasn't the user, it was the 'trusted' and apparently 'safu' centralized exchange, who has such an inflated sense of self importance that they were considering risking the entire integrity of Bitcoin through a roll back.


Do you have any source for this statement ?

I can't find any news stating that binance's security was compromised.
full member
Activity: 616
Merit: 167
May 10, 2019, 05:04:27 AM
#47

It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..

But the issue wasn't that people were careless with their 2fa or passwords. The issue was that Binance had a security breach that circumvented these security checks.

I get that in crypto you are responsible for your own security - but in this case the problem wasn't the user, it was the 'trusted' and apparently 'safu' centralized exchange, who has such an inflated sense of self importance that they were considering risking the entire integrity of Bitcoin through a roll back.
legendary
Activity: 1624
Merit: 2481
May 10, 2019, 02:00:37 AM
#46
that's my belief based on the statements binance made, but AFAIK no details about how 2FA and API keys were compromised have been released. have they?

No, unfortunately not.
Currently it can only be assumed, but based on their statements it sounded like its not a security problem on their end.



they have urged all users to change passwords, 2FA, and most specifically API keys so i guess we can't be sure this is 100% client side yet.

This indeed sounds strange.
But i guess that's not a clue towards server side problems.

They might want all user to change their secret information because of a server-side security breach or because they believe there are more keys somehow laked / stolen.



API keys were hacked from binance's servers last year and there have been recent suspicions of an ongoing problem.

Were they ?

I remember that most (if not all) people had their API key entered into a 3rd party trading software/script.
And this software had maliciously used the API keys to buy (and pump) a worthless coin, which has been sold by the attacker to get lots of profit out of it.

I didn't see any news regarding the security of binance being compromised. IIRC it was 100% users fault back then.
jr. member
Activity: 184
Merit: 1
May 09, 2019, 01:47:09 PM
#45
I think the million dollar question people are trying to solve is to what degree will we need to prove ones identity . 3FA would work but even something as far as 4FA would be necessary.
legendary
Activity: 1652
Merit: 1483
May 09, 2019, 01:42:18 PM
#44
One solution is just to use DEX, We need people to start using DEX and protect themselves from hackers, We should be responsible for our own protection.

People weren't able to protect their API-keys and 2FA codes which lead to the loss of funds.
So how should they going to be capable of protecting their private keys..

Binance's security is fine. Based on all information, it is each users fault for not protecting his 2FA codes / API keys.
It hasn't been mentioned anywhere that there was some security breach.

that's my belief based on the statements binance made, but AFAIK no details about how 2FA and API keys were compromised have been released. have they? they have urged all users to change passwords, 2FA, and most specifically API keys so i guess we can't be sure this is 100% client side yet. API keys were hacked from binance's servers last year and there have been recent suspicions of an ongoing problem.
member
Activity: 224
Merit: 62
May 09, 2019, 11:26:58 AM
#43
Eventually sooner or later hackers will be able to obtain new tactics or find out any loopholes of the said 3FA. Therefore the best thing to do is to always move your funds in and out from any trading platforms.

I know this is kinda toxic idea but I think that is one of the best thing we can do for now.

You have people who earn from trading. So, they need to have funds on the platform because then he can trade with them. Just think how complicated after every trade to withdraw funds and deposit it again for a new trade.


Imagine I had a blockchain of everyone and their face in my country, we could set up drone helicopter or plane to scan your face and if it does not match our data base, it kills you.


Interesting idea for new KYC method.  Grin

inb4 facebook is using it

https://www.youtube.com/watch?v=l4x0vOAu0lQ

inb4 we are all dead
legendary
Activity: 3472
Merit: 3507
Crypto Swap Exchange
May 09, 2019, 08:24:10 AM
#42
Eventually sooner or later hackers will be able to obtain new tactics or find out any loopholes of the said 3FA. Therefore the best thing to do is to always move your funds in and out from any trading platforms.

I know this is kinda toxic idea but I think that is one of the best thing we can do for now.

You have people who earn from trading. So, they need to have funds on the platform because then he can trade with them. Just think how complicated after every trade to withdraw funds and deposit it again for a new trade.


Imagine I had a blockchain of everyone and their face in my country, we could set up drone helicopter or plane to scan your face and if it does not match our data base, it kills you.


Interesting idea for new KYC method.  Grin
member
Activity: 224
Merit: 62
May 09, 2019, 08:18:35 AM
#41
I mean do the two options I presented

add a throttle on withdraws (I could cook up this code and have no education in coding)

and 3fa/4fa/5fa (WARNING THIS MAY LEAD TO A WEAPON OF MASS DESTRUCTION or a WEAPON OF MASS SAFETY)
https://www.cnbc.com/2019/05/08/facebook-rolls-back-ban-on-cryptocurrency-ads.html
legendary
Activity: 1624
Merit: 2481
May 09, 2019, 06:17:17 AM
#40
One solution is just to use DEX, We need people to start using DEX and protect themselves from hackers, We should be responsible for our own protection.

People weren't able to protect their API-keys and 2FA codes which lead to the loss of funds.
So how should they going to be capable of protecting their private keys..



This is really bad news... Binance should have invested more in security

Binance's security is fine. Based on all information, it is each users fault for not protecting his 2FA codes / API keys.
It hasn't been mentioned anywhere that there was some security breach.



Whatever they claimed that they are safe, hackers job is to keep trying to penetrate the security of the exchange so for sure they will find ways
to do that

That's true, but in this case it the fault of each affected user individually.



To use an analogy, instead of investing in 3 padlocks, it would be more secure to invest in a Safe.

It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..
full member
Activity: 616
Merit: 167
May 09, 2019, 06:08:36 AM
#39
I doubt 3fa will make much difference in the longterm, just like 2fa didnt make a difference l.

My fiat bank doesn't require 3fa, so why is that the answer for a crypto exchange?

To use an analogy, instead of investing in 3 padlocks, it would be more secure to invest in a Safe. I feel like 3fa is just adding an extra layer of the same depth of security.

When Binance finishes their investigation, I doubt 3fa will be their recommended action for this hack.
sr. member
Activity: 1078
Merit: 256
May 09, 2019, 05:36:58 AM
#38
It's so sad that these hackers always get to have their way with the funds of users as and when they please. I believe it is time we really give the development of Decentralized Exchanges some level of attention because no matter how these centralized exchanges claim they are they still get hacked.
Whatever they claimed that they are safe, hackers job is to keep trying to penetrate the security of the exchange so for sure they will find ways
to do that, they will keep doing it until finally got a victim and enjoy the sucked profits from someone's wallet. really need to be more extra careful
whenever you have good amount of money inside the exchange.
newbie
Activity: 53
Merit: 0
May 09, 2019, 04:39:02 AM
#37
This is really bad news... Binance should have invested more in security
legendary
Activity: 1288
Merit: 1012
May 09, 2019, 04:11:34 AM
#36
With the recent Binance hack of 7,000 BTC cyber security firm Ciphertrace pointed out that the reason hackers were able to obtain API keys, 2FA codes and other info was due to hacking hot wallets using a two factor approach, social engineering and SIM card porting of phone numbers.

What Dave Jevans recommends moving forward is a 3FA approach. Has anyone used this or what are your thoughts?

https://cryptobriefing.com/binance-promises-to-cover-7000-btc-lost-in-hack/


What? All this time I thought that activating 2fa on all my accounts made me feel that my funds are very secured but now it is vulnerable? Then that 3FA approach is useless then. I think we need more softwares to successfully track this hackers instead of buffing up the security measures each time it gets breached because these hackers will just study it until they crack the code again and again.
One solution is just to use DEX, We need people to start using DEX and protect themselves from hackers, We should be responsible for our own protection. Hardware wallet + dedicated OS for crypto transactions should be used I think.
sr. member
Activity: 1008
Merit: 355
May 09, 2019, 03:56:45 AM
#35
Quote
What Dave Jevans recommends moving forward is a 3FA approach. Has anyone used this or what are your thoughts?

This 3FA can be coming soon triggered by what just happened in Binance which resulted into the loss of around $40 Million dollars putting the security measures of Binance into question. Now, this can be a little bit funny, because when hackers can find out the best to go around with 3FA we can expect to get 4FA. I am then suggesting that to pole-vault the technology on this side, why not go directly to 6FA so that hackers can have a hell of time destroying its protection? Okay, am just kidding but then why not, right?
legendary
Activity: 1624
Merit: 2481
May 09, 2019, 03:35:10 AM
#34
3Fa would certainly change things.

I don't think so.

Most people are lazy as f**k. They would probably use 1 device (e.g. their mobile) for the 2nd and 3rd factor, therefore basically creating a 2FA again.

If done properly, it definitely increases the security. But i doubt the majority will be able to handle this correctly.



What? All this time I thought that activating 2fa on all my accounts made me feel that my funds are very secured but now it is vulnerable?

It is not vulnerable.
But if you don't know how to protect your sensitive information... it is only your fault.

It's like saying "I thoughts passwords are secure, now my account is at risk if i tell everyone my password ?".

If you keep your 2FA codes secure, so that noone except for you can access them, it is safe.
If you share your 2FA codes (or they can be accessed by other in any other way), it is not.
Pages:
Jump to: