Topic: Crypto.com suspends withdrawals (Read 261 times)

legendary
Activity: 2576
Merit: 1860
January 20, 2022, 11:27:42 PM
#24
The security race between hackers and companies is closer than many might be thinking. It seems there is no amount of security that guarantees 100% protection of funds. Passwords, OTPs, 2FAs, and so on are now proven incapable of providing perfect protection. Even this new multi-factor authentication that crypto.com is talking about could only bolster its security for a certain period of time before hackers would successfully challenge it as well.

Once again, we're provided with another reason to keep our funds under our sole control.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
January 20, 2022, 10:29:37 AM
#23
More news is coming

The hackers also stole 444 BTC.
According to the CEO, already fully refunded.

https://www.protocol.com/bulletins/crypto-com-hack
Quote
Marszalek said Crypto.com "very quickly stopped" unauthorized withdrawals and lifted restrictions within 14 hours. All accounts affected were fully reimbursed, he said. Crypto news site the Block reported that withdrawals consisted of 4,830 ether, worth $15 million, and 444 bitcoins, worth $18.5 million, though Marszalek did not confirm the value.

Bloomberg reported that Crypto.com has yet to receive any communication from regulators following the breach, but Marszalek said he was prepared to share information on the theft if regulators do inquire. In the U.S., there are few federal laws governing data breaches except for health-related data, and state laws vary. Federally regulated banking organizations will have to report breaches under a new law that takes effect in April, but crypto exchanges are not yet broadly regulated on the federal level.

“Obviously, it’s (a) great lesson and we are continuously strengthening our infrastructure,” Marszalek told Bloomberg. “Given the scale of the business, these numbers are not particularly material and customer funds were not at risk.”

 
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
January 19, 2022, 02:24:25 PM
#22
Although Crypto.com didn't make any statements about this, PeckShield (a security-audit company) claims that 16M has been stolen and is currently being laundered using TornadoCash: https://twitter.com/peckshield/status/1483246262371557378
It's a bit weird that they kept saying "no customer funds were lost" and still continued with that approach, even though their CEO "admitted in this video" that 400 accounts were affected and they "fully reimbursed" them [there's a big difference between those two]!

  • "ErgoBTC" is claiming there's another 444BTC in the equation, so that makes it around "33M" in total!
staff
Activity: 3500
Merit: 6152
January 19, 2022, 05:32:34 AM
#21
They re-enabled "address whitelisting" around 10 hours ago, but the interesting part is the fact that they just added delayed protection now! I'm quite surprised that a platform of that size, never had such protection in place [there are certain platforms out there that have a 48 to 72-hour hold for withdrawing to new addresses and they're not that popular] and in addition to that, most of their users are complaining about the added layer of security [SMH]!


Although Crypto.com didn't make any statements about this, PeckShield (a security-audit company) claims that 16M has been stolen and is currently being laundered using TornadoCash: https://twitter.com/peckshield/status/1483246262371557378
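
The hold on withdrawals to newly whitelisted addresses mentioned in the post above, sketched as an added example (not part of the original thread and not Crypto.com's code). The 48-hour window, the rule that a 2FA reset restarts the hold, and all names and addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed window; the post cites 48 to 72 hours on some platforms.
HOLD = timedelta(hours=48)

@dataclass
class Account:
    allowlist: Dict[str, datetime] = field(default_factory=dict)  # address -> time added
    last_2fa_reset: Optional[datetime] = None

def add_address(acct: Account, address: str, now: datetime) -> None:
    # Re-adding an existing address keeps its original timestamp.
    acct.allowlist.setdefault(address, now)

def check_withdrawal(acct: Account, address: str, now: datetime) -> Tuple[str, Optional[datetime]]:
    """Return (decision, release_time); decision is 'allow', 'hold' or 'deny'."""
    added = acct.allowlist.get(address)
    if added is None:
        return "deny", None  # never send to an address that is not whitelisted
    release = added + HOLD
    # Assumed rule: a 2FA reset restarts the hold for every address, so a
    # hijacked session cannot reset 2FA and drain to an old address at once.
    if acct.last_2fa_reset is not None:
        release = max(release, acct.last_2fa_reset + HOLD)
    return ("hold" if now < release else "allow"), release

def demo() -> dict:
    # Constructed timeline and placeholder addresses, for illustration only.
    t0 = datetime(2022, 1, 18, tzinfo=timezone.utc)
    acct = Account()
    add_address(acct, "addr-old", t0 - timedelta(days=30))
    add_address(acct, "addr-new", t0)
    results = {
        "old_now": check_withdrawal(acct, "addr-old", t0 + timedelta(hours=1))[0],
        "new_now": check_withdrawal(acct, "addr-new", t0 + timedelta(hours=1))[0],
        "new_later": check_withdrawal(acct, "addr-new", t0 + timedelta(hours=49))[0],
        "unknown": check_withdrawal(acct, "addr-unlisted", t0 + timedelta(hours=1))[0],
    }
    acct.last_2fa_reset = t0 + timedelta(hours=50)
    results["old_after_reset"] = check_withdrawal(acct, "addr-old", t0 + timedelta(hours=51))[0]
    return results

if __name__ == "__main__":
    print(demo())
```

The returned release time is what a platform would show the user, so a held withdrawal reads as a delay rather than a failure.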

legendary
Activity: 2716
Merit: 1225
Once a man, twice a child!
January 19, 2022, 05:20:22 AM
#20
~snipped
I get your point now. Thanks a great deal.
legendary
Activity: 3472
Merit: 3507
Crypto Swap Exchange
January 18, 2022, 04:03:22 PM
#19
Is there a better way to go about this, then? I'm also guilty of this, though I haven't had any issues since I started using GA as a 2FA tool on my device for years now.

Just use different devices. 2FA is supposed to be an extra layer of security. If your computer gets infected by malware, and you're accessing Authy's 2FA through the desktop app on the same computer that you're logging in to exchanges with, then what's the point? A hacker could simply log in and authorize the withdrawals himself.

Beyond different devices, your 2FA device should not be used for anything else other than 2FA. No games, no surfing the web, just 2FA.
Now, the other thing is it also depends a lot on the amount of money being discussed.

I have an insecure hot wallet on my phone but, the amount of crypto in that wallet is not enough to make a difference in my life, it's not even enough to make a difference in my spending habits this week.

Some time ago, I was thinking that for something like this it would be best to use a dedicated device like Raspberry Pi. Even if you need to have different versions of the OS, microSD cards are cheap, you can have as many as you need for different apps. 2FA, staking wallet, whatever...
Due to limited power, it will not be a challenge to play a game or use it for other internet things.
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
January 18, 2022, 03:55:15 PM
#18
They re-enabled "address whitelisting" around 10 hours ago, but the interesting part is the fact that they just added delayed protection now! I'm quite surprised that a platform of that size, never had such protection in place [there are certain platforms out there that have a 48 to 72-hour hold for withdrawing to new addresses and they're not that popular] and in addition to that, most of their users are complaining about the added layer of security [SMH]!

legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
January 18, 2022, 02:50:39 PM
#17
Is there a better way to go about this, then? I'm also guilty of this, though I haven't had any issues since I started using GA as a 2FA tool on my device for years now.

Just use different devices. 2FA is supposed to be an extra layer of security. If your computer gets infected by malware, and you're accessing Authy's 2FA through the desktop app on the same computer that you're logging in to exchanges with, then what's the point? A hacker could simply log in and authorize the withdrawals himself.

Beyond different devices, your 2FA device should not be used for anything else other than 2FA. No games, no surfing the web, just 2FA.
Now, the other thing is it also depends a lot on the amount of money being discussed.

I have an insecure hot wallet on my phone but, the amount of crypto in that wallet is not enough to make a difference in my life, it's not even enough to make a difference in my spending habits this week.

I have a 2nd device with GA and Authy on it along with a Google Voice number for getting SMS messages that does have access to more funds. But, to get to those I have to go to my PC, log into an exchange and then enter the 2FA info.

Everything else uses a hardware wallet.

You will have different levels of what you need for security depending on your financial situation and the amounts involved.

-Dave
hero member
Activity: 2366
Merit: 793
Bitcoin = Financial freedom
January 18, 2022, 02:12:43 AM
#16
Is there a better way to go about this, then? I'm also guilty of this, though I haven't had any issues since I started using GA as a 2FA tool on my device for years now.

Just use different devices. 2FA is supposed to be an extra layer of security. If your computer gets infected by malware, and you're accessing Authy's 2FA through the desktop app on the same computer that you're logging in to exchanges with, then what's the point? A hacker could simply log in and authorize the withdrawals himself.
I installed 2FA on my primary device and used to log in and make withdrawals from exchanges on my desktop just for the sake of avoiding those malware attacks, but never really used to hold a huge amount in an exchange wallet for a very long time; either I will convert it into fiat or simply withdraw it into the wallet. But day traders have no other choice than keeping multiple devices and adding all the security features to avoid malware and phishing attacks.
staff
Activity: 3500
Merit: 6152
January 18, 2022, 01:48:34 AM
#15
Is there a better way to go about this, then? I'm also guilty of this, though I haven't had any issues since I started using GA as a 2FA tool on my device for years now.

Just use different devices. 2FA is supposed to be an extra layer of security. If your computer gets infected by malware, and you're accessing Authy's 2FA through the desktop app on the same computer that you're logging in to exchanges with, then what's the point? A hacker could simply log in and authorize the withdrawals himself.
legendary
Activity: 2716
Merit: 1225
Once a man, twice a child!
January 18, 2022, 12:56:38 AM
#14
I really love people that use something like Google Authenticator or Authy and then also SMS both on the same phone.
Is there a better way to go about this, then? I'm also guilty of this, though I haven't had any issues since I started using GA as a 2FA tool on my device for years now.

Personally, I never keep funds in exchanges. If I want to sell, I send my coins and sell. If I want to buy, I send the fiat, buy and withdraw.
I guess you're more of a hodler than a trader (or someone who doesn't trade for a living) as that method won't work for active traders who need to have running funds on exchange(s) to execute trades.
legendary
Activity: 3528
Merit: 7005
Top Crypto Casino
January 17, 2022, 07:13:59 PM
#13
Makes you wonder yet again how safe 2FA really is when people have their APP & Email & 2FA all on the same device.
Depends on how safe that particular device is, but I wouldn't call that a proper 2FA setup!
Totally not safe, but the thing is that a lot of us were brought up with trust in financial institutions ingrained in us (or at least to the extent that your money won't disappear overnight or suddenly be locked up).  But crypto exchanges are a different beast altogether, and the level of trust you have in your local bank shouldn't be equal to that of any crypto exchange, casino, DeFi site, or whatever.  No matter how reputable those sites seem to be, that same golden rule always holds: not your keys, not your crypto.

Apparently, both withdrawals and deposits are back:
That's good to hear.  I'm not very familiar with crypto.com, but I recognize them as being a fairly big (but new) player in the crypto biz.  It'd really suck if a site with that domain name was hacked so badly that their customers' funds were gone for good.  I bet the mainstream shithead news outlets would have a field day with that one.
copper member
Activity: 2170
Merit: 1827
Top Crypto Casino
January 17, 2022, 06:47:00 PM
#12
Exchanges are never 100%, even if you use 2FA.

I don't trust exchanges' software. I think it may be possible that a hacker finds a way to bypass the 2FA and log into the account directly without using 2FA.
Not just that. I think I have heard of a couple of exchange hacks which involved the hacker gaining access to the private keys of the exchange wallets. In these cases, all other security measures cannot stop the hacker from moving funds except asking creators of centralized tokens like USDT to freeze the stolen assets and mint new ones.


Personally, I never keep funds in exchanges. If I want to sell, I send my coins and sell. If I want to buy, I send the fiat, buy and withdraw.

Mining and withdrawal fees are the price of good security. I think it is worth it.
Works perfect if you are trading spot markets and HODLing for weeks or months, but trust me, if you are a day trader or a scalp trader, this is not possible. You have to set up stop losses, take profits and other conditional orders which noncustodial wallets don't support.
legendary
Activity: 2212
Merit: 7064
January 17, 2022, 04:32:29 PM
#11
Not sure how serious this is but it appears that some users' accounts are being emptied[1][2][3] (even with 2FA) and withdrawals have been suspended for now.
 
There's nothing strange about this when you know that they are the ones fully controlling all the funds and the number of coins their customers see on their screens.
2FA should protect against breach from third parties or hackers, but they can always pull the plug whenever they want, and access everyone's accounts from the inside.
Even if they restored withdrawals and deposits, I would still not trust them in future.
 
staff
Activity: 3500
Merit: 6152
January 17, 2022, 03:06:25 PM
#10
Apparently, both withdrawals and deposits are back:

https://twitter.com/cryptocom/status/14831325595300290616

Except for whitelisting:

Investigating - Withdrawal whitelisting is temporarily paused, but withdrawals are still enabled. We appreciate your patience and will work on unpausing whitelisting as soon as possible. Thank you.
full member
Activity: 367
Merit: 136
January 17, 2022, 01:45:11 PM
#9
It made us sad to know that big exchanges are getting hacked, and more surprising to know that hackers can pass the authentication. If 2FA authentication can be passed, then it's really stressful. However, whenever any exchange got hacked they never seem to be fucked; they always assure the users that their funds are safe. Hackers may hack the internal security; otherwise, they can't hack the 2FA.
That's right: Never a dull day in the world of crypto.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
January 17, 2022, 01:04:37 PM
#8
I am not sure what would "all funds are safe" mean after an "unauthorized activity", still, it doesn't look too bad (yet).
Let's see whether there will be complaints after the update they're rolling out now.

I would guess it's either that they have enough funds to cover any losses or they have insurance to cover any losses.
Or this was internal DB work that went very poorly.

Every exchange says that and you can't really expect them to say "we're fucked, your money's gone". The real answer will come if and when everyone will be able to withdraw any part of their funds, i.e. no holds, limits, haircuts, spurious KYC, compensation with stupid tokens, etc.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
January 17, 2022, 11:52:58 AM
#7
Earlier today a small number of users experienced unauthorized activity in their accounts. All funds are safe.
 
In an abundance of caution, security on all accounts is being enhanced, requiring users to:
 
-Sign back into their App & Exchange accounts
-Reset their 2FA

I am not sure what would "all funds are safe" mean after an "unauthorized activity", still, it doesn't look too bad (yet).
Let's see whether there will be complaints after the update they're rolling out now.

I would guess it's either that they have enough funds to cover any losses or they have insurance to cover any losses.
Or this was internal DB work that went very poorly.

Looks like some people have gotten access back after not being able to log in, from what I have seen online, but still can't withdraw.

-Dave


legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
January 17, 2022, 09:27:39 AM
#6
Earlier today a small number of users experienced unauthorized activity in their accounts. All funds are safe.
 
In an abundance of caution, security on all accounts is being enhanced, requiring users to:
 
-Sign back into their App & Exchange accounts
-Reset their 2FA

I am not sure what would "all funds are safe" mean after an "unauthorized activity", still, it doesn't look too bad (yet).
Let's see whether there will be complaints after the update they're rolling out now.
hero member
Activity: 3038
Merit: 617
January 17, 2022, 09:15:53 AM
#5

Glad that I got out from them so timely. You think they are hacked?
They seem to be very big, which I guess a hacker will be determined to get so much incentive in doing so. Seems not safe for all of us if a hacker can bypass 2FA, such a useless security. I hope they can guarantee refunding users' funds that are lost.