Topic: How can an online exchange account be hacked with 2FA turned on? (Read 236 times)

legendary
Activity: 1652
Merit: 1483
As you read in the article, it was a phishing website: a new site is created as a copy of the real one to scam people.
Basically, what it did was log the fake website owner in to the real Bittrex. How?

Let me explain.
1- Enter the fake site
2- Enter your email and password
3- The fake site logs into the real Bittrex and enters the data you typed, exactly
4- The real site sends you a 2FA code to make sure it's you
5- You only see the fake site
6- The fake site asks you for the code and you enter it
7- The fake site goes to the real site and enters that code.

Congratulations, fake site owner is in your account and can withdraw all your coins easily.

Always be cautious and check the URL more than once. Not only on exchanges, but generally in anything that involves your money/assets/identity.


In this scenario, can they successfully withdraw coins, though? I've been on many exchanges, and there is always another 2FA entry (and often, email confirmation) upon a withdrawal request. A TOTP code is only good once, and one code is not nearly enough for them to start figuring out how to crack the 2FA token itself. So I think this plan needs some additional sophistication to pull off.

If an account gets hacked with 2FA enabled, my first assumption is that the site may have had a database leak in which both passwords (or weak hashes of passwords) and 2FA tokens were compromised.
hero member
Activity: 728
Merit: 537
As you read in the article, it was a phishing website: a new site is created as a copy of the real one to scam people.
Basically, what it did was log the fake website owner in to the real Bittrex. How?

Let me explain.
1- Enter the fake site
2- Enter your email and password
3- The fake site logs into the real Bittrex and enters the data you typed, exactly
4- The real site sends you a 2FA code to make sure it's you
5- You only see the fake site
6- The fake site asks you for the code and you enter it
7- The fake site goes to the real site and enters that code.

Congratulations, fake site owner is in your account and can withdraw all your coins easily.

Always be cautious and check the URL more than once. Not only on exchanges, but generally in anything that involves your money/assets/identity.
newbie
Activity: 35
Merit: 0
Can someone please explain to me how your account can be hacked if you have 2FA turned on? Does that not mean they would need access to both your Bittrex login and your cellphone, where the 2FA code is sent?

Link to the article describing a phishing scam is provided here:

https://www.hackread.com/fake-bittrex-cryptocurrency-exchange-site-stealing-user-funds/

Quote from article: "And they will get your password and authenticator code once you try to log in on their website! It all happens in less than five minutes!"