Binance recent hack (aka 'Stealing Incident'): security and other lessons we can and should learn, and security rules we should follow in the future to manage our Bitcoins and other cryptos safely.
SHORT DISCLAIMER: everything described below about the Binance hack consists only of assumptions, based not on first-hand experience but on the available open sources of information regarding the recent Binance hack (aka the 'Stealing Incident'). It cannot be considered the undisputed truth about how things really went that day. The main intention of this topic is not to praise or criticize Binance and its level of security, nor to spread FUD or anything like that, but simply to analyze the events, try to understand what could really have happened that day and why, take the events as an example of possible losses, and form the lessons we can learn from them.
TL;DR version: Our security is solely our own responsibility. The more security measures we take, the better.
We'll use the following sources of information for our brief 'Stealing Incident' analysis:
[1] Official Binance report regarding the 'Stealing Incident'.
https://support.binance.com/hc/en-us/articles/360001547431-Summary-of-the-Phishing-and-Attempted-Stealing-Incident-on-Binance
[2] Reddit thread, created by Binance, with users' reports about the situation and their observations before, during and after the events.
https://www.reddit.com/r/BinanceExchange/comments/82pj5p/please_read_regarding_unauthorized_market_sells/
[3] Another extensive Reddit thread with lots of users' reports.
https://www.reddit.com/r/BinanceExchange/comments/82ou1d/binance_sold_all_my_alt_coins_at_market_rate/
[4] Binance Hacker Bounty.
https://support.binance.com/hc/en-us/articles/360001615252-Binance-Hacker-Bounty
[5] Official Binance 'Stealing Incident' update.
https://steemit.com/cryptocurrency/@binanceexchange/binance-bounty-progress-update-march-19th-2018
We'll try to analyze the Binance report [1] (quoted below) step by step; we'll use some information from the recent update [5]; we'll compare their official statements with the users' reports from [2] and [3]; and we'll try to form some lessons for improving our security and taking preventive security measures in the future.
It's strongly recommended, though, to read all the sources yourself and draw your own conclusions, as there is no point in copying all the users' reports from [2] and [3] here.
Let's start.
"Fellow Binancians,
On Mar 7, UTC 14:58-14:59, within this 2 minute period, the VIA/BTC market experienced abnormal trading activity."
The crypto market is well known for its unpredictability and high volatility (at least for now). Experienced traders can really profit from such abnormal activity (up to a x100 rise in the VIA/BTC price on Binance, from ~0.00023 BTC at the start of the attack up to 0.025 BTC at the top), but unfortunately not all of us can read the market well and react fast enough (only 2 minutes (!) of price fluctuation) in every situation, so:
Lesson 1
If you're new to crypto and not an experienced trader, and you see abnormally high price spikes, better not try to jump onto that rushing train by buying or selling your coins without any (or at least some basic) analysis. It could be a sign of something bad happening, as with the VIA/BTC market on Binance, and you could become one of the indirect victims of someone's malicious activity. A badly configured trading bot can also cause a lot of losses in such a situation.
If the temptation to trade during some abnormal activity is too high, at least try to read some fresh crypto news and compare the coin's price charts on different high-liquidity exchanges. If the charts don't follow each other, that could be one of the red flags for you.
and
Lesson 2
An often-repeated one. Don't go 'all in' all the time. If you decide to take a risk, then risk only amounts you can afford to lose in case a bad situation happens, no matter whether you're trading or conducting any other risky operation. If you bought VIA coins at the highest price that day, you would now have to wait for an undefined period of time just to be able to sell them at the purchase price and get your money back.
"Our automatic risk management system was triggered, and all withdrawals were halted immediately."
According to one of the users' replies, he was able to withdraw his coins five to ten minutes after the events took place. Another user states that it took them almost an hour to halt withdrawals. We cannot be sure whether their risk management system exists, whether it is as advanced as they say, and whether it is automatic. Maybe they blocked the hackers manually somehow; otherwise, why did they need so much time to halt withdrawals? A manual halt could be the reason it wasn't made as quickly as stated.
It's also hard to believe in the existence of a fully automatic system that blocks withdrawals right after detecting suspicious trading activity, as this way a dishonest competitor could buy a cheap, low-liquidity coin, do some wash trading to push that coin's price abnormally high, and trigger false alarms and withdrawal halts this way.
Nevertheless, we'll try to give Binance the benefit of the doubt here, as the most important thing regarding this part is that the Binance team managed to react fast in a hard situation, prevented any losses and proved their competence, so:
Lesson 3
A more general one, but we'll place it here in order to maximize the potential read count and increase its teaching value in case someone doesn't read the topic to the end. The lesson is simple: choose the most reliable and secure exchanges for trading, as the safety of your funds will fully depend on the professional competence of the team you allow to keep your coins.
and
Lesson 4
Keeping all of your funds on exchanges (or other third-party services) is a bad idea. By the time of writing you have probably heard that caution a thousand times, but I think it's worth mentioning one more time.
You can not only become some hacker's victim, but can also get into a situation where you haven't been affected directly by the hack but still cannot withdraw your coins from the exchange, as all withdrawals will be halted for an undefined period of time in case of any serious issue. You'll have to keep your coins on the hacked (!) exchange, sit, wait and pray for the team to be able to resolve everything, or to refund you if the worst possible scenario occurs. Not the best situation, right?
Think seriously about starting to use cold storage or hardware wallets. It's better to spend some money on transfer fees than to lose everything.
"This was part of a large scale phishing and stealing attempt.
So far: All funds are safe and no funds have been stolen."
Although Binance is quite a young exchange, from this statement we can see that they have an advanced security system and a professional team that allowed them to prevent losses and prove their status as a reliable and secure exchange which can resist well-prepared attacks, so:
You can repeat
Lesson 3 one more time.
"The hackers accumulated user account credentials over a long period of time. The earliest phishing attack seems to have dated back to early Jan. However, it was around Feb 22 where a heavy concentration of phishing attacks were seen using unicode domains, looking very much like binance.com, with the only difference being 2 dots at the bottom of 2 characters. Many users fell for these traps and phishing attempts."
It's hard to say how many times it has been said that we have to check the URL of a website before entering any private information there, but despite that we cannot see any decrease in the number of phishing victims. Taking that sad reality into account, we'll repeat one more time all the basic rules we must follow to counter most of the known phishing attacks, so:
Lesson 5
First of all, you need to triple-check the correctness of the website URL you're visiting. It mustn't contain any unicode characters, no URL character may be replaced with a similar-looking one, and no other character(s) may be added or deleted.
The best way to reach the right website is to enter its address manually rather than follow links from emails, search results, forums and other sources. If you have difficulty keeping all the websites' URLs in your mind, simply use bookmarks in your web browser.
To check whether your URL contains any unicode characters you can also use a service like http://graphemica.com, which will show you all the unicode characters from your URL if there are any. The appearance of characters like 'ị' (instead of 'i') or 'ė' (instead of 'e') should definitely warn you. It's perfectly normal for it to show you ':', '/', '-' and some other symbols, as they are allowed in URLs (you can easily google the characters, numbers and symbols allowed in a URL and check them somewhere like https://tools.ietf.org/html/rfc3986#appendix-A).
Another simple tip for checking a URL for the presence of unicode characters is to paste the URL into a new .txt file and try to save it (in ANSI format). If the link contains any unicode character, you'll see a notification asking you to confirm the save, warning you about the presence of unicode characters.
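The same check can be scripted. The following is an added example (not part of the original post and not a Binance tool): it pulls the hostname out of a URL, lists every character that is not plain ASCII hostname material together with its Unicode name, and shows the punycode (xn--) form that the browser actually resolves. The lookalike domain used as input is constructed for the example, with the 'ị' written as the escape \u1ecb.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that may legitimately appear in an ASCII hostname:
# letters, digits, hyphen, and the dot that separates labels.
ALLOWED_HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-.")


def inspect_hostname(url):
    """Report on the hostname of `url`.

    `suspicious` lists (character, Unicode name, code point) for every
    character outside ALLOWED_HOST_CHARS; `ascii_form` is the IDNA/punycode
    form the resolver sees (None if the IDNA codec refuses the label).
    """
    host = urlsplit(url).hostname or ""   # .hostname is already lowercased
    suspicious = [
        (ch, unicodedata.name(ch, "UNKNOWN"), f"U+{ord(ch):04X}")
        for ch in host
        if ch not in ALLOWED_HOST_CHARS
    ]
    try:
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None
    return {
        "hostname": host,
        "ascii_form": ascii_form,
        "suspicious": suspicious,
        "is_plain_ascii": not suspicious,
    }


def matches_expected(url, expected_host):
    """True only if the URL's hostname, in its ASCII (resolved) form, is
    exactly the bookmarked host. Comparing the Unicode string instead would
    let a lookalike through on a careless eyeball check."""
    report = inspect_hostname(url)
    return report["ascii_form"] == expected_host.lower()


if __name__ == "__main__":
    # Constructed lookalike: 'i' replaced by U+1ECB (LATIN SMALL LETTER I WITH DOT BELOW)
    for candidate in ("https://www.binance.com/en/login", "https://b\u1ecbnance.com/login"):
        report = inspect_hostname(candidate)
        print(candidate, "->", report["ascii_form"])
        for ch, name, cp in report["suspicious"]:
            print(f"  suspicious character {ch!r} {cp} {name}")
```

The useful habit this encodes is comparing the punycode form against the host you expect, because that is the string DNS resolves; the pretty Unicode form is what the phisher wants you to look at.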
Secondly, you should check in your web browser that the website has an SSL certificate. If there is none (depending on the web browser you use, you don't see a green icon or your address bar is not green) or your browser says the connection is not secure, that must be a red flag for you. Phishing website owners sometimes even manage to get an SSL certificate (!), as there are free SSL services, so its presence shouldn't be treated as 100% assurance that you're visiting the real website. An SSL certificate can only be one of the security checks in your checklist.
Thirdly, try to read the news regularly in order to be aware of new phishing tactics and new phishing websites, as phishers get trickier with every passing day.
"After acquiring these user accounts, the hacker then simply created a trading API key for each account but took no further actions, until yesterday.
Yesterday, within the aforementioned 2 minute period, the hackers used the API keys, placed a large number of market buys on the VIA/BTC market, pushing the price high, while 31 pre-deposited accounts were there selling VIA at the top."
Here we've reached the most controversial part of the Binance report. According to the report, right after stealing users' login credentials, the hackers created API keys for each of the hacked accounts in order to use them later for simultaneous VIA/BTC trading.
The most interesting thing in this part is that, according to the users' reports on Reddit, at least some of the users had 2FA enabled on their accounts, but despite even that they were hacked too. That leads us to the conclusion that Binance could have allowed logins from new IPs and devices without any email confirmation (!) if 2FA was enabled. Not being asked for any confirmation by email, the hackers probably signed into the accounts using the users' credentials right after they were phished (2FA codes usually stay valid for only 30 seconds). That leads us to the next lesson, so:
Lesson 6
2FA is definitely a great feature for improving the security of your account, and you should enable it right after signing up. Unfortunately, it can also be bypassed in some cases, or if it's not implemented in the best way. You should enable and use as many security features as are available to you on the service you use.
Next, according to the report, after signing into the victims' accounts, the hackers created API keys. Everything would have been fine if there were no reports stating that users have no 'login from new IP' entries in their accounts and didn't receive any emails about suspicious login attempts (every successful and failed sign-in attempt is recorded as a log entry and can be viewed in the login history section of the account). Moreover, users not only didn't see any suspicious logins in their accounts but also didn't receive any confirmation notifications regarding the creation of new API keys. If you try to create an API key now, you'll be asked to enter a 2FA code (if you use 2FA) and to confirm the creation of the key by clicking a link in a confirmation email. Let's suppose the hackers managed to log into accounts with 2FA enabled. How did they manage to initiate API key creation? They had only 30 seconds and one phished 2FA code for each account. There are no reports about compromised emails, only Binance accounts. This leads us to the conclusion that either Binance allowed the same 2FA code to be used many times to confirm different actions and had a poor 2FA implementation (you won't be allowed to do so now), and/or API keys could be created without any confirmation (now you have to confirm this action by entering a 2FA code and following the confirmation link sent by email). Or both issues at the same time. Users got API keys created on their accounts without any knowledge of, or permission for, such actions on their side.
They didn't receive any emails about any kind of suspicious activity and didn't see any illegal login attempts in their accounts.
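The "same 2FA code used many times" weakness discussed above is a known TOTP implementation pitfall: a code is only bound to a 30-second time step, so unless the server remembers which step it last accepted, a phished code can be replayed for a login and then again for an API-key creation within the same step. The block below is an added example (not Binance's code, and not from the original post) showing a minimal RFC 4226/6238 verifier that refuses to accept a counter it has already consumed; the secret is the public RFC test key, and the timestamps are chosen so that the expected codes match the RFC test vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side verifier that accepts each time step at most once.

    `window` steps of clock drift are tolerated in both directions, but any
    counter at or below the last accepted one is rejected, so a code that was
    just used to log in cannot be reused to confirm a second action.
    """

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1          # highest counter already consumed

    def verify(self, code, unix_time=None):
        now = time.time() if unix_time is None else unix_time
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                # replay of a consumed (or older) step
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226/6238 test key
    v = TotpVerifier(secret)
    print("first use at t=59:", v.verify("287082", 59))    # True
    print("replay at t=61:  ", v.verify("287082", 61))     # False, already consumed
```

Without the `last_counter` check (a stateless verifier), both calls would return True, which is exactly the behaviour the reports above suggest.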
As we can see from one Binance team member's reply on Reddit, before the incident users could create new API keys without email confirmation if the key being created didn't have 'withdrawal' access. That's the reason the hackers couldn't directly withdraw all the funds from the phished users' accounts: they created and used API keys with 'trading' access only for their attack.
The theory about the use of some vulnerable trading bots by the users is not confirmed by the users' reports. Many of the victims didn't use any trading bots and took the security of their accounts very seriously.
Taking all the above information into account, we can suppose the first scenario of the 'Stealing Incident': due to Binance's poor implementation of the login process, the 2FA verification and the API key creation process, and due to the users' carelessness, the hackers, having phished credentials, created API keys with trading access on the users' accounts, which allowed them to trade the users' coins against VIA and steal the users' funds this way (2FA confirmation is not needed if you have an API key with trading access), so:
Lesson 7
Don't activate the API functionality if you don't need it. If you create an API key, don't grant it unnecessary access. For example, if you want to use the API to check your account balance or get some other statistics, create a 'view only' API key. It won't allow anyone to make any trading or withdrawal operations even if the key is compromised. Think twice before granting full access to your account to any kind of trading bot or third party.
The second possible, but less likely, scenario for the 'Stealing Incident': besides the phishing attacks, there were more severe vulnerabilities in the Binance platform which allowed the hackers to create API keys for users' accounts without needing to sign into them, or allowed them to take over any account for which they could get some credentials (a login or email, for example).
The third and least likely scenario: funds were stolen via malicious trading bots.
The official Binance report states that the 'Stealing Incident' was the result of a phishing attack and doesn't provide any additional details, so:
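To make Lesson 7 concrete from the service side, here is an added example (my own illustration, not Binance's API or code) of how scoped API keys are enforced: each request is signed with the key's secret, the signature and a timestamp are checked first, and the endpoint's required scope ('read', 'trade' or 'withdraw') is then compared against the scopes granted to that key. The key store, the endpoint names and the scope names are all constructed for this example; real exchanges would store a hash of the secret rather than the secret itself.

```python
import hashlib
import hmac
import time

# Constructed key store: key id -> secret and granted scopes (least privilege).
KEYS = {
    "view-key":  {"secret": b"view-secret-example",  "scopes": {"read"}},
    "trade-key": {"secret": b"trade-secret-example", "scopes": {"read", "trade"}},
    "full-key":  {"secret": b"full-secret-example",  "scopes": {"read", "trade", "withdraw"}},
}

# Scope each (constructed) endpoint requires; checked before any business logic runs.
ENDPOINT_SCOPE = {
    "/account/balance": "read",
    "/order/new": "trade",
    "/withdraw": "withdraw",
}

MAX_SKEW = 30  # seconds; a signed request older than this is rejected as stale


def sign(secret, timestamp, endpoint, body):
    """Client side: HMAC-SHA256 over timestamp, endpoint and body."""
    msg = f"{timestamp}\n{endpoint}\n{body}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize(key_id, timestamp, endpoint, body, signature, now=None):
    """Server side: return (ok, reason). Authentication happens before the
    scope check, so a bad signature is never told which scopes the key has."""
    now = time.time() if now is None else now
    key = KEYS.get(key_id)
    if key is None:
        return False, "unknown key"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(key["secret"], timestamp, endpoint, body)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    needed = ENDPOINT_SCOPE.get(endpoint)
    if needed is None:
        return False, "unknown endpoint"
    if needed not in key["scopes"]:
        return False, f"key lacks '{needed}' scope"
    return True, "ok"


def request(key_id, endpoint, body, now):
    """Helper that signs and submits a request with the key's own secret."""
    sig = sign(KEYS[key_id]["secret"], now, endpoint, body)
    return authorize(key_id, now, endpoint, body, sig, now=now)


if __name__ == "__main__":
    t = 1_520_000_000
    print(request("trade-key", "/order/new", "VIABTC BUY 1000", t))   # (True, 'ok')
    print(request("trade-key", "/withdraw", "27 BTC to addr", t))     # refused: no withdraw scope
    print(request("view-key", "/order/new", "VIABTC BUY 1000", t))    # refused: no trade scope
```

A compromised 'view only' key in this model can read balances and nothing else, which is the whole point of the lesson; a 'trade' key can still move funds between markets, which is what the incident exploited.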
We can do nothing but repeat
Lesson 3 and
Lesson 4 and form one more:
Lesson 8
Try to do at least basic research and find different points of view on any situation you've become part of, been involved in, or are interested in; this can give you a more detailed picture of the events, teach you some lessons, or provide useful additional information. It's always good to know at least two different opinions on a situation.
"This was an attempt to move the BTC from the phished accounts to the 31 accounts. Withdrawal requests were then attempted from these accounts immediately afterwards.
However, as withdrawals were already automatically disabled by our risk management system, none of the withdrawals successfully went out. Additionally, the VIA coins deposited by the hackers were also frozen. Not only did the hacker not steal any coins out, their own coins have also been withheld."
We don't see any numbers here except the number of hackers' accounts (and a few more numbers from the update). Most likely the amount of coins the hackers attempted to steal (or stole) was quite significant, so Binance decided to omit that number in order to prevent FUD spreading among the users, so:
We repeat again
Lesson 8 and will try to analyze the users' reports and the sources of information to get a rough estimate of the amount of funds which was or could have been stolen by the hackers.
We know that the hackers had 31 accounts and that 31 suspicious VIA deposit transactions were detected, containing 4,000 VIA each. That's 124,000 VIA on the 31 hackers' accounts (we assume they didn't have any more).
If the hackers had sold all their VIA coins at the market price, they would have received 124,000 x 0.00022 ~ 27 BTC, or 27 x $10,500 ~ $280,000 (as of the time of the attack). If they had sold most of their VIA coins at the top, they would have received 124,000 x 0.025 ~ 3,100 BTC, or 3,100 x $10,500 ~ $32.5 million. The real amount probably lies somewhere in that range. We don't know for sure whether the hackers withdrew some of the stolen funds or not. The Binance team says 'No', so let's believe it's true.
The launch of the $10 million bounty campaign and the $250,000 reward seem like justified and necessary measures. It's good that the Binance team is taking additional security steps and trying to avoid similar or even worse 'Stealing Incidents' in the future.
"The hackers were well organized. They were patient enough to not take any immediate action, and waited for the most opportune moment to act. They also selected VIA, a coin with smaller liquidity, to maximize their own gains."
As we can see, sooner or later hackers always find a new way or a new place, if not to steal, then at least to try to steal something. From the Binance 'Stealing Incident' we can see that they can not only conduct fast hacks but also carry out delayed hacks, so:
Lesson 9
We need to review our security settings constantly. Such a simple security measure as changing an account password from time to time can sometimes save all your funds.
"After a thorough security check by Binance, we resumed withdrawals. Trading functionality was never affected. There are still some users whose accounts were phished by these hackers and their BTC were used to buy VIA or other coins. Unfortunately, those trades did not execute against any of the hackers' accounts as counterpart. As such, we are not in a position to reverse those trades. We again advise all traders to take special precaution to secure their account credentials."
Despite the fact that Binance managed to resolve the whole situation, there are still users who won't receive any compensation, so:
Repeat
Lesson 3 and
Lesson 4 one more time.
"Protecting our traders is and has always been our highest priority.
Thanks for your support!
Binance Team"
The Binance team proved themselves a team of professionals and managed to stop the 'Stealing Incident' and resolve the situation. Despite that, we shouldn't fully delegate our own security to third parties, so:
Lesson 10
The final one. Our own security is solely our own responsibility. We should take as many security measures as we can in any situation, then revise them all and take one more.
Thanks for your attention; I hope this topic will help someone re-evaluate their attitude to safety and help prevent at least some of the possible loss of funds.