Crypto.com hack exposes shortcomings of multifactor authentication

Last week, the cryptocurrency exchange Crypto.com said it had mistakenly approved roughly $35 million in fraudulent transactions, affecting 483 of its users and costing the company an unspecified amount in reimbursements.

Crypto.com representatives did not specify the precise attack vector hackers used to initiate the fraudulent transactions, saying only that it involved getting around the company’s two-factor authentication system, also known as 2FA.

Crypto dotcom Arena
Crypto.com spent a reported $700 million to rename the stadium used by the Los Angeles Lakers.
PR Newswire

An expert said the incident, which affected one of the largest crypto trading platforms in the market, shows the importance of using multiple layers of security and highlights other measures financial institutions can take to fend off a hack.

“Unfortunately, security breaches continue to happen throughout the industry,” said Zilvinas Bareisis, head of retail banking for consulting firm Celent. “Once it did happen, it looks like Crypto.com did a number of things right.”

Among the things Bareisis said Crypto.com did right was suspending withdrawals across the platform until the company addressed the security hole. He also said that reimbursing customers who were affected was “the right thing to do even though it left the company out of pocket.”

Crypto.com did not specify how many unauthorized withdrawals it prevented or how much it paid in reimbursements. Its Jan. 20 postmortem said only that it prevented unauthorized withdrawals “in the majority of cases” and provided reimbursements “in all other cases.” A company spokeswoman declined to provide further clarification on the matter.

According to the company, unauthorized transactions totaled 4,836.26 Ethereum (roughly $15.5 million as of early last week), 443.93 Bitcoin (roughly $19 million) and approximately $66,200 in other cryptocurrencies. Company CEO Kris Marszalek told Bloomberg two days later that, given the size of the business, “these numbers are not particularly material.”

The Singapore-based cryptocurrency exchange app is a private company and does not publicly disclose financial statements. Marszalek told TechCrunch in 2018 it had close to $200 million on its balance sheet, and a Los Angeles Times report said a deal last year to rename the Los Angeles Lakers’s home stadium the Crypto.com Arena cost about $700 million.

One problem leading to the attack last week appeared to be a gap in the company’s multi-factor authentication system. The Jan. 20 statement said “transactions were being approved without the 2FA authentication control being inputted by the user.”

In other words, Crypto.com apparently provided one-time passwords — these are usually six-digit codes provided via text message or in a multi-factor authentication app — to affected users after hackers initiated a transaction from their compromised account.

However, the company mistakenly allowed the transactions to go through without the users providing the one-time password. The company did not specify whether hackers intercepted one-time passwords, whether Crypto.com’s system allowed transactions to go through without the passwords, or whether something else happened.

Regardless of how exactly hackers got in, Bareisis said a strong two-factor authentication system is helpful but “usually not sufficient” to prevent attacks. He said “other tools are needed to constantly monitor the risk,” and institutions need ways to flexibly “step up” security as needed.

In the case of Crypto.com, the company said its risk monitoring systems identified the problem during the attack, which then “triggered an immediate response from multiple teams to assess the impact.” The platform halted withdrawals for approximately 14 hours as it investigated and responded.

In its statement about the attack, the company said it had “revamped and migrated to a completely new 2FA infrastructure,” and it announced new conditions on which it would insure accounts in the future.

The program, which it has dubbed its Worldwide Account Protection Program, will launch Feb. 1 “in select markets.” The conditions users must follow to have their accounts insured include enabling multi-factor authentication “on all transaction types where it is available,” setting up an anti-phishing code on their account, and not using jailbroken devices.

Customers who follow all those conditions and properly report an account breach will qualify for the insurance program, and Crypto.com said it would restore funds up to $250,000 for such users in the case of a hack in the future. It is not clear whether customers will pay extra for this coverage, or what will happen to people who lose more than $250,000.

For reprint and licensing requests for this article, click here.
Cyber security
MORE FROM AMERICAN BANKER