> 2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect. We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to set up and use 2FA in order to withdraw.
How is this supposed to work? They revoked all of their 2FA for all accounts? Doesn't this just open them up to credential stuffing attacks? This is a really, really odd response to me. I can understand migrating to a new 2FA system, but they'd have to re-establish the chain-of-trust somehow. Are they just hoping that users don't have compromised email/SMS accounts in order to enable the new 2FA system?
crypto.com is a little mysterious when it comes to authentication honestly. I still have not understood it.
But basically in this case, you didn't even need a password to log back in, it was just an email to click a link, then FaceId/PIN and logged in and prompt to re-add 2fa. The app must store the password itself somehow and auto use it.
Anyone know how they do auth on the app?
For users in the US there is no way to change the password, because the webapp (which might have that feature) is not allowed to be used from US.
Once I asked how to change the password and support said I can change the PIN on the phone and don't worry, your funds are safe.
I use crypto.com and they removed 2FA from me earlier in the week, asking me to set it up again. It was worrying as I wasn't sure if it was a scam, there was no reasoning behind it.
Based on them saying they migrated to a new 2FA system, I think it's the latter - they disabled the current 2FA option and required everyone to register a new 2FA method.
> In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.
That was exactly my question when I read this. How do they establish trust when 2FA is revoked? How do they prevent the bad guy from enabling 2FA now while the good guy is locked out of his account?
Maybe the good guy didn't get the message that Crypto.com had an issue, because s/he is unavailable.
Given that apparently their previous system simply allowed login/payments without the configured mandatory 2FA, per their statements about the root cause of the issue, this may have been a move of desperation...
Is anyone else getting the feeling from this press release that it seems they actually don't (yet?) know how their previous 2FA system was circumvented by the attackers?
My exact thoughts, umm where is the root cause and explanation of the breach? They just reset 2FA as a reactionary measure. The attackers have compromised more than 2FA to be able to initiate withdrawals. This doesn’t add up.
Time to play the classic crypto exchange game: hack or exit scam? Disabling 2FA in this scenario is dumb enough to raise the question of malfeasance on the part of this theft.
Somehow I doubt a fraudulent company on the verge of an exit scam would spend $700 million to rename an arena right before pulling the plug. Incompetent? Probably. Fraudulent? Unlikely.
> No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.
so which is it? no one lost funds or everyone that lost funds got paid back? where did that money come from?
> transactions were being approved without the 2FA authentication control being inputted by the user.
the withdrawal system allows for non-2fa when it's enabled, but informs the risk system when it happens? what kind of feature is that?
> While Crypto.com already performs internal and external penetration tests, Crypto.com has immediately engaged with third-party security firms to perform additional security checks
ah yes. the "we already had 7 double checkers, better add an 8th" solution. sounds like maybe the problem is not with the testing and auditing suite.
> releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA)
2fa isn't true MFA? did we evolve some new jargon I'm not aware of?
> WAPP is designed to protect user funds in cases where a third party gains unauthorized access to their account and withdraws funds without the user’s permission. WAPP restores funds
wait i thought they said they already did this? are they gonna start charging for it now because they lost money?
> To qualify for the WAPP program, users must: Set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction
wtf is that? a PSK? a TOTP?
> File a police report and provide a copy of it to Crypto.com; and
hello, local police department? i need to file a report - my cryptocurrency wallet just had an unauthorized funds withdrawal. no, i don't have a suspect, or evidence, or any action for you to take. just come down here and write down that i said this happened please.
They got paid back from company treasury. CeFi (incorporated, custodial, web 2.0 financial services operating in the crypto space) makes a lot of money, it isn't that hard.
Crypto.com is on par with FTX, Binance, Celsius, Coinbase and we have many varying examples of their valuations and supporting revenues and balance sheets.
$30mm irrecoverably stolen with zero liability for the hacker? No problem for the user experience or health of the company these days.
The whole thing is really unclear, but it sounds like if they are hacked and you lose funds, they will only reimburse you if you file a police report... even though they would know if you lost funds, and only they would know the circumstances and have any evidence.
I wouldn't touch crypto.com with a very long barge pole...
> the withdrawal system allows for non-2fa when its enabled, but informs the risk system when it happens? what kind of feature is that?
I don't know about crypto.com but this is how binance does it. You can enable 2FA for everything or individually for specific actions such as logging in, withdrawals, etc. Lets everyone choose their security/inconvenience trade-off which I find reasonable.
> wtf is that? a PSK? a TOTP?
There is something similar on binance too. You set up some unique code on their website, every official email they send you will include that code as proof of authenticity. A weak form of signature I guess.
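The per-action 2FA toggles described above, with the withdrawal path written two ways: as the quoted press release describes it (a missing 2FA code only informs the risk system) and fail-closed. This is an added Python example, not code from crypto.com or Binance; the function names, the TOTP secret and the timestamp are constructed assumptions.

```python
"""Per-action 2FA enforcement for a withdrawal endpoint (added example, not an
exchange's code). Compares the fail-open behaviour quoted in the thread with a
fail-closed check that makes a valid TOTP code a precondition for approval."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import hmac
import struct


class Action(Enum):
    LOGIN = "login"
    WITHDRAW = "withdraw"


@dataclass
class AccountPolicy:
    # Per-action toggles, as described for Binance above: 2FA can be required
    # for login, for withdrawals, or both. Withdrawals default to required.
    require_2fa: dict = field(
        default_factory=lambda: {Action.LOGIN: False, Action.WITHDRAW: True})
    totp_secret: bytes = b""


@dataclass
class Decision:
    approved: bool
    reason: str
    risk_events: list = field(default_factory=list)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, included so the example runs offline."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF)
    return f"{code % (10 ** digits):0{digits}d}"


def authorize_fail_open(policy: AccountPolicy, action: Action,
                        code: str, now: int) -> Decision:
    """The shape the thread quotes: 2FA is 'required', but a missing code only
    emits a risk event and the transaction is approved anyway."""
    decision = Decision(True, "approved")
    if policy.require_2fa[action] and not code:
        decision.risk_events.append("2fa_missing")  # logged, nothing blocks
    return decision


def authorize_fail_closed(policy: AccountPolicy, action: Action,
                          code: str, now: int, window: int = 1) -> Decision:
    """Hardened: when the policy requires 2FA for this action, a valid code in
    the current step (plus/minus `window` steps of clock drift) is mandatory."""
    if not policy.require_2fa[action]:
        return Decision(True, "2fa not required for this action")
    if not code:
        return Decision(False, "2fa_missing", ["2fa_missing"])
    for drift in range(-window, window + 1):
        expected = totp(policy.totp_secret, now + drift * 30)
        if hmac.compare_digest(expected, code):
            return Decision(True, "2fa verified")
    return Decision(False, "2fa_invalid", ["2fa_invalid"])


# Constructed demo values; a real deployment derives these per account.
DEMO_SECRET = b"constructed-demo-secret-not-real"
DEMO_NOW = 1_700_000_000
DEMO_POLICY = AccountPolicy(totp_secret=DEMO_SECRET)
```

The risk event in the fail-open path is the "informs the risk system" behaviour questioned above; the fail-closed path turns the same event into a denial.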
Bear in mind many private exchanges aren't ever really exchanging crypto until you cash out -- the numbers you see can be just trades on an internal stockmarket, not necessarily backed by any external crypto asset until realized.
I believe this is a system where you give a website something that you will recognize (I've seen small images used as well as text) that they agree to display to you in their layout. It is supposed to make building convincing phishing websites harder, as the attackers cannot know what content a given user has sent to the service.
The Worldwide Account Protection Program seems to be a way for Crypto.com to limit their exposure, while marketing it as "protection" for the customers.
Around $34 million stolen, 483 users affected. If the funds were spread evenly, then each user would have lost about $71k. But the funds won't be evenly spread (average). It's likely some users will have lost much more, and some much less.
From the announcement, it looks like Crypto.com is making the users whole again;
> No customers experienced a loss of funds.
This means that (in some cases) Crypto.com was on the hook for much more than $71k / user. The WAPP appears to put a series of conditions on the user, and introduce an upper limit to the amount that Crypto.com will return in the future.
> WAPP restores funds up to USD$250,000 for qualified users; terms & conditions apply.
> Enable Multi-Factor Authentication (MFA) on all transaction types where MFA is currently available,
> Set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction,
> Not be using jailbroken devices,
> File a police report and provide a copy of it to Crypto.com; and
> Complete a questionnaire to support a forensic investigation.
This looks more like a mechanism to limit Crypto.com's exposure to future events than it does a policy to protect users.
I mean, there's still plenty of money in other people's accounts they can use to cover the losses.
Does anybody know whether the regulatory regime they operate under is sound? If a US bank lost this kind of customer money in a theft, I'd have some confidence that the FDIC and the Federal Reserve would make sure they actually had all the money they were claiming they had. But personally I'd hate to bank purely on the internal controls of a Singaporean subsidiary of a Maltese company.
Please explain how they can use the money from other people's accounts to cover the losses. If I had an account there, I wouldn't allow them to use my money to cover this.
> This looks more like a mechanism to limit Crypto.com's exposure to future events than it does a policy to protect users.
That's fine. It lays out the risk exposure in concrete terms and defining their market offering. If you use a jailbroken device, or have more than $250K in funds, or are holding crypto for illegal purposes, don't put it in Crypto.com. Same as FDIC insured savings accounts that are limited to $250K.
And so what are we going to do as a society with these stolen funds? Playing a wallet mixing tracking game is a rat race and a waste of energy, otherwise we need a centralized system [on an immutable blockchain] to keep track of stolen funds, to then cross-reference every transaction with at point of sale/transfer - to then prevent it, no?
If not a centralized solution like above then what? We just allow stolen funds to be used now or any point in the future, rewarding criminal behaviour?
There's no centralized system to track stolen dollars (at least not in the sense you're talking about), so I don't know why crypto would necessarily need one.
I think you’re right, mostly. As a user I’d like to know explicitly what my risk factor is.
Any exchange or custodian has a non zero chance of getting hacked or inside-jobbed; unlike fiat currencies there is no judicial process that is going to maybe let me claw my stuff back.
A sort of FDIC insurance for custodian crypto accounts is an inevitable market solution.
By the numbers, around $34 million in funds is affected, mostly Ethereum. They say in the press release that they prevented most of the unauthorized withdrawals and reimbursed the remainder, but it’s unclear how much they had to pay for reimbursements.
For context, this is the startup that has been using Matt Damon as its face.
I'd love to read more about these money laundering operations like Tornado Cash. Are they just straight up 100% fraud companies? Do they have any pretense of a legitimate use case or does everyone just understand they're used for criminal activity? Are they regulated at all? I assume you have to trust your magic beans to them at some point; do the money launderers sometimes just steal them? What do they charge for their service?
And even earlier they started out with MCO as their iconic token, then shifted to a new crypto while leaving early stakeholders in the dark. Those early maneuvers were something of a red flag.
I am a cyber security consultant for startups. The first thing that I communicate is that just by not being in crypto you have drastically lowered your risk profile.
Attackers care a lot about what they can get to if they are able to breach your security.
Eh, yes of course, what are you saying really? Is there some deeper point I miss?
Just like finance companies have a different risk profile than companies generating bingo cards, crypto companies have different risk profiles than other non-financial ones. Are people arguing that this is not true or something?
Crypto companies have a different risk profile than most finance companies.
For most finance companies, if they have a whoopsie and lose money to a software boo-boo, they'll just reverse the transaction. Times when such a transaction cannot be reversed (https://www.bloomberg.com/news/articles/2021-03-19/citigroup...) are the extremely rare exception, and are adjudicated by a civil court.
Whereas if a crypto company has their wallets breached, it's almost certainly immediately irreversible.
People generally don't understand how vast the difference is. The pro crypto narrative has pushed the idea that "Blockchain is more secure" because "it cannot be edited" when in reality that feature makes it much more of a target for attackers because once they transfer the coins the transfer cannot be edited. In comparison if an attacker gets a credit card that card could be disabled and or have transactions cancelled.
How many startups do you talk to that are "on the fence" with somehow using crypto in their product? Seems pretty core to what the company would be doing.
I dunno, I've seen a lot of mentions of different companies trying to stuff crypto/blockchain in to seem trendy and marketable when it's clear that there's absolutely nothing crypto/blockchain brings to that use case.
(In fact, I have yet to see a single genuine use case for cryptocurrencies or blockchain that aren't served at least as well by more proven technologies, aside from "separating money from fools" and "making libertarians/anarchocapitalists squee".)
I do a bit of the same and this seems to be a silly thing to communicate as part of a security audit. Ok, step 1 SMB insurance company paying me to audit - by not being in Afghanistan, you have a severely reduced risk of business invasion and extortion. Seems like a really wonky way to communicate a risk profile and first-exposure to security professionals by a SMB. Plenty of SMBs with janky POS systems get pretty nasty PII attacks.
I'm advising people at the executive level. They do not care about the details of hashing PII, they want to know how likely it is that they will be targeted and how likely that attack is to succeed. And the fact is that an insurance company gets targeted far less often than crypto companies.
It's cliché, but it doesn't really mean that crypto.com or any other crypto exchange isn't on the hook for stolen funds.
Crypto doesn’t mean regulation doesn’t apply or that companies are free from liability.
Obviously you can't squeeze blood from a stone if someone were to steal most of the funds from a crypto exchange (Mt. Gox comes to mind).
But in the real world, if you use a crypto exchange in a reasonable location (e.g. US exchange adhering to US laws) then small thefts like this are going to be reimbursed one way or another.
Now if the entire exchange and their cold wallets were stolen somehow, it would be game over.
So in the real world when using a regulated crypto exchange, what's the point of a blockchain other than asset speculation (which can also be done through traditional trading instruments at this point)?
They also said they've reimbursed all funds. So if you were hacked personally, you would be out money here, vs keeping it on their exchange where you would be made whole again.
If they literally removed 2FA from everyone, that's insane.
IE: single factor resets, so a compromised “2FA” was actually keys to the kingdom?
But you’d think the attacker would need access to a user’s email or some such then.
As a communications person, reading between the lines tells me they've got no idea what happened. Comforting!
https://www.latimes.com/business/story/2021-11-16/crypto-sta...
>> No customers experienced a loss of funds.
Let's believe that when we hear someone other than the company saying it.
> File a police report and provide a copy of it to Crypto.com
Yeah, I'm sure tons of crypto holders will get right on that.
Why lead with the ponzi assumption? There are so many more quantifiable assumptions
So does a normal PC count as a jailbroken device? If not, what makes having root access on a phone any different?
They're also notable lately for getting the naming rights to the (former) Staples Center.
> https://en.wikipedia.org/wiki/Crypto.com_Arena
I doubt it's very cheap to advertise in F1. You need to outbid large competitors.
I'd assume any attacker would at least transfer everything to a BTC/whatever address generated offline, then figure out later how to launder it.
https://web.archive.org/web/20170611024100/http://www.crypto...
https://www.cryptovantage.com/news/opinion-the-crypto-com-mc...
That isn't the technical solution I was looking for...