While two-factor authentication remains the most popular and widely adopted security measure for most companies, it is not infallible. The recent bypass of 2FA which allowed thieves to drain millions across 483 Crypto.com accounts reminds us that while 2FA is an important piece in an overall security posture, traditional 2FA is often not enough.
On Thursday, Jan 16th Crypto.com tweeted regarding reports that a small number of users were experiencing suspicious activity on their accounts, stating that they were going to be pausing all withdrawals and investigating the matter further. It also originally stated that “All funds are safe.” On the following Thursday, Crypto acknowledged that a breach did occur, resulting in a loss of well over $300 million dollars, far exceeding the initially estimated number of $34.65 million– but that all customers who were affected had been reimbursed.
We have a small number of users reporting suspicious activity on their accounts.
— Crypto.com (@cryptocom) January 17, 2022
We will be pausing withdrawals shortly, as our team is investigating. All funds are safe.
Threatpost was able to confirm that before Crypto.com suspended withdrawals it lost 836.26 ETH and 443.93 BTC, which equaled around $15.54 million and $19.04 million, respectively, as of Thursday afternoon. The exchange reported that it lost $66,200 worth of other currencies, as well.
How did this crypto heist go down? Crypto.com said that the thieves attempted to bypass the exchange’s 2FA system. It was Monday, 3 days before the initial Thursday statement that the breach occurred, when the exchange’s risk monitoring system picked up on the unauthorized transactions. They also shared that “in an abundance of caution” Crypto decided to eliminate its current 2FA and migrate to a “completely new 2FA infrastructure.”
Crypto.com immediately suspended withdrawals on its platform for about 14 hours while they investigated. “2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect,” the exchange said. “We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to set up and use 2FA in order to withdraw.”
The exchange plans to release additional end-user security features as it moves away from 2FA and on to what it called “true” multifactor authentication (MFA).
What Crypto.com Could Have Done Differently
The problem with multifactor authentication is that any process with human users inevitably exposes itself to human error. As the recent Biden Administration Executive Order shows, the cybersecurity industry is moving towards phishing-resistant multifactor authentication like Twosense. Twosense MFA confirms user identity via behavioral biometrics without any user participation, removing the threat of accidental approvals while also removing interruptions from the user’s day.