
2FA Bypassed in $34.6M Crypto.com Heist: What We Can Learn
2022-01-20 23:14

Although customers had reported losses over the weekend, Crypto.com's Thursday statement said the heist took place on Monday at about 12:46 a.m. UTC. That is when the exchange's risk-monitoring systems detected unauthorized transactions from 483 accounts being approved without the users' 2FA authentication.

The exchange fully restored the affected accounts, revoked all 2FA tokens and added further security-hardening measures, requiring all customers to log in again and set up their 2FA token afresh.

Trash that 2FA. Crypto.com said that it's junked its 2FA "in an abundance of caution" and has migrated to a "completely new 2FA infrastructure."

"We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to set up and use 2FA in order to withdraw."

The exchange plans to release additional end-user security features as it moves away from 2FA and on to what it called "True" multi-factor authentication.

He gave an example: using an offline hardware wallet which he praised as "a great way to reduce the risk of losing your crypto should an exchange be compromised." However, it's easier said than done for the technically non-savvy, he noted: "Setting up one of these wallets and moving your crypto from exchanges isn't trivial, and is too high of a bar for many crypto investors. Ordinary people struggle with passwords, so using 24-word seed phrases on top of them doesn't make for the most practical user experience."


News URL

https://threatpost.com/2fa-bypassed-crypto-com-heist/177846/