Why 2FA is failing to protect cryptocurrency exchanges from account takeover hacks
3 October 2022

Between October 2020 and May 2021, nearly 7,000 US consumers reported financial losses from cryptocurrency scams that totaled over $80 million, a 1,000% rise from the previous six months.

Attackers are also becoming bolder, carrying out larger and more complex heists. In December 2021, BitMart – marketed as ‘the most trusted cryptocurrency trading platform’ – experienced a hack where approximately $190 million in assets was stolen from user accounts.

In this blog, we’ll look at how Keyless can help exchanges stop account takeovers caused by compromised and weak credentials and SIM swapping.

How threat actors hack crypto exchanges

Fraudsters are drawn to crypto exchanges rather than traditional financial institutions because there is a greater opportunity to steal funds without being caught, owing to the lack of industry and regulatory oversight.

Despite this lack of oversight, a major attack can still have serious reputational and financial repercussions for an exchange. While not obliged to pay users back, BitMart promised to reimburse victims in a bid to restore its reputation, costing it upwards of US $150 million.

As well as this, the hack had operational consequences, with the exchange being forced to halt withdrawals until it identified the source of the attack, disgruntling customers even further. 

Often, the reputational and financial repercussions extend beyond the targeted exchange and its victims, causing a ripple effect that takes a toll on the entire crypto market.

In 2016, the price of bitcoin fell 20% overnight after hackers stole 120,000 BTC (worth approximately US $2.3 billion) from Bitfinex, a Hong Kong-based exchange. In 2018 and 2019, attacks on Binance – the largest exchange in terms of trading volume – caused the price of BTC to fall once again, followed by an SEC probe. 

Likewise, the more recent BitMart attack has led to a probe by the FTC, making it the agency's first crypto case. If the FTC discovers that BitMart misled its users over its security protections or didn’t comply with the law, this will have a major impact on consumer and regulator trust. 

Why authenticator apps and OTPs are failing the cryptocurrency industry

For years, cryptocurrency exchanges have enforced multi-factor authentication to protect users from attacks, mandating the use of authenticator apps, like Google Authenticator, or SMS 2FA. But with the evolving sophistication of cyber fraud and scams, hackers are finding ways around these security layers. 

Demonstrating the fallibility of this type of 2FA, in January 2022 hackers bypassed 2FA on Crypto.com and stole $36.4 million in user funds, with over 483 accounts affected.

To execute 2FA attacks, threat actors leverage stolen personal data and credentials to hack into an email account or steal a victim’s phone number, which enables them to fraudulently capture OTPs. Hacks like these are skyrocketing, with the FBI reporting over 1,600 SIM swap complaints in 2021, resulting in losses totaling over $68 million. 

In theory, third-party authenticator apps, like Google Authenticator, put a stop to threats from SIM swapping and email account takeovers, as they require the attacker to have access to the user’s mobile phone. However, bad actors have adapted methods to capture OTPs generated by apps.

One approach is to use reverse-proxy websites that trick users into entering genuine OTPs into a scam website, enabling fraudsters to gain access to private accounts by using the codes in real time. It is also becoming easier for hackers to deploy OTP bots and mobile malware that mimic mobile push notifications and applications, combined with email or automated phone calls, to obtain OTPs from unwitting users. 

According to Binance, in the 2019 attack, hackers were able to bypass its 2FA systems by “accumulating user account credentials over a long period of time” and by “using Unicode domains, looking very much like binance.com” that enabled hackers to capture the user’s OTP. 

“After acquiring these user accounts, the hacker then simply created a trading API key for each account but took no further actions, until yesterday. Yesterday, within the aforementioned 2-minute period, the hackers used the API keys, and placed a large number of market buys”.
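The reason a reverse proxy or look-alike domain can relay an app-generated OTP, while an origin-bound challenge-response cannot be relayed the same way, can be shown in a small simulation. This is an added example, not code from Keyless, Binance or the original post; the secret, origins and the HMAC-based stand-in for a WebAuthn-style signature are constructed assumptions (real WebAuthn uses per-site public-key signatures, but the origin binding is the point).

```python
import hmac, hashlib, struct, secrets

# Constructed demo values; not from any real account or site.
SHARED_SECRET = b"constructed-demo-secret"
LEGIT_ORIGIN = "exchange.example"
PHISH_ORIGIN = "exchange-login.example"   # look-alike domain run by a reverse proxy

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter with dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def server_verify_totp(submitted: str, t: int) -> bool:
    """The server only sees a 6-digit bearer value; it cannot tell who typed it."""
    return hmac.compare_digest(submitted, totp(SHARED_SECRET, t))

def relayed_totp_login(t: int) -> bool:
    """User reads the genuine code from their app and types it into the proxy,
    which forwards it to the real server inside the 30-second window."""
    code_typed_into_proxy = totp(SHARED_SECRET, t)
    return server_verify_totp(code_typed_into_proxy, t)   # accepted: True

def client_sign(challenge: bytes, origin_seen: str) -> bytes:
    """Origin-bound response: the client mixes in the origin it actually
    connected to, not the one the server expects (WebAuthn-style, simplified)."""
    return hmac.new(SHARED_SECRET, challenge + origin_seen.encode(), hashlib.sha256).digest()

def server_verify_bound(challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(SHARED_SECRET, challenge + LEGIT_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def relayed_bound_login() -> bool:
    """Proxy forwards the server's challenge, but the user's client binds the
    response to the phishing origin, so the real server rejects it."""
    challenge = secrets.token_bytes(32)
    return server_verify_bound(challenge, client_sign(challenge, PHISH_ORIGIN))  # False

def direct_bound_login() -> bool:
    challenge = secrets.token_bytes(32)
    return server_verify_bound(challenge, client_sign(challenge, LEGIT_ORIGIN))   # True
```

The TOTP check passes for the relayed code because nothing in the code identifies where the user typed it; the origin-bound check fails because the relayed response was computed over the wrong origin.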

Passwordless authentication as a solution for crypto exchange security

When done properly, passwordless offers superior protection against account takeover attacks because bad actors have nothing to steal – no passwords, PINs, OTPs, or recovery seeds – that would enable them to otherwise fraudulently bypass authentication. 

Instead, passwordless solutions enable exchanges to:

  • Strongly authenticate genuine users with high identity assurance. 

  • Enhance the authentication experience, making it easier and faster for users to log in and authorize payments. 

  • Protect exchanges from privacy and security compliance breaches.

However, not all passwordless solutions offer the same level of security, privacy, or consistency in terms of user experience. For example, magic links and social login have the same security risks associated with 2FA; and, due to multi-device limitations, passwordless solutions like FaceID don’t stop attackers from using stolen personal data and credentials to enroll for biometric authentication on other devices.  

The Keyless answer 

As mainstream adoption of cryptocurrency increases, account takeovers targeting exchanges will continue to rise. To combat these risks, exchanges need to move away from legacy multi-factor authentication solutions that rely on weak authentication methods.

With our advanced passwordless solutions, Keyless addresses the issues of OTPs, passwords, and magic links by removing them entirely from the authentication journey. 

Instead, we provide strong authentication with a simple look into the camera by combining our patented privacy-preserving facial recognition software with invisible device verification, anti-spoofing, and liveness detection. 

Our privacy-preserving capabilities make it possible for cryptocurrency exchanges to identify genuine users via biometric authentication, without any risk to their biometric data or identity. In doing this, we eliminate the vulnerabilities of knowledge-based authentication and legacy 2FA, helping exchanges to strengthen their compliance posture and protect their brand reputation.
