Blog post

Think your Crypto is Safe at well-known Exchanges? Think Again

By Avivah Litan | January 24, 2022 | 0 Comments

My colleague just had over $30,000 worth of Ethereum stolen from his wallet at a highly regarded cryptocurrency exchange, and there’s nothing he can do about it. No one from the exchange bothered to speak with him to at least explain the situation.  In fact, the customer service was pathetic – all he had to interact with over the course of several days was email and a brain-dead chat bot.

The exchange eventually emailed him all the details of the hack and then told him they were protecting his device and email!   See email he received from their customer service desk below:

Yes, my colleague did fall for a social engineering attack after he had gone to sleep, and was aroused by loud disconcerting alerts claiming to be the exchange warning him his account was in trouble. But the hacker apparently only needed the information gathered from the social engineering for that smallest and last transaction worth $408. My colleague was socially engineered into handing over his driver’s license and selfie pictures to the bad guy.  But he didn’t interact with the hacker until 12 hours AFTER over $30,000 worth of Ethereum was withdrawn from his account.

Yes, he was duped. But the exchange should have used much stronger controls for money transfers out of his account.

This particular exchange sometimes checks a selfie picture against a driver’s license picture – and won’t transfer the funds until they verify the match. Based on the timeframe, this face verification process happened for just the third transaction, and the hacker likely replayed my friend’s picture.

This is exactly where the exchange could have stopped the hacker. The exchange should have deployed an updated version of facial recognition and verification on ALL THREE transactions – not just the last one – and  should have tested for ‘liveness’ when verifying the selfie photo.

There are plenty identify verification technologies on the market that validate the person taking a selfie is present and alive, especially since its so easy for hackers to steal and replay victim pictures. The use of these tools will become increasingly necessary as deepfakes start being used to socially engineer users into takeover of their accounts.

There are lots of troubling takeaways here:

  • The hacker was able to get the information to socially engineer my colleague in the first place.
  • Centralized cryptocurrency exchanges- even those with good reputations – are not protecting consumers as they should.
  • Many consumers are better off being their own bank by using a more secure self-hosted hardware wallet.
  • The hacker was able to get the information to socially engineer my colleague in the first place.

No doubt there is plentiful information for sale on the darknet that links a user’s blockchain wallet addresses to the exchange that hosts those wallets addresses, along with any PII information the data aggregators can scour such as name, email and phone number.

Such databases have been traded amongst criminals and nation states for decades already. They contain sensitive PII data such as credit card, bank account, passwords, emails, phone numbers, social media handles, and social security numbers. Seems like all the bad guys had to recently add so that they can keep up with current financial trends are blockchain addresses and the exchanges where they are hosted.

  • Centralized cryptocurrency exchanges- even those with good reputations – are not protecting consumers as they should.

There is no excuse for not employing the best fraud detection tools and processes in the market today. If implemented properly, they could have stopped the hacker that ripped off my colleague.  Using the best fraud detection is especially critical with immutable cryptocurrency trades where consumers have no regulatory protection.

The exchanges don’t suffer financial loss from these hacks. No doubt, if they did, they would implement stronger fraud detection controls and more responsive customer service. Perhaps stronger regulation of cryptocurrency exchanges is in order.

  • Many consumers are better off being their own bank by using a more secure self-hosted hardware wallet.

Today self-hosted hardware wallets are relatively difficult to use. If not properly managed, consumers can lose all their funds if they lose their private keys and key recovery codes. Nonetheless, self-hosted hardware wallets are getting easier to use all the time and are much better at protecting the owner’s funds. Given that there is no regulatory protection, and that exchanges don’t lose money when consumers are victimized, consumers have much stronger incentives to protect their assets than exchanges do.  Consumers are likely to carefully guard their wallets and access codes, and will benefit from additional security that comes with external hardware devices hosting their wallet.

Regulators consider self-hosted wallets suspect – but their considerations are misplaced.  If a user can handle their complexities, self-hosted wallets are much more secure and remove consumer dependency from centralized exchanges that are falling behind when it comes to protecting assets.

Bottom Line: 

Centralized exchanges are going to have to do a much better job of supporting mainstream users if they want to benefit from mainstream adoption of cryptocurrency and NFT trades. It would be best if the exchanges did this voluntarily, before regulators justifiably step in and force them to.

Comments are closed