> 2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect. We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to setup and use 2FA in order to withdraw.
How is this supposed to work? They revoked all of their 2FA for all accounts? Doesn't this just open them up to credential stuffing attacks? This is a really, really odd response to me. I can understand migrating to a new 2FA system, but they'd have to re-establish the chain-of-trust somehow. Are they just hoping that users don't have compromised email/SMS accounts in order to enable the new 2FA system?
That was exactly my question when I read this. How do they establish trust when 2FA is revoked? How do they prevent the bad guy from enabling 2FA now while the good guy is locked out of his account?
Maybe the good guy didn't get the message that Crypto.com had an issue, because s/he is unavailable.
Is anyone else getting the feeling from this press release that it seems they actually don't (yet?) know how their previous 2FA system was circumvented by the attackers?
Time to play the classic crypto exchange game: hack or exit scam? Disabling 2FA in this scenario is dumb enough to raise the question of malfeasance on the part of this theft.
> No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.
so which is it? no one lost funds or everyone that lost funds got paid back? where did that money come from?
> transactions were being approved without the 2FA authentication control being inputted by the user.
the withdrawal system allows for non-2fa when it's enabled, but informs the risk system when it happens? what kind of feature is that?
> While Crypto.com already performs internal and external penetration tests, Crypto.com has immediately engaged with third-party security firms to perform additional security checks
ah yes. the "we already had 7 double checkers, better add an 8th" solution. sounds like maybe the problem is not with the testing and auditing suite.
> releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA)
2fa isn't true MFA? did we evolve some new jargon I'm not aware of?
> WAPP is designed to protect user funds in cases where a third party gains unauthorized access to their account and withdraws funds without the user’s permission. WAPP restores funds
wait i thought they said they already did this? are they gonna start charging for it now because they lost money?
> To qualify for the WAPP program, users must: Set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction
wtf is that? a PSK? a TOTP?
> File a police report and provide a copy of it to Crypto.com; and
hello, local police department? i need to file a report - my cryptocurrency wallet just had an unauthorized funds withdrawal. no, i don't have a suspect, or evidence, or any action for you to take. just come down here and write down that i said this happened please.
They got paid back from company treasury. CeFi (incorporated, custodial, web 2.0 financial services operating in the crypto space) makes a lot of money, it isn't that hard.
Crypto.com is on par with FTX, Binance, Celsius, Coinbase and we have many varying examples of their valuations and supporting revenues and balance sheets.
$30mm irrecoverably stolen with zero liability for the hacker? No problem for the user experience or health of the company these days.
The whole thing is really unclear, but it sounds like if they are hacked and you lose funds, they will only reimburse you if you file a police report... even though they would know if you lost funds, and only they would know the circumstances and have any evidence.
I wouldn't touch crypto.com with a very long barge pole...
> the withdrawal system allows for non-2fa when it's enabled, but informs the risk system when it happens? what kind of feature is that?
I don't know about crypto.com but this is how binance does it. You can enable 2FA for everything or individually for specific actions such as logging in, withdrawals, etc. Lets everyone choose their security/inconvenience trade-off which I find reasonable.
> wtf is that? a PSK? a TOTP?
There is something similar on binance too. You set up some unique code on their website, every official email they send you will include that code as proof of authenticity. A weak form of signature I guess.
I believe this is a system where you give a website something that you will recognize (I've seen small images used as well as text) that they agree to display to you in their layout. It is supposed to make building convincing phishing websites harder, as the attackers cannot know what content a given user has sent to the service.
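The anti-phishing code the two replies above describe, as an added example that is not part of the thread and not Crypto.com's or Binance's code: a user-chosen secret stored at enrollment, echoed in every outbound notification so the recipient can tell a genuine message from a forged one, and tested against the 21-day condition quoted from the WAPP terms. The `User` record, the code length limits, the banner wording and the dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# From the WAPP terms quoted in the thread: the code must predate the reported
# unauthorized transaction by at least 21 days.
MIN_CODE_AGE = timedelta(days=21)


@dataclass
class User:
    """Assumed user record: only the fields this example needs."""
    email: str
    anti_phishing_code: Optional[str] = None
    code_set_at: Optional[datetime] = None   # when the user chose the code


def set_anti_phishing_code(user: User, code: str, now: datetime) -> None:
    """Store the user-chosen secret that the service will echo in every official message."""
    code = code.strip()
    if not 4 <= len(code) <= 32:              # assumed length limits
        raise ValueError("anti-phishing code must be 4 to 32 characters")
    user.anti_phishing_code = code
    user.code_set_at = now


def render_notification(user: User, body: str) -> str:
    """Outbound e-mail: the banner carries the user's code, which a phisher has no way to know."""
    if user.anti_phishing_code is None:
        banner = "[No anti-phishing code set; you can choose one in your security settings]"
    else:
        banner = f"[Your anti-phishing code: {user.anti_phishing_code}]"
    return banner + "\n\n" + body


def message_carries_my_code(user: User, message: str) -> bool:
    """Recipient-side check: an official message must show exactly the code I chose."""
    if user.anti_phishing_code is None:
        return False
    return f"[Your anti-phishing code: {user.anti_phishing_code}]" in message


def code_old_enough_for_wapp(user: User, reported_tx_at: datetime) -> bool:
    """WAPP eligibility condition: the code was set at least 21 days before the reported transaction."""
    if user.code_set_at is None:
        return False
    return reported_tx_at - user.code_set_at >= MIN_CODE_AGE


def demo() -> Dict[str, bool]:
    """Constructed walk-through with hypothetical users, messages and dates."""
    t0 = datetime(2021, 12, 1)
    alice = User("alice@example.com")
    set_anti_phishing_code(alice, "blue-otter-42", t0)
    genuine = render_notification(alice, "A withdrawal of 1 ETH was requested from your account.")
    # A phisher can copy the template but not the per-user secret.
    forged = "[Your anti-phishing code: your secret code]\n\nUrgent: confirm your withdrawal here."
    return {
        "genuine_passes": message_carries_my_code(alice, genuine),
        "forged_fails": not message_carries_my_code(alice, forged),
        "eligible_at_21d": code_old_enough_for_wapp(alice, t0 + timedelta(days=21)),
        "ineligible_at_20d": not code_old_enough_for_wapp(alice, t0 + timedelta(days=20, hours=23)),
        "no_code_ineligible": not code_old_enough_for_wapp(User("bob@example.com"), t0),
    }


if __name__ == "__main__":
    print(demo())
```

The 21-day age check is what keeps the mechanism meaningful after an account takeover: an attacker who sets a code right before draining the account does not thereby qualify the victim for reimbursement, and the check is evaluated against the reported transaction time, not against "now".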
The Worldwide Account Protection Program seems to be a way for Crypto.com to limit their exposure, while marketing it as "protection" for the customers.
Around $34 million stolen, 483 users affected. If the funds were spread evenly, then each user would have lost about $71k. But the funds won't be evenly spread (average). It's likely some users will have lost much more, and some much less.
From the announcement, it looks like Crypto.com is making the users whole again:
> No customers experienced a loss of funds.
This means that (in some cases) Crypto.com was on the hook for much more than $71k / user. The WAPP appears to put a series of conditions on the user, and introduce an upper limit to the amount that Crypto.com will return in the future.
> WAPP restores funds up to USD$250,000 for qualified users; terms & conditions apply.
> Enable Multi-Factor Authentication (MFA) on all transaction types where MFA is currently available,
> Set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction,
> Not be using jailbroken devices,
> File a police report and provide a copy of it to Crypto.com; and
> Complete a questionnaire to support a forensic investigation.
This looks more like a mechanism to limit Crypto.com's exposure to future events than it does a policy to protect users.
I mean, there's still plenty of money in other people's accounts they can use to cover the losses.
Does anybody know whether the regulatory regime they operate under is sound? If a US bank lost this kind of customer money in a theft, I'd have some confidence that the FDIC and the Federal Reserve would make sure they actually had all the money they were claiming they had. But personally I'd hate to bank purely on the internal controls of a Singaporean subsidiary of a Maltese company.
> This looks more like a mechanism to limit Crypto.com's exposure to future events than it does a policy to protect users.
That's fine. It lays out the risk exposure in concrete terms and defines their market offering. If you use a jailbroken device, or have more than $250K in funds, or are holding crypto for illegal purposes, don't put it in Crypto.com. Same as FDIC insured savings accounts that are limited to $250K.
And so what are we going to do as a society with these stolen funds? Playing a wallet mixing tracking game is a rat race and a waste of energy, otherwise we need a centralized system [on an immutable blockchain] to keep track of stolen funds, and then cross-reference every transaction at point of sale/transfer to prevent it, no?
If not a centralized solution like above then what? We just allow stolen funds to be used now or any point in the future, rewarding criminal behaviour?
I think you’re right, mostly. As a user I’d like to know explicitly what my risk factor is.
Any exchange or custodian has a non-zero chance of getting hacked or inside-jobbed; unlike fiat currencies there is no judicial process that is going to maybe let me claw my stuff back.
A sort of FDIC insurance for custodian crypto accounts is an inevitable market solution.
By the numbers, around $34 million in funds is affected, mostly Ethereum. They say in the press release that they prevented most of the unauthorized withdrawals and reimbursed the remainder, but it’s unclear how much they had to pay for reimbursements.
For context, this is the startup that has been using Matt Damon as its face.
And even earlier it started out with MCO as their iconic token, then shifted to a new crypto while leaving early stakeholders in the dark. Those early maneuvers were something of a red flag.
I am a cyber security consultant for startups. The first thing that I communicate is that just by not being in crypto you have drastically lowered your risk profile.
Attackers care a lot about what they can get to if they are able to breach your security.
Eh, yes of course, what are you saying really? Is there some deeper point I miss?
Just like finance companies have a different risk profile than companies generating bingo cards, crypto companies have different risk profiles than other non-financial ones. Are people arguing that this is not true or something?
How many startups do you talk to that are "on the fence" with somehow using crypto in their product? Seems pretty core to what the company would be doing.
I do a bit of the same and this seems to be a silly thing to communicate as part of a security audit. Ok, step 1 SMB insurance company paying me to audit - by not being in Afghanistan, you have a severely reduced risk of business invasion and extortion. Seems like a really wonky way to communicate a risk profile and first-exposure to security professionals by a SMB. Plenty of SMBs with janky POS systems get pretty nasty PII attacks.
It's cliché, but it doesn't really mean that crypto.com or any other crypto exchange isn't on the hook for stolen funds.
Crypto doesn’t mean regulation doesn’t apply or that companies are free from liability.
Obviously you can't squeeze blood from a stone if someone were to steal most of the funds from a crypto exchange (Mt. Gox comes to mind).
But in the real world, if you use a crypto exchange in a reasonable location (e.g. US exchange adhering to US laws) then small thefts like this are going to be reimbursed one way or another.
Now if the entire exchange and their cold wallets were stolen somehow, it would be game over.
> On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user. This triggered an immediate response from multiple teams to assess the impact.
I sometimes find it hard to believe these statements, but I guess I can only take them at face value.
Which seems more likely, that these "risk monitoring systems" actually caught this, or that they were inundated by sudden urgent calls from the 483 users saying "DUDE WTF WHERE'S MY MONEY?".
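Two things in this thread map naturally onto code: the per-action 2FA toggles described in the Binance reply above (with withdrawals locked on, as the mandatory-2FA-on-withdrawal requirement quoted at the top says), and the "risk monitoring" that is supposed to notice approvals that went through without the second factor. Below is an added example of both, not code from the thread and not Crypto.com's or Binance's implementation. The policy model, the `MfaProof` record, the five-minute freshness window and the approval-log format are assumptions; the log lines are constructed, with the timestamp of the quoted detection time reused as a sample value.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed per-action MFA policy. Users may switch MFA off for low-risk actions,
# but outflows are locked on, matching the mandatory-2FA-on-withdrawal rule quoted in the thread.
DEFAULT_POLICY: Dict[str, bool] = {"login": False, "trade": False, "withdraw": True}
LOCKED_ON = frozenset({"withdraw"})
MFA_MAX_AGE = timedelta(minutes=5)   # assumed freshness window for a second-factor check


def effective_policy(user_choice: Dict[str, bool]) -> Dict[str, bool]:
    """Merge the user's toggles with the defaults; locked-on actions cannot be relaxed."""
    policy = dict(DEFAULT_POLICY)
    policy.update(user_choice)
    for action in LOCKED_ON:
        policy[action] = True
    return policy


@dataclass(frozen=True)
class MfaProof:
    """Record that the second factor was verified for one specific transaction."""
    tx_id: str
    verified_at: datetime


def authorize(action: str, tx_id: str, policy: Dict[str, bool],
              proof: Optional[MfaProof], now: datetime) -> str:
    """Fail closed: when MFA is required, a missing, mis-bound or stale proof denies the action."""
    if not policy.get(action, True):          # unknown actions default to requiring MFA
        return "approved:no-mfa-required"
    if proof is None:
        return "denied:mfa-missing"
    if proof.tx_id != tx_id:
        return "denied:mfa-bound-to-other-tx"
    if now - proof.verified_at > MFA_MAX_AGE:
        return "denied:mfa-stale"
    return "approved:mfa-verified"


def demo_authorize() -> List[str]:
    """Walk one withdrawal through the gate with each kind of proof (constructed timestamps)."""
    now = datetime(2022, 1, 17, 0, 46)               # detection time quoted in the thread
    policy = effective_policy({"withdraw": False})   # user tried to relax it; it stays locked on
    return [
        authorize("withdraw", "tx-9", policy, None, now),
        authorize("withdraw", "tx-9", policy, MfaProof("tx-8", now - timedelta(seconds=30)), now),
        authorize("withdraw", "tx-9", policy, MfaProof("tx-9", now - timedelta(minutes=10)), now),
        authorize("withdraw", "tx-9", policy, MfaProof("tx-9", now - timedelta(seconds=30)), now),
        authorize("login", "tx-9", policy, None, now),
    ]


# Constructed approval-log format (not a real Crypto.com log): one line per decision.
LOG_RE = re.compile(
    r"APPROVED action=(?P<action>\w+) tx=(?P<tx>\S+) user=(?P<user>\S+) mfa=(?P<mfa>\S+)"
)


def find_unverified_approvals(lines: List[str], policies: Dict[str, Dict[str, bool]]) -> List[str]:
    """Risk-monitor rule: tx ids approved for an MFA-required action without a verified MFA event."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        policy = policies.get(m["user"], effective_policy({}))
        if policy.get(m["action"], True) and m["mfa"] != "verified":
            flagged.append(m["tx"])
    return flagged


# Constructed sample: alice relaxed login MFA, bob kept defaults; tx-3 and tx-5 are the anomalies.
POLICIES = {"alice": effective_policy({"login": False, "withdraw": False}),
            "bob": effective_policy({})}
SAMPLE_LOG = [
    "2022-01-17T00:40:01Z APPROVED action=login tx=tx-1 user=alice mfa=none",
    "2022-01-17T00:41:10Z APPROVED action=withdraw tx=tx-2 user=bob mfa=verified",
    "2022-01-17T00:44:37Z APPROVED action=withdraw tx=tx-3 user=alice mfa=none",
    "2022-01-17T00:45:02Z DENIED action=withdraw tx=tx-4 user=bob reason=mfa-missing",
    "2022-01-17T00:46:00Z APPROVED action=withdraw tx=tx-5 user=bob mfa=skipped",
]

if __name__ == "__main__":
    print(demo_authorize())
    print(find_unverified_approvals(SAMPLE_LOG, POLICIES))   # ['tx-3', 'tx-5']
```

The point of binding the proof to a transaction id and a freshness window is that "2FA was entered at some point" is not the same control as "2FA was entered for this withdrawal"; and the monitoring rule is only as good as the log field it keys on, so the approval path has to record the MFA outcome unconditionally rather than only when the check happens to run.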
It seems to me that while banning crypto by western governments is politically untenable, a better way would be to have their security services keep hacking it to make it unattractive
I signed up for an account at this CEX but never actually used it. Tried to cancel/close the account, and they have the weirdest set of demands before the account is deleted/closed.
> A photo of you holding a paper with the following handwritten on it, as it states in this FAQ.
- Your name
- Today's Date
- "Crypto.com"
How did they check if a withdrawal was unauthorized (real) or not? What if I did a withdrawal, say it was unauthorized, and claim the money (and also have the crypto in a different wallet)?
I'm confused. Ostensibly the tradeoff for crypto is that only you know the secret factors that allow you to spend money, but there is no possibility of reversing a fraudulent transaction. If you give the keys to someone else, you lose the first condition, which was the benefit, but keep the second condition, which was the drawback. There was no reason to give anyone else your keys!
ceejayoz | 4 years ago
If they literally removed 2FA from everyone, that's insane.
KennyBlanken | 4 years ago
>> No customers experienced a loss of funds.
Let's believe that when we hear someone other than the company saying it.
> File a police report and provide a copy of it to Crypto.com
Yeah, I'm sure tons of crypto holders will get right on that.
vmception | 4 years ago
Why lead with the Ponzi assumption? There are so many more quantifiable assumptions.
boring_twenties | 4 years ago
So does a normal PC count as a jailbroken device? If not, what makes having root access on a phone any different?
paulgb | 4 years ago
They're also notable lately for getting the naming rights to the (former) Staples Center.
> https://en.wikipedia.org/wiki/Crypto.com_Arena
CodesInChaos | 4 years ago
https://web.archive.org/web/20170611024100/http://www.crypto...
dabeeeenster | 4 years ago
That isn't the technical solution I was looking for...
rvz | 4 years ago
But you know what I am going to say if you're storing your crypto life-savings or JPEGs on an exchange:
imalerba | 4 years ago
Can someone setup, test and rollout a _completely new_ authentication system in 3 days?
xyst | 4 years ago
src: https://help.crypto.com/en/articles/3640569-how-to-close-cry...
iambateman | 4 years ago
…
Act II: thousands of men and women sign up to be brave with semi-retired Jason Bourne.
…
Act III: “we regret to inform you that our security protocols are a disaster”.