What the Binance Hack Teaches Us
- By Ceecee Wong
- May 13, 2019
Last week’s Binance hack highlighted two glaring issues in cybersecurity and the integrity of the Bitcoin network.
The crypto exchange giant suffered a severe premeditated hack on May 7, 2019. It reportedly resulted in around 7,070 Bitcoins, worth over USD 40 million at the time, lost. They were stolen from the exchange’s hot wallet in a transaction that went undetected by the firm’s security systems.
While a massive amount, this hack was eclipsed by USD 530 million Coincheck exchange hack in 2018. The last 18 months have also seen exchange thefts at Cryptopia, DragonEx, Bithumb (twice!), Zaif, BitGrail and CoinRail.
Lack of Bank Account-Like Controls
The Binance attack was reported to involve tactics such as phishing and viruses to obtain a large number of 2FA (2-factor authentication) codes and API keys.
Professor Graham Leach, School of Design, Polytechnic University of Hong Kong noted that, “Initial analysis shows that it was the ‘hot wallet’ that was hacked and that the hack was perpetrated using phishing techniques, which can often signal a lack of security discipline in the architecture or the way the architecture is operated.”
Jessica Chuah, the chief compliance officer of UDAX, another crypto exchange, offered more insight.
“When hacking an exchange, the areas that expose the vulnerability of the exchange are quite generic. Hackers target where there is a lack of bank account-like controls put in place - such as no account spending limits, no scheduled and batch payments, and no multi-level threshold approval chains. 2FA is insufficient. Multi-factor authentication is crucial for login and critical operations," she said.
"Multi-signatory is also not enough and does not fulfill business requirements. These inadequacies make an exchange vulnerable to malicious human intention," she added.
Chuah also pointed out that to enforce security as a whole, "a third-party custodian is crucial for security at every level of the system, from a hardened operating system to strict policy control."
Keeping Mum
Following the high-profile Binance security breach where sophisticated tools and methods were used, CEO CZ said he was restricted in sharing too many details.
He noted that "Hackers are reading every word we post and watching every AMA we host. Sharing too many security details actually weakens our security response strategy."
Cybersecurity software McAfee creator, John McAfee, who offered his assistance to Binance in its fund recovery initiative, could not agree more in his social media reply post. "The first rule of a cyber investigation is silence," McAfee wrote.
CZ also revealed that together with Elliptic and other partner blockchain analytics firms, Binance would be co-operating with major crypto exchanges to trace the movement of the stolen funds and attempt to freeze the funds should they land on crypto exchanges.
Latest Targets
Cybersecurity attacks are undoubtedly on the rise. According to statistics, the booming global cybercrime economy has resulted in USD 1.5 trillion in illicit annual profits acquired, laundered, spent and reinvested by cybercriminals. Major corporations such as Facebook and Marriott have not been immune. As a response to cybercrime, Global Market Insights predicted the cybersecurity market will grow from USD 120 billion in 2017 to USD 300 billion by 2024.
These findings are clearly alarming: cybercrime is both widespread and lucrative.
Crypto exchanges are not the only obvious target. Last week, a Verizon 2019 Data Breach Investigations Report issued a warning to the C-Suite that they are "the latest targets of cybercrime." According to the report, senior executives with access to the company’s most sensitive information are more likely the targets of social engineering attacks.
As enterprises increasingly use the latest cutting-edge applications to deliver credible insights and experience, security must remain front and center when implementing these new applications and architectures. The growing trend to store information within cost-effective, cloud-based solutions without the proper security safeguards also exposes companies to additional security risks.
Immutability and Decentralization Fears
While the Binance hack caused initial anxiety, fears were quickly allayed when CZ assured the community that the funds were SAFU (Secure Asset Fund for Users), Binance’s emergency insurance fund.
The real uproar that ensued was over CZ’s suggestion that the Bitcoin network could be re-organized. What that meant was that Binance could recover their funds if they could cut a deal with the majority of the miners. The miners would then reverse the chain and in return gain a share of the stolen money.
“I think the rollback discussion touched a nerve because of the forking of the Ethereum network over the DAO hack that initially stole about USD 50M,” noted Professor Graham Leach. “What happened as a consequence of that hack was a bifurcation of Ethereum that, once started, has continued with multiple ensuing forks looming over the crypto landscape. People don't like it when their so-called ‘immutable’ record can be rolled back - even if it's for the best of intentions - when exactly such an occurrence is, in theory, ‘impossible' ".
Even after CZ announced that Binance would not pursue the re-org option, the fact that this was even brought up ignited outrage in the Bitcoin and crypto community. The power of exchanges and mining groups to control what should, in essence, be a decentralized network had been unintentionally brought to light. Some have thrown out accusations of the Bitcoin network becoming centrally managed.
British-Iranian hacktivist and programmer, Amir Taaki summed it up best. “The Binance episode shows us that the Bitcoin protocol is not only protected by technology, but also by political consensus.”
Many will contend that this is unacceptable. However, we should never forget that technology is an ever-evolving landscape so who's to say the Bitcoin consensus mechanism cannot be improved?
We've put the spotlight on the problem. Now let’s bring forth the solutions.