What is Three-Factor Authentication?
The hacker attack on one of the world’s largest cryptocurrency exchanges, Binance, has highlighted several problems with the security of the platform. The 2FA (two-factor-authentication) may no longer be sufficient and the 3FA (three-factor-authentication) could be a solution.
Wired reported it as a “large-scale security breach” in which “hackers stole not only 7,000 bitcoin—equivalent to over $40 million—but also some user two-factor authentication codes and API tokens”. It is only one of many thefts that have taken place in the last year.
CipherTrace, in fact, has estimated that about 356 million dollars in cryptocurrencies were stolen in Q1 2019 alone.
Why are hackers targeting the cryptocurrency industry in particular?
Unfortunately, there is a lot of money in the hands of people who cannot protect it. The bitcoin (BTC) stolen from Binance, large as the sum is, represents only about 2% of the exchange's holdings, and the exchange itself reacted in time.
Transparency is a very important factor and Binance CEO Changpeng Zhao did the right thing: he did not hesitate to announce the theft committed by the hackers and published a tweet the same day (May 7th, 2019).
“The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks”.
Zhao subsequently announced that no client wallet would be affected, because since 2018 the exchange has set aside 10% of all trading fees in a cold-wallet insurance fund.
What happened to Binance during the theft?
At the moment, it is still not known exactly what happened. The exchange was, by all accounts, equipped with mature security controls. The attackers may have used passwords obtained through phishing, or found them through a brute force attack.
Phishing alone (a technique that dates back to 1987) almost certainly cannot account for all this damage.
Spear phishing (attacks aimed at intercepting the credentials of individuals considered to be of “high value”) and BEC (business email compromise) are growing sharply. Both are increasingly aimed at customers who trade cryptocurrencies and at companies that work in crypto and blockchain.
The attack on Binance may have started with an employee being tricked by a fake website, or with an organised email scheme; anything is possible.
It is now time to strengthen IT security
Two-factor authentication (2FA), as it is commonly deployed, is no longer sufficient. According to the CipherTrace Q4 2018 report, a one-time code delivered by SMS before login is a weak second factor: the code can be intercepted or redirected, for instance by a SIM swap. Users who generate their codes with an authenticator app on their phone, instead of relying on SMS codes, are better protected.
So what do exchanges have to do to prevent these thefts? There are many solutions, and three-factor authentication (3FA) could be one of them.
What is Three-Factor Authentication?
- One-factor authentication uses something the user knows. The classic example is a password; a PIN or a security question belongs to the same category.
- Two-factor authentication adds something the user “owns“: an authenticator app such as Google Authenticator, a hardware token, or a client certificate installed on a device.
- Three-factor authentication adds something the user “is“, a physical trait: a retina scan, voice recognition, or a fingerprint.
The number of factors is the number of distinct categories, not the number of prompts. Two credentials from the same category (a password plus a security question, or an app code plus an SMS code) are still a single factor, and an attacker who compromises the channel they share defeats both at once.
In a corporate setting this means using an app on a smartphone, a certificate on the computer used to connect to the company VPN, and a password. If criminals crack the password or find it through a brute force attack, they are still unable to log in. Strictly speaking, the app and the certificate are both possession factors, so this is two factor categories spread over three credentials; the protection comes from the fact that they live on different devices and do not fail together.
In addition, a certificate can be revoked centrally (through a CRL or OCSP) without relying on the user to change anything, and if its private key is generated in the machine's hardware key store it cannot be copied off that machine. An attacker may find the password and even steal the phone that holds the 2FA app, but without the certificate it is still not possible to enter the system. And a certificate installed on the computer costs the user no daily effort.
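The following is an added example, not code from the original article or from Binance: a minimal login check in Python's standard library that puts the three credentials described above (password, authenticator app code, device certificate) together and also counts how many distinct factor categories they actually cover. The password is stored as a salted PBKDF2 hash, the app code is a real RFC 6238 TOTP computation (the seed is the RFC's own test vector, so the codes can be checked against the standard), and the certificate check is a stand-in for mutual TLS: it only compares a fingerprint of a constructed certificate. The user record, password and credential names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Factor categories: two credentials of the same category are still ONE factor.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",                # authenticator app on a phone
    "sms_code": "possession",
    "hardware_token": "possession",
    "client_certificate": "possession",  # certificate plus private key on a machine
    "fingerprint": "inherence",
    "retina": "inherence",
    "voice": "inherence",
}


def count_factors(credential_types):
    """Distinct factor categories among the presented credentials (the real 'N' in N-FA)."""
    return len({FACTOR_CATEGORY.get(c, c) for c in credential_types})


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 so a leaked database does not yield plaintext passwords."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, expected_digest):
    return hmac.compare_digest(hash_password(password, salt)[1], expected_digest)


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, which is what Google Authenticator computes by default."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(for_time // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, code, for_time, step=30, window=1):
    """Accept the current step plus/minus `window` steps to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret_b32, for_time + i * step, step), code)
        for i in range(-window, window + 1)
    )


# Constructed user record (not real data): password hash, TOTP seed, device cert fingerprint.
_SALT, _DIGEST = hash_password("constructed-demo-password")
USER = {
    "password_salt": _SALT,
    "password_digest": _DIGEST,
    "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test seed ("12345678901234567890")
    "cert_fingerprint": hashlib.sha256(b"constructed-device-certificate").hexdigest(),
}
REQUIRED = ("password", "totp", "client_certificate")


def login(presented, for_time=None):
    """presented: {credential_type: value}. Returns (authenticated, distinct_factor_count).

    The certificate check stands in for mutual TLS: only a fingerprint is compared here.
    """
    now = time.time() if for_time is None else for_time
    checks = {
        "password": lambda v: verify_password(v, USER["password_salt"], USER["password_digest"]),
        "totp": lambda v: verify_totp(USER["totp_secret"], v, now),
        "client_certificate": lambda v: hmac.compare_digest(v, USER["cert_fingerprint"]),
    }
    all_present = all(name in presented for name in REQUIRED)
    # Evaluate every presented credential so a failure does not reveal which one was wrong.
    results = [name in checks and checks[name](presented[name]) for name in presented]
    authenticated = all_present and all(results)
    return authenticated, count_factors(presented)


if __name__ == "__main__":
    code = totp(USER["totp_secret"], time.time())
    print(login({"password": "constructed-demo-password", "totp": code,
                 "client_certificate": USER["cert_fingerprint"]}))
```

Run stand-alone, the script prints `(True, 2)`: all three credentials verify, but they span only two factor categories (knowledge and possession). Swapping the certificate for a fingerprint would make `count_factors` report 3, which is the distinction the list above draws. The TOTP window of one step either side is the usual compromise between clock skew and replay exposure; widen it and an intercepted code stays valid for longer.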
User experience or security?
We can’t think of a world where, in order to access an exchange and start trading, a user has to:
- scan the retina;
- enter the Google Authenticator code;
- say a phrase for voice recognition;
- enter a password;
- confirm the biometric fingerprint;
- enter the code received via SMS;
Obviously, combining all of these (and there are many others) would make for a platform that is anything but user-friendly. For business use, however, a client certificate costs the user nothing day to day, and it is a good idea to use one.
In any case, the more independent security controls a platform implements (even at the expense of the user experience), the harder it is to compromise and the more trust it earns from its customers. The word independent matters: two checks that fail together, such as an SMS code and an app code on the same stolen phone, add friction without adding much security.