> 2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect. We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to set up and use 2FA in order to withdraw.
How is this supposed to work? They revoked all of their 2FA for all accounts? Doesn't this just open them up to credential stuffing attacks? This is a really, really odd response to me. I can understand migrating to a new 2FA system, but they'd have to re-establish the chain-of-trust somehow. Are they just hoping that users don't have compromised email/SMS accounts in order to enable the new 2FA system?
crypto.com is a little mysterious when it comes to authentication honestly. I still have not understood it.
But basically in this case, you didn't even need a password to log back in, it was just an email to click a link, then Face ID/PIN and logged in and prompted to re-add 2FA. The app must store the password itself somehow and auto-use it.
Anyone know how they do auth on the app?
For users in the US there is no way to change the password, because the webapp (which might have that feature) is not allowed to be used from the US.
Once I asked how to change password and support said I can change the PIN on phone and don't worry, your funds are safe.
> crypto.com is a little mysterious when it comes to authentication honestly. I still have not understood it.
If you're speaking from experience as a user of their service, I strongly suggest that you use a different exchange. Gemini + Coinbase both have very easy-to-understand authentication systems. If you don't understand the authentication system, that's a good red-flag that you should take as a reason to move to a more trustable platform.
(Just my two cents, as someone who works on authentication system architecture design.)
Agreed. As someone who has integrated with dozens of crypto bank APIs, I can tell you Gemini's authentication and security is top notch (second only to Fireblocks)
An e-mail with a link to actually click? Does anyone else see those flashing red lights and hear that alarm klaxon? Please do me a favor and drop those assholes like a bad habit. They are going to cost you whatever assets of yours they have in their control.
The fight to teach users not to click links in emails has been lost, IME. And if forgot-password flows can be resolved via an emailed one-time secret then email is effectively a skeleton key anyway.
I use crypto.com and they removed 2FA from me earlier in the week, asking me to set it up again. It was worrying as I wasn't sure if it was a scam, there was no reasoning behind it.
Of course it matters. Even if we assume someone figured out how to own the 2FA system, that knowledge doesn't magically make its way into the brain of every script kiddy capable of credential stuffing a login form. They're two totally different vectors with different surface area.
My thought is that it’s not really 2FA, and 2FA means temporary tokens, and there’s a method to gain entry with just login+token, e.g. via password reset.
If you want to deliver security then MFA is an interesting strategy that needs careful consideration and planning, you might end up building things like Security Keys so as to solve real threats. You might fix real problems (Google eliminated phishing) at your organisation.
But if your goal is to bamboozle fools into giving you their real money in exchange for Itchy and Scratchy money that you may or may not then "lose" then you don't need all that hard work. Take whatever nonsense you cobbled together and say it's "Two factor" because that means "good" to people who don't know any better.
This is hilarious. This company is literally at the apex of the crypto industry and this is the kind of mistake they make. Yeah, immutable smart contracts written by their fellow proponents will also save the world lol
Calling crypto.com anything near "apex of the cryptocurrency industry" is a very broad lie. Crypto.com is for people who just "wanna invest in crypto and get rich", others who are actually involved in the space (developers, companies and others) are nowhere near crypto.com as they have proven time and time again they are not serious about anything, even the basics like security.
I would argue that by you giving the torch to crypto.com as the company that caters to casual users that "just wanna invest and get rich", it is indeed one of the apexes of the industry. A product successfully marketing a fringe and specialized technology to the average consumer is just that.
Is it? I'm not sure of numbers of total accounts but anyone who knows anything about crypto is suspicious of crypto.com as a platform and I don't know anyone who uses it when things like coinbase are available. They just bought an expensive URL and spammed a bunch of ads. If that makes them the apex of the industry I guess CALL THE GENERAL AND SAVE SOME TIME is the apex of the car insurance industry.
This is a common play in several industries. Art of Shaving markets itself well to casual people interested in traditional shaving products but they take regular products, mark them up by a lot, rebrand and then upsell. Nobody claims Art of Shaving is the apex of shaving. Best Buy does similar marketing in regard to electronics, but Best Buy certainly isn't the apex of electronics retailers. What makes you think cryptocurrency companies would be any different?
It's basically a digital gold standard and the gold standard hasn't lead to an enlightened society either.
"Insanity is doing the same thing over and over again and expecting different results."
For me there are really only two alternatives. Negative interest on cash or competition among currencies (free banking). All those people shouting that Bitcoin should become the global reserve currency don't actually understand that a global reserve currency is a terrible idea and are only in it for the money.
Isn't this equivalent to saying the entire health industry is fake and untrustworthy because of Theranos? I don't know, it looks kind of the same to me, and sounds absurd.
And you are not asked to do this while logging in again. It is assumed you know why you have to reauthenticate and that you have to re-add 2FA in your app settings…
Based on them saying they migrated to a new 2FA system, I think it's the latter - they disabled the current 2FA option and required everyone to register a new 2FA method.
> In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.
That was exactly my question when I read this. How do they establish trust, when 2FA is revoked? How do they prevent the bad guy from enabling 2FA now while the good guy is locked out of his account?
Maybe the good guy didn't get the message that Crypto.com had an issue, because s/he is unavailable.
Given that apparently their previous system simply allowed login/payments without the configured mandatory 2FA, per their statements about the root cause of the issue, this may have been a move of desperation...
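The press release above says withdrawals are gated by "mandatory 2FA policies on both the frontend and backend", and the comment above describes the opposite failure: a backend that let outflows through without the configured 2FA. The following is an added example, not code from crypto.com or from anyone in this thread, showing the two backend policies side by side. The vulnerable variant only verifies a TOTP code when the account happens to have a secret enrolled, so an attacker who can keep an account in the "no 2FA" state (or who arrives during a revocation window like the one discussed here) is never challenged. The hardened variant fails closed: no enrolled factor means no withdrawal, and each TOTP window is accepted at most once. The `Account` class, the withdrawal functions and the sample secret are all assumptions made for this example; the secret and expected code come from the RFC 6238 SHA-1 test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical account record for this example (not crypto.com's data model).
@dataclass
class Account:
    balance: int
    totp_secret: Optional[str] = None   # base32 secret; None means the user never enrolled 2FA
    last_counter: int = -1              # last accepted TOTP window, for replay protection


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over SHA-1; RFC 6238 TOTP is HOTP with counter = time // 30."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def check_totp(acct: Account, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept a code from the current window or one window either side,
    but never a window that was already consumed (replay protection)."""
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter <= acct.last_counter:
            continue
        if hmac.compare_digest(hotp(acct.totp_secret, counter), code):
            acct.last_counter = counter
            return True
    return False


def authorize_withdrawal_failopen(acct: Account, amount: int, code: str, now: int) -> Tuple[bool, str]:
    """The bug pattern: 2FA is only enforced if the user happens to have it enrolled.
    An account with totp_secret == None sails straight through."""
    if acct.totp_secret is not None and not check_totp(acct, code, now):
        return False, "2fa_failed"
    if amount > acct.balance:
        return False, "insufficient_funds"
    acct.balance -= amount
    return True, "ok"


def authorize_withdrawal(acct: Account, amount: int, code: str, now: int) -> Tuple[bool, str]:
    """Fail-closed policy: an outflow requires an enrolled factor AND a fresh valid code.
    The check lives in the backend so a modified client cannot skip it."""
    if acct.totp_secret is None:
        return False, "2fa_enrollment_required"
    if not code or not check_totp(acct, code, now):
        return False, "2fa_failed"
    if amount > acct.balance:
        return False, "insufficient_funds"
    acct.balance -= amount
    return True, "ok"


# RFC 6238 Appendix B secret ("12345678901234567890" in base32); at T=59 the
# SHA-1 6-digit code is 287082.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    enrolled = Account(balance=100, totp_secret=RFC6238_SECRET)
    unenrolled = Account(balance=100)
    print("enrolled, valid code  :", authorize_withdrawal(enrolled, 40, hotp(RFC6238_SECRET, 59 // 30), 59))
    print("enrolled, replayed    :", authorize_withdrawal(enrolled, 10, "287082", 59))
    print("unenrolled, fail-open :", authorize_withdrawal_failopen(unenrolled, 10, "", 59))
    print("unenrolled, fail-closed:", authorize_withdrawal(unenrolled, 10, "", 59))
    print("live code now         :", hotp(RFC6238_SECRET, int(time.time()) // 30))
```

The fail-closed variant is what "mandatory on the backend" has to mean in practice: enrollment is a precondition of the withdrawal endpoint, not an optional decoration on it, and a mass 2FA revocation like the one described in the thread turns every account into `totp_secret is None` until the user re-enrolls, which is exactly why the enrollment-required branch must block outflows rather than skip the check.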
Is anyone else getting the feeling from this press release that it seems they actually don't (yet?) know how their previous 2FA system was circumvented by the attackers?
My exact thoughts, umm where is the root cause and explanation of the breach? They just reset 2FA as a reactionary measure. The attackers have compromised more than 2FA to be able to initiate withdrawals. This doesn’t add up.
Time to play the classic crypto exchange game: hack or exit scam? Disabling 2FA in this scenario is dumb enough to raise the question of malfeasance on the part of this theft.
Somehow I doubt a fraudulent company on the verge of an exit scam would spend $700 million to rename an arena right before pulling the plug. Incompetent? Probably. Fraudulent? Unlikely.
The Houston Astros played at Enron Field until Enron was revealed to be a criminal enterprise and several of its leaders went to prison. The world has a short memory, it seems.
What OP was referring to was a take-the-money-and-run plan where the company knows ahead of time that the whole thing is going to explode and causes it to on purpose.
My understanding is that Enron's leaders were caught in fraud and that led to the collapse of the company—they weren't planning on it collapsing, so the investment actually made sense in that case.
No, that's normal pyramid scam behavior. I would say it was more likely that they were fraudulent if they were escalating their meaningless promo gestures to keep anybody from cracking as their scam gets too big to keep together. The bigger the risk, the bigger the colorful gesture.
I'm imagining it as '$700 million IN CRYPTO, which is of course better than money'. For a name: which could easily be restored if it turns out the payment is worthless. But that's just my fantasy of how this might have gone on.
If it's $700 million in real money that only underscores how desperate they are to make some colorful gesture.
Even your basic Ponzi schemes often involved generous and public philanthropic gifts even as the scheme was falling apart behind the scenes, just to maintain the public image.
Or rather, the scheme was being what it naturally was. Falling apart implies that there's a together for it to be, behind the scenes.
When it's designed from the start to be an expanding shell powered by new belief coming in, the philanthropy and big gestures are core to the nature of what it is.
Back in the day I read an old book by Harvey Mackay (iirc), one of those business-guy self-help books, and he had a chapter called never buy anything big in a room where there is a chandelier. :D The point being, it's normal for scamsters to influence people by making their pitch in a place all decked out to look like the most wealthy, influential place you could imagine, and there'd be a chandelier because it would look like everybody was rich. And so, never buy anything big in a room with a chandelier, because it probably meant you were being ripped off.
All this predates crypto by a loooooong way. There's nothing really new. Maybe back in the days of travelling traders on camels it was, never buy a camel in a room with a carpet that's bigger than the camel is :)
> No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.