Author Topic: Binance BTC Hack is due to 2FA  (Read 500 times)
TimeBits
May 09, 2019, 01:18:35 PM
 #41

I mean do the two options I presented

add a throttle on withdrawals (I could cook up this code and have no education in coding)

and 3fa/4fa/5fa (WARNING THIS MAY LEAD TO A WEAPON OF MASS DESTRUCTION or a WEAPON OF MASS SAFETY)
https://www.cnbc.com/2019/05/08/facebook-rolls-back-ban-on-cryptocurrency-ads.html
examplens
May 09, 2019, 01:24:10 PM
 #42

Eventually sooner or later hackers will be able to obtain new tactics or find out any loopholes of the said 3FA. Therefore the best thing to do is to always move your funds in and out from any trading platforms.

I know this is a kinda toxic idea but I think that is one of the best things we can do for now.

You have people who earn from trading. So they need to have funds on the platform, because then they can trade with them. Just think how complicated it would be to withdraw funds after every trade and deposit them again for a new trade.


Imagine I had a blockchain of everyone and their face in my country, we could set up drone helicopter or plane to scan your face and if it does not match our data base, it kills you.


Interesting idea for new KYC method.  Grin

TimeBits
May 09, 2019, 04:26:58 PM
 #43

Eventually sooner or later hackers will be able to obtain new tactics or find out any loopholes of the said 3FA. Therefore the best thing to do is to always move your funds in and out from any trading platforms.

I know this is a kinda toxic idea but I think that is one of the best things we can do for now.

You have people who earn from trading. So they need to have funds on the platform, because then they can trade with them. Just think how complicated it would be to withdraw funds after every trade and deposit them again for a new trade.


Imagine I had a blockchain of everyone and their face in my country, we could set up drone helicopter or plane to scan your face and if it does not match our data base, it kills you.


Interesting idea for new KYC method.  Grin

inb4 facebook is using it

https://www.youtube.com/watch?v=l4x0vOAu0lQ

inb4 we are all dead
figmentofmyass
May 09, 2019, 06:42:18 PM
 #44

One solution is just to use DEX. We need people to start using DEX and protect themselves from hackers. We should be responsible for our own protection.

People weren't able to protect their API keys and 2FA codes, which led to the loss of funds.
So how are they going to be capable of protecting their private keys..

Binance's security is fine. Based on all information, it is each user's fault for not protecting his 2FA codes / API keys.
It hasn't been mentioned anywhere that there was some security breach.

that's my belief based on the statements binance made, but AFAIK no details about how 2FA and API keys were compromised have been released. have they? they have urged all users to change passwords, 2FA, and most specifically API keys so i guess we can't be sure this is 100% client side yet. API keys were hacked from binance's servers last year and there have been recent suspicions of an ongoing problem.

darylalban
May 09, 2019, 06:47:09 PM
 #45

I think the million dollar question people are trying to solve is to what degree will we need to prove one's identity. 3FA would work but even something as far as 4FA would be necessary.
bob123
May 10, 2019, 07:00:37 AM
 #46

that's my belief based on the statements binance made, but AFAIK no details about how 2FA and API keys were compromised have been released. have they?

No, unfortunately not.
Currently it can only be assumed, but based on their statements it sounded like it's not a security problem on their end.



they have urged all users to change passwords, 2FA, and most specifically API keys so i guess we can't be sure this is 100% client side yet.

This indeed sounds strange.
But i guess that's not a clue towards server side problems.

They might want all users to change their secret information because of a server-side security breach or because they believe there are more keys somehow leaked / stolen.



API keys were hacked from binance's servers last year and there have been recent suspicions of an ongoing problem.

Were they?

I remember that most (if not all) people had their API key entered into a 3rd party trading software/script.
And this software had maliciously used the API keys to buy (and pump) a worthless coin, which has been sold by the attacker to get lots of profit out of it.

I didn't see any news regarding the security of binance being compromised. IIRC it was 100% the users' fault back then.

TheHas
May 10, 2019, 10:04:27 AM
 #47


It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..

But the issue wasn't that people were careless with their 2fa or passwords. The issue was that Binance had a security breach that circumvented these security checks.

I get that in crypto you are responsible for your own security - but in this case the problem wasn't the user, it was the 'trusted' and apparently 'safu' centralized exchange, who has such an inflated sense of self importance that they were considering risking the entire integrity of Bitcoin through a roll back.
bob123
May 10, 2019, 11:17:28 AM
 #48

It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..

But the issue wasn't that people were careless with their 2fa or passwords. The issue was that Binance had a security breach that circumvented these security checks.

I get that in crypto you are responsible for your own security - but in this case the problem wasn't the user, it was the 'trusted' and apparently 'safu' centralized exchange, who has such an inflated sense of self importance that they were considering risking the entire integrity of Bitcoin through a roll back.


Do you have any source for this statement?

I can't find any news stating that binance's security was compromised.

LuckyBtc
May 10, 2019, 01:41:23 PM
 #49

It is the user who has to use the safe (i.e. securely storing api key / 2FA codes).
Binance can't force anyone to protect their password / 2FA code / etc..

But the issue wasn't that people were careless with their 2fa or passwords. The issue was that Binance had a security breach that circumvented these security checks.

I get that in crypto you are responsible for your own security - but in this case the problem wasn't the user, it was the 'trusted' and apparently 'safu' centralized exchange, who has such an inflated sense of self importance that they were considering risking the entire integrity of Bitcoin through a roll back.


Do you have any source for this statement?

I can't find any news stating that binance's security was compromised.
Someone on Twitter is claiming he had found a glitch that could let him/her bypass 2FA and captcha on iOS devices. He had reported it to Binance but was ignored.
https://twitter.com/pacpoker/status/1094814265981190145?s=19
bob123
May 10, 2019, 02:14:11 PM
 #50

Someone on Twitter is claiming he had found a glitch that could let him/her bypass 2FA and captcha on iOS devices. He had reported it to Binance but was ignored.
https://twitter.com/pacpoker/status/1094814265981190145?s=19

This was 3 months ago. And he didn't make the glitch public, which he said he would do.

Furthermore the 2FA is checked server-side. So technically it is not possible to bypass 2FA by manipulating the client (in this case: the iOS app).

IMO this was just a bad joke. And far away from being a 'source' to the statement that binance had a security breach.

Patatas
May 10, 2019, 06:18:48 PM
 #51

With the recent Binance hack of 7,000 BTC cyber security firm Ciphertrace pointed out that the reason hackers were able to obtain API keys, 2FA codes and other info was due to hacking hot wallets using a two factor approach, social engineering and SIM card porting of phone numbers.

What Dave Jevans recommends moving forward is a 3FA approach. Has anyone used this or what are your thoughts?

https://cryptobriefing.com/binance-promises-to-cover-7000-btc-lost-in-hack/
Do you actually believe that news? Apart from bitcointalk, every other community thinks it's an inside job which I pretty much agree with. It's not the first time, nor the last, that these exchange owners like to fuck around with the traders. At this point, I've digested it.
squatter
May 11, 2019, 07:06:37 AM
 #52

Do you actually believe that news? Apart from bitcointalk, every other community thinks it's an inside job which I pretty much agree with. It's not the first time, neither last that these exchange owners like to fuck around with the traders. At this point, I've digested it.

If they're covering the lost funds from their own money, why would you assume it's an inside job? What does Binance have to gain by telling the world they got hacked?

TravelMug
May 12, 2019, 05:00:09 AM
 #53

Someone on Twitter is claiming he had found a glitch that could let him/her bypass 2FA and captcha on iOS devices. He had reported it to Binance but was ignored.
https://twitter.com/pacpoker/status/1094814265981190145?s=19

This was 3 months ago. And he didn't make the glitch public, which he said he would do.

Furthermore the 2FA is checked server-side. So technically it is not possible to bypass 2FA by manipulating the client (in this case: the iOS app).

IMO this was just a bad joke. And far away from being a 'source' to the statement that binance had a security breach.

I agree, as per Binance they said the hackers were able to obtain 2FA and Google authentication through a phishing attack. So there's no way that Binance itself can see if indeed it was from the hacker because they were able to get entry through the right channels.
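
Added example, not part of any post in this thread and not Binance's code: a minimal server-side TOTP check (RFC 6238, HMAC-SHA1) of the kind post #50 refers to, with a per-account replay guard. `TotpVerifier`, `handle_withdraw` and the request fields are hypothetical names, and the secret is the RFC test key used as constructed sample data.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6   # RFC 6238 defaults: 30-second steps, 6-digit codes

def totp(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) value for one time-step counter, HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class TotpVerifier:
    """Hypothetical server-side verifier: the shared secret stays on the
    server and each time step is accepted at most once per account."""

    def __init__(self, secrets, window=1):
        self._secrets = secrets      # account -> shared secret (bytes)
        self._window = window        # tolerated clock drift, in steps
        self._last_used = {}         # account -> last accepted counter

    def verify(self, account: str, code: str, now: float) -> bool:
        secret = self._secrets.get(account)
        if secret is None or len(code) != DIGITS:
            return False
        if not (code.isascii() and code.isdigit()):
            return False
        current = int(now) // STEP
        first = max(0, current - self._window)
        for counter in range(first, current + self._window + 1):
            if counter <= self._last_used.get(account, -1):
                continue             # step already consumed: replay
            if hmac.compare_digest(totp(secret, counter), code):
                self._last_used[account] = counter
                return True
        return False

def handle_withdraw(verifier: TotpVerifier, request: dict, now: float) -> str:
    # Anything the client asserts about its own 2FA state (for example a
    # "2fa_passed" field) is never read; only the submitted code is checked.
    account = str(request.get("account", ""))
    code = str(request.get("code", ""))
    return "accepted" if verifier.verify(account, code, now) else "denied"

# Constructed sample: the RFC 6238 test key, evaluated at t = 59 s.
SAMPLE_SECRETS = {"alice": b"12345678901234567890"}
```

A correct code is accepted whoever submits it inside the time window, which is the situation post #53 describes; the verifier can only refuse reuse of a step it has already consumed.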
