How Hackers Stole So Many Coins in So Little Time
Cryptocurrencies continue to be a headlining topic in the tech space as a decentralized, completely virtual financial system gains popularity. Unfortunately, the most well-known cryptocurrency, Bitcoin, made headlines due to a recent theft of over 119,000 coins. BBC reports that the Hong Kong-based exchange Bitfinex lost over $65M in a recent theft.
The details of how the theft happened are still largely unknown. The exchange utilizes BitGo's security measures. According to BitGo, its 2-of-3 multi-signature wallet removes all single points of failure by using 3 keys: an individual's private key, an individual's offline backup key, and BitGo's co-signing key. Each transaction requires 2 of the 3 keys for signing, giving customers full control.
According to Altcoin Today, it appears the hacker used keys to access an account and circumvented the daily spending limits. The hacker was either never subjected to the daily spending limit, or lifted the restrictions on spending, both of which should have been flagged as a problem with the configuration settings for that account.
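To make the two paragraphs above concrete, here is an added example (not code from Bitfinex, BitGo, or the original post) of a 2-of-3 co-signing policy. Because no third-party library is assumed, "signatures" are HMAC-SHA256 tags computed with each key's secret, a constructed stand-in for the ECDSA signatures a real Bitcoin multisig script would verify. The key names, the transaction fields, the `daily_limit_btc` policy key, and the fail-closed rule (a missing limit means "refuse to co-sign", not "unlimited") are all assumptions made for the example; that last rule is exactly the configuration gap the article describes, an account that was never subjected to a limit.

```python
import hashlib
import hmac

# Constructed stand-in for ECDSA: each key is a secret and "signing" is an
# HMAC-SHA256 over the serialized transaction, so a tag proves that a
# particular key was used. A real wallet uses ECDSA and a P2SH multisig script.
KEYS = {
    "user_key": b"constructed-user-private-key",
    "backup_key": b"constructed-offline-backup-key",
    "cosigner_key": b"constructed-cosigning-service-key",
}
THRESHOLD = 2  # 2-of-3: any two distinct keys can spend


def serialize(tx):
    """Canonical bytes of a constructed transaction dict."""
    return f"{tx['from']}|{tx['to']}|{tx['amount_btc']:.8f}".encode()


def sign(tx, key_name):
    """Produce a (key_name, signature) pair with one of the three keys."""
    digest = hmac.new(KEYS[key_name], serialize(tx), hashlib.sha256).hexdigest()
    return key_name, digest


def valid_signers(tx, signatures):
    """Distinct key names whose signature over tx verifies. Duplicates of the
    same key count once, so one compromised key can never reach the threshold."""
    signers = set()
    for key_name, sig in signatures:
        if key_name not in KEYS:
            continue
        expected = hmac.new(KEYS[key_name], serialize(tx), hashlib.sha256).hexdigest()
        if hmac.compare_digest(sig, expected):
            signers.add(key_name)
    return signers


def is_spendable(tx, signatures):
    """True once at least THRESHOLD distinct keys have validly signed."""
    return len(valid_signers(tx, signatures)) >= THRESHOLD


def cosign(tx, signatures, policy, spent_today_btc):
    """Co-signing service: add the third key only if the customer signed and the
    account's daily limit allows the spend. A missing or disabled limit is
    treated as deny (fail closed), not as 'unlimited' (assumed policy).
    Returns (signatures_with_cosig or None, reason)."""
    signers = valid_signers(tx, signatures)
    if not signers & {"user_key", "backup_key"}:
        return None, "no valid customer signature"
    limit = policy.get("daily_limit_btc")
    if limit is None:
        return None, "daily limit not configured; refusing to co-sign"
    if spent_today_btc + tx["amount_btc"] > limit:
        return None, "daily limit exceeded"
    return list(signatures) + [sign(tx, "cosigner_key")], "co-signed"
```

The point of the split is visible in `cosign`: the co-signer is the one party in the normal signing path that sees every spend, so the daily limit has to be enforced there and treated as mandatory. If the service's policy check can be skipped or the limit can be set to "none", a single leaked customer key plus the co-signer's automatic signature is enough to reach the threshold.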
As Bitfinex and BitGo struggle to understand how the hacker stole so many coins in so little time, other exchanges are once again reviewing their own security measures to thwart similar attacks. What should they be looking for as they update and implement new security measures? Here are 3 ways that a security automation tool could have helped prevent this theft:
User Behavior Analytics (UBA)
If the exchange was utilizing UBA, the excessive spending activities would have been flagged as anomalous. Comparing the user behavior to the established norm, UBA would identify unusual behavior indicative of a compromised account or hacker. Bringing visibility to this type of abnormal behavior is the first step to combating these types of threat vectors.
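As an added illustration of the UBA idea (this is example code, not part of the original post or any vendor's product), the following builds a per-account baseline from an account's own withdrawal history and flags a day whose total is far outside it. The log format, the account names, and the thresholds (z-score above 3 and more than twice the largest previous day) are constructed assumptions; the second condition exists so that an account with an almost constant history, and therefore a near-zero standard deviation, does not alert on a trivial bump.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed withdrawal log (timestamp,account,amount_btc). acct-3 is steady;
# acct-7 shows ten ordinary days and then a burst of large withdrawals.
WITHDRAWAL_LOG = """\
2016-07-20T09:10:00Z,acct-3,1.00
2016-07-21T09:12:00Z,acct-3,1.10
2016-07-22T09:05:00Z,acct-3,0.90
2016-07-23T09:30:00Z,acct-3,1.00
2016-07-24T09:11:00Z,acct-3,1.20
2016-07-25T09:40:00Z,acct-3,0.80
2016-07-26T09:02:00Z,acct-3,1.00
2016-07-27T09:15:00Z,acct-3,1.10
2016-07-20T14:01:00Z,acct-7,0.40
2016-07-21T13:55:00Z,acct-7,0.55
2016-07-22T15:20:00Z,acct-7,0.30
2016-07-23T14:10:00Z,acct-7,0.60
2016-07-24T14:33:00Z,acct-7,0.45
2016-07-25T13:48:00Z,acct-7,0.50
2016-07-26T14:05:00Z,acct-7,0.35
2016-07-27T14:50:00Z,acct-7,0.40
2016-07-28T14:12:00Z,acct-7,0.55
2016-07-29T14:41:00Z,acct-7,0.50
2016-08-02T03:01:12Z,acct-7,40.00
2016-08-02T03:04:50Z,acct-7,45.00
2016-08-02T03:09:27Z,acct-7,35.00
"""


def parse_log(text):
    """Parse the constructed CSV log into (datetime, account, amount) rows."""
    rows = []
    for line in text.strip().splitlines():
        ts, account, amount = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, float(amount)))
    return rows


def daily_totals(rows):
    """{account: {date: total_btc withdrawn that day}}"""
    totals = defaultdict(lambda: defaultdict(float))
    for ts, account, amount in rows:
        totals[account][ts.date()] += amount
    return totals


def anomalies(rows, z_threshold=3.0, min_history_days=7):
    """Flag a day whose withdrawal total is far above that account's own
    history: z-score above z_threshold AND more than twice the largest day
    seen before. Days with too little history are skipped, not flagged."""
    alerts = []
    for account, days in daily_totals(rows).items():
        for day in sorted(days):
            history = [total for d, total in days.items() if d < day]
            if len(history) < min_history_days:
                continue  # not enough baseline yet
            mean = statistics.mean(history)
            stdev = statistics.pstdev(history)
            today = days[day]
            if stdev == 0:
                z = float("inf") if today > mean else 0.0
            else:
                z = (today - mean) / stdev
            if z > z_threshold and today > 2 * max(history):
                alerts.append({
                    "account": account,
                    "date": day.isoformat(),
                    "amount_btc": round(today, 8),
                    "baseline_mean_btc": round(mean, 8),
                    "z_score": round(z, 1),
                })
    return alerts
```

Run over the constructed log, only acct-7 on 2016-08-02 is flagged: three withdrawals in eight minutes total 120 BTC against a baseline that averages under half a coin a day. The baseline here is per account, which is the part that matters; an exchange-wide threshold would be tuned for its largest customers and would miss the same burst on a small account.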
Configuration Change Alerts
An automation tool would have sent an alert when the configurations for daily spending limits were changed or removed altogether, allowing security teams to lock down the account before a major theft occurred.
Automated Remediation
If the security measures included an integrated ticketing system or rules, they could have automatically remediated the threat following the established remediation plan or quarantined the user to prevent further withdrawals. Further, an automation tool could have reset the configurations to enforce the daily spending limit, making it impossible for a hacker to remove the spending limit long enough to complete a large transfer.
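The two paragraphs above (alerting on a limit change, then automatically reverting it, freezing the account and opening a ticket) are shown together in one added example below. It is illustrative code, not the original post's or any vendor's, and it assumes a constructed audit-event format from an account-configuration service, a policy ceiling on self-set limits, and a `monitor` loop that evaluates each change in the same pass in which it is applied.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy: the largest daily limit an account may set for itself.
POLICY_CEILING_BTC = 10.0


@dataclass
class Account:
    account_id: str
    daily_limit_btc: Optional[float]  # None means "no limit enforced"
    frozen: bool = False


def seed_accounts():
    """Constructed starting state for three accounts."""
    return {
        "acct-7": Account("acct-7", 2.0),
        "acct-9": Account("acct-9", 3.0),
        "acct-2": Account("acct-2", 1.0),
    }


# Constructed audit events emitted by the account-configuration service.
CONFIG_EVENTS = [
    {"ts": "2016-08-01T22:10:00Z", "account": "acct-7", "actor": "api-key:7a",
     "field": "daily_limit_btc", "old": 2.0, "new": 2.5},           # modest raise
    {"ts": "2016-08-02T02:58:00Z", "account": "acct-7", "actor": "api-key:7a",
     "field": "daily_limit_btc", "old": 2.5, "new": None},          # limit removed
    {"ts": "2016-08-02T03:00:00Z", "account": "acct-9", "actor": "session:9f",
     "field": "daily_limit_btc", "old": 3.0, "new": 500.0},         # far above ceiling
    {"ts": "2016-08-02T03:05:00Z", "account": "acct-2", "actor": "session:2c",
     "field": "notification_email", "old": "a@example.test", "new": "b@example.test"},
]


def classify(event):
    """Return a finding name for a dangerous limit change, else None."""
    if event["field"] != "daily_limit_btc":
        return None
    if event["new"] is None:
        return "daily_limit_removed"
    if event["new"] > POLICY_CEILING_BTC:
        return "daily_limit_above_policy_ceiling"
    return None


def apply_change(accounts, event):
    """What the configuration service already did: store the new value."""
    if event["field"] == "daily_limit_btc":
        accounts[event["account"]].daily_limit_btc = event["new"]


def remediate(accounts, event, finding):
    """Automated response: put the previous limit back (capped at the policy
    ceiling), freeze withdrawals until a human reviews, and open a ticket."""
    acct = accounts[event["account"]]
    restored = event["old"] if event["old"] is not None else POLICY_CEILING_BTC
    acct.daily_limit_btc = min(restored, POLICY_CEILING_BTC)
    acct.frozen = True
    return {
        "ticket": f"SEC-{event['account']}-{event['ts']}",
        "finding": finding,
        "actor": event["actor"],
        "restored_limit_btc": acct.daily_limit_btc,
        "frozen": True,
    }


def monitor(accounts, events):
    """Apply each change as the config service would, then evaluate it and
    remediate in the same pass, so no window is left open for a transfer
    to go through under the weakened setting."""
    tickets = []
    for event in events:
        apply_change(accounts, event)
        finding = classify(event)
        if finding:
            tickets.append(remediate(accounts, event, finding))
    return tickets
```

The ordinary raise on acct-7 is allowed through and only generates an audit record; the removal of the limit and the jump to 500 BTC on acct-9 each produce a ticket, restore the prior limit, and freeze the account. The actor field is carried into the ticket because "which API key or session made this change" is the first question an analyst will ask.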
BitGo insists that its security protocols were working properly, meaning that hackers were able to access the accounts by bypassing the security measures with changes to the security configurations. To prevent theft, comprehensive security measures that alert and automatically remediate configuration changes are necessary.