Dilation Effect Study: Overview of Account Password Leakage Data from Major Exchanges and How to Prevent It

This article is jointly published by Dilation Effect and Wu Shuo Blockchain.

It is not easy to analyze the security level of exchanges, because it is difficult to know how much an exchange actually invests in security internally. Earlier, Dilation Effect chose smart contract authorization as the dimension for analyzing the main wallet addresses of industry-leading exchanges and institutions, and disclosed the issues it found in a timely manner. This time, we try to analyze the account security mechanisms of these mainstream exchanges from the perspectives of both attackers and users, since this directly affects the fund security of individual users.

I. Password Leakage of Mainstream Exchange Accounts

We attempted to screen the domain names of mainstream exchanges through public data-leak search websites (whose data sources include the dark web, file-sharing platforms, historically leaked account datasets, and so on). Bear in mind that attackers take exactly the same steps.

First, we searched for Binance.com and found more than 8,000 plaintext account/password records returned! Some fragments are shown as examples:

From these records we randomly selected some for login attempts and found that many of the account/password pairs were completely correct. After logging in, we went straight to the next step, two-factor authentication, as with this account mar***@gmail.com:

If the password of this user’s email account is the same as the password used to log in to the exchange (with the same email address as the login account), then the attacker can directly obtain the email verification code used for two-factor authentication and log in to the user’s Binance account. Isn’t it shocking? Of course, it is worth emphasizing that our verification attempts stopped here; no further actions were taken.

Dilation Effect made an initial count of the password leakage situation for more than ten mainstream exchanges; each of them has thousands of leaked records. The specific numbers are shown in the following table:

It feels a bit shocking.

Due to time constraints, Dilation Effect did not check the accuracy of these account passwords one by one, but by randomly sampling the data we found correct account/password pairs in the leaked data of every exchange. Our initial estimate is that the average correct ratio is about 10% to 20%.

Account and password leakage does not directly lead to user fund loss, because exchanges provide additional 2FA mechanisms. However, if users have not set up comprehensive security measures, for example if they have enabled only email verification, or if another authentication factor is itself attacked, there is still a risk of fund theft.

Next, let’s continue by analyzing the security strength of the mainstream 2FA (two-factor authentication) mechanisms in use today.

II. Security Comparison of Common 2FA Authentication Mechanisms

First, the security levels of various 2FA factors are compared:

Dilation Effect believes that an ordinary user’s email account is a relatively fragile security product, and that email verification codes are not a stable security verification factor. Today, if a user has set up only email verification codes as 2FA, the security of that account can be considered zero. It should be recognized that major internet service providers have been attacked in the past, resulting in massive leaks of usernames and passwords. In addition, email service providers also have potential unknown vulnerabilities, which leaves a large number of user email accounts in an insecure state. Overall, the security of email verification codes is very low.

SMS verification codes also face many attack scenarios. For example, in a targeted attack, attackers can deploy a fake base station near a high-value user to hijack their SMS messages. Another example is the SIM swapping attack that the Lapsus$ hacker group is currently fond of. In simple terms, a SIM swapping attack is one in which the attacker uses social engineering to impersonate the user and have the SIM card transferred to the attacker’s name. With the emergence of eSIM, attackers can complete the application and activation online, making the attack even easier. Twitter founder Jack Dorsey’s Twitter account was attacked in this way. Another issue is lawful interception by telecom operators, which will not be discussed further. Those who understand, understand. Therefore, the security level of SMS verification codes is also relatively low.

TOTP and security keys face fewer threats. Dilation Effect recommends that users at least enable Google Authenticator as a baseline security setting, and that users with higher security requirements use physical U-keys (hardware security keys). If you have set up only email verification codes or SMS verification codes, it is only a matter of time before your account is attacked.

In addition, some exchanges have started to support security keys, a strong security mechanism that lets users replace traditional passwords. Users are advised to gradually become familiar with them and adopt them.

III. Suggestions for Exchanges

Exchanges should immediately initiate their emergency response procedures to investigate the leakage of user account passwords, guide affected users to change their passwords, and improve account security settings. At the same time, daily monitoring for leaks of user account passwords should be carried out proactively. If you do not know how to find leak data for your own users, you can contact Dilation Effect (dilationeffect@gmail.com).

We suggest that exchanges adopt a “secure by default” design approach and give more consideration to the security of user accounts. Once a user has completed the security settings, the account should be in a relatively secure state. One design principle that can be referenced is to require users to bind Google Authenticator in order to meet the security baseline. Therefore, during registration, exchanges should guide users to complete this setting as far as possible, and sensitive operations, including withdrawals, should only be allowed after it has been completed.

IV. Suggestions for Ordinary Users

Have a sense of awe towards network security. Attackers are diligent, while most users have a relatively limited understanding of network security; for example, V God’s Twitter account was hacked a few days ago. Users should not neglect their account security settings just for the convenience of making withdrawals. Often, they only regret it after being attacked. So, at the very least, bind your account to Google Authenticator.

In addition, there is another treasure of a website where users can regularly check whether their email addresses and passwords have appeared in leaks. It is worth bookmarking:

https://haveibeenpwned.com
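Two defender-side checks that follow from section III and from the site above, as an added example that is not code from Dilation Effect, from any exchange, or from Have I Been Pwned. Part 1 implements the k-anonymity range lookup that the Pwned Passwords service exposes (only the first five hex characters of the password’s SHA-1 are sent; every suffix under that prefix comes back and the match is made locally, so neither the password nor its full hash leaves the client); the “HTTP response” is a constructed sample so the block runs offline. Part 2 shows what an exchange’s emergency response can do with a leaked plaintext dump: match it against its own salted password hashes to find exactly which accounts need a forced reset. All email addresses, passwords, counts and the `login_decision` policy are constructed or hypothetical.

```python
"""Breach-aware password handling: a k-anonymity corpus lookup and triage of a
leaked dump against the exchange's own user store.

Added illustration, not code from Dilation Effect, any exchange, or Have I
Been Pwned. Emails, passwords, counts and policy names are constructed.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, List, Tuple

# ---- Part 1: k-anonymity breach lookup --------------------------------------

def sha1_split(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1, split into the 5-char prefix sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

# Constructed stand-in for GET /range/<prefix>; lines are "SUFFIX:COUNT".
# The first suffix is the genuine SHA-1 suffix of the string "password";
# the counts and the second suffix are made up.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "ABCDEF0123456789ABCDEF0123456789ABC:3\r\n",
}

def fetch_range_offline(prefix: str) -> str:
    """Serves the constructed sample; a real deployment would do an HTTPS GET here."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")

def parse_range(body: str) -> Dict[str, int]:
    """Turn the "SUFFIX:COUNT" lines into a lookup table."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """How many times the password appears in the corpus; 0 if never."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# ---- Part 2: triage of a leaked dump against the user store -----------------

USER_STORE: Dict[str, Tuple[bytes, bytes]] = {}   # email -> (salt, PBKDF2 hash)

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    USER_STORE[email.lower()] = (salt, _kdf(password, salt))

def password_matches(email: str, password: str) -> bool:
    """Constant-time verification against the stored salted hash."""
    rec = USER_STORE.get(email.lower())
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _kdf(password, salt))

def triage_leak(records: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Classify each (email, plaintext) pair from a dump: pairs that still open
    an account get a forced reset, stale or unknown pairs are only logged."""
    result: Dict[str, List[str]] = {"force_reset": [], "stale_or_unknown": []}
    for email, pw in records:
        bucket = "force_reset" if password_matches(email, pw) else "stale_or_unknown"
        if email.lower() not in result[bucket]:
            result[bucket].append(email.lower())
    return result

def login_decision(email: str, password: str) -> str:
    """Per-login policy: wrong password -> deny; correct but known-breached ->
    allow only into a mandatory reset flow; otherwise allow."""
    if not password_matches(email, password):
        return "deny"
    return "allow_reset_required" if breach_count(password) > 0 else "allow"
```

The triage step is the part worth automating daily: a dump is only actionable for the accounts where the leaked pair still works, and checking it against the exchange’s own hashes is the only way to know that without trying the credentials against the live login page.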

About Dilation Effect

Dilation Effect is a newly established Web3 security community, composed of network security experts from around the world, focusing on sharing objective and neutral Web3 security perspectives.

Dilation Effect is the first team in the industry to point out the risk of asset theft when a shared Apple ID is used to download wallet applications on the iPhone. It has also conducted exclusive analysis and disclosure of:

  • The smart contract authorization risks of major wallet addresses of top institutions such as Binance, KuCoin, and Jump

  • The security risks of Prime Protocol, a DeFi cross-chain lending protocol invested in by Jump

  • The risks that using GMX’s GLP and related tokens (mGLP, etc.) as collateral assets brings to lending protocols

  • The centralized security risks of the most popular aggregated cross-chain bridge protocol, Bungee

Dilation Effect will continue to release various Web3 security perspectives, comment on the security of Web3 products and protocols in the industry, and provide timely and effective security reminders to ordinary users.

Feel free to follow:
