Exchange Hacks, Who's Responsible?


We hear about hacks on cryptocurrency exchanges almost regularly these days, whether it is a hack of their wallets directly or of their infrastructure, such as the website, the support e-mail server, etc.

Whenever I read about it in the news, the only thing that comes to my mind is: who is responsible for covering all the losses that occur? Especially as the concerned parties are many times pushing responsibility towards the user to change their password, etc., while the actual security breach has nothing to do with the user's behaviour or security setup.

Just yesterday the Openledger websites were compromised, which most likely led to phishing attacks on users. So who will cover those losses? The only official statement I saw so far was "If you're hacked, change your keys..."

It's a bit concerning to me how low a priority security seems to be for crypto companies and how it always seems to be the responsibility of the user in case he or she lost any funds. I'm sorry to say, but if you provide an insecure service and your customers suffer any losses through it, then you are the one who has to cover them! That's my take on the whole topic.

I'm definitely curious to follow up these cases a bit more, as I'm really interested in how companies handle such cases and whether they own up to their mistakes.

What's your take on this topic?


Follow @Buildteam!
A Crypto Startup Revolutionizing Steem!

Leave A Comment & Follow Me @Steembusiness


I think it really depends on who was at fault. When people fall for the phishing scams, unfortunately they weren't careful enough.

Sometimes it is the carelessness of the users that brings in attacks. For instance, the Binance hack allowed customers' API keys to be compromised when they fell victim to phishing. The hackers used a massive collection of API keys that they collected over a couple of months. Then, all at once, the hackers launched an attack to buy up a coin with the compromised accounts and artificially create a pump.

The interesting thing that Binance did was that they discovered something was going on and froze all the accounts. The hackers invested about $350,000 into the coin that they were trying to pump. Since Binance froze all the accounts, they were able to take time to figure out what was going on. Binance ended up keeping the hackers' money and reversing all the malicious transactions. Then they gave that money to charity.

I think that Binance failed to address the hacker's phishing website that looked just like the Binance website.

In the Steemit website phishing scam there were copies of Steemit that were created. There were people complaining about it and lots of warnings, but was anyone going after the hackers? I'm not sure. Every time the hackers compromise an account, they take whatever SBD and Steem is in the account and send it to the exchange. Obviously, that money is gone, but the record remains. If STEEM Inc were to coordinate with the exchange to go after the hackers, the hacker accounts on the exchange could be closed and the accounts investigated. Sometimes the hackers slip up and leave a trace. Then they can be reported to their local law enforcement.

I think at minimum, coordination to go after hackers is needed.
I also think that the websites should monitor the web for any copies and go after the host. This would help reduce the source of the phishing links.

One thing Binance did that was ingenious was that they put a bounty on any hacker that makes an attempt to attack them. They put aside 10 million dollars for future bounties. I think STEEM can do the same, and they wouldn't even have to pay for it. It can be done in various ways. One way is to create a system where Steemians can load an account that collects voting power and interest just like SP, with the exception that if a bounty needs to be paid, the money comes from these accounts. It would be optional to use. Think of it like the savings account that nobody ever uses. It would be a bounty savings account. Another way is to have an active account that does some service, to which users can delegate SP, which allows that account to generate SBD and SP for future bounties. And yet another way is that STEEM Inc just fronts the delegation or the SP towards future hacker bounties.

Sure, a user is definitely responsible for phishing attacks through deviating URLs or other stuff that's created to look 100% alike in order to get at the keys. But in the case of OL their actual domains got hacked and used for phishing, so a user could never ever have noticed it.

Good point. The exchanges are all competing for the market share of volume. In that case, OL should pay back any losses. Other exchanges have done it even if it puts them out of business. In the case of Coincheck, Japan vowed to cover the cost of the hack to pay back losses. It was over $400 million.

Unfortunately, that's the same problem we are dealing with on Steemit as well. Many accounts were stolen and the hackers are still active spreading their phishing links, but nobody can take action against them. Users are always responsible for their behaviour, but that's not fair :(

Well, it's fair as long as it's not a failure of the company itself. The Steemit phishing attacks took and take place via fake URLs that just look alike, which is just the usual thing that happens all the time and needs your personal attention.

A compromised URL of a company itself is a different story, as there you as a user don't see any sign and are unable to recognize the phishing.

I believe that a company is responsible for the quality of its service, and the security of its processes is part of that quality; not taking responsibility for its failures only increases its disrespect and incompetence as a company.

Do you have more info on the Openledger hack? I have a local wallet and my understanding was that the only way I was at risk was if someone had my password and was using my computer. Am I wrong on this, or would this mainly be a concern for people who are set up on a web-based account (not a local wallet)?

Thanks

Are those also successful hacks you read about regularly?

I believe that crypto might never become mainstream because of such things. The first thing I think when I read a story like this is: see, there you go.

But the next thing I think is that I kind of want to read this and interpret it in the way that suits me best, which is concluding that I will be right and these kinds of things prevent crypto from becoming mainstream.

Last but not least, I go back to my roots, which is analyzing data and especially numbers. So that makes me ask this question and try to investigate a bit further.

In the end, it will just be time that teaches us who's gonna be right.

About the subject, I think if there are great losses with a hack, the damage can't be paid by the exchange, because then they would go bankrupt. So that might be an issue in who's gonna pay for it.
