Author: OneKey. Source: X, @OneKeyCN
Recently, both Binance and OKEx have been in turmoil. Binance users reported that a malicious plugin called Aggr bypassed Binance's multi-factor authentication (MFA) and stole their assets through keystroke theft. OKEx users, meanwhile, claimed that hackers used AI deepfake technology to bypass MFA, changed the phone numbers, emails and Google Authenticator bindings on their accounts, and then stole their assets.
Affected users penned vivid narratives, causing a stir in the community. Rumors and screenshots circulated rapidly, urging people to quickly withdraw their tokens. But is simply moving tokens enough? Perhaps the question itself reflects a flawed mindset.
Security has never been a straightforward choice.
Understanding the defensive line of Web2 account security: MFA
If you had to choose between a cold wallet and an exchange, you would essentially be choosing between a "private key" and "multi-factor authentication (MFA)".
As for MFA, if you are a seasoned internet user you already know that a simple password is no longer sufficient. SMS verification codes, email codes, even facial recognition and Google Authenticator codes are now the main players. Some Chinese apps don't even require a password, only a phone verification code.
This is understandable, because most people's passwords are not secure enough (major websites worldwide have leaked their password databases numerous times), so layers of protection are needed:
– The first layer: something only you know, such as passwords and security questions;
– The second layer: something only you possess, such as a SIM card, a phone, or a Google Authenticator one-time code;
– The third layer: something only you are, such as fingerprints, irises, faces and voices.
A common combination of authentication factors: password + email code + phone code + Google Authenticator one-time code + facial identity verification.
Sounds foolproof, right? In theory, with full MFA enabled, an account should be very secure. Even if one layer is breached, hackers cannot access the account unless they also obtain other authentication factors.
However, this is not always the case.
In practice, major internet companies may verify factors dynamically and selectively to keep user operations simple. The key question is whether their risk control measures (such as detecting remote logins and abnormal operations) cover the edge cases of user behaviour.
For instance, in September 2023, Ethereum founder Vitalik fell victim to a SIM swap attack on Twitter: hackers social-engineered T-Mobile into transferring Vitalik's phone number to their own device. Fake messages were then posted from Vitalik's Twitter account, resulting in a loss of around $690,000.
Vitalik later lamented on Warpcast (a decentralized social platform) that a phone number alone could reset a Twitter account password, which shows that phone numbers are not secure. SlowMist's Chief Information Security Officer also stated that SIM swap attacks are low-cost, with quotes even available on the black market.
This demonstrates that even with MFA in place, if phone number verification is granted excessive permissions and abnormal logins go undetected, Twitter cannot stop such attacks. Of course, this may also reflect Twitter's balance between efficiency and security.
This balance is even more challenging for exchanges that manage user assets.
Take the example of Binance users losing assets to a malicious plugin. The hackers could not steal users' assets directly by withdrawing to the blockchain, since a withdrawal would have to pass MFA. Instead, they used the compromised accounts to wash trade low market cap tokens, buying and selling repeatedly to profit from the resulting price swings, and then swiftly withdrew the profits from another account to complete the theft.
However, for trading within a logged-in session, most users undoubtedly want fast, timely execution; no one wants to pass through several layers of MFA during quick trades. Binance can therefore only address this by upgrading to more sophisticated risk control measures (such as identifying wash trading) rather than letting MFA slow down user transactions.
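As an added illustration of the kind of risk control the paragraph calls for (example code written for this article, not Binance's or OneKey's own logic): a heuristic that scans matched fills for the pattern described above, where a hijacked account trades almost exclusively against one counterparty, ends with a flat token position, yet has steadily paid quote currency to that counterparty. Account names, thresholds and the sample fills are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Fill:
    """One matched trade: buyer receives `qty` tokens and pays price * qty in quote currency to seller."""
    market: str
    buyer: str
    seller: str
    price: float
    qty: float

def pair_drain_candidates(fills, min_fills=4, min_concentration=0.8,
                          max_roundtrip_ratio=0.1, min_net_loss=1000.0):
    """Flag account pairs where one side (the victim) trades almost only with the other,
    finishes with a roughly flat token position, yet has paid quote currency one way.
    Thresholds are illustrative; tune them to the market's liquidity."""
    acct_fills = defaultdict(int)                    # (market, account) -> fill count
    pairs = defaultdict(lambda: [0, 0.0, 0.0, 0.0])  # (market, a, b) -> [fills, quote a->b, tokens b->a, gross tokens]
    for f in fills:
        a, b = sorted((f.buyer, f.seller))
        sign = 1.0 if f.buyer == a else -1.0         # a pays quote and receives tokens when a is the buyer
        p = pairs[(f.market, a, b)]
        p[0] += 1
        p[1] += sign * f.price * f.qty
        p[2] += sign * f.qty
        p[3] += f.qty
        acct_fills[(f.market, f.buyer)] += 1
        acct_fills[(f.market, f.seller)] += 1
    flagged = []
    for (market, a, b), (n, quote_flow, net_tokens, gross) in pairs.items():
        if n < min_fills or abs(quote_flow) < min_net_loss:
            continue
        victim, beneficiary = (a, b) if quote_flow > 0 else (b, a)
        concentration = n / acct_fills[(market, victim)]        # share of the victim's fills against this counterparty
        roundtrip = abs(net_tokens) / gross if gross else 1.0   # near 0 means tokens went out and came straight back
        if concentration >= min_concentration and roundtrip <= max_roundtrip_ratio:
            flagged.append({"market": market, "victim": victim, "beneficiary": beneficiary,
                            "net_loss": round(abs(quote_flow), 2), "fills": n,
                            "concentration": round(concentration, 3)})
    return flagged

# Constructed sample fills, not real exchange data: acct_A is the hijacked session, acct_B the attacker.
SAMPLE_FILLS = (
    [Fill("LOWCAP/USDT", "acct_A", "acct_B", 2.0, 1000) for _ in range(3)]   # acct_A buys high from acct_B
    + [Fill("LOWCAP/USDT", "acct_B", "acct_A", 1.0, 1000) for _ in range(3)]  # and sells the same amount back low
    + [Fill("LOWCAP/USDT", "acct_A", "acct_C", 1.5, 100)]                    # one ordinary fill for acct_A
    + [Fill("LOWCAP/USDT", "acct_D", "acct_E", 1.5, 50), Fill("LOWCAP/USDT", "acct_E", "acct_D", 1.5, 50)]
)
print(pair_drain_candidates(SAMPLE_FILLS))
```

The unrelated acct_D/acct_E pair trades at a fair price in both directions, so no quote currency flows one way and it is not flagged.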
Giving up the one-size-fits-all approach: multiple layers of defense are essential
After reading the previous sections, you now understand that MFA alone is not perfect and requires a balance between efficiency and security through risk control measures. Even world-class giants need constant upgrades.
Choosing a private key means taking the first step toward running your own risk control. The pressure to upgrade now falls on you.
Are you prepared to take full control of your crypto assets? Perhaps you initially copied the private key from a software wallet onto a piece of paper, but soon realized that this was not enough.
You still need to:
– Protect your computer from hackers with the same intensity;
– Stay vigilant against the latest phishing and social engineering attacks;
– Split funds between everyday hot wallets and cold wallets while keeping track of the authorizations you grant;
– Incur additional costs, such as a hardware wallet to protect and isolate private keys, or even more advanced solutions.
At this point, you will realize that the question of “should I keep my assets in a cold wallet or an exchange?” is not straightforward. Both private keys and MFA have their benefits and trade-offs.
For systematic asset security management, it is more important to consider the following questions:
– What are the risks? For most users, preventing hacking and phishing attacks is crucial;
– How to diversify risks? Lower the risk of a single point of failure through diverse and redundant strategies; the DeFi community's saying "one mine, one address" captures the idea well;
– How to mitigate risks? Implement the preventive and control measures within your means, such as installing security plugins, using hardware wallets, or setting up multi-signature authentication;
– How to respond to risks? Prepare an emergency response plan and a disaster recovery plan, for example by quickly contacting security organizations like SlowMist if assets are stolen.
These questions vary for users with different asset sizes and needs.
Once you have answered these questions, you may no longer ask the question posed in the title, and you will refrain from actions like storing all your assets on one exchange or using a wallet that holds large assets to interact with unfamiliar websites.
In conclusion: Security goes against human nature
Investing is usually counterintuitive, and security is no different.
When hackers breach security, it is usually by exploiting human weaknesses such as laziness, greed and underestimation.
We understand that some users seek a simple answer, like using a specific app for safety or buying a particular hardware wallet to solve all problems. It’s akin to always asking which coin will make you wealthy.
As a responsible provider of crypto security solutions, we must say honestly: security is not a simple outcome but an ongoing process of thinking and practice.
Some say that cognition determines the height of wealth acquisition.
Similarly, cognition also determines the bottom line of wealth protection.