This hack happened on October 14, 2018. I woke up early in the morning, my local time. Right away I turned on my laptop and checked my inbox, where I discovered an abnormally large volume of e-mails from the COSS Exchange. There were a few thousand of them. Each e-mail informed me about a failed attempt to log in to my account on the Exchange.
All the security measures were taken properly:
I received all of the e-mails while I slept. I rushed to check the account and discovered that all my holdings were gone. More specifically, they were sold on low-liquidity markets at rates substantially lower than the market ones.
In no time I turned to the support of the Exchange and informed them about the incident. I wrote about this situation on Reddit and in the public Telegram group of the Exchange. Naturally, the first reaction that I experienced from the community was humiliation and accusations of stupidity. Many called me a dumb fool because I stored funds on the Exchange and so on. No need to point out how I kept the funds. I have what I have now. So on a weekly basis, the Exchange shares the trading fees with the holders of its tokens. The profit is distributed among token holders proportionally to the number of tokens they possess. That’s why I decided to keep my tokens with the COSS exchange.
The exchange claims:
They forgot to mention one small fact: access to my account was obtained using a vulnerability which allowed the hacker to perform a brute-force attack on my 2FA.
I was not the only victim as COSS declares in their Medium blog, and the hacker indeed used the exchange’s vulnerability:
COSS Exchange was under DDOS + Brute force attack
They’ve shut down the entire exchange for ~24 hours:
What was that if not the exchange’s vulnerability?
The Exchange claims that the hacker had my password. Of course, the most natural and the easiest thing is to accuse the user of being responsible for the accident. But I can assure you that it is far from being the case. I have been in this industry since the end of 2011, and I do know how to generate and store wallets, passwords etc. I neither use Android smartphones, nor computers with Windows OS. I do not use SMS 2FA. I am meticulous and do not do bullshit. What if it was some internal job? Or the user database leaked? OK, let’s assume that I happened to become a victim/target of a hacker, who somehow managed to access my login and password (which I doubt A LOT). However, I had 2FA verification installed for this occasion.
It was designed exactly for situations like the one I described above. 2FA makes it possible to keep the funds safe even if the password/login was compromised. Recently I received a report from COSS compliance, in which they admitted that the brute-force attack took place. After 25,000 trials the attack was successfully completed.
The hacker got access to my account and sold all my funds for nothing. After all, the Exchange ignores my messages about a refund and steps towards that. They’ve only stated the amount of assets they were able to recover and are claiming that it was the user’s (my) fault that the hacker managed to access the funds.
How come? How would the hacker have accessed the funds if the Exchange had not allowed the brute-force attack to be performed? Even if it was me who had compromised the password in some magic way, 2FA had to serve as the last stand. The hacker managed to brute-force it using the Exchange’s vulnerability and the Exchange did not stop the brute-force attack. Remember, there were 25,000 trials.
If I had had additional time, I would have managed to respond and prevent the hack. Even if it was my fault, it was only 50%; the other half is that the exchange gave the hacker the opportunity to brute-force 2FA. In this regard, I publicly call on the COSS Exchange to refund me at least 50% of my account’s balance.
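An added illustration, not part of the original post and not COSS code: a per-account failure counter with exponential lockout on the second-factor check, replayed against the 25,000 attempts mentioned above. The 6-digit code space, one accepted code per attempt, one guess per second, and the `SecondFactorGuard` class with its thresholds are all assumptions.

```python
CODE_SPACE = 10 ** 6  # assumption: 6-digit one-time codes

def p_guess_success(attempts, accepted=1):
    """Chance that at least one of `attempts` random guesses is accepted.
    `accepted` = codes the server would take per try (assumption: 1)."""
    return 1 - (1 - accepted / CODE_SPACE) ** attempts

class SecondFactorGuard:
    """Hypothetical per-account limiter: after `max_failures` wrong codes,
    each further failure doubles the lockout, capped at `max_lock` seconds."""

    def __init__(self, max_failures=5, base_lock=60, max_lock=86400):
        self.max_failures = max_failures
        self.base_lock = base_lock
        self.max_lock = max_lock
        self.state = {}  # account -> (failure count, locked-until timestamp)

    def allowed(self, account, now):
        return now >= self.state.get(account, (0, 0))[1]

    def record(self, account, ok, now):
        if ok:
            self.state.pop(account, None)  # a correct code resets the counter
            return
        failures = self.state.get(account, (0, 0))[0] + 1
        locked_until = 0
        if failures >= self.max_failures:
            doublings = failures - self.max_failures
            locked_until = now + min(self.base_lock * 2 ** doublings, self.max_lock)
        self.state[account] = (failures, locked_until)

def guesses_admitted(guard, account, attempts, interval=1):
    """Replay `attempts` wrong codes, one every `interval` seconds, and
    count how many the guard lets through to the code check."""
    admitted = 0
    for i in range(attempts):
        now = i * interval
        if guard.allowed(account, now):
            admitted += 1
            guard.record(account, False, now)
    return admitted

if __name__ == "__main__":
    # "constructed-account" is a made-up identifier for this replay
    n = guesses_admitted(SecondFactorGuard(), "constructed-account", 25_000)
    print(f"no limit:   25000 guesses, p = {p_guess_success(25_000):.4f}")
    print(f"with guard: {n} guesses, p = {p_guess_success(n):.6f}")
```

Because a lockout can also keep the real owner out, the failure counter is a natural place to trigger an alert to the account holder as well.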
Assets I had:
~11 700 000 COSS tokens (30kk$ at ATH period)
19 000 EOS to refund in full (the EOS node was down and the hacker wasn’t able to withdraw EOS)
~22 ETH
The Exchange should bear the sole responsibility for the accident if its internal vulnerability allowed the hacker to accomplish his/her brute force attack.
If it were possible to bypass 2FA protection with a brute-force attack, every exchange/platform, as well as 2FA providers (generally Google), would be brought into disrepute and would face severe claims from their users. Basically, the whole industry would become a mess. If that were the case, exchanges/platforms would suffer multi-billion dollar losses, in particular, translating into even more significant losses for the industry as a whole.
No matter what decision the COSS exchange takes, I call on other exchanges to add an extra security feature to protect users’ funds: a TRADING PASSWORD. This will prevent anybody from selling a user’s assets on low-liquidity markets for cents even if the password was compromised and the exchange allows brute-force attacks.
I’m not promoting anybody, just facts:
Bitfinex doesn’t have it
Binance doesn’t have it
Poloniex doesn’t have it
Gate.io HAS IT.
English is not my native language, so sorry about typos and other mistakes.