Users unwittingly had two-factor authentication (2FA) codes compromised via malware and phishing, along with the API keys they used to automate trading. The incident highlights the problem of relying on security credentials that can be compromised. In recent weeks we’ve been talking to Forcepoint, a security company that adds behavioural analysis to the mix, to understand whether this level of security would have helped stop the exfiltration of data which, in this case, meant Bitcoins.
According to Binance, the nature of the user behaviour didn’t raise any flags and security only kicked in once the Bitcoins had left the site.
iTWire spoke to Nico Fischbach, Forcepoint chief technology officer, to find out how better behavioural analysis could have helped. He pointed us to a case study of Metro Bank in the UK whereby the bank uses Forcepoint’s CASB (Cloud Access Security Broker) software to “analyse and enforce appropriate controls for SaaS and production applications.” The bank integrated it with their online banking application. It analysed workflows and user behavioural analytics – going beyond a traditional Web Application Firewall (WAF) – to scan for behaviours that were uncommon. He said, “It could be infections, compromised browsers, it could be users trying to do weird things and all of that… [all while] billions of transactions were running through the system.”
Fischbach also emphasised the importance of using analytics in the back-end for “insider threat monitoring.” He said, “This is another angle that is super important.” It was a core focus of the investigation into the major New Zealand Cryptopia exchange hack which, just days ago, went into liquidation having lost huge amounts of customer funds. There were also concerns regarding the QuadrigaCX exchange collapse, whereby access to all wallets was lost when a single employee “went missing.” If this was an exit scam, behavioural analytics could potentially have raised alarms beforehand.
However, the crux of the Binance problem is that alarms only sounded once the Bitcoins had been withdrawn (especially as many went to just a few addresses). While it’s not clear exactly what security layers were in place, it’s not unreasonable to assume that many users suddenly wanting to transfer coins to the same unusual addresses should have been flagged by security BEFORE the coins were transferred.
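The pre-withdrawal check described above, as an added illustration that is not Binance’s or Forcepoint’s code: hold any withdrawal request whose destination is new for that user once several distinct users have asked to send to the same address within a short window. The sample requests, user history, window and threshold are all constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawal requests: (timestamp, user, destination, amount in BTC).
# User ids and addresses are placeholders, not values from the incident.
REQUESTS = [
    ("2019-05-07T17:15:00", "u01", "bc1q-EXAMPLE-cold-01", 0.5),
    ("2019-05-07T17:15:05", "u02", "bc1q-EXAMPLE-cold-02", 1.0),
    ("2019-05-07T17:16:00", "u03", "bc1q-EXAMPLE-shared", 12.0),  # burst to one address begins
    ("2019-05-07T17:16:10", "u04", "bc1q-EXAMPLE-shared", 30.0),
    ("2019-05-07T17:16:20", "u05", "bc1q-EXAMPLE-shared", 8.5),
    ("2019-05-07T17:16:25", "u06", "bc1q-EXAMPLE-shared", 22.0),
    ("2019-05-07T17:40:00", "u07", "bc1q-EXAMPLE-cold-07", 0.2),
]

# Constructed history: destinations each user has previously withdrawn to.
KNOWN = {
    "u01": {"bc1q-EXAMPLE-cold-01"},
    "u02": {"bc1q-EXAMPLE-cold-02"},
    "u07": {"bc1q-EXAMPLE-cold-07"},
}


def review_withdrawals(requests, known, window=timedelta(minutes=10), min_users=3):
    """Return (user, destination, amount) for requests that should be held for review.

    A request is held when its destination is new for that user AND at least
    `min_users` distinct users (this one included) have requested withdrawals to
    the same destination within `window`. The decision is made as each request
    arrives, so the hold is applied before any funds leave the exchange.
    """
    recent = defaultdict(list)  # destination -> [(time, user), ...] within the window
    held = []
    for ts, user, dest, amount in requests:
        t = datetime.fromisoformat(ts)
        if dest in known.get(user, set()):
            continue  # user is returning to an address they have used before
        # Expire entries older than the window, then record this request.
        recent[dest] = [(t0, u) for t0, u in recent[dest] if t - t0 <= window]
        recent[dest].append((t, user))
        if len({u for _, u in recent[dest]}) >= min_users:
            held.append((user, dest, amount))
    return held


if __name__ == "__main__":
    for user, dest, amount in review_withdrawals(REQUESTS, KNOWN):
        print(f"HOLD {user}: {amount} BTC to {dest}")
```

Requests that arrived before the threshold was reached (u03 and u04 here) still go through, so a lower threshold, a settlement delay, or retroactively holding pending requests to a flagged address would be needed to cover the start of a burst.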
Fischbach surmises: “Would another security layer of defence that uses CASB and analytics have raised a risk score or a flag earlier for somebody to look into? We can only speculate.”
Whatever the truth is behind the hack, behavioural analytics is looking like a reasonable minimum security standard in a world where online currency transactions are only exploding in volume.
The writer attended the Forcepoint conference in Malaysia as a guest of the company.