Crypto.com accounts had unauthorized withdrawals

(crypto.com)

327 points | by camjohnson26 826 days ago

43 comments

  • Shank 826 days ago
    > 2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect. We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to setup and use 2FA in order to withdraw.

    How is this supposed to work? They revoked all of their 2FA for all accounts? Doesn't this just open them up to credential stuffing attacks? This is a really, really odd response to me. I can understand migrating to a new 2FA system, but they'd have to re-establish the chain-of-trust somehow. Are they just hoping that users don't have compromised email/SMS accounts in order to enable the new 2FA system?

    • ceejayoz 826 days ago
      I'm wondering if it's a badly-worded way of saying "anyone in the system gets kicked out and has to re-2FA".

      If they literally removed 2FA from everyone, that's insane.

      • kerng 826 days ago
        crypto.com is a little mysterious when it comes to authentication honestly. I still have not understood it.

        But basically in this case, you didn't even need a password to log back in, it was just an email to click a link, then FaceId/PIN and logged in and prompt to re-add 2fa. The app must store the password itself somehow and auto use it.

        Anyone know how they do auth on the app?

        For users in the US there is no way to change the password, because the webapp (which might have that feature) is not allowed to be used from US.

        Once I asked how to change the password and support said I can change the PIN on the phone and don't worry, your funds are safe.

        • Shank 826 days ago
          > crypto.com is a little mysterious when it comes to authentication honestly. I still have not understood it.

          If you're speaking from experience as a user of their service, I strongly suggest that you use a different exchange. Gemini + Coinbase both have very easy-to-understand authentication systems. If you don't understand the authentication system, that's a good red-flag that you should take as a reason to move to a more trustable platform.

          (Just my two cents, as someone who works on authentication system architecture design.)

          • kerng 825 days ago
            Good point. Overall the user experience of crypto.com is really nice though.

            I mean the app is tons better than Coinbase and I think a big reason that crypto.com is growing tremendously. Users like it.

          • tornato7 825 days ago
            Agreed. As someone who has integrated with dozens of crypto bank APIs, I can tell you Gemini's authentication and security is top notch (second only to Fireblocks)
        • godot 825 days ago
          From my experience as a user, you don't have a password. They log you in via an email link, you have a PIN, and you have 2FA.
        • giantrobot 825 days ago
          > it was just an email to click a link,

          An e-mail with a link to actually click? Does anyone else see those flashing red lights and hear that alarm klaxon? Please do me a favor and drop those assholes like a bad habit. They are going to cost you whatever assets of yours they have in their control.

          • paulryanrogers 825 days ago
              The fight to teach users not to click links in emails has been lost, IME. And if forgotten passwords can be resolved via an emailed one-time secret then email is effectively a skeleton key anyway.
        • josephd79 825 days ago
          Do they use something like this? I've never used crypto.com

          https://magic.link/

      • nailer 826 days ago
        I use crypto.com and they removed 2FA from me earlier in the week, asking me to set it up again. It was worrying as I wasn't sure if it was a scam, there was no reasoning behind it.
      • presty 826 days ago
        yes, they literally logged everyone out, removed 2FA, and on the new login, users had to re-add 2FA
        • cornedor 826 days ago
          Wouldn't this also allow an attacker to add his own 2FA?
          • Scoundreller 826 days ago
            Doesn’t really matter if your 2FA keygen algo got completely compromised.
            • mdoms 826 days ago
              Of course it matters. Even if we assume someone figured out how to own the 2FA system, that knowledge doesn't magically make its way into the brain of every script kiddy capable of credential stuffing a login form. They're two totally different vectors with different surface area.
              • Scoundreller 825 days ago
                My thought is that it’s not really 2FA, and 2FA means temporary tokens, and there’s a method to gain entry with just login+token, e.g. via password reset.
                • tialaramex 825 days ago
                  You can just make up whatever factors.

                  If you want to deliver security then MFA is an interesting strategy that needs careful consideration and planning, you might end up building things like Security Keys so as to solve real threats. You might fix real problems (Google eliminated phishing) at your organisation.

                  But if your goal is to bamboozle fools into giving you their real money in exchange for Itchy and Scratchy money that you may or may not then "lose" then you don't need all that hard work. Take whatever nonsense you cobbled together and say it's "Two factor" because that means "good" to people who don't know any better.

          • nefitty 826 days ago
            This is hilarious. This company is literally at the apex of the crypto industry and this is the kind of mistake they make. Yeah, immutable smart contracts written by their fellow proponents will also save the world lol
            • capableweb 826 days ago
              Calling crypto.com anything near "apex of the cryptocurrency industry" is a very broad lie. Crypto.com is for people who just "wanna invest in crypto and get rich", others who are actually involved in the space (developers, companies and others) are nowhere near crypto.com as they have proven time and time again they are not serious about anything, even the basics like security.
              • HaZeust 825 days ago
                I would argue that by you giving the torch to crypto.com as the company that caters to casual users that "just wanna invest and get rich", it is indeed one of the apexes of the industry. A product successfully marketing a fringe and specialized technology to the average consumer is just that.
                • idiotsecant 825 days ago
                  Is it? I'm not sure of numbers of total accounts but anyone who knows anything about crypto is suspicious of crypto.com as a platform and I don't know anyone who uses it when things like coinbase are available. They just bought an expensive URL and spammed a bunch of ads. If that makes them the apex of the industry I guess CALL THE GENERAL AND SAVE SOME TIME is the apex of the car insurance industry.
                • Karrot_Kream 825 days ago
                  This is a common play in several industries. Art of Shaving markets itself well to casual people interested in traditional shaving products but they take regular products, mark them up by a lot, rebrand and then upsell. Nobody claims Art of Shaving is the apex of shaving. Best Buy does similar marketing in regard to electronics, but Best Buy certainly isn't the apex of electronics retailers. What makes you think cryptocurrency companies would be any different?
                  • HaZeust 825 days ago
                    I would say Best Buy is an apex electronics retailer. Why wouldn't you?
                    • codehalo 825 days ago
                      Yes, but not the apex of the "electronics industry".
                      • HaZeust 822 days ago
                        But that's not the industry he said.
              • smt88 825 days ago
                Aren't they one of the largest exchanges?

                EDIT: They're #3 (bigger than Coinbase). Only OKX and Binance are bigger[1].

                1. https://www.coingecko.com/en/exchanges

                • barkingcat 825 days ago
                  No!

                  Coinbase is a large exchange...

                  • smt88 825 days ago
                    I checked.

                    Crypto.com is the #3 exchange and bigger than Coinbase[1].

                    1. https://www.coingecko.com/en/exchanges

                  • thebean11 825 days ago
                    I don’t think that’s true... bigger than Binance? By what metric?
                    • barkingcat 825 days ago
                      Coinbase doesn't have to be bigger than Binance to be "a large exchange" - we're not talking about "largest exchange" if you read the message.

                      It's definitely more established than crypto.com though.

                      Do you think crypto.com is larger than Binance?

                      • thebean11 825 days ago
                        Sorry completely misread, I thought you were saying it's the biggest
            • secondaryacct 825 days ago
              I have an ex colleague working there as lead dev: knowing him, no, they're not at the apex lol
            • matheusmoreira 825 days ago
              > This company is literally at the apex of the crypto industry

              Cryptocurrency was not even supposed to have these pseudobanks called exchanges leading this space. It wasn't even supposed to be an "industry".

              People were supposed to mine cryptocurrency on their own commodity hardware and use that to transact amongst themselves.

              • HaZeust 825 days ago
                Almost like its core mission statement was only led by the voluntary virtuosity of its participants - and wasn't as novel as previously thought. Huh.
                • imtringued 825 days ago
                  It's basically a digital gold standard and the gold standard hasn't led to an enlightened society either.

                  "Insanity is doing the same thing over and over again and expecting different results."

                  For me there are really only two alternatives. Negative interest on cash or competition among currencies (free banking). All those people shouting that Bitcoin should become the global reserve currency don't actually understand that a global reserve currency is a terrible idea and are only in it for the money.

            • rmbyrro 825 days ago
              Isn't this equivalent to saying the entire health industry is fake and untrustworthy because of Theranos? I don't know, it looks kind of the same to me, and sounds absurd.
            • barkingcat 825 days ago
              I'd say Coinbase is the company at the apex of the US cryptocurrency industry.

              crypto.com is a two bit player in comparison.

            • KeAShizukuTio 825 days ago
              Crypto bros versus banks that have been doing this for 100 years.
        • eswat 826 days ago
          > users had to re-add 2FA

          And you are not asked to do this while logging in again. It is assumed you know why you have to reauthenticate and that you have to re-add 2FA in your app settings…

      • tsimionescu 826 days ago
        Based on them saying they migrated to a new 2FA system, I think it's the latter - they disabled the current 2FA option and required everyone to register a new 2FA method.

        > In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.

        • AlexandrB 826 days ago
          What are the odds they migrated to a new 2FA system in a few days without introducing new, serious bugs?
      • idop 826 days ago
        Pretty sure that's what they meant. They said "tokens."
    • PinguTS 826 days ago
      That was exactly my question when I read this. How do they establish trust when 2FA is revoked? How do they prevent the bad guy from enabling 2FA now while the good guy is locked out of his account?

      Maybe the good guy didn't get the message that Crypto.com had an issue, because s/he is unavailable.

      • tsimionescu 826 days ago
        Given that apparently their previous system simply allowed login/payments without the configured mandatory 2FA, per their statements about the root cause of the issue, this may have been a move of desperation...
      • Scoundreller 826 days ago
        My thought is maybe they didn’t really do 2FA, but exploited a password reset mechanism that only required 2FA?

        I.e.: single factor resets, so a compromised “2FA” was actually keys to the kingdom?

        But you’d think the attacker would need access to a user’s email or some such then.

    • sparkling 826 days ago
      Is anyone else getting the feeling from this press release that it seems they actually don't (yet?) know how their previous 2FA system was circumvented by the attackers?
      • nodesocket 826 days ago
        My exact thoughts, umm where is the root cause and explanation of the breach? They just reset 2FA as a reactionary measure. The attackers have compromised more than 2FA to be able to initiate withdrawals. This doesn’t add up.
      • Mezzie 825 days ago
        If they knew, they'd share and talk about how they fixed it.

        As a communications person, reading between the lines tells me they've got no idea what happened. Comforting!

      • presty 826 days ago
        yeah, the PR is totally unclear about how they got hacked, or if they even know
    • ashtonkem 826 days ago
      Time to play the classic crypto exchange game: hack or exit scam? Disabling 2FA in this scenario is dumb enough to raise the question of malfeasance on the part of this theft.
      • lolinder 826 days ago
        Somehow I doubt a fraudulent company on the verge of an exit scam would spend $700 million to rename an arena right before pulling the plug. Incompetent? Probably. Fraudulent? Unlikely.

        https://www.latimes.com/business/story/2021-11-16/crypto-sta...

        • otterley 826 days ago
          The Houston Astros played at Enron Field until Enron was revealed to be a criminal enterprise and several of its leaders went to prison. The world has a short memory, it seems.
          • lolinder 825 days ago
            What OP was referring to was a take-the-money-and-run plan where the company knows ahead of time that the whole thing is going to explode and causes it to on purpose.

            My understanding is that Enron's leaders were caught in fraud and that led to the collapse of the company—they weren't planning on it collapsing, so the investment actually made sense in that case.

        • Applejinx 826 days ago
          No, that's normal pyramid scam behavior. I would say it was more likely that they were fraudulent if they were escalating their meaningless promo gestures to keep anybody from cracking as their scam gets too big to keep together. The bigger the risk, the bigger the colorful gesture.

          I'm imagining it as '$700 million IN CRYPTO, which is of course better than money'. For a name: which could easily be restored if it turns out the payment is worthless. But that's just my fantasy of how this might have gone on.

          If it's $700 million in real money that only underscores how desperate they are to make some colorful gesture.

          • ashtonkem 825 days ago
            Even your basic Ponzi schemes often involved generous and public philanthropic gifts even as the scheme was falling apart behind the scenes, just to maintain the public image.
            • Applejinx 824 days ago
              Or rather, the scheme was being what it naturally was. Falling apart implies that there's a together for it to be, behind the scenes.

              When it's designed from the start to be an expanding shell powered by new belief coming in, the philanthropy and big gestures are core to the nature of what it is.

              Back in the day I read an old book by Harvey Mackay (iirc), one of those business-guy self-help books, and he had a chapter called never buy anything big in a room where there is a chandelier. :D The point being, it's normal for scamsters to influence people by making their pitch in a place all decked out to look like the most wealthy, influential place you could imagine, and there'd be a chandelier because it would look like everybody was rich. And so, never buy anything big in a room with a chandelier, because it probably meant you were being ripped off.

              All this predates crypto by a loooooong way. There's nothing really new. Maybe back in the days of travelling traders on camels it was, never buy a camel in a room with a carpet that's bigger than the camel is :)

        • mdoms 826 days ago
          Crypto.com is built on a huge marketing facade. Keeping that facade up until the moment the rug is pulled is the main part of the scam.
          • antifa 825 days ago
            Maybe one employee decided to schedule an earlier exit without informing their co-conspirators.
        • rrdharan 825 days ago
          Not quite the same scale but the whole Color World 76ers thing is kind of in the same bucket?
      • blendergeek 826 days ago
        From the article:

        > No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.

  • kryogen1c 825 days ago
    Boy this whole thing just reeks.

    > No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.

    so which is it? no one lost funds or everyone that lost funds got paid back? where did that money come from?

    > transactions were being approved without the 2FA authentication control being inputted by the user.

    the withdrawal system allows for non-2FA when it's enabled, but informs the risk system when it happens? what kind of feature is that?

    > While Crypto.com already performs internal and external penetration tests, Crypto.com has immediately engaged with third-party security firms to perform additional security checks

    ah yes. the "we already had 7 double checkers, better add an 8th" solution. sounds like maybe the problem is not with the testing and auditing suite.

    > releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA)

    2FA isn't true MFA? did we evolve some new jargon I'm not aware of?

    > WAPP is designed to protect user funds in cases where a third party gains unauthorized access to their account and withdraws funds without the user’s permission. WAPP restores funds

    wait i thought they said they already did this? are they gonna start charging for it now because they lost money?

    > To qualify for the WAPP program, users must: Set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction

    wtf is that? a PSK? a TOTP?

    > File a police report and provide a copy of it to Crypto.com; and

    hello, local police department? I need to file a report - my cryptocurrency wallet just had an unauthorized funds withdrawal. no, I don't have a suspect, or evidence, or any action for you to take. just come down here and write down that I said this happened please.
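Two points in this thread share the same mechanics: Shank's question at the top about how a service re-establishes trust after revoking every 2FA token, and the sentence quoted just above that transactions were approved without the 2FA control being inputted. The block below is an added example by the editor, not Crypto.com's code (nothing about their implementation is known from the page); `Account`, `begin_enrollment`, `confirm_enrollment`, `risk_log` and the two `approve_withdrawal_*` handlers are assumed names. The OTP arithmetic follows RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits). It shows a re-enrollment that keeps the old authenticator active until the user proves possession of the new one, and puts a withdrawal path that merely logs the missing code (the failure mode the quote describes) beside one that verifies a fresh, unused code on the server.

```python
"""Added example (editor's illustration, not Crypto.com's code): TOTP enrollment
that keeps the old factor active until the new one is proven, and a withdrawal
check that is enforced server-side. Names here are assumptions; the OTP
arithmetic is RFC 4226/6238 (HMAC-SHA1, 30 s step, 6 digits)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional

STEP = 30      # TOTP time step, seconds
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)


@dataclass
class Account:
    user_id: str
    balance: int
    totp_secret: Optional[bytes] = None     # active authenticator; None = not enrolled
    pending_secret: Optional[bytes] = None  # generated, possession not yet proven
    used_counters: set[int] = field(default_factory=set)  # replay protection


def begin_enrollment(acct: Account) -> str:
    """Issue a new secret without touching the active one; returns the base32
    form that would go into the QR code shown to the user."""
    acct.pending_secret = secrets.token_bytes(20)
    return base64.b32encode(acct.pending_secret).decode()


def verify_code(secret: bytes, code: str, now: int, used: set[int]) -> Optional[int]:
    """Accept the previous, current or next step; return the matching counter
    (recorded in `used`) or None. A counter that already authorised something
    is refused, so a sniffed code cannot be replayed inside its window."""
    base = now // STEP
    for counter in (base - 1, base, base + 1):
        if counter in used:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            used.add(counter)
            return counter
    return None


def confirm_enrollment(acct: Account, code: str, now: int) -> bool:
    """Activate the pending secret only after a code derived from it is seen.
    Until then the old authenticator stays in force, so the account is never
    left without a second factor for an attacker to fill in."""
    if acct.pending_secret is None:
        return False
    counter = verify_code(acct.pending_secret, code, now, set())
    if counter is None:
        return False
    acct.totp_secret, acct.pending_secret = acct.pending_secret, None
    acct.used_counters = {counter}   # the confirmation code cannot also authorise a withdrawal
    return True


risk_log: list[str] = []   # stands in for a risk/fraud system


def approve_withdrawal_vulnerable(acct: Account, amount: int, request: dict, now: int) -> bool:
    """The failure mode the quoted sentence describes (illustrative): 2FA is
    enabled, the missing code is reported to the risk system, and the
    withdrawal is approved anyway."""
    if acct.totp_secret is not None and "otp" not in request:
        risk_log.append(f"{acct.user_id}: withdrawal of {amount} at {now} without 2FA code")
    if amount > acct.balance:
        return False
    acct.balance -= amount
    return True


def approve_withdrawal(acct: Account, amount: int, request: dict, now: int) -> bool:
    """Hardened: an enrolled authenticator and a fresh, unused code are checked
    here, on the server; nothing the client omits or sends can bypass it."""
    if acct.totp_secret is None:
        return False   # mandatory 2FA for withdrawals, enforced at the money-moving step
    code = request.get("otp")
    if not isinstance(code, str) or len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False
    if verify_code(acct.totp_secret, code, now, acct.used_counters) is None:
        return False
    if amount > acct.balance:
        return False
    acct.balance -= amount
    return True
```

The point of the hardened handler is where the requirement lives: in the server-side check at the step that moves funds, not in the app's screens. A client that omits the code, or a code path that never asks for it, then cannot withdraw, and the risk system becomes a second line rather than the only one. Keeping the old secret active until `confirm_enrollment` succeeds is one way to migrate authenticators without the window in which anyone holding the session can add their own.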

    • vmception 825 days ago
      They got paid back from company treasury. CeFi (incorporated, custodial, web 2.0 financial services operating in the crypto space) makes a lot of money, it isn’t that hard.

      Crypto.com is on par with FTX, Binance, Celsius, Coinbase and we have many varying examples of their valuations and supporting revenues and balance sheets.

      $30mm irrecoverably stolen with zero liability for the hacker? No problem for the user experience or health of the company these days.

    • GordonS 825 days ago
      The whole thing is really unclear, but it sounds like if they are hacked and you lose funds, they will only reimburse you if you file a police report... even though they would know if you lost funds, and only they would know the circumstances and have any evidence.

      I wouldn't touch crypto.com with a very long barge pole...

      • swalsh 825 days ago
        The police report is probably due to their insurance, but it is odd that they would need individual police reports for each account.
        • eli 825 days ago
          It's probably at least partly to discourage you from making false loss claims. Lying on a police report is a crime.
    • matheusmoreira 825 days ago
      > the withdrawal system allows for non-2fa when its enabled, but informs the risk system when it happens? what kind of feature is that?

      I don't know about crypto.com but this is how binance does it. You can enable 2FA for everything or individually for specific actions such as logging in, withdrawals, etc. Lets everyone choose their security/inconvenience trade-off which I find reasonable.

      > wtf is that? a PSK? a TOTP?

      There is something similar on binance too. You set up some unique code on their website, every official email they send you will include that code as proof of authenticity. A weak form of signature I guess.

    • john2x 825 days ago
      I wouldn't be surprised if "reimbursing" is just updating a number on their database and hoping customers won't immediately withdraw.
      • kayamon 825 days ago
        Bear in mind many private exchanges aren't ever really exchanging crypto until you cash out -- the numbers you see can be just trades on an internal stockmarket, not necessarily backed by any external crypto asset until realized.
        • imtringued 825 days ago
          I honestly don't want to know how the sausage is made. The gold standard has always been a lie.

          Cryptocurrencies traded on exchanges are basically paper gold at this point.

    • aeturnum 825 days ago
      > Set up an anti-phishing code

      I believe this is a system where you give a website something that you will recognize (I've seen small images used as well as text) that they agree to display to you in their layout. It is supposed to make building convincing phishing websites harder, as the attackers cannot know what content a given user has sent to the service.

      • eli 825 days ago
        What stops the attacker from fetching the image or text?
        • leevlad 825 days ago
          In this case you set the anti-phishing code in your account settings (arbitrary string). Then they include it in all email comms (in the top right of the email body). So if you get an email from what looks like "Crypto.com", but with a different anti-phishing code - then you can be certain that it's phishing.
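leevlad's description above (an arbitrary string the user sets, echoed in every email) and the WAPP condition quoted earlier (the code must be set at least 21 days before the reported transaction) are illustrated below. This is an added example by the editor, not Crypto.com's or Binance's implementation; `Profile`, the `Anti-phishing code:` body line and the function names are assumptions. As the mechanism is described in the thread, the defense rests on the code appearing only inside the logged-in account and in mail sent to the user's own inbox, so a phisher who has not already compromised one of those has nothing to copy, and a message without the right code fails the check.

```python
"""Added example (editor's illustration, not Crypto.com's or Binance's code):
a per-account anti-phishing code embedded in every outbound email and checked
on receipt. Names and the email layout are assumptions; the 21-day minimum is
the WAPP condition quoted in the thread."""
from __future__ import annotations

import hmac
import re
from dataclasses import dataclass
from typing import Optional

DAY = 86_400
WAPP_MIN_AGE_DAYS = 21   # code must predate the reported transaction by this much

# Body line every genuine email carries. The user chose the value; the service
# only ever shows it inside the authenticated account and in mail to the user.
CODE_LINE = re.compile(r"^Anti-phishing code:\s*(\S+)\s*$", re.MULTILINE)


@dataclass
class Profile:
    user_id: str
    anti_phishing_code: Optional[str] = None
    code_set_at: Optional[int] = None     # Unix time the code was (last) set


def set_anti_phishing_code(p: Profile, code: str, now: int) -> None:
    """Store the code. Changing it restarts the 21-day clock, so setting a new
    one after a takeover does not immediately qualify the account."""
    code = code.strip()
    if not (4 <= len(code) <= 32) or not code.isascii() or any(ch.isspace() for ch in code):
        raise ValueError("code must be 4-32 printable ASCII characters without whitespace")
    p.anti_phishing_code, p.code_set_at = code, now


def render_email(p: Profile, subject: str, body: str) -> str:
    """Outbound mail template: the code is the first line of the body."""
    code = p.anti_phishing_code if p.anti_phishing_code is not None else "not set"
    return f"Subject: {subject}\n\nAnti-phishing code: {code}\n\n{body}\n"


def email_looks_genuine(p: Profile, raw: str) -> bool:
    """Check a message claiming to come from the service. A missing or
    mismatched code means phishing; a user who never set a code gets no
    protection from this check, so that case is reported as not genuine too."""
    if p.anti_phishing_code is None:
        return False
    m = CODE_LINE.search(raw)
    if m is None:
        return False
    return hmac.compare_digest(m.group(1), p.anti_phishing_code)


def wapp_code_requirement_met(p: Profile, transaction_at: int) -> bool:
    """WAPP condition from the thread: code set at least 21 days before the
    reported unauthorized transaction."""
    if p.code_set_at is None:
        return False
    return transaction_at - p.code_set_at >= WAPP_MIN_AGE_DAYS * DAY
```

What this does not do is stop a phish that the user reads without looking at the line; it is a recognition aid, not an authentication of the sender, and mail filters or a client plugin that applies `email_looks_genuine` automatically get more value out of it than a reader who must remember to check.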
  • zknill 826 days ago
    The Worldwide Account Protection Program seems to be a way for Crypto.com to limit their exposure, while marketing it as "protection" for the customers.

    Around $34 million stolen, 483 users affected. If the funds were spread evenly, then each user would have lost about $71k. But the funds won't be evenly spread (average). It's likely some users will have lost much more, and some much less.

    From the announcement, it looks like Crypto.com is making the users whole again;

    > No customers experienced a loss of funds.

    This means that (in some cases) Crypto.com was on the hook for much more than $71k / user. The WAPP appears to put a series of conditions on the user, and introduce an upper limit to the amount that Crypto.com will return in the future.

    > WAPP restores funds up to USD$250,000 for qualified users; terms & conditions apply.

    > Enable Multi-Factor Authentication (MFA) on all transaction types where MFA is currently available,

    > Set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction,

    > Not be using jailbroken devices,

    > File a police report and provide a copy of it to Crypto.com; and

    > Complete a questionnaire to support a forensic investigation.

    This looks more like a mechanism to limit Crypto.com's exposure to future events than it does a policy to protect users.

    • wpietri 825 days ago
      > No customers experienced a loss of funds.

      I mean, there's still plenty of money in other people's accounts they can use to cover the losses.

      Does anybody know whether the regulatory regime they operate under is sound? If a US bank lost this kind of customer money in a theft, I'd have some confidence that the FDIC and the Federal Reserve would make sure they actually had all the money they were claiming they had. But personally I'd hate to bank purely on the internal controls of a Singaporean subsidiary of a Maltese company.

      • GrumpyNl 825 days ago
        Please explain how they can use the money from other people's accounts to cover the losses. If I had an account there, I wouldn't allow them to use my money to cover this.
        • wpietri 825 days ago
          That's touchingly innocent.

          As an example, take Bernie Madoff. He took in people's cash and then sent them regular statements about how much money they had. But they were just statements doctored to look good. When some people withdrew money, he just gave them money that was handy. At some point, the difference between the numbers on the statements and the actual assets was over $50 billion. More details here: https://en.wikipedia.org/wiki/Madoff_investment_scandal

          None of the Madoff investors "allowed" it. I don't know anything about Crypto.com, but the same thing is surely happening with other "crypto" companies. It doesn't even have to be malice; often a failure starts out with some event like a sudden loss to theft. Insiders believe they can make the money back, so they just keep on operating and hope nobody notices.

          This opportunity for divergence between reported and actual funds is one of the big reasons US banks are highly regulated. The FDIC is on the hook for large sums in the event of failures, so they're quite vigorous in making sure that doesn't happen too often.

          • dustymcp 825 days ago
            Like Tether swears all the money is in their accounts..
        • ncallaway 825 days ago
          > If I had an account there, I wouldn't allow them to use my money to cover this.

          They're...not going to ask your permission?

          If you have an account there, they have a large central pile of assets, and a database row saying that you are entitled to X amount of those assets. Someone else has a database row saying that they are entitled to Y amount of those assets.

          If someone breaks into the other account, and makes an illicit transfer, then Y goes down and the central pile of assets goes down. If crypto.com makes the other account whole, they simply increase Y back to the original amount. But the central pile of assets hasn't gone up accordingly. They just used "your money" to cover this, and they don't ask you for permission.

          When you go to them later and say: "I want to withdraw my X somewhere else", they might say: "I'm sorry, we don't have X right now". That's a run on the bank.

          Fortunately, we have protections around specific institutions to prevent these kinds of situations. Capitalization requirements, FDIC, etc. Unfortunately, if you have an account with crypto.com, none of those protections exist for you. You're banking on them having the funds when you ask to withdraw them.

        • arcticbull 825 days ago
          This is exactly what Bitfinex did back in 2016. They were 'hacked' for $72M, or about 36% of their assets at the time. They logged in, and removed 36% of everyone's account balances and replaced them with IOU tokens. [1] In fact it was believed that Coinbase was a Bitfinex customer at that time - and that they were one of the few accounts not actually given a haircut because I assume their lawyers mumbled something about 'fraudulent conversion.' [2]

          [1] https://www.reuters.com/article/us-bitfinex-hacked-hongkong/...

          [2] https://definitions.uslegal.com/f/fraudulent-conversion

        • dragonwriter 825 days ago
          > Please explain how they can use the money from other people account to cover the losses.

          Once it enters their hands, the money isn't really “from” a particular account in any tangible way.

          > If i had a account there, i wouldn't allow them to use my money to cover this.

          An account is just a record of funds to which you are entitled; there are certain types of relations where someone keeping money for you legally needs to keep it segregated from other funds of theirs, but crypto.com doesn't have that kind of relationship with account holders. If they don't provide you with your funds when you ask, you can try legal action to recover it, but you don't have a veto on whether they update the entry recording someone else's balance to make them whole after a hack, even if that increases the risk that they won't have your money when you want to withdraw it.

        • secondaryacct 825 days ago
          Easy: imagine one of the poor sobs decides to withdraw, hop, a bit of creative accounting and your money is borrowed to pay for the withdrawal.

          It's not each of the users individually seeing their balance go down, it's the company lying even more about its ability to liquidate all accounts.

          Your number on their html page they graciously present to you will go unchanged. It's not a new phenomenon, every bank does it, except crypto.com does it to pay losses for a theft while banks would do it to lend to a baker buying a bakery on mortgage. If said baker screws up and can't repay, and many more others as well, clients can't all withdraw the pretty number.

          Another interesting difference is that a bank pays you for lending to them with your savings account, at market rate (very low these days), while I don't think crypto ponzis do because you're supposed to just wait and moon.

          • ashtonkem 825 days ago
            Also, banks are insured by the government (FDIC) and heavily regulated to reduce the risk of failure. Crypto exchanges are not, which is why they seem to fail about as often as a 19th century bank would.
            • secondaryacct 825 days ago
              Being insured by the gov for up to a certain amount will not solve the default issue (this is what crypto.com is pretending with their eerily similar worldwide protection thing), it was made to save poor people from complete ruin, not protect your savings.

              If you're retiring and expect the bank to be good on a million $ worth of some sort of instrument, you're fucked minus 250k.

              And this is totally fine: you're compensated for a low risk of default when you lend to your "savings account" and must accept this could happen. There's no way to make money waiting doing nothing risklessly. Creeptards know that well, they're all in on wind, there's no worse risk.

        • Scoundreller 825 days ago
          Banks pay out losses from the profits generated by other account holders all the time. Just gotta hope their losses never exceed their profits.
        • iLoveOncall 825 days ago
          You're aware your bank (not a crypto bank, just Bank of America or whatever competitor) uses your money to invest and doesn't just keep it in a vault, right?
        • swalsh 825 days ago
          This was the path Mt Gox went after they were hacked. Didn't work out so well for them in the end.
        • alar44 825 days ago
          This... Is literally how banks work.
          • arcticbull 825 days ago
            Banks do not work this way. Banks have insurance policies, both private and federal, that would cover the losses.
            • dragonwriter 825 days ago
              > Banks do not work this way

              Yes, they do.

              > Banks have insurance policies, both private and federal, that would cover the losses.

              The federal insurance policy covers you if, after operating this way (or for some other reason) the bank ends up without money to cover your account (and, the regulation that comes with the insurance means that it's more likely that the Federal government will force the sale of your bank to one that does have extra money to cover your account even before that happens.)

              But banks still operate as described (and using some of their pool of assets to buy private insurance is functionally the same as just adjusting the balances of people it is compensating for losses and increasing risk to others by doing so, except it smooths things a bit over time at the expense of higher average cost.)

              • arcticbull 825 days ago
                Banks do not take money from other accounts to cover operating losses, lol, that's almost certainly several crimes. [citation needed].

                > But banks still operate as described (and using some of their pool of assets to buy private insurance is functionally the same as just adjusting the balances of people it is compensating for losses and increasing risk to others by doing so, except it smooths things a bit over time at the expense of higher average cost.)

                It's really not. Customer deposits are segregated from the operating accounts in accordance with applicable law. You're not suggesting they're taking payroll out of customer deposits are you?

                • dragonwriter 825 days ago
                  > Banks do not take money from other accounts to cover operating losses

                  Banks don't keep money segregated in accounts.

                  Banks have reserves, and accounts basically record the right of people to draw money.

                  When they cover a fraud loss from one account by increasing the balance for that account to make the owner whole, they are doing exactly what crypto.com would be doing. Neither involves taking balances from others' accounts, but both increase the risk of inability to cover accounts (including those of other people) as a result. Now, yes, banks provide consumers with more protection against the risk this creates, and are regulated in ways which make them less likely to do it to an extent which would create as much risk as a hype-driven crypto exchange in the first place, but in terms of the basic mechanics, it is not any different than what has been suggested.

                  The model of money actually being held segregated in an account works for things like lawyers holding client funds and a very few other specific things, but it doesn't really capture what goes on with banks at all.

            • contravariant 825 days ago
              Banks might be protected under some federal legislation, but overall it doesn't really make much sense for any sizeable bank to insure themselves with some other party. For any non-rare event it's much easier to just keep some emergency money at hand. The only thing it'd make sense to insure themselves against are large scale damages that exceed the amount they can reasonably write off, but if the damages exceed the amount of funds a bank has readily available then there's little chance anyone else can cough up that amount of money other than the government.
        • oefrha 825 days ago
          Ever heard of Mt. Gox?
    • gowld 825 days ago
      > This looks more like a mechanism to limit Crypto.com's exposure to future events than it does a policy to protect users.

      That's fine. It lays out the risk exposure in concrete terms and defines their market offering. If you use a jailbroken device, or have more than $250K in funds, or are holding crypto for illegal purposes, don't put it in Crypto.com. Same as FDIC insured savings accounts that are limited to $250K.

    • KennyBlanken 826 days ago
      > From the announcement, it looks like Crypto.com is making the users whole again;

      >> No customers experienced a loss of funds.

      Let's believe that when we hear someone other than the company saying it.

      > File a police report and provide a copy of it to Crypto.com

      Yeah, I'm sure tons of crypto holders will get right on that.

    • loceng 826 days ago
      And so what are we going to do as a society with these stolen funds? Playing a wallet mixing tracking game is a rat race and a waste of energy, otherwise we need a centralized system [on an immutable blockchain] to keep track of stolen funds, to then cross-reference every transaction with at point of sale/transfer - to then prevent it, no?

      If not a centralized solution like above then what? We just allow stolen funds to be used now or any point in the future, rewarding criminal behaviour?

      • roywiggins 826 days ago
        There's no centralized system to track stolen dollars (at least not in the sense you're talking about), so I don't know why crypto would necessarily need one.
        • capableweb 825 days ago
          Doesn't the USD have a unique serial number associated with each bill? I'm sure when banks make in-transport transfers between entities, they know exactly which series they are transporting, and if a robbery happens, they share those series that got stolen with the police. If the police make some unrelated arrest and find a bunch of bills, they can probably trivially look up if that money has been involved in anything before that.
        • AlexandrB 825 days ago
          Doesn't some federal law enforcement agency track serial numbers of stolen cash? Or have I been watching too many crime dramas?
        • lottin 825 days ago
          Look up "anti-money laundering".
    • vmception 825 days ago
      Sure but exchanges have their own treasury, they make alotttt of money

      Why lead with the ponzi assumption? There are so many more quantifiable assumptions

    • boring_twenties 825 days ago
      > Not be using jailbroken devices

      So does a normal PC count as a jailbroken device? If not, what makes having root access on a phone any different?

    • eof 826 days ago
      I think you’re right, mostly. As a user I’d like to know explicitly what my risk factor is.

      Any exchange or custodian has a non zero chance of getting hacked or inside-jobbed; unlike fiat currencies there is no judicial process that is going to maybe let me claw my stuff back.

      A sort of FDIC insurance for custodian crypto accounts is an inevitable market solution.

    • CPLX 826 days ago
      Didn't they say that 443 BTC was stolen? Isn't that around $200MM all by itself? Or did I miss a part of this?
      • ipsin 826 days ago
        $20MM
        • CPLX 825 days ago
          That's what I get for doing math in my head quickly.
  • camjohnson26 826 days ago
    By the numbers, around $34 million in funds is affected, mostly Ethereum. They say in the press release that they prevented most of the unauthorized withdrawals and reimbursed the remainder, but it’s unclear how much they had to pay for reimbursements.

    For context, this is the startup that has been using Matt Damon as its face.

    • paulgb 826 days ago
      > For context, this is the startup that has been using Matt Damon as its face.

      They're also notable lately for getting the naming rights to the (former) Staples Center.

      > https://en.wikipedia.org/wiki/Crypto.com_Arena

      • myth_drannon 826 days ago
        I wouldn't call it a startup, it paid $700 million to rename an arena!
        • thow-58d4e8b 826 days ago
          Venture capital used to be about placing small, diverse bets on a lot of promising startups - everybody in the process was trying to make the world a better place

          Since about 2018, VC game changed - now it's about brazenly placing massive bets on a small set of startups of increasingly questionable utility, using the funds and clout to ram their way through into monopoly positions. Not a speck of morality involved anymore - and nobody is even trying to pretend otherwise

          Public image hasn't yet caught up with this reality

          • Spoom 826 days ago
            It feels like a bubble to me. When I see Matt Damon shilling crypto, it reminds me of pets.com Superbowl ads. I think reality will catch up sooner or later.
            • KeAShizukuTio 825 days ago
              I owned shares in a teak plantation in the late 1990s. We make mistakes when blinded by greed.
          • CPLX 825 days ago
            > everybody in the process was trying to make the world a better place

            have you actually met any VCs?

            • Wiseacre 825 days ago
              I laughed out loud when I read that statement. Holy moly the delusion is strong.
          • smeyer 825 days ago
            >everybody in the process was trying to make the world a better place

            I think "everybody" here is a pretty substantial overstatement. Plenty of folks were just trying to make money, without much regard for whether it made the world better or worse.

          • wahnfrieden 825 days ago
            we don’t know if CDC funding is VC
            • mbesto 825 days ago
              It's irrelevant what the funding comes from or how you define it. VC, PE and Hedge funds all have fairly loose definitions. But, someone is funding it because it sure ain't coming from profits.
              • wahnfrieden 825 days ago
                what’s your analysis on their profits
          • gowld 825 days ago
            CryptoPets.com incoming!
        • mikeyouse 826 days ago
          Technically, they agreed to pay $700M over 20 years for arena naming rights -- no idea what the deal actually looks like but if you flat-line it, they're "only" paying $35M/year. Which is still a ton of money but much more reasonable in terms of cash out the door for a startup.
          • Tarsul 826 days ago
            I hope this doesn't mean we have to endure 20 years of this name on the NBA court. With all this gambling (sports betting) sponsoring of the NBA and now these crypto sponsors, it really does look like the NBA has sold out (also new jersey sponsor deals). It's a shame how much they feast on hooking impressionable men on gambling. Actually, thinking about it, there should be more ads for f2p/mobile games, would fit perfectly in this portfolio. (sorry for this rant but it really disturbs me and I hope I'm not the only one)
            • mikeyouse 826 days ago
              You'll have to endure it if you believe that Crypto.com will exist 20 years from now. I'd bet even money they won't exist in 5 years and the court is renamed in ~3 years.

              I mostly agree on the gambling front too - gambling was bad enough when you had to lure people to a casino but at least that gave them the excuse of "It's my form of entertainment, it's like going to a nightclub."

              "The best minds of my generation are thinking about how to make people click ads" -- not any more! Now they're trying to find the shortest distance between users' wallets and their RSUs. On the plus side, they can use all of the targeting and persuasion techniques that have been used to make TikTok/Instagram so addictive on directly separating users from their money. Forget selling a product!

              • paulgb 825 days ago
                > I'd bet even money they won't exist in 5 years and the court is renamed in ~3 years.

                For some historic context, Enron Field lasted two seasons and CMGI Field less than one, from what I can tell? I wonder who holds the record.

            • gowld 825 days ago
              Sports business has always loved sports betting. What you are seeing now is relaxed regulation and new tech that routes around existing regulation.
        • pjc50 825 days ago
          Having been around on the first dotcom boom, renaming an arena is an extremely startup thing to do if you've raised a huge amount of money.
        • mbesto 825 days ago
          Since no one really knows how to define a "startup" then this whole discussion is basically moot.

          https://news.ycombinator.com/item?id=11162052

      • emerongi 826 days ago
        They also have high-visibility ads in F1: https://www.formula1.com/en/latest/article.formula-1-announc...

        I doubt it's very cheap to advertise in F1. You need to outbid large competitors.

      • ashtonkem 826 days ago
        They took out huge ads in Vegas for re:invent. Personally that set my alarm bells off pretty badly.
        • marcusjt 826 days ago
          Yeah, seeing huge marketing spend by an organisation that's not a massive brand with deep pockets always makes me wonder where the money is coming from
          • wahnfrieden 825 days ago
            they are already making a huge amount from spread etc.
    • josu 826 days ago
      The numbers match with the chain activity: https://twitter.com/ErgoBTC/status/1483540849434763264
    • VHRanger 826 days ago
      Presumably they mostly stole ETH because tornado cash is the best mixer around to launder stolen funds
      • sparkling 826 days ago
        I assume they stole just anything they got.

        I'd assume any attacker would at least transfer everything to a BTC/whatever address generated offline, then figure out later how to launder it.

      • NelsonMinar 826 days ago
        I'd love to read more about these money laundering operations like Tornado Cash. Are they just straight up 100% fraud companies? Do they have any pretense of a legitimate use case or does everyone just understand they're used for criminal activity? Are they regulated at all? I assume you have to trust your magic beans to them at some point; do the money launderers sometimes just steal them? What do they charge for their service?
        • somebodythere 825 days ago
          Tornado Cash is a smart contract system that allows you to send fixed denominations of Ethereum, and receive a cryptographic "note" that allows someone who knows the note to withdraw the same amount of Ethereum from the smart contract.

          Since zero-knowledge cryptography is used to ensure the generated note cannot be linked to the depositing transaction, it can be used to send money to yourself or another person without revealing the identity of the sender. There are criminal and non-criminal reasons to do this.

          Because it is a smart contract system, you do not have to trust a person or organization with the money. You do have to trust the smart contracts defining the system are correct. The smart contracts are publicly available to read and have been reviewed by many people, including software audit organizations.

          • SilasX 825 days ago
            Interesting! I’m surprised the regulated exchanges don’t blacklist coins connected to that smart contract because of the ease of facilitating laundering.
            • pcthrowaway 825 days ago
              Since all crypto on smart contract platforms tumbles around in defi and the various decentralized exchanges all the time, this would effectively prevent anyone from depositing their crypto to those exchanges, which would make the exchange unusable.

              To expand on that, say someone withdraws ETH from Tornado Cash and purchases an NFT with it. The seller of the NFT then swaps their ETH for USDC on a decentralized exchange (the ETH then goes into a pool). Later, a liquidity provider to the ETH/USDC pool withdraws liquidity from that pool, and sends their ETH to an exchange, let's say Binance. If Binance blocked such deposits (and especially if they did so without refunding the user on-chain), no one would use Binance, and they'd also be the target of a lot of lawsuits.

        • nvegater 825 days ago
          It requires users to pay gas fees when making deposits, as well as for the services that "obfuscate" the withdrawals. That's the payment. You trust that the nodes will obfuscate the transactions to receive the fees. The rest is basic smart contract execution.

          The compliance topic is tricky and deceptive. Only the user with a "Note" is able to link deposit and withdrawal. With this note the user can generate a proof of origin. This makes tornado cash compliant enough.

          E.g. if the withdrawal address is under money laundering suspicion, it may be urged to provide the origin of the transaction. That is possible [1] but there is no way for a third party to tag an account as "suspicious" based on the Tornado chain information (due to the obfuscation done by the nodes that are getting the fees).

          As far as I understand there is no accountability. The regulators would have to prosecute all the nodes for helping out with the laundering. But there is no way for the nodes to know they're participating in laundering. So they can't be prosecuted. Regulation needs to be invented for this kind of scheme.

          Please someone correct me if I said anything wrong. I'm not an expert; it's just my conclusion based on some reading.

          [1]: https://tornadocash.eth.link/compliance/

        • JaggerFoo 826 days ago
          tornado.cash is a legitimate service, that happens to be used by hackers that steal ethereum.

          Check out their code on github.

          • wpietri 825 days ago
            That's a pretty funny definition of "legitimate". By that standard, all of this malware is legitimate too! https://github.com/ytisf/theZoo
            • cuteboy19 825 days ago
              I'm sure someone can come up with some legitimate use for those. We came up with 'Linux isos' for torrents after all
            • SilasX 825 days ago
              How is it different from “TOR/some VPN is a legitimate service that happens to be used by some hackers to cover their tracks”?
              • wpietri 825 days ago
                How many legitimate uses can you name for TOR? And how many can you name for a money laundering service?
                • poma 824 days ago
                  If you don't need financial privacy can you please post your bank statement here for everyone to see?
                  • wpietri 822 days ago
                    That's quite an evasion of the question. Yet more evidence that there's approximately no legitimate use.

                    But I'm on record as being in favor of full financial transparency for everybody. Every charge, every bank statement. Money, after all, is inherently social. And full transparency, while causing some problems, would eliminate a ton of others. So if you can get a legislator to submit a bill, I'll happily call them up to back it.

          • gilrain 825 days ago
            I wonder what percentage of their total volume it is that “happens” to be used by hackers.
            • sneak 825 days ago
              People who are not criminals deserve transaction privacy, as well.
              • lottin 825 days ago
                What would be the point of "transaction privacy"?
                • i67vw3 825 days ago
                  Odd statement. It is on par with saying that all your bank statements should be public and easily viewable. It is on par with saying that people don't need digital privacy at all, as they have nothing to hide, and those who are trying to hide are really 'bad people'. Monero/Zcash/Dash/Firo/etc are used by legitimate users to hide their transactions from the public blockchain.
                  • lottin 825 days ago
                    Your bank statement is not private, your bank has it. You can pay with cash, but the other customers can see you right there paying, so that's not private either. I understand the need for private communications, but private transactions don't seem to make a lot of sense.
                • poma 824 days ago
                  To avoid getting kidnapped and tortured because your crypto portfolio is visible to everyone?

                  There are plenty of examples of that: https://github.com/jlopp/physical-bitcoin-attacks

              • KeAShizukuTio 825 days ago
                Haha tell that to the IRS they'd love it.
    • vgeek 826 days ago
      So does that make Crypto.com the equivalent of Teddy "KGB" and the $34 million a lot more stacks of high society?
    • CodesInChaos 825 days ago
      A couple of years ago crypto.com used Matt Blaze as its face :P

      https://web.archive.org/web/20170611024100/http://www.crypto...

    • ammonammonammon 826 days ago
      And even earlier started out with MCO as their iconic token, then shifted to a new crypto while leaving early stakeholders in the dark. Those early maneuvers were something of a red flag.
  • gitfan86 826 days ago
    I am a cyber security consultant for startups. The first thing that I communicate is that just by not being in crypto you have drastically lowered your risk profile.

    Attackers care a lot about what they can get to if they are able to breach your security.

    • capableweb 826 days ago
      Eh, yes of course, what are you saying really? Is there some deeper point I miss?

      Just like finance companies have a different risk profile than companies generating bingo cards, crypto companies have different risk profiles than other non-financial ones. Are people arguing that this is not true or something?

      • ncallaway 825 days ago
        Crypto companies have a different risk profile than most finance companies.

        For most finance companies, if they have a whoopsie and lose money to a software boo-boo, they'll just reverse the transaction. Times when such a transaction cannot be reversed (https://www.bloomberg.com/news/articles/2021-03-19/citigroup...) are the extremely rare exception, and are adjudicated by a civil court.

        Whereas if a crypto company has their wallets breached, it's almost certainly immediately irreversible.

      • gitfan86 826 days ago
        People generally don't understand how vast the difference is. The pro-crypto narrative has pushed the idea that "Blockchain is more secure" because "it cannot be edited" when in reality that feature makes it much more of a target for attackers because once they transfer the coins the transfer cannot be edited. In comparison, if an attacker gets a credit card, that card could be disabled and/or have transactions cancelled.
        • kyboren 825 days ago
          > In comparison if an attacker gets a credit card that card could be disabled and or have transactions cancelled.

          That's why attackers never go after credit card numbers, right?

          I think non-revertible payments do not really make a big difference to attackers, it just makes value extraction more efficient. Some percentage of fraudulent transactions will always make it through. So long as the funds accessible to the attacker are sufficiently large, it's still a juicy target. 10% of 200 megadollars is still 20 megadollars.

          I agree with @capableweb2. They're an attractive target because they are a financial company with control over lots of value, not because of anything to do with cryptocurrencies in particular.

          • KeAShizukuTio 825 days ago
            No they go after crypto bros because hacking banks is actually hard unlike these shady clowns based in Dubai or whatever.
    • mritchie712 826 days ago
      How many startups do you talk to that are "on the fence" with somehow using crypto in their product? Seems pretty core to what the company would be doing.
      • danaris 825 days ago
        I dunno, I've seen a lot of mentions of different companies trying to stuff crypto/blockchain in to seem trendy and marketable when it's clear that there's absolutely nothing crypto/blockchain brings to that use case.

        (In fact, I have yet to see a single genuine use case for cryptocurrencies or blockchain that isn't served at least as well by more proven technologies, aside from "separating money from fools" and "making libertarians/anarchocapitalists squee".)

    • vmception 825 days ago
      and then you follow that with “If you care about non-dilutive capital and making a ton of money for yourself you should pivot your startup to crypto”
    • dogman144 826 days ago
      I do a bit of the same and this seems to be a silly thing to communicate as part of a security audit. Ok, step 1 SMB insurance company paying me to audit - by not being in Afghanistan, you have a severely reduced risk of business invasion and extortion. Seems like a really wonky way to communicate a risk profile and first-exposure to security professionals by a SMB. Plenty of SMBs with janky POS systems get pretty nasty PII attacks.
      • gitfan86 826 days ago
        I'm advising people at the executive level. They do not care about the details of hashing PII, they want to know how likely it is that they will be targeted and how likely that attack is to succeed. And the fact is that an insurance company gets targeted far less often than crypto companies.
        • dogman144 813 days ago
          You can probably trust startup executives with digesting nuanced security advice; again I do similar consulting. It's also a fact that insurance companies are targeted less than <a lot of things>.

          If you're auditing startup insurance fintechs in that case, the PII they have and platform exposure to all the APIs they are pulling from or pushing to (a) looks a lot like a crypto company spanning web2/web3, and (b) puts them square in the target of software supply chain hacks. An attacker cares about <insurance startup>, but they do care about attacking the Equifax API that the insurance startup has an integration with. Excluding the crypto companies that do their own custody or run their own smart contracts, their risk profile and why ends up looking a lot like the fintech insurance startup haha.

        • IAmEveryone 825 days ago
          That must be my mistake... I only ever advise companies on the parking level.
        • exdsq 825 days ago
          Is that true? Are there metrics of how many attacks are completed on an SMB that does and does not have crypto? And how is it known that those with crypto are suddenly easier targets than those without it?

          Edit: For the downvotes, if this is such an obvious question then be proactive and share the metrics - I'm skeptical this is the case but happy to be proved wrong.

          • dogman144 813 days ago
            It's a good question. Crypto companies aren't a monolith, but using crypto as a comparison to an SMB, and in this case sounds like SMB==startup, then requires some nuance if you want facts behind that claim.

            SMB vs. web3/Defi, 30 person teams, no security engineers? The web3 company probably is a lot more vulnerable.

            SMB/startup vs. generic crypto exchange like Poloniex? This gets harder to parse. Poloniex gets the malicious traffic and has a pretty small security team I think. But, they and companies similar are a tech company in the cloud and with a solid infra engineering team and leveraging AWS tooling, it's not like they're totally exposed. The SMB/startup has none of this, so arguably they are a similar risk profile in surprising ways, or maybe even more exposed than the exchange.

            SMB/startup vs. a Tier 1 exchange like Coinbase? Very silly comparison, CB has a pretty large security team, knows their stuff, etc. etc, very good track record until very recently, and as an industry group the Tier 1 exchanges do well on the security front.

            Compare this to the SMB instances of malware sitting on a Point-of-sale system for months/years until it gets discovered? Family dentists getting ransomwared fairly consistently? The retail/SMB space is a bit of a security nightmare. For someone building a product here and is able to sell the "so what" of it to a dentist, there's opportunity. If SMB == startup, well that's likely a startup with 10 hires, extremely product focused, especially with fintech integrations, and presumably a lot of PII as an insurance fintech? If a consultant isn't explaining the fairly large inherent risks there for the SMB/startup and using crypto as a comparison of something worse, that's wonky to me.

  • ricotico060 826 days ago
    Reminder that cliches are cliche for a reason: not your keys, not your crypto
    • PragmaticPulp 826 days ago
      It's cliche, but it doesn't really mean that crypto.com or any other crypto exchange isn't on the hook for stolen funds.

      Crypto doesn’t mean regulation doesn’t apply or that companies are free from liability.

      Obviously you can’t squeeze blood from a stone if someone were to steal most of the funds from a crypto exchange (Mt. Gox comes to mind)

      But in the real world, if you use a crypto exchange in a reasonable location (e.g. US exchange adhering to US laws) then small thefts like this are going to be reimbursed one way or another.

      Now if the entire exchange and their cold wallets were stolen somehow, it would be game over.

      • croon 826 days ago
        So in the real world when using a regulated crypto exchange, what's the point of a blockchain other than asset speculation (which can also be done through traditional trading instruments at this point)?
        • PragmaticPulp 826 days ago
          You could argue that it allows people to send funds in ways that are faster than some other current options.

          But that’s about it. It’s basically another game to play with new financial assets printed out of thin air.

          • imtringued 825 days ago
            When you think about it, liquidity is the source of speculation.

            This is because liquidity is the ability to quickly trade your thing for other things. Lending money via a certificate of deposit reduces liquidity because you are locking up your funds. Lending via demand deposits increases liquidity because the original deposit and the loan are both available to be spent immediately. Spending money on physical things is very time consuming. First you must pick what you want to buy among billions of product choices that are available to you. Even if you buy something, it takes time to drive to the store or for it to be delivered. The real world is quite illiquid which means that fiat currency is less volatile and has greater stability than Bitcoin.

            Now there are two exceptions. Trading money vs financial assets and money vs other money. In the financial sector you are trading liquidity for liquidity. Buying an iPhone and selling it takes time. Buying Bitcoin and selling it does not. It can happen as quickly as technology allows it. This inevitably leads to speculation because it is possible to instantly react to any other transaction. Someone buys Bitcoin? Buy more! Someone sells Bitcoin? Sell!

            To be more specific, the problem isn't liquidity itself but excessive amounts of liquidity that go way beyond what the real economy needs. This is a huge problem with fiat currency but it's also a problem with Bitcoin because the "Bitcoin economy" is absolutely tiny.

        • smokey_circles 826 days ago
          Good question. I only wanna add that traditional trading instruments suck and are not fun to scale. Highly centralized points of failure with truly mind numbing consequences that are difficult to predict and respond to. I've worked on forex systems and when the feeds get iffy things get real uncomfortable, real fast.

          Blockchains could, maybe, provide an interesting global platform for fintech to migrate cross-border stuff to. That stuff is not reliable, the engineers are just hella talented

        • snotrockets 825 days ago
          You need to send money to the hackers who ransomware'd your network. They don't accept SWIFT.
        • 5560675260 825 days ago
It's similar to what SWIFT is to the banking system.
    • davidwparker 826 days ago
      They also said they've reimbursed all funds. So if you were hacked personally, you would be out money here, vs keeping it on their exchange where you would be made whole again.
      • smokey_circles 826 days ago
        That's not a fair comparison though. An exchange is a fat, juicy target. I am not
    • curiousllama 826 days ago
And thank god for that. Very happy to be a luddite and have exposure to the rise in crypto prices without the risk of getting it stolen.
    • tsimionescu 826 days ago
      Yes, and apparently this allowed all those attacked not to lose a single penny.
  • smnplk 826 days ago
    Why shouldn't I work for Crypto.com ? That’s a tough one but I'll take a shot. -- Will from Good Will Hunting
    • Kon-Peki 826 days ago
      "How do you like them apples?" will be the Crypto.com response to anyone that lost their money.
      • exdsq 825 days ago
        No-one lost any money :)
  • dabeeeenster 826 days ago
    > In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.

    That isn't the technical solution I was looking for...

  • rvz 826 days ago
    It has been painfully admitted.

    But you know what I am going to say if you're storing your crypto life-savings or JPEGs on an exchange:

       Not your keys, Not your coins and certainly not your NFTs.
    • salawat 825 days ago
I love how cryptocurrency people are also discovering what we anti-cloud people have been shouting from the rooftops for years.
  • paulpauper 826 days ago
How do you think it was done? Said 2FA was bypassed for some accounts. Maybe some sort of client-side exploit.
    • wepple 825 days ago
      In practice, there’s often so much complexity that finding a path isn’t all that hard. Some examples:

      - abuse the logic flow and simply don’t submit the 2FA step

      - submit an empty 2FA token (I’ve seen it work)

      - get a signed transaction from a legitimate transfer and replay it in a compromised account

      - find the admin API that their help desk uses that doesn’t require 2FA

      - brute force 2FA code. If you get 3x attempts at a 6-digit pin you have a 1/333,333 chance. Multiply by a few thousand accounts you can find reused creds for

      - Find an API to abuse to disable 2FA (maybe via CSRF?)

      - move the money into an account that doesn’t require 2FA (some kind of whitelisted arbitrage account maybe?) then cash out from there

      - keep transfers under a 2FA threshold but then either script up the transfer to repeat or change the transfer amount after the threshold check has occurred

      I could riff on for ages. Some more plausible than others. Some I’ve definitely seen (and used in legal testing)
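Several of the paths listed above are closed by the same server-side discipline: the final withdrawal step checks the second-factor state itself instead of trusting that an earlier page was visited, malformed or empty codes are rejected before any comparison, attempts are counted per request, and any "small amount" exception is evaluated on cumulative outflow rather than per transfer. The following is an added example written for this thread, not code from crypto.com or any exchange; the threshold, attempt limit and the in-memory code delivery are constructed stand-ins.

```python
"""Server-side withdrawal authorization (added example, not an exchange's real code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CODE_LEN = 6
MAX_ATTEMPTS = 3            # attempts per withdrawal request, not per code value
TWO_FA_THRESHOLD = 100.0    # constructed: 24h cumulative outflow above this needs a second factor
WINDOW_SECONDS = 24 * 3600


@dataclass
class Withdrawal:
    request_id: str
    account: str
    amount: float               # fixed when the request is created; never re-read from the client
    created_at: float
    code: Optional[str] = None  # expected code held server-side; None when no 2FA is required
    attempts: int = 0
    verified: bool = False
    executed: bool = False


class WithdrawalService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.requests: Dict[str, Withdrawal] = {}
        self.ledger: List[Tuple[str, float, float]] = []   # (account, amount, executed_at)
        self.sent_codes: List[Tuple[str, str]] = []        # constructed stand-in for SMS/app delivery

    def _outflow(self, account: str) -> float:
        cutoff = self.now() - WINDOW_SECONDS
        return sum(a for acct, a, t in self.ledger if acct == account and t >= cutoff)

    def create(self, account: str, amount: float) -> Withdrawal:
        if amount <= 0:
            raise ValueError("amount must be positive")
        req = Withdrawal(secrets.token_hex(8), account, amount, self.now())
        # The threshold is applied to cumulative outflow, so splitting one large
        # transfer into many small ones cannot stay under it.
        if self._outflow(account) + amount > TWO_FA_THRESHOLD:
            req.code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
            self.sent_codes.append((account, req.code))
        else:
            req.verified = True   # a documented exception, not a missing check
        self.requests[req.request_id] = req
        return req

    def verify(self, request_id: str, submitted: str) -> bool:
        req = self.requests[request_id]
        if req.code is None or req.verified:
            return req.verified
        if req.attempts >= MAX_ATTEMPTS:
            return False          # lockout holds even for a later correct code
        req.attempts += 1
        # Reject empty or malformed input before comparing anything.
        if not (isinstance(submitted, str) and len(submitted) == CODE_LEN and submitted.isdigit()):
            return False
        if hmac.compare_digest(submitted, req.code):
            req.verified = True
        return req.verified

    def execute(self, request_id: str) -> bool:
        """The final step enforces the rule itself; it does not trust the caller's flow."""
        req = self.requests[request_id]
        if req.executed or not req.verified:
            return False
        req.executed = True
        self.ledger.append((req.account, req.amount, self.now()))
        return True
```

Because `execute` consults only server-side state, a client that skips the challenge page, submits an empty code, replays an already executed request, or edits the amount after the threshold check gets the same answer: no transfer.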

    • Miner49er 826 days ago
      Seems really unlikely, but maybe someone guessed or discovered the keys? Would likely only happen if Crypto.com somehow was generating them insecurely or if someone had inside access to their systems or something. Maybe a leak?

      Since it is across multiple currencies, I think it is unlikely it has to do with generation. Maybe could still be a leak or something.

      • FlacoJones 826 days ago
        If they had access to the private keys they wouldn't have to go through the crypto.com platform at all.

        They'd just pop it in any wallet and sign withdrawal transactions.

        There's no 2FA or whitelisted withdrawal addresses (for most tokens) or emails on-chain.

    • sudoaza 826 days ago
      This, they don't say, maybe they don't even know, since:

      > In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.

      > 2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect.

  • EMM_386 826 days ago
    > On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user. This triggered an immediate response from multiple teams to assess the impact.

    I sometimes find it hard to believe these statements, but I guess I can only take them at face value.

    Which seems more likely, that these "risk monitoring systems" actually caught this, or that they were inundated by sudden urgent calls from the 483 users saying "DUDE WTF WHERE'S MY MONEY?".

    • Shank 826 days ago
      > Which seems more likely, that these "risk monitoring systems" actually caught this, or that they were inundated by sudden urgent calls from the 483 users saying "DUDE WTF WHERE'S MY MONEY?".

      For better or for worse, a lot of insight can be gained from a sudden influx of tickets from normally-quiet users, all with the same general story. This is definitely how many critical bugs in production are caught, because even a small number of disparate users that suddenly write in about the same issue is a huge red flag.

      But, most likely, they have metrics on average withdrawal amounts, deposit amounts, etc., hooked up to something like datadog, with an off-the-shelf anomaly detection monitor.
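Both detections discussed in this thread, the quoted statement that withdrawals were approved "without the 2FA authentication control being inputted" and the anomaly monitor Shank describes, can be run over an audit log. This added example (not crypto.com's monitoring, whose internals are not public) builds a constructed JSON-lines audit log and applies two checks: a correctness rule that every executed withdrawal has a preceding second-factor verification for the same request id, and a volume rule that flags a time bucket whose withdrawal count exceeds the mean of earlier buckets by three standard deviations. Event names, field names and timestamps are all constructed.

```python
"""Audit-log checks for withdrawals (added example; the log format is constructed)."""
import json
import statistics
from collections import Counter
from typing import Dict, List

T0 = 1642377000          # constructed epoch start, aligned to the bucket size
BUCKET = 600             # seconds per bucket


def _line(ts: int, event: str, account: str, rid: str, amount=None) -> str:
    rec = {"ts": ts, "event": event, "account": account, "request_id": rid}
    if amount is not None:
        rec["amount"] = amount
    return json.dumps(rec)


def build_sample_log() -> List[str]:
    """Six quiet buckets with properly verified withdrawals, then an unverified burst."""
    lines, n = [], 0
    for b, count in enumerate([1, 2, 1, 2, 1, 1]):
        for i in range(count):
            n += 1
            ts = T0 + b * BUCKET + 30 * i
            lines.append(_line(ts, "2fa_verified", f"u{n}", f"r{n}"))
            lines.append(_line(ts + 5, "withdrawal_executed", f"u{n}", f"r{n}", 50))
    for i in range(5):
        n += 1
        lines.append(_line(T0 + 6 * BUCKET + 10 * i, "withdrawal_executed", f"u{n}", f"r{n}", 900))
    return lines


def parse(lines: List[str]) -> List[Dict]:
    return [json.loads(l) for l in lines if l.strip()]


def withdrawals_without_2fa(events: List[Dict]) -> List[str]:
    """Request ids executed with no second-factor verification at or before execution time."""
    verified_at: Dict[str, int] = {}
    for e in events:
        if e["event"] == "2fa_verified":
            rid = e["request_id"]
            verified_at[rid] = min(e["ts"], verified_at.get(rid, e["ts"]))
    return [
        e["request_id"] for e in events
        if e["event"] == "withdrawal_executed"
        and not (e["request_id"] in verified_at and verified_at[e["request_id"]] <= e["ts"])
    ]


def spiking_buckets(events: List[Dict], bucket: int = BUCKET, sigmas: float = 3.0) -> List[int]:
    """Bucket start times whose withdrawal count exceeds mean + sigmas * stdev of earlier buckets."""
    counts = Counter((e["ts"] // bucket) * bucket
                     for e in events if e["event"] == "withdrawal_executed")
    ordered = sorted(counts)
    flagged = []
    for i, start in enumerate(ordered):
        history = [counts[s] for s in ordered[:i]]
        if len(history) < 3:
            continue                       # not enough baseline yet
        mean, sd = statistics.mean(history), statistics.stdev(history)
        if counts[start] > mean + sigmas * max(sd, 0.5):   # floor keeps a flat baseline usable
            flagged.append(start)
    return flagged
```

The first check is the one that matters here: it catches a single bad withdrawal regardless of volume, whereas the volume rule only fires once enough of them land in one window. In practice the correctness rule should be enforced by the withdrawal service itself, with the log check as an independent control.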

      • wpietri 826 days ago
        > But, most likely, they have metrics on average withdrawal amounts, deposit amounts, etc., hooked up to something like datadog, with an off-the-shelf anomaly detection monitor.

        How are we estimating the likelihood here? I agree that would be desirable. I agree a very together company might have something like that. But given the average level of competence and professionalism in the cryptocurrency sector [1], I would not bet against EMM_386's theory in this case.

        [1] See, e.g., https://web3isgoinggreat.com/ or https://bravenewcoin.com/insights/36-bitcoin-exchanges-that-...

    • deegles 826 days ago
      Responding to escalations from customer support is a risk monitoring system, just not a very good one.
      • kgermino 826 days ago
        Worse, many companies can't even do that reliably.
    • lr1970 826 days ago
      > detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user.

      How am I supposed to read it: is it a 2FA compromise (attacker replaced 2FA codes with their own) or 2FA bypass (attacker found a way to conduct a transaction bypassing a need for 2FA)? These are two very different scenarios.

    • prepend 825 days ago
      > sudden urgent calls from the 483 users

      This may be their only risk monitoring system. I’ve seen many DR plans that had this kind of detail written up in “consultant speak” with a straight face. Where they would detect server crashes by users calling them and their systematic method to failover was to manually rebuild.

    • nrmitchi 826 days ago
      Massive uptick in customer support tickets is technically a monitoring system. Just a highly reactionary one.
    • perlgeek 825 days ago
      If it's true, there's this funny situation where the exchange/banking software didn't require 2FA to withdraw funds, BUT their monitoring noticed this situation.

      So their monitoring is smarter than their main application? Wow, just wow.

  • labrador 826 days ago
    It seems to me that while banning crypto by western governments is politically untenable, a better way would be to have their security services keep hacking it to make it unattractive
    • Applejinx 826 days ago
      Why would they not be doing both, if getting replaced as a money standard by an anarchist cybercurrency was an existential threat to these western governments?
    • salawat 825 days ago
      ...It's totally politically tenable if it's nigh impossible to wrangle necks to wring to hold service providers accountable. What? Do you think Principles of System Architecture are completely absent in the public space?

      Why do you think everything tends to centralize? To keep things localizable.

      ...Until that backfires anyway. Thank you 2008.

  • imalerba 826 days ago
    > In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.

    Can someone setup, test and rollout a _completely new_ authentication system in 3 days?

    • AlexandrB 826 days ago
      Unless they were working on this already for other reasons, I imagine a lot of corners were cut to make it happen so quickly. We might be hearing from crypto.com again soon.
  • GiorgioG 826 days ago
    I guess fortune doesn't always favor the brave.
    • criddell 826 days ago
      That depends on whether or not you consider stealing cryptocurrency to be brave.
      • singlow 826 days ago
        That's the crypto.com marketing slogan which is spewed by Matt Damon in their commercials.
    • ceejayoz 826 days ago
      It does, there's just usually someone braver out there.
      • udbhavs 826 days ago
        Brave enough to manage their own keys in this case
  • siva7 826 days ago
    That happens if you let startups operate like a big bank without all the SecOps
  • xyst 825 days ago
    I signed up for an account at this CEX but never actually used it. Tried to cancel/close the account, and they have the weirdest set of demands before the account is deleted/closed.

    > A photo of you holding a paper with the following handwritten on it, as it states in this FAQ. - Your name - Today's Date - "Crypto.com”

    src: https://help.crypto.com/en/articles/3640569-how-to-close-cry...

  • iambateman 825 days ago
    Act I: Matt Damon, looking out over the face of his space empire…”the Future belongs to the Brave”

    Act II: thousands of men and women sign up to be brave with semi-retired Jason Bourne.

    Act III: “we regret to inform you that our security protocols are a disaster”.

  • 101008 826 days ago
    How did they check if a withdrawal was unauthorized (real) or not? What if I did a withdrawal, say it was unauthorized, and claim the money (and also have the crypto in a different wallet)?
    • JaimeThompson 826 days ago
      I'm not sure but I suggest they use some sort of distributed crypto solution to resolve such issues.
    • samjmck 826 days ago
      I'm guessing any withdrawal that was done while using an exploit to bypass 2FA could be called unauthorized in this case
    • YXNjaGVyZWdlbgo 826 days ago
      I guess they know which accounts circumvented their previous 2FA implementation.
  • kingcharles 826 days ago
    I assume they have SMS as a 2FA option and that was the weak link?
    • rvz 826 days ago
      > SMS as a 2FA option

      I hope not, if that is true.

      The year is 2022 and companies managing >$100B in assets are STILL using SMS 2FA for protecting their life savings, despite SIM hijacking and SIM swapping still about.

      Quite pathetic really.

      • shmatt 826 days ago
        These companies want more cash heavy users. Like those older than 50.

        There is absolutely no way my parents could figure out 2fa in any way other than phone call/sms. They would be cutting out the less technical crowd, which is exactly who they're trying to convince to buy in

        • AlexandrB 826 days ago
          It's one thing to offer SMS in addition to other 2FA options. It's completely another when SMS is the only 2FA option at these institutions. See also: Canadian banks (at least the ones that even support 2FA of any kind).
  • ouid 825 days ago
    I'm confused. Ostensibly the tradeoff for crypto is that only you know the secret factors that allow you to spend money, but there is no possibility of reversing a fraudulent transaction. If you give the keys to someone else, you lose the first condition, which was the benefit, but keep the second condition, which was the drawback. There was no reason to give anyone anyone else your keys!
    • thr0wawayf00 825 days ago
      This is the downside of decentralization that doesn't get enough attention. Digital wallets are just too cumbersome to use on their own for the vast majority of people and carry a lot of risks.

      I like how when my credit card gets a fraudulent transaction, all I have to do is push a button on my phone and it magically goes away. This is a major, major benefit of having a central authority.

      • vmception 825 days ago
        Decentralized crypto currency is a benefit for everyone willing to take a shot at how much they can collect before they themselves get hacked.

It's a human coordination mechanism that forces other humans to make it increasingly more resilient when under pressure.

        It is Machiavellian with no evolutionary dead ends, just mutating and hardening due to the needs of all of its ever growing participants. Rapid market based iteration on steroids.

    • qqii 825 days ago
There's no reason you cannot construct a token that can be frozen and reversed - USDT (other issues aside) being an example. Accounts as we know them don't have to be at the level of public address-private key but rather a smart contract as seen by Loopring.

      The difference is what was centralised is now decentralised, what was implicit and required trust is now explicit and requires formal verification.

      • swalsh 825 days ago
        USDC has a blacklist feature too. I don't think funds are reversed though, just frozen (my rough understanding)
  • vmception 825 days ago
    Crypto.com giving me some WAP

    > with enhancements we’ve made to our security infrastructure and the introduction of the Worldwide Account Protection Program.

  • VHRanger 826 days ago
    MATT DAMON HOW COULD YOU DO THIS TO ME
    • tootie 826 days ago
      It's funny how many comments are about Matt Damon. That must be a pretty sticky ad campaign. It's also bizarre that I never heard of them before this marketing blitz although they seemingly have enough cash to hire Matt Damon and buy naming rights to an NFL stadium. I guess all their budget went to marketing instead of hardening their platform.
      • agloeregrets 826 days ago
        The ad campaign is notable because, much like most Perfume ads, it's downright bizarre. The ad sells a concept extremely well and then makes the leap of a lifetime for the subject that is a crazy let down.

        Edit: the funny thing for me is that if the ad ended with the SpaceX (or Boeing, or Northrop, or USAF) logo and gave the SpaceX employment site at the end, I'm sure it would be seen as one of the best ads of the last few years. The leap is what kills it.

        • the_snooze 826 days ago
          To be fair, a more honest ad wouldn't be as compelling: "Exchange your real money for online scrip because reasons!"
          • cuteboy19 825 days ago
            Exchange your real money for IOUs of online scrips

            Remember, not your keys, not your coins!

        • duxup 826 days ago
          I think you just described crypto currency;)

          The community ethos and ideas seem pretty disconnected from what actually happens.

          • tootie 825 days ago
            Sick and tired of the big banks? Why not put your money with people who are just as unethical, but also less competent?
        • devmor 826 days ago
          It plays before every single movie in my local theatres. And every time there's at least several people booing it. It's kind of funny.
      • the_snooze 826 days ago
        >I guess all their budget went to marketing instead of hardening their platform.

        That's par for the course in the cryptocurrency space. Why develop good technology with well-defined valuable use cases when you can hype your rocketship to the moon?

    • fabian2k 826 days ago
      After Interstellar it is pretty clear that you shouldn't trust Matt Damon ;-)
    • JaggerFoo 826 days ago
      Is Matt Damon the signal of Peak Crypto?
  • the_svd_doctor 825 days ago
    “Crypto.com will be releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA), providing added strength for our global user base.”

What does this mean? Does MFA mean xFA for x > 2?

  • janandonly 825 days ago
    Not your keys, not your coins....
  • gercott 826 days ago
    This is why CRO requires 24 hours whitelist before you can transact withdrawals...
    • PikachuEXE 822 days ago
      That's introduced AFTER the incident though...

      https://twitter.com/Kris_HK/status/1483383030387408897

    • arkitaip 826 days ago
      Understandable yet totally absurd. Can you imagine if your bank had the same requirement?
      • thebean11 826 days ago
        They certainly have similar requirements. ACH transfers take days, wire transfers require you to jump through verification hoops, ATMs have low daily limits.
      • mcescalante 826 days ago
At least one US investment bank I've used requires a waiting period before transacting with a newly added account/routing number for wires/ACH. I've even got calls from customer service manually confirming transfers/withdrawals if it's a new account or one that's been unused for a long period of time.

        That said, there is no waiting period on me withdrawing from my checking account.

      • duxup 826 days ago
        Depends on my bank.

        I’ve got long term investment accounts that I hardly touch … I would have no problem with such a rule/ extra validation of any moves of money.

        Granted crypto.com might not be / want to operate like that.

      • foobiekr 826 days ago
        I would actually love such a feature, especially in a brokerage context.
      • criddell 826 days ago
        Maybe it shouldn't be mandatory, but it might be a nice (default) option to have.
  • JaggerFoo 826 days ago
    So their backend allowed withdrawal transactions without 2FA control. Not a good sign for a system that should thrive on secure transactions.

    Ethereum seems to be the token most prized during a breach, most likely to be used on tornado.cash.

    Cheers

  • ancode 825 days ago
    Pretty sure crypto.com doesn't actually hold some of the stuff they allow you to trade. Chia coin would be the example, they allow you to 'purchase' but not withdraw it to your own wallet.
  • muttantt 826 days ago
Exchanges are the weakest link in crypto. If anything can kill crypto, it will be due to the exchangers, from hacking to over regulation, etc.
    • gkoberger 826 days ago
      Maybe, but I think you can make a case for the opposite too. Without exchanges, there'd be no crypto. Exchanges are the only reason 99% of people who have crypto can figure out how.
      • Kye 826 days ago
        Especially with mobile devices taking over. An increasing number of people don't even have a laptop or desktop to hold a whole blockchain on. Even an iPhone 13 Pro with 1TB of storage would lose 10-20% of its space to that. That isn't going to improve. The more popular it gets, the faster it grows, and it would compete with all the other storage needs that also grow.

        Get someone to load up and maintain a whole blockchain on their 1TB phone, and you lose them the moment they need more room for photos or offline synced music and files.

        • thinkmassive 826 days ago
          Not everyone needs a full copy of the blockchain to run a node.

A pruned full node downloads and validates all blocks, then discards everything not relevant to its own wallet.

          A variety of “light clients” are also available for most chains, which fetch transaction data from peers as needed (usually using something like bloom filters to increase privacy).

          Most ethereum apps just go through Infura. That’s a horrible centralized single point of failure that I’m not advocating, but the point is there are many ways a wallet app can connect to a remote full node.
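The privacy property of the "bloom filter" approach mentioned above is that a light client hands its peer a filter rather than its address list, and the filter's false positives make the peer unable to tell which matching addresses are really the wallet's. This added example (not code from any wallet or node implementation) implements a standard Bloom filter with double hashing, loads three constructed wallet addresses at a deliberately high false-positive rate, and shows what a peer holding only the filter can recover from a constructed pool of network addresses.

```python
"""Bloom filter as used for light-client address matching (added example)."""
import hashlib
import math
from typing import Iterable, List


class BloomFilter:
    """Standard Bloom filter sized from a capacity and a target false-positive rate."""

    def __init__(self, capacity: int, error_rate: float) -> None:
        # m bits and k hash functions from the usual optimal-sizing formulas.
        self.m = math.ceil(-capacity * math.log(error_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes) -> List[int]:
        # Kirsch-Mitzenmacher double hashing: k indices from two halves of one digest.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: bytes) -> bool:
        # Never a false negative: every added item has all its bits set.
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


# Constructed wallet addresses and a constructed pool of other addresses seen on the network.
WALLET = [b"addr-wallet-1", b"addr-wallet-2", b"addr-wallet-3"]
NETWORK = [f"addr-other-{i}".encode() for i in range(200)]


def build_wallet_filter(addresses: Iterable[bytes], error_rate: float = 0.3) -> BloomFilter:
    """A high error rate is chosen on purpose: more decoys, less information for the peer."""
    addresses = list(addresses)
    bf = BloomFilter(len(addresses), error_rate)
    for a in addresses:
        bf.add(a)
    return bf


def matching_addresses(bf: BloomFilter, candidates: Iterable[bytes]) -> List[bytes]:
    """What a peer holding only the filter can infer: every candidate that matches it."""
    return [c for c in candidates if c in bf]
```

The trade-off is bandwidth against privacy: a lower error rate means fewer irrelevant transactions sent to the client, but also a matched set that is closer to the wallet's real address list.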

        • gruez 826 days ago
          not sure about how big the ETH blockchain is, but the bitcoin blockchain fits in under 6GB if you enable prune mode. I still wouldn't run a full node on my phone, but disk space isn't the limiting factor.
        • gkoberger 826 days ago
          Agreed. And even if the storage issue isn't the main blocker, there's also energy usage, bandwidth, security and usability issues when it comes to phones.
  • londons_explore 825 days ago
    Who backs this WAPP scheme? If it's just crypto.com, then it's worthless against a widespread hack of their infrastructure.
  • ck2 825 days ago
    This somehow triggered me badly for the losses on Cryptsy.com

    (and missed out on settlement too! and domain name apparently is being re-used, ugh)

  • outside1234 826 days ago
    It's almost like we need a centralized authority that can undo these withdrawals and a know your customer paper trail.
    • salawat 825 days ago
      Funny that, ain't it? Perhaps we could Automate it. It'd be like.. a house for clearing transactions.

      Nah... Probably never catch on.

  • sneak 825 days ago
    I still can't believe that Matt Blaze finally sold crypto.com to them, after so many years of refusing.

    We all have our price.

  • KeAShizukuTio 825 days ago
    Not your keys.
  • uptown 825 days ago
    Fortune favors the brave...and also apparently anyone who can circumvent the 2FA protections.
  • _robbywashere 825 days ago
    The money will be recovered. That amount cannot be washed anymore
  • nathias 826 days ago
    What is the robbery of a CEX compared to the founding of a CEX?
  • n_time 826 days ago
    Thank goodness it's decentralized and there are no single points of failure.
    • thebean11 826 days ago
      How is this a single point of failure? The issue was limited to a subset of users keeping funds in a Crypto.com wallet.

      Unless by "it" you mean crypto.com and not Ethereum. Crypto.com is not decentralized.

      • wpietri 825 days ago
        And I think that's exactly the point. Cryptocurrency promoters endlessly talk up how it's part of a decentralized wave of the future. But in practice it's quite centralized, and the incentives point in that direction for the future. That's one of the points made very well recently by Moxie Marlinspike: https://moxie.org/2022/01/07/web3-first-impressions.html
        • thebean11 825 days ago
          It’s not centralized though, crypto.com is one of many exchanges. Anybody can create an exchange, and a failure in one exchange doesn’t propagate to the rest of the network.

          Do you consider a website breaking a single point of failure for the internet?

          • wpietri 825 days ago
            The original vision of Bitcoin was "a peer-to-peer electronic cash system" "allowing any two willing parties to transact directly with each other without the need for a trusted third party". So yes, something like crypto.com represents significant centralization.
            • thebean11 825 days ago
              Crypto.com and its customers are willing parties who can transact with each other using this system, I'm not sure what your point is. The problem here is that one party trusted another party to hold on to their funds, and the holding party lost the funds. How is that an indictment of the protocol itself?

              Or put another way, how does Crypto.com and other centralized systems prevent me from using Bitcoin the "right" way?

              • wpietri 825 days ago
                Did you read the Marlinspike post? I think he's pretty clear on the issues.

                But in brief my point is that as with internet itself, a protocol that allows for decentralization is not sufficient for something to be truly decentralized. Despite the vast amounts of hype about the decentralization of cryptocurrency and "web3", in practice we are seeing that it's tending toward centralization. Which personally I don't care about except the extent to which I still have to listen to the hype that has less and less connection to the practical reality.

              • thehappypm 825 days ago
                It’s not an indictment of the protocol, so much as it is saying that the protocol is too low-level for average users and therefore centralized players (like Coinbase) tend to step in and provide the desired service.
                • thebean11 825 days ago
                  I'm not sure, is the x86 instruction set too low level? Yes if you expect users to interact with it directly, but not for user facing products to be built on top of.

                  You can point to centralized products built on top of blockchain, but also decentralized ones.

                  • wpietri 825 days ago
                    An important difference being that nobody ever expected users to use the x86 instruction set directly. Whereas the very clear initial expectation for Bitcoin was that it was an actual currency used for transactions by end users.
                    • thebean11 825 days ago
                      On what part of the stack exactly? Are they crafting RPC requests to a BTC node manually? Using wallet software? Using more advanced wallet software with social recovery features and named addresses?

                      I think you may be forgetting, earlier users of computers were using punchcards..

                      • wpietri 824 days ago
                        Are you... asking me to explain what the Bitcoin folks were thinking when they claimed they were creating a viable peer-to-peer electronic cash system? Sorry, you'll have to ask them that. About 80% of what cryptocurrency advocates claim to believe seems unrealistic to me. But given that they published that paper in 2008, I suspect punch cards were not what they had in mind.
                  • thehappypm 825 days ago
                    Yet the popular ones are centralized, no?
                    • thebean11 825 days ago
                      Uniswap is one of the biggest exchanges and is fully decentralized. Things are trending that way.
                      • thehappypm 825 days ago
                        Trending? Really?
                        • thebean11 825 days ago
                          Yes. A few years ago decentralized exchanges did not exist, now one of the largest exchanges is fully decentralized..Obviously simple payments could always be made in a decentralized way but creating actual applications wasn't possible until recently.
          • iooi 825 days ago
            It’s not centralized though, chase.com is one of many banks. Anybody can create a bank, and a failure in one bank doesn’t propagate to the rest of the market.
            • thebean11 825 days ago
              Yup, in that sense banks are decentralized in a way..although there is a bank called the "central bank" that creates the base monetary supply, so not sure I totally agree with the comparison..

              But yes, I would agree that banks are about as decentralized as crypto exchanges. But that's kind of the point, you shouldn't conflate exchanges (or banks) with the currency itself.

        • TameAntelope 825 days ago
          But crypto is decentralized? This Crypto.com security issue is wholly unrelated to how blockchain technology works...
        • vmception 825 days ago
          It’s objectively dumb to look at a service provider and conflate that with what the proponents are talking about.

Have you considered that you are in the wrong decade? It's year .. 13..? It's time to be up to speed on this.

          If you run into a proponent that is also conflating these things you should simply correct them about the difference between onchain activities and third party centralized service providers, which means educating yourself first.

          The only reason the hacker gets to keep the funds and have no civil or criminal liability is because of them using the actual decentralized rails and uncensorable contracts such as Tornado.cash

      • smokey_circles 826 days ago
        It is the implementation.

        I believe in bitcoin, works well and I don't blame the consumer for the producer's problems when it comes to power.

        But exchanges have become a key part of the implementation.

        That's not the real issue though. The issue is the _need_ for exchanges. They provide a host of services, mostly all of which are antithetical to the loftier ideals espoused by bitcoin.

Too many crypto fans waltz past this glaringly obvious issue and these kinds of stories will never go away as a result.

        If banks get hacked, nobody blames the internet. "a small sub section of the system" applies as aptly to the blockchain as it does the global financial system, and I'm pretty confident being a locally popular trading commodity amongst edge communities is not the central goal for bitcoin

        • danuker 825 days ago
          > and I'm pretty confident being a locally popular trading commodity amongst edge communities is not the central goal for bitcoin

          Given the transaction fees needed for a distributed-enough network, and the bureaucracy needed when trading, it is not very useful as a currency, at least not for small payments, excluding Lightning.

          So it's a commodity.

          • thebean11 825 days ago
            Excluding lightning and layer 2 solutions like rollups. Why would you make those exclusions though?
            • danuker 824 days ago
              The reason is they are not yet accepted in many places, though in fairness, they seem to grow a lot.
    • capableweb 826 days ago
      I agree. Imagine if a centralized system was compromised and every single account holder was at risk. Instead there is only a small sub-section of accounts that were vulnerable, thank goodness for that.
    • mritchie712 826 days ago
      I'm guessing this is sarcasm? crypto.com is very very far from a single point of failure.
      • boopboopbadoop 826 days ago
        They might be alluding to the removal of centralized authorities that would have otherwise been able to get that money back.
        • capableweb 826 days ago
The allusion, from my naive point of view, is that n_time thinks we're lucky the network is decentralized and that users are spread out over various wallet software and services, so the impact of the issue was only related to a sub-section of the network as a whole. But I might just misunderstand the sarcasm or something.
          • tsimionescu 826 days ago
            Well, traditional banking is much more decentralized in this sense, as there are many more banks than crypto exchanges, and the vast majority offer payment apps etc.
          • dematz 826 days ago
            I assumed it's sarcastic, the point is even if the network is decentralized in practice people use centralized services.
  • NoblePublius 826 days ago
    FoRtUn3 faVor5 th3 thE boLd
  • husamia 823 days ago
This triggered an avalanche of selling!
  • karmicthreat 826 days ago
    So is starting a crypto exchange how many large crypto holders plan to cash out?