Nash users are at risk too? [edited]

(Alex) #1

A little dramatic title to raise awareness that hacks can happen to Nash users too, isn’t it?

Seeing the recent exchange hacks, it’s not a coincidence Malwarebytes released a blog post today about vulnerabilities in financial mobile apps. (Pretty sure the mobile app was part of Binance’s weak link.)

From what I heard, the Binance hack was also an attack where many individual accounts got compromised over time. All compromised accounts went through a net-worth selection process and then, at the same moment, at the right time, the hackers executed withdrawal commands on behalf of the users. (While simulating normal user interactions too.) Binance got alerted because many of their high net-worth accounts were withdrawing across different timezones at the same time. (Outside the usual users’ activity timezones; raising suspicion.)

I wonder if Nash would even be able to detect such an attack. (Until users start to complain on social media.)

https://twitter.com/joviannfeed/status/1126168910448005120

1 Like
(Mao Mao) #2

Click bait much?

2 Likes
(Olu) #3

Stop creating click bait! Looks too desperate.

1 Like
(Crypto Fox) #4

This statement doesn’t even make any sense :man_shrugging:

(Alex) #5

It’s not click bait. It’s based on what I’ve seen on Equilibrium. Glad to hear Nash is considering safer 2FA.

(Alex) #6

It does. As long as Nash hasn’t shown a safer method. I’m highlighting MOBILE for a reason.

(Mao Mao) #7

I think so far, Nash’s approach priority is customer security and UX. This approach makes users feel extremely safe while using the Nash exchange compared to other current exchanges. It is good that Nash has thought out this anti-phishing approach. Can’t wait to see it.

Thumbs up, Nash team!

1 Like
(Kazanchev) #8

“Color” option is for this kind of stuff. So stop this.

(Alex) #9

Hmmm that shows Nash is indeed concerned about the matter. Correct. :+1:
Yet, you are also the reason I’m bringing this topic up. It could also create this false feeling of safety.

So I’ll stop here.

(Pzy) #10

Bittrex and Poloniex have the IP change security; they send you an email every time your IP changes.

(FCC) #11

Client-side security is a big concern of ours; that includes phishing, especially given the self-custody nature of our products. As far as I know, Binance has not published any post-mortem analysis from their hacks, so I can only speculate. From July-18 and May-19 it seems that their alert is a far simpler lock if a transaction hits >7,000 BTC in vouts, instead of the complex behavior checking you refer to, as in both cases, right after the transaction, deposits and withdrawals in all markets were automatically closed.

Also, without a detailed post-mortem I can’t say if and how the accounts were compromised. Phishing is a big problem, not only in cryptocurrency but for all online services. There are a few sets of solutions that help, but there is always the issue of user experience. For example, we tested the frequency of 2FA checks on Equilibrium to see user timing; that is something that can stop phishing attacks but causes user friction. But with it, even in Equilibrium the described attack would not have worked. We have several other ideas and some will be deployed online when the services are public.

9 Likes
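
An added example, not part of any post above and not Nash's or Binance's code: a sketch of the two alerting approaches discussed in this thread, the per-transaction vout threshold from post #11 and the check for several high-balance accounts withdrawing together outside their usual hours from post #1. The event fields, every threshold other than 7,000 BTC, and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def vout_lock(vouts_btc, limit=7000.0):
    """Simple lock from post #11: one transaction's outputs exceed the limit."""
    return sum(vouts_btc) > limit

def off_hours(ts, active):
    """True if ts (UTC) is outside the account's usual hours; handles wrap past midnight."""
    start, end = active
    h = ts.hour
    in_hours = start <= h < end if start <= end else (h >= start or h < end)
    return not in_hours

def coordinated_bursts(events, window=timedelta(minutes=5),
                       min_accounts=3, min_balance=500.0):
    """Behaviour check from post #1: several high-balance accounts withdrawing
    within one window, each outside its own usual activity hours."""
    suspects = sorted((e for e in events
                       if e["balance"] >= min_balance and off_hours(e["ts"], e["active"])),
                      key=lambda e: e["ts"])
    bursts, i = [], 0
    for j, cur in enumerate(suspects):
        while cur["ts"] - suspects[i]["ts"] > window:
            i += 1                      # slide the window start forward
        accounts = sorted({e["acct"] for e in suspects[i:j + 1]})
        if len(accounts) >= min_accounts:
            bursts.append((suspects[i]["ts"], accounts))
    return bursts

# Constructed sample withdrawals (all values hypothetical).
T0 = datetime(2020, 1, 1, 3, 0, tzinfo=timezone.utc)
def mk(acct, ts, amount, balance, active):
    return {"acct": acct, "ts": ts, "amount": amount, "balance": balance, "active": active}
EVENTS = [
    mk("acct-a", T0, 900.0, 1200.0, (8, 16)),
    mk("acct-b", T0 + timedelta(seconds=20), 1500.0, 2000.0, (12, 20)),
    mk("acct-c", T0 + timedelta(seconds=45), 2200.0, 2500.0, (22, 2)),   # hours wrap midnight
    mk("acct-d", T0 + timedelta(seconds=50), 0.5, 3.0, (12, 20)),        # low balance
    mk("acct-e", T0 - timedelta(hours=5), 800.0, 1000.0, (20, 4)),       # inside usual hours
    mk("acct-f", T0 + timedelta(hours=2), 700.0, 900.0, (9, 17)),        # off-hours but alone
]

if __name__ == "__main__":
    burst = [e["amount"] for e in EVENTS[:3]]
    print("vout lock fires:", vout_lock(burst))           # total stays under 7,000 BTC
    for start, accounts in coordinated_bursts(EVENTS):
        print("coordinated burst at", start.isoformat(), accounts)
```

In the constructed data the three large withdrawals total 4,600 BTC, so the threshold lock stays silent while the burst check flags them.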
(Alex) #12

https://www.adyen.com/blog/psd2-understanding-strong-customer-authentication :wink:

(Mao Mao) #13

Would love it if Nash can implement the third, that is, “Something you are” features… It looks more secure than the others.