As a cryptocurrency holder, you might think your funds are basically safe on an exchange as long as you’ve set up two-factor authentication (2FA). How could anyone access the ever-changing, unique randomized codes being sent to your personal cellphone?
According to a post on Reddit, hackers are taking advantage of the KYC (Know Your Customer) procedure that many centralized exchanges now require. The process consists of identity verification techniques, usually including some combination of passport photos, ID photos, utility bills and selfies with the customer holding any one of these documents.
The uploaded documents, such as passports, can become valuable on the dark web. According to darkreading.com, the typical cost of an illegal passport scan is $14.71, while the price jumps up to $61.27 when proof of ID (selfie, utility bill, etc.) is included.
Paul Bischoff, editor of Comparitech, says,
“The reason for this is because multiple forms of ID are usually required to pass proof-of-address and proof-of-identification checks on websites. These checks are often part of the account recovery process in which a user has somehow lost access to their account and must prove who they are to regain access.”
According to Reddit user Gamm86, a hacker can circumvent 2FA by posing as a user who has lost their 2FA access (which can happen to anyone who loses a phone). The crypto exchange will then ask the supposed user for proof of identity, and the hacker can supply documents obtained via the dark web. Once the hacker sends in the requested documents, the exchange either resets or removes the 2FA codes. The hacker can then gain access and effectively drain a crypto account.
There’s also the possibility that a user’s information and paperwork could be leaked from a fraudulent ICO airdrop that requires KYC documents. Given how easy it is to spin up a fake website promoting a cryptocurrency or an ICO – as illustrated by the “HoweyCoins” website created by the US Securities and Exchange Commission to educate the public about fake offerings – investors need to be vigilant and always perform due diligence before making any investments.
Use extreme caution when giving out any of your personal information or uploading any documents, and be sure to use different passwords for all of your financial accounts.
As the Reddit post also recommends, using cold wallets whenever possible can reduce exposure to the internet and bad actors.