**_What startup mistake cost another business $2 million?_** In February 2020, we learned that MoonPay, a relatively new cryptocurrency company, had been hacked. Interestingly, this cost IOTA and its customers a fortune!

IOTA, which is “the first distributed ledger built for the Internet of Things”, had been relying on MoonPay’s infrastructure to provide features related to its cryptocurrency wallet, called Trinity.

In an interview with CoinTelegraph, David Sønstebø, the founder of Iota said, “The hack itself was on MoonPay’s infrastructure, but due to the way it was integrated into the Iota wallet, there was a vulnerability that was exploited by the hacker. The total amount of iotas siphoned out of accounts [was] 8.52 Ti.”

MoonPay describes itself as “The new standard for fiat to crypto. We build developer tools to make cryptocurrencies accessible to everyone.”

And, things are looking pretty bright for MoonPay. This month, the company announced they’d be providing “direct access to Apple Pay, Samsung Pay, Visa, Mastercard & other payment processors” in over 160 countries.

CDN or NPM?

At the time of the IOTA hack, MoonPay had inadequate security controls, and factors on IOTA’s end like “release pressure and human error” are what led to this breach.

A detailed analysis by IOTA, shared on their blog, traced the issue back to MoonPay’s SDK, which was hosted on a Content Delivery Network (CDN) and therefore exposed to tampering.

Although MoonPay, at IOTA’s request, did provide a Node.js module that would mitigate the security risks arising from CDN delivery, it was delivered towards the end of the integration process, and the switch to it was overlooked.

“At the time of its integration into Trinity, Moonpay was only available as bundled code delivered by a CDN, so the IOTA Foundation integrated it as such. Although widely used in web technologies, CDN delivery has inherent risks. One of those risks is that the code expected by the device could be unknowingly replaced with code that is not expected,” explains the blog post.

“The IOTA Foundation flagged the risks involved and requested an NPM (Node package manager) module to mitigate it. This was later published by MoonPay, after most of the integration work had already been done, but release pressure and human error added up to the Foundation not switching to the more secure NPM package prior to launch.”

“This was the weakness leveraged by the attacker and one that could likely have been resolved if the Foundation had had a more extensive, cross-team review process for larger releases,” the post further explained.

Regardless, it was IOTA that took responsibility for the breach and took the appropriate steps to compensate its victims.

The takeaways

Although Iota’s founder has been magnanimous in taking responsibility and personally volunteering to offer compensation to the victims of the breach, the following best practices could help save your business from mishaps like these.

Vet your partners carefully

Just because a solutions provider or a potential corporate partner is new in the market isn’t an automatic disqualification. Had businesses not given startups a chance, we’d have none left in the game!

However, it doesn’t hurt to vet your partners properly and ensure they adhere to proper industry standards when it comes to basic security practices.

In working with MoonPay, IOTA skipped a security audit of its partner’s infrastructure under pressure to release a working product fast. A thorough security audit and penetration test would have revealed the risk of loading an unpinned SDK from the CDN.

Ignoring best practices can backfire, as we saw in this case.

Perform thorough security audits

…of your own infrastructure, and of your partner companies’ too!

To the previous point, the postmortem analysis of the breach shows that the weakness lay in the CDN delivery path: the attacker replaced the SDK served from MoonPay’s CDN with a malicious version, which IOTA’s Trinity wallet then loaded automatically.

“Trinity caches found irrefutable proof that they had been compromised with one of several illicit versions of Moonpay’s software development kit (SDK), which was being loaded automatically from Moonpay’s servers (their CDN) when a user opened Trinity,” the blog post explains.

“The code was loaded into the local Trinity instance, and, after the user’s wallet was unlocked, decrypted the user’s seed and sent the seed and password to a server controlled by the attacker. Before transferring tokens out, the attacker awaited the release of a new Trinity version, which would overwrite Trinity’s cache files and thus remove the remaining traces of the hacker’s exploit. With this realization and code samples in hand, the IOTA Foundation immediately filed a report with the Berlin Police Cyber Division.”

History has shown us that even companies that constantly boast about “taking users’ privacy and security seriously” get breached all the time, despite their best efforts.

This means that while integrations and expansion may be important and come with tight deadlines, accepting a security trade-off to meet them is a real gamble in today’s world.


What the 2020 MoonPay Hack Taught the Crypto Industry