Security researchers have discovered an unprotected database that manages access to services from some of the world’s largest technology companies. The database belongs to Meta, Google and Short Message Service (SMS) routing operators that send two-factor authentication (2FA) codes to users of cryptocurrency companies.
Researcher Anurag Sen discovered that the company’s YX International database was exposed without a password on the public Internet. Anyone who knows your public Internet Protocol (IP) address can view your data.
Users Affected by 2-Step Verification Leak
YX International sends security codes to people who log in to platforms belonging to Meta, Google and TikTok. The company ensures that users’ messages are quickly routed through mobile networks around the world. Among the messages it sends is a security code that forms part of the two-factor authentication scheme that many large companies use to protect user accounts.
Some service providers, such as Google, may send you an SMS code after you enter your password to verify your authenticity. Other authentication options include generating a code in an authenticator app to supplement your password.
Read more: 15 most common cryptocurrency scams to watch out for
Two-factor authentication improves security, but it’s not a panacea. Accordingly, cryptocurrency exchange Coinbase warns that although 2FA is a minimum security measure, it is not perfect. Hackers can still find ways to steal funds from cryptocurrency wallets.
“2FA improves security, but it’s not perfect. Hackers who obtain the authentication factor can still gain unauthorized access to your account. Common ways to do this include phishing attacks, account recovery procedures, and malware. Hackers can also intercept text messages used for 2FA,” Coinbase said.
Criminals are using these methods to defeat 2FA.
Last year, reports emerged of criminals bypassing 2FA on Apple devices. Hackers can access Apple’s cloud platform, iCloud, and replace your phone number with their own. The scheme put funds in cryptocurrency wallet apps on Apple devices at risk because some of the applications were able to send verification codes to compromised phone numbers.
Criminals can also use SIM swaps to commit two-factor authentication encryption fraud. In this attack method, criminals persuade mobile carriers, such as AT&T or Verizon, to transfer the legitimate owner’s phone number to the fraudster. After that, criminals only need one piece of information to access a self-managed wallet app owned by the actual owner of the phone number.
Considering the surge in quantum technology, Apple recently improved the security of the Secure Enclave hardware device built into iPhone. Post-quantum cryptography generates new keys every time a malicious actor compromises an existing key.
This feature can help crypto wallet developers improve their clients’ crypto security by storing sensitive information in Secure Enclaves. So far, at least one vendor has already used Secure Enclave to grant access to wallet apps.
Read more: What is a cryptocurrency private key?
BeInCrypto has reached out to Binance and Coinbase, the world’s largest cryptocurrency exchanges, for comment on whether the XY International data breach affected users. Neither company responded by press time.
disclaimer
All information contained on our website is published in good faith and for general information purposes only. Any action you take upon the information on our website is strictly at your own risk.