- J McGlynn and M Bacina
Crypto companies praised by NYDFS for rapid response to recent Twitter Hack
In July 2020, a 17-year-old hacker and his mates invaded Twitter and took control of dozens of high-profile users' accounts, using them to tweet out a “double your bitcoin” scam which resulted in the theft of over USD$118,000 worth of Bitcoin. To the disbelief of many, the Twitter Hack did not involve any of the high-tech or sophisticated techniques often used in cyberattacks: no malware, no exploits, and no back-doors.
Beyond its immediate monetary impact, the “garden-variety” nature of the hack exposed inherent cybersecurity weaknesses in Twitter, a social platform valued at over $37 billion and counting over 330 million active users. The incident prompted a serious review and investigation, and the New York Department of Financial Services (NYDFS) resolved to issue a report dissecting the hack, evaluating its surrounding facts, the reasons it occurred, and what could be done to prevent future incidents.
Crypto firms quick to take up arms
A number of the accounts the attackers targeted belonged to companies regulated by the NYDFS. These companies, which maintain robust programs around cybersecurity, fraud prevention and anti-money laundering (as required by DFS regulations), were found to have responded best to the widespread disruption.
According to the NYDFS, the crypto firms’ responses were swift and effective, prompting the NYDFS to dedicate two of the report's key sections (part IV and part VI) to the impact of the hack on the department’s cryptocurrency licensees, and to how these companies acted to protect their clients from the fraud. To reduce the likelihood that a similar cyberattack will succeed in the future, the NYDFS also surveyed twenty-two crypto firms and compiled their recommendations on the security measures others could use to improve their cybersecurity.
Swift efforts to protect the customer
In its review of phase 3 of the hack, which was aimed squarely at digital currency exchanges, the NYDFS found that 15 of the 22 crypto firms blocked the Twitter hackers' crypto addresses within 40 minutes. Although the report noted that the inaction of the other 7 companies could be attributed to their different business models, which do not involve the direct handling of transfer services and custody, according to the NYDFS:
[The majority of crypto firms] responded quickly to block impacted addresses, demonstrating the maturity of New York’s cryptocurrency marketplace and those authorised to engage within it. Their actions show that New York continues to set a high standard and attract only the most responsible actors.
To validate its claims, the report detailed how a number of cryptocurrency firms, separately but in unison, rapidly blocked bitcoin addresses the Hackers posted on Twitter:
Coinbase blocked around 5,670 transfers, valued at roughly $1,294,000;
Bitstamp blocked one transfer, valued at $250;
Gemini blocked two transfers, valued at $1,800; and
Square blocked 358 transfers, valued at approximately $51,000.
This was in stark contrast to other victim organisations like Apple and Uber, and to high-profile politicians, celebrities and entrepreneurs, whose accounts were not protected from unsophisticated hackers because there is no regulatory regime that treats social media as critical infrastructure. Posing a large risk to society, the large and globally influential social media companies, not just Twitter, essentially regulate themselves.
The path to improved cybersecurity
As a way of learning from the incident, the NYDFS reported which security measures the crypto firms took to protect their social media accounts, making key recommendations to improve cybersecurity going forward.
The key responses included:
Using strong, unique passwords;
Using multi-factor authentication (MFA);
Avoiding using SMS-based MFA, which is more susceptible to hacks;
Limiting employee access to social media accounts;
Actively monitoring the social media accounts for unauthorised posts;
Employing a social media security monitoring provider to monitor an account and its high-profile principals’ accounts; and
Storing credentials with a third-party password management provider.
Notwithstanding that most of the above recommendations should be second nature to anyone in the technology space, the report concludes by drawing an interesting comparison between the response of "Cryptocurrency Companies" and that of "social media companies" (that is, Twitter).
The report notes that:
the [Cryptocurrency] Companies reacted within minutes to block transactions between customers’ and the Hackers’ bitcoin addresses. This swift action blocked over 6,000 attempted transfers worth approximately $1.5 million to the Hackers’ bitcoin addresses. These actions were made possible because the Cryptocurrency Companies had robust programs around cybersecurity, fraud-prevention, and anti-money laundering programs–as required by DFS regulations. As the Department has shown, a balance can be struck between encouraging innovation and promulgating regulation to protect consumers.
The report then draws an unflattering comparison with "large and globally influential social media companies", which "essentially regulate themselves", suggesting that if companies such as Coinbase, Gemini and others can operate sustainably under the New York BitLicense framework, then there is no reason why social media giants shouldn't also be able to operate in a more regulated environment.