This article has been updated to correct that BitMEX is not Hong Kong-based.
Peer-to-peer (P2P) cryptocurrency exchange BitMEX has reported an influx of attacks on user account credentials, according to an official blog post on June 11.
In addition to covering a litany of best practices for user security, the cryptocurrency exchange stressed the importance of using two-factor authentication (2FA) in particular. The report summarizes 2FA as follows:
“2FA, sometimes referred to as ‘two-step verification’ or ‘multi-factor authentication’, adds an additional layer of security to your account by requiring not only your username and password at login, but also the input of a unique, time-based token. Tokens can be stored on a cell phone within a software-based authenticator app such as Google Authenticator or Authy.”
According to BitMEX, research at Google has shown that virtually all attempts to steal account credentials can be prevented by enabling 2FA. BitMEX concurred that 2FA is the best way to prevent such attacks, and is considering making 2FA authentication mandatory on its platform.
BitMEX also noted that compromised accounts on the exchange are typically associated with weak or reused passwords, hacked emails, or computers infected with malware. Additionally, the exchange discovered some new tactics being deployed in these account hacks, and have updated its policies accordingly.
First, there is no longer an option to disable email notifications about account logins, since hackers were disabling these notifications in order to further hide their tracks. Second, withdrawal requests must now be verified by email, since attackers were making API keys with the hacked accounts, which could be used on their own to authenticate withdrawals.
As previously reported by Cointelegraph, United States-based crypto exchange Kraken made 2FA mandatory for its platform at the end of March. According to Kraken’s announcement, 2FA has been optional on the platform since its inception in 2013. The exchange particularly supports 2FA programs Google Authenticator and YubiKey, as per the announcement.