Security Researcher, Engineer, Tech Columnist | https://hey.ax/
A startup's mistake cost another business $2 million. In February 2020, we learned that MoonPay, a relatively new cryptocurrency company, had been hacked. Interestingly, it was IOTA and its customers who paid the price.
MoonPay describes itself as “The new standard for fiat to crypto. We build developer tools to make cryptocurrencies accessible to everyone.”
CDN or NPM?
At the time of the IOTA hack, MoonPay had inadequate security controls, and factors on IOTA's end like "release pressure and human error" are what led to this breach.
Although MoonPay, at IOTA's request, did publish a Node.js module that would have mitigated the security risks arising from their CDN infrastructure, it arrived towards the end of the integration process, and the switch to it was overlooked before launch.
“At the time of its integration into Trinity, Moonpay was only available as bundled code delivered by a CDN, so the IOTA Foundation integrated it as such. Although widely used in web technologies, CDN delivery has inherent risks. One of those risks is that the code expected by the device could be unknowingly replaced with code that is not expected,” explains the blog post.
“The IOTA Foundation flagged the risks involved and requested an NPM (Node package manager) module to mitigate it. This was later published by MoonPay, after most of the integration work had already been done, but release pressure and human error added up to the Foundation not switching to the more secure NPM package prior to launch.”
“This was the weakness leveraged by the attacker and one that could likely have been resolved if the Foundation had had a more extensive, cross-team review process for larger releases,” the post further explained.
Regardless, it was IOTA that took responsibility for the breach and took the appropriate steps to compensate its victims.
Although IOTA's founder has been magnanimous in taking responsibility and personally volunteering to compensate the victims of the breach, the following best practices could help save your business from mishaps like these.
Vet your partners carefully
It never hurts to vet your partners properly and ensure they adhere to industry standards when it comes to basic security practices.
In working with MoonPay, IOTA skipped a security audit of MoonPay's infrastructure under the pressure of releasing a working product fast. A thorough security audit and pen-test would have revealed any security vulnerabilities lurking in the CDN delivery path.
Ignoring best practices can backfire, as we saw in this case.
Perform thorough security audits
…of your own infrastructure, and your partner companies!
To the previous point, the postmortem analysis of the breach shows that the vulnerability lay in the CDN delivery path: attackers replaced the SDK code served from MoonPay's infrastructure with a malicious version, which IOTA's Trinity wallet then loaded.
“Trinity caches found irrefutable proof that they had been compromised with one of several illicit versions of Moonpay’s software development kit (SDK), which was being loaded automatically from Moonpay’s servers (their CDN) when a user opened Trinity,” the blog post explains.
“The code was loaded into the local Trinity instance, and, after the user’s wallet was unlocked, decrypted the user’s seed and sent the seed and password to a server controlled by the attacker. Before transferring tokens out, the attacker awaited the release of a new Trinity version, which would overwrite Trinity’s cache files and thus remove the remaining traces of the hacker’s exploit. With this realization and code samples in hand, the IOTA Foundation immediately filed a report with the Berlin Police Cyber Division.”
This means that while integrating with partners and expanding your company may be important and come with stringent deadlines, doing so at the cost of a security trade-off is taking a real gamble in today's world.
FinTech is a high liability industry
Data leaks and breaches are already an everyday nuisance for digital businesses. But when you are dealing in cryptocurrency or FinTech, you are not only the guardians of people’s data but their real money! And that can get ugly fast.
Data breaches already bring with them lawsuits and hefty fines, especially if GDPR applies to your business. Data breaches that cause financial loss to the customer, however, are twice the trouble.
Accept responsibility when things go wrong
I cannot stress enough how commendable the responsibility demonstrated by IOTA's leadership is. Instead of pointing fingers, the founder himself stepped up to defuse the situation by offering a solution that would make everyone, including MoonPay, happy.
IOTA’s founder, Sønstebø himself paid $2m to the victims of the breach, although this might be regarded as questionable in the business world.
He continued, “It will cost around ~2 million USD. This is definitely a lot of money, but if my primary motive was money I have had ample opportunity over the last 2 years to maximize my profits. I have not. For me, the chief goal is to build this future, based on our vision. Hopefully, the culprit will be held accountable one day and the funds recovered. The chances are low, but we did it once before.”
In conclusion, the lessons learned in this case can help both established FinTech companies and newer startups understand the risks of trading off security in favor of faster releases, and how these issues can be prevented.