Background
At least 40 top crypto exchanges provide API access to their trading systems. For these exchanges, users can choose to access their accounts in two ways:
Log in manually to the exchange website with their username+password each time they want to access their account.
Or configure their account to permit access from external applications using two values specific to that account and issued by the exchange for use with its API: the API key+secret.
On March 8th 2018, we learned that Binance had thwarted a phishing+API attack by an unidentified individual or group.
According to reports, the attackers phished regular user credentials (username+password), then created API keys (key+secret) in those compromised accounts, and finally attempted to use those API keys to execute their attack.
Binance did not detect the compromised accounts or the unauthorized creation of API keys. Instead, it detected unusual trading activity in the market for the target coin and suspended all withdrawals until the attack had been neutralized.
The crux of the attack was that real users GAVE AWAY their own usernames and passwords to a site running on a very similar domain name. The attackers later used those credentials to log in to the accounts manually and configure them for access via Binance's API.
API Key+secret Is More Secure
Theoretically speaking, this attack would have been less likely if users had accessed their accounts exclusively via the API key+secret protocol:
- API keys are used with an endpoint domain that is almost always hardcoded in the client application, so the API domain is much less susceptible to look-alike-domain phishing than the exchange's "home" website domain. With the website, users may mistype the domain name and land on a phishing site by their own error, or follow a malicious link in a spam email.
- Even if traffic to the API endpoint is intercepted, the attacker cannot use what they observe to hijack the user's account on the exchange. API-based communication uses the secret to sign each message cryptographically (typically an HMAC over the request parameters), but the secret itself is never sent in the message in any form; only the public API key and the resulting signature travel over the wire. An attacker inspecting the messages between the user and the exchange therefore cannot reconstruct the secret needed to generate "impostor" messages that place bad trades or transfer assets. The one thing such an attacker does hold is an already-signed request, which is why signed requests carry a timestamp and exchanges reject stale ones: a captured request can only be replayed, unmodified, within that short window. Username+password protocols, by contrast, send the password value itself, which an attacker in the middle can copy and store for later malicious use.
- Assuming that the exchanges' own iOS and Android apps use the API key+secret protocol, it is safe to say that they are more secure than accessing accounts via the exchanges' websites.
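The signing exchange described above, as an added example that is not code from the original post or from Binance: the client signs the query string with HMAC-SHA256 under the secret and sends only the public key and the signature; the exchange looks up its own copy of the secret, recomputes the signature and checks the timestamp. The scheme is modeled on the common pattern for exchange REST APIs; the header name `X-API-KEY`, the `signature`/`timestamp` parameter names, the 5-second window, and the sample credentials and order are assumptions made for the demonstration, not any particular exchange's API.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample credentials for the demonstration (not real keys).
# An exchange issues a pair like this when the user creates an API key; the
# secret is displayed once and is supposed to live only on the client.
API_KEY = "demo-key-0a1b2c3d"
API_SECRET = "demo-secret-7f8e9d0c1b2a4e5f"

# Assumed replay window: a signed request is accepted only if its timestamp
# is within this many milliseconds of the server clock.
RECV_WINDOW_MS = 5000

# Exchange-side store mapping public key -> secret (constructed).
KEY_STORE = {API_KEY: API_SECRET}


def sign_request(api_key, secret, params, now_ms):
    """Client side: stamp the request, sign the query string with HMAC-SHA256
    under the secret, and return (headers, query_string).

    Only the public api_key travels in the header and only the signature is
    appended to the query; the secret is never placed on the wire.
    """
    stamped = dict(params, timestamp=now_ms)
    query = urlencode(stamped)
    signature = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    headers = {"X-API-KEY": api_key}  # assumed header name
    return headers, query + "&signature=" + signature


def verify_request(headers, query_string, now_ms, key_store=KEY_STORE):
    """Exchange side: look up the secret for the presented key, recompute the
    HMAC over the query minus its signature, compare in constant time, and
    reject timestamps outside the replay window. Returns (ok, reason)."""
    secret = key_store.get(headers.get("X-API-KEY"))
    if secret is None:
        return False, "unknown api key"
    body, sep, presented = query_string.rpartition("&signature=")
    if not sep:
        return False, "missing signature"
    expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    timestamp = dict(parse_qsl(body)).get("timestamp")
    if timestamp is None or not timestamp.isdigit():
        return False, "missing timestamp"
    if abs(now_ms - int(timestamp)) > RECV_WINDOW_MS:
        return False, "stale timestamp"
    return True, "ok"


def observer_view(headers, query_string, true_secret):
    """What a party reading the traffic (phishing endpoint, proxy) obtains:
    the public key and a signature. true_secret is passed in only so the
    function can report whether the secret appeared anywhere on the wire."""
    return {
        "api_key": headers.get("X-API-KEY"),
        "signature": query_string.rpartition("&signature=")[2],
        "secret_visible": true_secret in query_string or true_secret in str(headers),
    }


if __name__ == "__main__":
    now = 1_600_000_000_000
    order = {"symbol": "BTCUSDT", "side": "SELL", "quantity": "0.5"}
    hdrs, q = sign_request(API_KEY, API_SECRET, order, now)
    print("sent:", q)
    print("observer sees:", observer_view(hdrs, q, API_SECRET))
    print("genuine:", verify_request(hdrs, q, now + 1_000))
    # Changing a signed parameter invalidates the signature.
    print("tampered:", verify_request(hdrs, q.replace("quantity=0.5", "quantity=5"), now + 1_000))
    # Signing with a guessed secret (attacker knows only the key) fails too.
    print("forged:", verify_request(*sign_request(API_KEY, "guess", order, now), now + 1_000))
    # The replay caveat: the same capture is valid inside the window ...
    print("replay in window:", verify_request(hdrs, q, now + 4_000))
    # ... and rejected once its timestamp is stale.
    print("replay later:", verify_request(hdrs, q, now + 60_000))
```

The three failure branches are the point of the argument: an observer who captures the request learns the key and a signature but not the secret, so any edit to the order or any attempt to sign a new order with a guessed secret is rejected, while the only thing they can do with the capture is replay it verbatim before the timestamp expires. Note that the server strips the trailing `&signature=` rather than re-encoding the parameters, so the bytes it authenticates are exactly the bytes the client signed.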