If you don’t control the Private Keys for your own crypto then you don’t control what happens to them. How true this statement is. There are many examples online of how people have had their Exchange account’s hacked. Some of these are a result of:
- Social engineering — Never share your password
- User Security settings- Always take advantage of strong security settings such as 2FA and IP whitelisting.
- Crypto Exchange Security Architecture- Only use exchanges with best practice security architectures
I am not a big user of the Quoine (now called Liquid.com) exchange but have used it for some trading in the past. As a result I still held a small balance of Ether on the exchange.
At first I didn’t quite believe what happened but I now believe my Quoine/Liquid account may have been compromised.
How did this happen?
Quoine/Liquid Security Settings
First of all I have enabled all of Quoine exchange’s security settings which they allow.
The exchange security measures allows for a login password, Google 2FA, email confirmation on login and whitelisting of withdrawal addresses. The 2FA is set up in a strange way for some reason where you don’t have the ability to disable it without contacting staff.
As an exchange that typically facilitates trading volumes that puts it in the top 20 exchanges I would however expect more in the security area. Specifically login session and IP details.
Compare Liquid to the security settings on Binance:
- Protection from fake Binance websites
2. Whitelisting of withdrawal addresses
3. SMS and/or Google authentication
4. Approved devices for accessing the Binance website
5. Details of your last login sessions
So What Happened to Me?
Now with the security settings in place I wouldn’t expect unauthorised access on my account. Considering 2FA is enabled and email notifications for logins. Theoretically I should have received an email on 17/10/2018 from Liquid similar to the following:
I did not receive an email that day. Instead on 17/10/2018 my 0.32 Ether balance on Liquid was sold for Monaco (MCO) for next to nothing.
This is a tactic that hackers will use since they are unable to withdraw to an address:
- Using their own accounts pick a low volume liquidity token (MCO/ETH in this case)
- Price the random token at a higher price (0.0398 Ether when market price is 0.02 Ether)
- Using your account Buy those tokens at that high price
- Now you are left with worthless tokens on your account (0.5 MCO ~USD $2.40)
- They are left with your higher value tokens (0.32 Ether)
Believe me I thank the stars I did not have a higher ETH balance on Liquid but that’s not the most important thing here.
If this can happen to me, can this happen to you?
After I noticed this irregularity I got in touch with Liquid support who responded with:
Obviously this is insufficient since I did not make these trades. What is also very worrying is that I did not even receive email notification on 17/10 for a login on Liquid.com.
They have since said they are investigating this further but have not responded since I asked for an update.
Exchange security breaches have major implications not just for the person affected but the industry as a whole. I take this as a serious matter and am not satisfied with the current way in which the team is handling my complaint.
If there is a security loophole present and I and maybe others are affected then the Liquid team needs to immediately make a public announcement on the situation.
What Liquid Can Do
It would be nice if I can get my Ether balance restored as a start. To go with that I would also expect an explanation of what happened on 17/10/2018.
In the meantime what they can easily do is find out:
- IP and location of the computer used to login to my account 17/10
- Account of the person who sold the MCO tokens on 17/10
- Why no email notification for login was sent on 17/10
Going forward it is highly unlikely I will use the Liquid exchange unless I get a satisfactory explanation of what happened. They must also implement stronger security features on their platform. Displaying past login session details would be a start.
If you have holdings on Liquid and believe you have taken the appropriate measures to secure your them, I recommend you reconcile that things are fine.