IRA Financial vs. Gemini – security issues to ponder from a crypto IRA hack

The cryptocurrency world has been the scene of some *wild* stuff lately… and a recent lawsuit filed by IRA Financial Trust against Winkelvossian crypto exchange Gemini is no exception. Before I get into my take on this interesting story, let me point out that all information in this article is taken from IRA Financial’s complaint against Gemini and is therefore meant to persuade a future jury to award them a mega dollar (actual fiat) settlement and we haven’t really heard from Gemini’s side on this yet. Nonetheless, there are some interesting questions to ponder.

IRA Financial Trust helps people administer their retirement savings accounts and has decided to participate in the crypto boom by allowing their account holders to put their funds in cryptocurrency. (I personally would put my retirement funds in unregistered Belizean penny stocks before crypto, but that’s not the issue here).

IRA Financial has signed a contract with Gemini to manage the crypto side of things and hold their clients’ coins for them, based on Gemini’s reputation and assurances of the high level of security measures taken by the company.

One beautiful day, the police show up at the offices of IRA Financial with a SWAT team after learning that a kidnapping was in progress. (Spoiler alert – no abduction was taking place). While all of this is going on, strangers are taking advantage of the confusion to use an API key (a kind of password that lets an application programming interface – the language computers use to talk to each other – do sensitive things) to transfer funds from many Gemini accounts of IRA Financial into a single Gemini account and then transfer that money to unknown parties. A total of $36 million was allegedly stolen.

IRA Financial claims they were never given a phone number to call to report security issues and when they sent repeated emails, Gemini’s response was delayed and partial, leaving attackers with more time to get away with the funds.

One of the main claims in the complaint relates to this API key – IRA Financial claims that it was “pressured” by Gemini to use the API, that Gemini never explained the API key’s potential power to transfer funds between accounts, and that Gemini caused it to fail to take appropriate steps to secure the API key when providing it to IRA Financial. It looks like the attack was enabled, at least in part, by someone who got this API key (perhaps by accessing their email and snarfing it from there?) and I’m sure that one of the main questions in the minds of the jury is whether the disclosure of the key was the result of negligence on the part of IRA Financial, Gemini, or a combination of the two.

The design of the API also appears to be in question – the API key provided access to a master account with all IRA Financial client funds held in sub-accounts. With the API key it was possible to transfer funds from one sub-account to another (no second factor required), and IRA Financial considers this to be a design flaw in the API because in their business model these types of transfers are not necessary. Another question for the jury to consider.
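To make the design point concrete, here is an added example (mine, not code from the complaint, from IRA Financial, or from Gemini's actual API) of how a custodial platform can scope API keys so that a single leaked key cannot sweep every sub-account. The key names, scopes, sub-account identifiers and the "sweep" detection rule are all constructed for illustration. It contrasts a broad master key that can move funds between sub-accounts with no second factor (the situation the complaint describes) against keys that are read-only or that require step-up verification for internal transfers, and it shows a simple detection check that flags many sub-accounts draining into one destination.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    READ_BALANCE = "read_balance"
    INTERNAL_TRANSFER = "internal_transfer"  # move funds between sub-accounts
    WITHDRAW = "withdraw"                    # send funds off-platform


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    scopes: frozenset      # actions this key may perform at all
    step_up: frozenset     # actions that additionally need a fresh second factor
    allowed_sources: Optional[frozenset] = None  # None = any sub-account


@dataclass(frozen=True)
class Request:
    action: Action
    source_sub: str
    dest_sub: Optional[str] = None
    second_factor_ok: bool = False


def authorize(key: ApiKey, req: Request) -> tuple:
    """Return (allowed, reason). Deny by default; every grant is explicit."""
    if req.action not in key.scopes:
        return False, f"{key.key_id}: {req.action.value} is not in key scopes"
    if key.allowed_sources is not None and req.source_sub not in key.allowed_sources:
        return False, f"{key.key_id}: not bound to sub-account {req.source_sub}"
    if req.action in key.step_up and not req.second_factor_ok:
        return False, f"{key.key_id}: {req.action.value} requires a second factor"
    return True, "ok"


# Constructed keys for a hypothetical custodial API (not any real exchange's scheme).
# BROAD_KEY mirrors the design the complaint describes: every action, no step-up.
BROAD_KEY = ApiKey("k-broad", frozenset(Action), frozenset())
# READ_KEY is what a custodian that never needs internal transfers should hold.
READ_KEY = ApiKey("k-read", frozenset({Action.READ_BALANCE}), frozenset())
# OPS_KEY may transfer, but only with a second factor on each transfer request.
OPS_KEY = ApiKey(
    "k-ops",
    frozenset({Action.READ_BALANCE, Action.INTERNAL_TRANSFER}),
    frozenset({Action.INTERNAL_TRANSFER}),
)


def sweep_requests(sub_accounts, collector, second_factor_ok=False):
    """Build the requests an attacker would need to drain many sub-accounts into one."""
    return [Request(Action.INTERNAL_TRANSFER, s, collector, second_factor_ok)
            for s in sub_accounts]


def count_allowed(key, requests):
    """How many of the requests the policy would let through with this key."""
    return sum(1 for r in requests if authorize(key, r)[0])


def detect_sweep(events, threshold=3):
    """Flag destinations fed by at least `threshold` distinct source sub-accounts.

    `events` is an iterable of (source_sub, dest_sub) internal-transfer records;
    a legitimate custodian that never consolidates funds should rarely trip this.
    """
    sources_by_dest = {}
    for src, dst in events:
        sources_by_dest.setdefault(dst, set()).add(src)
    return sorted(d for d, srcs in sources_by_dest.items() if len(srcs) >= threshold)


if __name__ == "__main__":
    # Constructed sub-account identifiers.
    subs = [f"ira-{i:03d}" for i in range(1, 6)]
    sweep = sweep_requests(subs, "ira-collector")
    for key in (BROAD_KEY, READ_KEY, OPS_KEY):
        print(f"{key.key_id}: {count_allowed(key, sweep)} of {len(sweep)} sweep transfers allowed")
    print("flagged destinations:", detect_sweep([(s, "ira-collector") for s in subs]))
```

The point of the comparison is least privilege: the key handed to a business partner should carry only the scopes that partner's workflow needs, and any scope that can move value should demand a second factor per request so a key found in a mailbox is not enough on its own. The `detect_sweep` rule is the monitoring side of the same design choice, because a fan-in of many sub-accounts into one destination is exactly the pattern the complaint describes.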

There’s more here – questions about hot wallet storage claims versus cold wallet storage and the veracity of Gemini’s marketing regarding its security measures.

I’m so sorry for any potential jury that has to solve this one – there are some really complex and thorny security questions that need to be answered, and I’m sure if this goes to trial each side will bring expert witnesses who will swear on a stack of bibles that it was all the fault of the other side. I would really like to be one of those trying to solve this puzzle, but our jury system will ensure that those selected to do so are utterly unequipped for the challenge. I have a feeling that both sides will see the risk of putting this case to a jury of ordinary people and that will result in a settlement.

Nevertheless, this complaint is excellent reading for security professionals – it is thought-provoking on a number of topics: the security claims that companies make in their marketing materials, the establishment of a process to deal with security vulnerabilities, designing APIs that are secure and suitable for business purposes, and communicating important security information to customers. Again, the presentation is very one-sided (that’s the job of this paper) but the issues raised are worth considering and trying to learn from.

*** This is a syndicated blog from the Security Bloggers Network of The paranoid prose of Al Berg written by Al Berg. Read the original post at: https://paranoidprose.blog/2022/06/18/ira-financial-versus-gemini-security-questions-to-ponder-from-a-crypto-ira-hack/