Bitcoin Exchange Unocoin Hacked, a user lost around INR 1,80,000
Unocoin, one of India’s leading Bitcoin exchanges, got hacked. A user lost INR 1,20,000 from his account.
A Bangalore-based computer scientist purchased Bitcoin through Unocoin’s mobile app. Within minutes, his account was hacked and funds were moved out of his wallet.
When the user purchased Bitcoins, a password reset link arrived at the user’s email address. Soon after, another mail arrived confirming the new password, which meant the hacker had gained access to the user’s Unocoin wallet.
Two transactions took place: 0.40049 Bitcoin was debited, followed by another 0.3005 Bitcoin. A third transaction for the same amount was then attempted, but it was blocked.
Local news outlet FactorDaily reported the whole story.
“I have been using Google Authenticator for two-factor authentication in my Gmail account for years and my mobile number has not been compromised,” the user told the publication.
“The hack seems to have happened on the Unocoin server where both the password reset link and OTP are generated.”
“I spoke to [the representative] and explained what had happened,” the victim recounted.
“He went inside the office and came back about 10-15 minutes later and said that my account was blocked and the two later transactions were also blocked, but the first two transactions had gone through.”
What does Unocoin say?
“Given that the total number of users we have is about 2.7 lakhs, three to four (hacked accounts) are very less and we were able to handle that. So we try to analyse and see where the issue is and explain how it happened and how they can secure their account going forward,” says Sathvik Vishwanath, who cofounded Unocoin in 2013.
“Most of the users who got hacked were using OTPs and not the Google Authenticator,” says Sathvik Vishwanath.
“Most of the time, what we have seen is whenever there is a report of an account being hacked, the user, instead of activating Google Authenticator, would’ve opted for OTP (SMS-based) and also have opted to get it on the email. The email would then be a single point of failure because the hacker will just use the forget password and then through the OTP which is coming to the same email, he will be able to log in and do a transaction,” says Vishwanath. “This, of course, assumes that your email has been hacked in the first place.”
There has been a spike in hacks. Unocoin decided to change the default setting so that OTPs are sent to users via SMS only and not by email.
“Initially, we were sending to both (email and SMS) and even now we send to both but the only change is that by default OTP to email will be off in the settings now,” says Vishwanath. The default was “on” before this. “It is not like a policy change but just a change in the default setting.”
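The single-point-of-failure reasoning above can be checked mechanically. The following is an added example, not code from Unocoin or the original article: it assumes the reset link always goes to email (as in the incident described) and uses hypothetical setting names to list the smallest sets of channels whose compromise is enough to take over an account.

```python
from itertools import combinations

# Channel labels are this example's own, not Unocoin's.
CHANNELS = ("email", "sms", "authenticator_device")

# Constructed account settings modelled on the three cases in the article.
OLD_DEFAULT = {"second_factor": "otp", "otp_channels": ("email", "sms")}
NEW_DEFAULT = {"second_factor": "otp", "otp_channels": ("sms",)}
AUTHENTICATOR = {"second_factor": "authenticator", "otp_channels": ()}


def takeover_possible(compromised, settings, reset_channel="email"):
    """True if controlling `compromised` lets someone reset the password
    and then pass the second factor."""
    # Step 1: the password reset link must be readable.
    if reset_channel not in compromised:
        return False
    # Step 2: an authenticator code never leaves the device; an OTP can be
    # read from any one of the channels it is delivered to.
    if settings["second_factor"] == "authenticator":
        return "authenticator_device" in compromised
    return any(ch in compromised for ch in settings["otp_channels"])


def minimal_takeover_sets(settings):
    """Smallest-by-inclusion channel sets that allow account takeover."""
    found = []
    for size in range(1, len(CHANNELS) + 1):
        for combo in combinations(CHANNELS, size):
            candidate = frozenset(combo)
            # Skip supersets of a set already known to be sufficient.
            if any(known <= candidate for known in found):
                continue
            if takeover_possible(candidate, settings):
                found.append(candidate)
    return found


def single_points_of_failure(settings):
    """Channels that are sufficient for takeover on their own."""
    return sorted(ch for s in minimal_takeover_sets(settings)
                  if len(s) == 1 for ch in s)


if __name__ == "__main__":
    for name, cfg in [("old default", OLD_DEFAULT),
                      ("new default", NEW_DEFAULT),
                      ("authenticator", AUTHENTICATOR)]:
        print(name, [sorted(s) for s in minimal_takeover_sets(cfg)])
```

With OTP delivered to email, the mailbox alone is sufficient; with SMS-only OTP or an authenticator app, a second independent channel must also be compromised.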
KryptoMoney.com strongly recommends that readers adopt adequate security measures. Use Google's two-factor authenticator. Also, never leave your funds on an exchange. A Blockchain wallet is advised for storing Bitcoins.