When users register on an exchange, they usually activate 2FA to increase security: they receive a random code on their phone that is used to access the exchange.
Using a personal mobile phone might sound safe, but it isn’t.
On the Dark Web, it’s easy to buy identity documents at absolutely affordable prices: a passport costs just over 14 dollars, a proof of identity, complete with photos and utility bill, costs just over 60 dollars.
At this point, the wealth in cryptocurrencies is in danger, because hackers can simply take possession of it.
First of all, the hacker obtains the password through traditional phishing methods or by stealing a mobile phone or PC. He then clones the phone and uses it to call the exchange complaining about the loss of the 2FA code, which is possible if, for example, you have changed or lost your smartphone.
The exchange, in order to provide the information, will ask for proof of identity, which the hacker will already have at his disposal and at this point the exchange will provide a new 2FA key or delete the protection, giving the attacker access to the cryptocurrencies.
How do documents and proofs of identity end up on the Dark Web?
Often this type of information is provided directly by the victim, perhaps to participate in a fraudulent ICO or an airdrop.
The same SEC has created the Howeycoins website to show in a tangible way how easy it is to create a fake token sale, but also legitimate websites related to the presentation of crypto initiatives can be violated, as happened in the past.
The same exchanges can be penetrated by hackers: usually in these cases they learn of the disappearance of cryptocurrencies, but nothing prevents them from accessing confidential data as well.
In general, the 2FA, or Two Factor Authentication, although safer than a single password, is not absolutely secure and can be circumvented in different ways, so it is safer to hold your own tokens in a proprietary wallet rather than in those of the exchanges.