
Biz Builder Mike

You can't sail Today's boat on Yesterday's wind - Michael Noel


custody

Jan 20 2021

Gemini Becomes World’s First Digital Assets Custodian and Exchange to Complete SOC 1 Type 2 and SOC 2 Type 2 Examinations

US-based digital assets exchange Gemini has completed SOC 1 Type 2 and SOC 2 Type 2 examinations.

The Gemini team noted in a blog post published on January 19, 2021 that they’ve successfully cleared the SOC 1 Type 2 and SOC 2 Type 2 examinations, which cover their exchange operations as well as their Gemini Custody products.

As confirmed by Gemini, the exams were carried out by Deloitte & Touche LLP and reportedly make the digital assets firm “the world’s first cryptocurrency custodian and exchange to demonstrate this standard of financial operations and security compliance.”

The cryptocurrency exchange and custodian stated:

“At Gemini, we aim to foster trust by demonstrating through action that as a company we follow through on the commitments we’ve made to upholding the highest levels of security and compliance for the benefit of our customers. We have done so by showing definitively through these independent third-party SOC evaluations that our operations and security compliance structures meet robust industry standards. We believe that these standards should be upheld by any cryptocurrency exchange and custodian.”

Gemini confirmed that in January 2019, they notably became the first digital asset exchange and custodian in the world to successfully complete a SOC 2 Type 1 examination, and followed it up with a SOC 2 Type 2 examination in January of last year. Gemini further noted that “building on these milestones, we completed a SOC 1 Type 1 examination in April 2020 and recently completed our SOC 1 Type 2 examination in December 2020.”

As explained by Gemini, the SOC 1 aims to evaluate the overall design and implementation of their financial operations and related reporting controls, while the SOC 2 aims to evaluate the effectiveness of the design and implementation of their “security, availability, and confidentiality controls.” As noted by the crypto exchange, the Type 1 examinations “assessed those processes at a point in time while our Type 2 examinations test that our system controls across our exchange and custody product have been operating over the period covering 2020.”

The US-headquartered firm confirmed:

“Gemini will continue to uphold the highest standards of security and operational compliance by undergoing SOC 1 Type 2 and SOC 2 Type 2 examinations on a yearly basis moving forward.”

As reported recently, Gemini, a New York Trust Company and Qualified Custodian, now has over $10 billion in digital assets under custody.


Written by bizbuildermike · Categorized: Crowdfunding · Tagged: 2020, 2021, AIM, Blockchain & Digital Assets, blog, company, compliance, crypto, crypto custody, crypto trading, crypto-assets, cryptocurrency, Cryptocurrency Exchange, custody, deloitte & touche llp, Design, digital, digital asset, digital assets, digital assets custodian, digital financial services, exchange, gemini, Investment Platforms and Marketplaces, New York, product, Products, security, soc 1 types 2, soc 2 type 2, United States, us, world

Jan 20 2021

Elaborate Scam App Impersonates Leading Asian Bank; Victims Duped into ‘Investing’


Zimperium, in collaboration with a leading Asian bank, has uncovered the early stages of a coordinated effort by scammers to defraud existing and new bank customers. In this blog, we will:

  • Alert the general public about the scam before it gains traction; 
  • Outline the entire scam around the fake bank app; and
  • Show how it is also targeting other financial services, including another bank.

The campaign coincided with the bank’s announcement about its development of a digital exchange, enabling institutional investors and accredited investors to tap into a fully integrated tokenization, trading, and custody ecosystem for digital assets. 

Thus far, dozens have downloaded the app and have lost an average of $1,500 each. The app – first seen on VirusTotal on December 22, 2020 – has still not been identified as malware or scamware by any anti-virus companies. 

The campaign remains active and is, in fact, growing:

  • It appears to be downloadable via third party sites and/or phishing links;
  • The command and control servers are still operational;
  • The elaborate scam itself features, among other aspects, active customer support; and 
  • We’ve learned of a similar campaign targeting a second bank. We are reaching out to that bank directly, before revealing the name.  

Downloading the app

Once the app is downloaded from a third party store or phishing link and is opened, the victim is presented with the following login page:

Figures 1, 2: Fake login and registration page along with the “password retrieval” option

As part of the registration process, users are asked to provide an email address, account number, “rganization code” (note the typo appears in the app itself) and other details. 

In an attempt to appear legitimate, registration generates an automated email containing a verification code trying to impersonate a legitimate email from the bank (including using the bank’s name in the email address). We received verification codes when we registered with legitimate and fake information.  

Figure 3: Fake email for registration with verification code. (Note: “If not my operation”)

The entire communication takes place with a server that does not belong to the impersonated institution. Instead, the user has unknowingly shared personal and financial information with the attackers. 

Figure 4: The communication with C&C when trying to login with credentials

App experience

Once logged in, the application presents the victim with a seemingly legit cryptocurrency trading platform using the brand value of the impersonated organization as a lure. It looks more convincing with the dynamically changing prices.

Figures 5, 6: The Home and Trade pages that make use of information from Figure 8

Figure 7: The continuous pings to get the updated prices as seen in Figure 7

Customer support

Moreover, the presence of a customer support option provides the victim with additional confidence of being able to contact the financial institution (the scammers) with any questions or issues.

When we attempted this, we received the following:

Figures 8, 9: The customer support chat box presents the offer image and convincing text

Figure 10: Scam poster encouraging victims to “invest”

Customer support would be the first choice for the victim to complain about discrepancies, but the scammers cleverly set it up in such a way that it convinces the victim to “Recharge” and invest to reap (non-existent) benefits.

Making use of legitimate platforms that offer services to communicate with customers through customer support, the scammers offer “Customer Service Solutions” as seen below with this command and control’s response:

Figure 11: The URL for customer support as received from the C&C server

If the upward trend makes the victim interested in investing, the scammers have set up a “Funds Management” page allowing for the continued exploitation of the victim as seen below:

Figures 12, 13: The option to recharge and add funds to the account

The Recharge option mentioned above is the first go-to for a new victim to begin investing through the platform. 

The two investment options offered are “Online Pay” and “USDT,” where the victims were asked to chat with the customer support and pay online or transfer the funds to a provided BTC or ETH wallet and attach proof of the transaction.

Figures 14, 15, 16: The recharge options- Online Pay, BTC, ETH with “Important Notice”

Figures 17, 18: The BTC and ETH wallet’s transactions

What can you do?

It’s clear this campaign is just beginning and – as we mentioned – targeting a different bank already. Here’s what you can do:

From a consumer perspective, never download apps from third-party sites; rely solely on the App Store and Google Play. Be leery of apps that may have grammatical or other errors  – like “rganization code” which appeared in the app itself.  

From an enterprise perspective, Zimperium is the global leader in mobile device and app security, offering the only real-time, on-device, machine learning-based protection against Android, iOS and Chromebooks threats. We detect this attack and others like it. 

Please contact us to learn more. 


Written by bizbuildermike · Categorized: Mobile Security · Tagged: 2020, android, App Security, App Store, Apps, banking apps, blog, btc, chat, Chromebooks, cryptocurrency, custody, digital, digital assets, email, Enterprise, ETH, exchange, financial services, gains, Global, Google, information, institutional investors, Investing, investment, iOS, malware, Mobile, Mobile Security, more, note, other, perspective, Phishing, platforms, research, scam, scamware, security, tokenization, Traction, trade, trading, transaction, verification, wallet, ZIMPERIUM, zLabs

Jan 18 2021

Huobi Global Partners with BCB Group to Better Globalize Offerings

Huobi Global has partnered with BCB Group, to “better globalize” its offerings, according to a release. Huobi is a large digital asset firm based in Asia.

BCB Group is a payment services provider that gives clients with European fiat the ability to send fiat to crypto counterparties via “BLINC” in real-time, 24/7, 365 days a year. BCB Group is a multi-jurisdictional regulated cryptocurrency services firm managed by an executive team that has worked for incumbent financial services firms. BCB currently serves clients including Bitstamp, Coinbase, Galaxy, and Kraken. BCB Group provides payment services in 20+ currencies, FX, cryptocurrency liquidity, and digital asset custody.

Huobi states that working with BCB will enable it to bank its OTC desk with the firm as well as let them handle foreign exchange flow.

Ciara Sun, the VP and Head of Global Business at Huobi commented on the arrangement:

“We understand the importance of both a compliant, and streamlined service. Partnering with BCB allows us to offer a European fiat on and off ramping service that we know is in line with the laws of that area, but it also allows our customers in Europe to experience a smooth and hassle-free user experience.”

Oliver von Landsberg-Sadie, founder and CEO of BCB called the partnership important in furthering BCB’s mission to “promote future-friendly growth of the industry.”

“We are excited to play a part in Huobi’s global project.”


Written by bizbuildermike · Categorized: Crowdfunding · Tagged: Asia, bcb group, bitstamp, Blockchain & Digital Assets, business, ceo, ciara sun, coinbase, compliant, crypto, cryptocurrency, Currencies, custody, digital, digital asset, Europe, exchange, financial services, founder, Global, huobi, Kraken, LINE, Offerings, oliver von landsberg-sadie, partnership, payment, payments, uk, united-kingdom, us, vp

Dec 25 2020

Grayscale and BitGo Hold $16 Billion In Crypto Assets Under Custody

Bitcoin assets under custody (AUC) at BitGo and Grayscale have crossed $16 billion owing to increasing interest from institutional investors and the staggering price movement of the world’s largest cryptocurrency. The two now have a combined total of over $32 billion in AUC.

BitGo becomes the second company to hit $16 billion

Yesterday, California-based digital assets firm BitGo announced that it has reached the $16 billion mark for assets under custody. A day ago, another prominent crypto investment firm, Grayscale, announced that it now holds $16 billion in AUC. The rising number of crypto deposits at the two firms is a direct result of increasing institutional interest in the crypto market.

The trend was highlighted by MicroStrategy’s $425 million investment in Bitcoin in August and September. The US-based business intelligence firm now owns $1 billion in Bitcoin. Companies offering investment and custody services in cryptocurrencies are now quickly growing in demand.

An unusual rise in institutional interest

BitGo CEO Mike Belshe commented on the rising institutional interest in digital currencies and said, “We’re seeing unprecedented interest from institutional investors as a result of the pandemic’s economic impact, as well as Bitcoin’s extraordinary performance.”  BitGo provides custody services to users and also offers $100 million in investment insurance for the coins it holds.

Grayscale allows users to invest in Bitcoin via the Grayscale Bitcoin Trust. The Trust is traded on the stock market. Bybt.com, a website that tracks Grayscale's holdings, suggests that the firm has more than $16 billion in AUC. It holds about 550,000 Bitcoin in total worth upwards of $13.91 billion. This stack represents 70% of the total Bitcoin held by publicly traded companies.

BitGo, on the other hand, holds 115,000 Bitcoin worth more than $2.6 billion in custody. It also provides prime brokerage services to institutional investors.

The flagship cryptocurrency reached a new lifetime high of $24,000 earlier this month, breaking past the $20,000 record it hit during the December 2020 crypto-mania.

Written by bizbuildermike · Categorized: cryptocurrency · Tagged: Assets Under Custody, bitcoin, BitGo, business, ceo, company, crypto, crypto-assets, cryptocurrencies, cryptocurrency, Currencies, custody, data, digital, digital assets, Digital Currencies, Grayscale, institutional investors, insurance, intelligence, investment, market, more, other, said, stock

Dec 23 2020

The SEC shows some mercy to broker-dealers handling security tokens

The U.S. Securities and Exchange Commission is listening.

At least, per a Dec. 23 announcement, the SEC is responding to long-term industry complaints that nobody knows who can handle security token trading. 

The SEC is both requesting comment on the issue and extending a hand to the crypto industry. Perhaps most notably, the commission’s announcement will keep broker-dealers safe from enforcement for the next five years:

“In particular, the Commission’s position, which will expire after a period of five years from the publication date of this statement, is that a broker-dealer operating under the circumstances set forth in Section IV will not be subject to a Commission enforcement action.”

The “circumstances” specified basically boil down to keeping security tokens the primary focus of the operation and doing due diligence in terms of cybersecurity and disclosures to clients, including making sure every potential customer is aware that the broker-dealer in question is handling digital asset securities.

Alongside the announcement, the SEC is asking for comments on a number of issues related to proper requirements for security token trading. One of the questions suggests that the commission is looking to let investors use non-security tokens like Bitcoin and Ether to pay for security tokens: “Should this position be expanded to include the use of non-security digital assets as a means of payment for digital asset securities?”

Just weeks ago, a number of congresspeople signed a letter to the SEC asking the commission for clarity on this very issue. Despite long-term hopes that security tokens can upgrade the traditional equities markets, the industry has been plagued with siloed trading and low volumes.


Written by bizbuildermike · Categorized: cryptocurrency · Tagged: bitcoin, Christmas, complaints, crypto, custody, cybersecurity, digital, digital asset, digital assets, diligence, enforcement, ether, exchange, markets, payment, SEC, securities, Securities and Exchange Commission, security, security token, security tokens, STO, token, tokens, trading, u.s.
