
51% attacks. Merely mentioning them makes crypto traders a little fidgety, and with good reason. 

A successful 51% attack against a cryptocurrency would, at best, take a big chunk out of that cryptocurrency’s price. At worst, it could end use of the cryptocurrency altogether. 

When you look at it that way, a 51% attack sounds terrifying. Let’s look at how they happen, and how blockchain projects keep them safe.

51% Attacks, Explained in Simple Terms

Put simply, a 51% attack could occur when a malicious actor (or group of actors) commands more than half the mining or hashing power on a blockchain.

As you can see in the chart below, many different mining pools are at work on the Bitcoin blockchain. If one of those pools reached a 51% majority, they could, hypothetically, initiate a 51% attack.

The proportional makeup of bitcoin miners of the network. Credit: CoinDance

But What Does a 51% Attack Do?

A 51% attack, also known as a “double-spend attack”, allows the attacker to rewrite history on a blockchain. 

In practical terms, it means the attacker can spend that particular cryptocurrency twice. 

As an attacker, I would buy something with bitcoin, then initiate a 51% attack to create a new version of the blockchain – one that doesn’t include my transaction.

Sounds pretty scary when you put it like that. That said, it is rather difficult to actually pull off a 51% attack on an established network. Bitcoin, for example, has never been hit by a 51% attack. Most large cryptocurrencies are safe, software bugs notwithstanding. 

And, even if you can pull one off, you only become a time traveler. You do not have the ability to break the rules of the network, steal cryptocurrency from others, or create new currency out of thin air.

To understand more, let’s go over how we might perform a 51% attack (hypothetically, of course).

A 51% Attack Requires a New Blockchain “Fork”

To initiate a 51% attack, we need to “fork” the blockchain, which means splitting it in two. Then we need to convince the network that our malicious forked blockchain is the real one.


But there’s a problem:

Cryptocurrencies need to have a way of knowing which blockchain is the ‘real’ one. 

Working this out is very simple – the longest one wins. By going with the longest blockchain on the network, the network can always be sure that the current blockchain is what the majority of the mining power wants. 

The longest blockchain being the ‘real’ one has some other benefits too. 

For example, cryptocurrencies are often community driven. If the community does not like a particular update, miners won’t switch to the new software. If miners don’t switch to the new software, the old chain continues and remains the ‘real’ blockchain for the network.

Making Our Malicious Forked Chain the Dominant One

Essentially, to perform a 51% attack, we need to keep our fork secret. 

We can either keep our fork on a single computer or share it only among the nodes we control. Once we have our fork, we need to keep it up to date with the rest of the network.

Essentially we create a mirror image of the original blockchain.

51% attack fork
Credit: CoinMonks

You can think of our secret blockchain as a reset button. Once we have it, we can do something on the live blockchain and not copy it into our secret one. 

Then, we can mine a bit harder on our secret blockchain and have it be a little longer than the real one. That’s why we need 51% of the hashing power on the network.

Nodes in a cryptocurrency network always follow the longest chain, as it usually indicates what the network at large wants to do. Once we release our secret blockchain to the network, all the nodes grab it and see it as the real one, as it’s the longest. 

And once our blockchain is the real one, whatever we did before is undone.

How Double Spending Comes In

Often the thing undone in 51% attacks is a transaction. We can pay for something and then switch out the old blockchain with our secret one where the cryptocurrency is instead transferred to a different address. 

This is referred to as a double spend. The network will reject the original transaction, as it will occur after the new transaction from the perspective of the new blockchain.
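
From the receiving side, the same longest-chain race determines how many confirmations make a payment hard to reverse. The following is an added example (not from the original article) that uses the attacker catch-up model from the Bitcoin whitepaper; the function names and the 0.1% risk threshold are assumptions chosen for illustration.

```python
"""Added example: confirmation depth versus the chance a secret fork wins."""
from math import exp, lgamma, log


def catch_up_probability(q: float, z: int) -> float:
    """Chance that a miner with hash share q ever overtakes a chain z blocks ahead.

    Gambler's-ruin result from the Bitcoin whitepaper: (q/p)**z while q < p,
    and 1.0 once the attacker holds half of the hash power or more.
    """
    if not 0.0 < q < 1.0:
        raise ValueError("q must be a hash-power share between 0 and 1")
    p = 1.0 - q
    if q >= p:
        return 1.0
    return (q / p) ** z


def double_spend_success(q: float, confirmations: int) -> float:
    """Probability that a payment buried under `confirmations` blocks is reversed.

    While the honest network mines those blocks, the attacker's progress on the
    secret fork is modelled as Poisson with mean z*q/p (whitepaper model).
    """
    if not 0.0 < q < 1.0:
        raise ValueError("q must be a hash-power share between 0 and 1")
    p = 1.0 - q
    if q >= p or confirmations == 0:
        return 1.0  # majority attacker, or an unconfirmed payment
    z = confirmations
    lam = z * q / p
    total = 1.0
    for k in range(z + 1):
        # Poisson term computed in log space so large depths do not overflow.
        poisson = exp(k * log(lam) - lam - lgamma(k + 1))
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, max_risk: float = 0.001, limit: int = 1000):
    """Smallest depth that keeps reversal risk below max_risk.

    Returns None when no depth up to `limit` is enough, which is always the
    case for an attacker with 50% or more of the hash power.
    """
    if q >= 0.5:
        return None
    for z in range(1, limit + 1):
        if double_spend_success(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Constructed hash-power shares, for illustration only.
    for share in (0.10, 0.30, 0.45, 0.51):
        print(f"attacker share {share:.2f}: wait {confirmations_needed(share)} confirmations")
```

Below half of the hash power, each extra confirmation shrinks the reversal risk; at 51% no number of confirmations is enough, which is why the threshold in the article matters.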

What a 51% Attack Can and Can’t Do

As mentioned above, the attack does not give us the power to do whatever we want. 

We must still follow the rules on the network. If we don’t follow the rules, our new blockchain is rejected by the network, and the attack fails. The requirement to follow the rules makes for an interesting combination of what we can and can’t do during the attack.

What the Attacker Can Do

Cause double spends

This is one of the main reasons to perform a 51% attack. It allows us to spend currency twice, essentially stealing it back from the first address it is sent to. Note that this cannot occur without cooperation from whoever owns the currency in the double spend.

Collect block rewards and cause other miners to have invalid blocks

As the attackers, we are mining all the blocks on our malicious blockchain and therefore get to select where the rewards for mining those blocks go. Depending on the price of the cryptocurrency in question, this may provide a nice counterbalance to the inevitable price-collapse of the cryptocurrency when the attack is revealed. 

Other than some counterbalance, the block rewards are unlikely to completely negate the cost. For this reason, an attack is unlikely to take place solely for the reason of collecting block rewards.

Stop transactions for a time, or remove confirmations from being added to the blockchain

As we control all the blocks in our chain, we can choose what transactions go into those blocks, much in the same way regular miners can. We simply instruct our miners to not include a specific transaction in their blocks. 

The transactions that are kept out of blocks will remain in the transaction pool. After the attack, any miner can pick up the transaction and include it in a block. This means we can delay a transaction for as long as we are in control.

What the Attacker Can Not Do

Steal cryptocurrency from others

As attackers, we may control the blockchain itself during the attack, but we do not control wallets we don’t own. Having control over the blockchain does not magically give us the private keys required to spend currency we don’t own.

Create cryptocurrency out of nothing

As mentioned above, we must still follow the rules of the network. That means mining blocks and receiving rewards as normal. We can’t magically create non-existent transactions or create cryptocurrency out of nothing.

Completely stop a transaction from occurring

We can keep a given transaction out of the blocks on our chain. But this does not mean the transaction no longer exists; it simply means it remains in the transaction pool as an unconfirmed transaction. As soon as the attack stops, other miners may pick up the transaction and include it in their next block, assuming it’s not a double spend transaction at that point.


A huge upgrade to Monero, the 10th largest cryptocurrency network, just made transactions 97% cheaper while maintaining its privacy features. Monero, which is best-known for its anonymous transfers, now uses technology called “Bullet Proofs” to scale up. Armin Davis explains further.

Another six months have gone by, and as such, Monero has performed its bi-yearly network upgrade hard fork. Specifically, the hard fork took place on the 18th of October, at block height 1685555. 

Of the numerous changes made over this upgrade, a few stand out:

  • “Bullet Proofs” greatly reduce transaction size (and therefore transaction fees)
  • Monero’s upgrade further discourages specialist mining tools like ASICs.
  • To maintain privacy, the ring size for all transactions on the Monero network has been fixed to 11.
Monero infographic
Credit: Reddit u/cryptoKL

Explaining Monero’s New “Bullet Proofs”

Prior to this upgrade, Monero used a version of what is called a “range proof”, or “zero-knowledge proof”. 

A zero-knowledge proof means that something can be proven true without knowing the actual data. For example, I can prove that it is less than 0°C outside without knowing the actual temperature data. All that I need to do is place some water outside and see if it freezes.

For Monero, range proofs allow outside observers, like other Monero nodes, to confirm that a transaction took place using cryptocurrency that already existed, rather than currency created out of thin air or currency already spent elsewhere.

The Downside of the Previous Monero System

The downside of these range proofs is that they are large. Each transaction takes up somewhere around 13 kilobytes, which is significantly larger than Bitcoin’s ~300-byte transactions. 

With large transactions comes large fees, as the fee you pay is (mostly) based on the size of your transaction in the block. And, while not an issue for Monero, larger transactions can cause network congestion on blockchains with small, fixed size blocks.


Enter Bullet Proofs: A great improvement on the previous range proofs, reducing transaction size by as much as 80% while maintaining the same level of privacy and ensuring that no foul play occurs. 

As discussed above, the size of your transaction is what determines your fee (mostly). By reducing the transaction size, transaction fees are also greatly reduced (as much as 97%).

A Two-Stage Monero Upgrade

The upgrade to Bullet Proof based transactions will happen in two stages. Starting at height 1685555, the Monero network will be upgraded to v8. On v8, transactions using both the old range proof and the new Bullet Proof system will be accepted on the network. 

Shortly after, at height 1686275, a second hard fork will occur that upgrades Monero to v9. This will cause the Monero network to reject any non-Bullet-Proof based transactions and implements a number of patches to Bullet Proofs.

Crucial Monero Audit Halts Threat of 51% Attack

On the 22nd of October, an embargo was lifted on some major bugs found during an audit of the code around Bullet Proofs. 

Of the few bugs found, the most major involves a method to perform a 51% attack on the Monero network. Due to the magnitude of this bug, information around it was embargoed until a patch was live, as is standard practice for most major bugs. 

The flaw was discovered by OSTIF (The Open Source Technology Improvement Fund) during its audit of Monero’s Bullet Proofs.

A 51% attack involves gaining the lion’s share of mining power on a given blockchain. Once you have the most mining power, you can begin to rewrite history, and otherwise change the blockchain. This is because most blockchain nodes follow the longest chain. If you have the lion’s share of mining power, you control the longest chain.


There are various methods one can use to gain 51% mining power on a given network. In Monero’s case, a vulnerability was discovered that would allow malicious actors to crash other nodes remotely.

By crashing nodes other than yours, you can begin to chip away at the mining power that is not yours. Once you have removed enough rival mining power, you gain two things: most of the mining profits on the blockchain, and the ability to perform a 51% attack.

Monero Continues to Deter Mining Hardware (ASICs)

Monero developers purposely try to deter giant mining companies (like Bitmain) from monopolizing, and therefore centralizing, the network.

Earlier this year, specifically just before the previous hard fork, Monero’s network “difficulty” (a measure of how difficult it is to mine a block) began to rise uncharacteristically quickly.

It was discovered that the cause of this was that Bitmain had developed a working mining device (ASIC) for the CryptoNight algorithm – the backbone of Monero’s network. 

At the time, a small change to the algorithm was made as a hotfix to make the ASICs unusable on Monero. Said change was referred to as CryptoNight v7.


Fast forward to this month, and the Beryllium Bullet network upgrade, Monero’s algorithm has once again been changed. Now called CryptoNight v8, it is intended to make producing an ASIC for Monero even more difficult.

How Does CryptoNight Prevent ASIC Miners?

CryptoNight v8 continues the work done by v7, in that it further increases the amount of memory bandwidth used by the algorithm. Specifically, the increase is by a factor of four. 

Unfortunately, this comes with a slight performance hit to regular CPUs of around 5-20%. The Monero developers and community feel that the performance drop is worth the gained protection from ASICs, and the performance may be gained back through optimizations of mining software.

This change works on the basis that it is prohibitively expensive to add large amounts of high-speed memory to ASICs. A regular desktop CPU usually has somewhere between 4 and 64MB of cache, of which 2MB will be used per CryptoNight mining thread. 

So for an ASIC looking to run a large number of threads, a large amount of high-speed, cache-like memory will be required. Further still, v8 now requires a 64-byte wide memory access, which is easy for a desktop CPU as it should already have the required hardware.

Keeping Monero Private With Fixed Ring Size

Beryllium Bullet changes two things about how Monero users can structure their transactions.

Fixed Ring Size: First off, Monero users can no longer select the ring size of their transactions. Ring size is the number of decoy transactions added to every Monero transaction in order to hide which transfer is the real one in the transaction.

monero-ring-signature
Credit: BitcoinKeskus

This change, while controversial, is intended to help keep all users on the network private. Specifically, keeping transactions private while also keeping some transaction sizes down.

Ring Size Increased to 11: Secondly, the minimum (and now fixed) ring size has been set to 11. This is greater than the previous minimum of 5.

The rationale behind locking the ring size to 11 is that by making all transactions look exactly the same, it’s harder still to trace a given transaction across the network. You want to look the same as everyone else, rather than making a transaction with a massive ring size, which will stand out. While it is true that a larger ring size makes the transaction more private, it also makes the transaction as a whole a lot easier to spot.

Conclusion

Together, these upgrades combine to make Monero transactions 97% cheaper, while deterring mining centralization and maintaining its core privacy features. The upgrades make Monero truly bulletproof.


Five million bitcoins.

That’s how many have been lost or stolen since bitcoin was created. 

Unless you take the right precautions, cryptocurrency theft and hacking is still a very real threat. 

And then there’s the risk of losing your cryptocurrency by failing to back it up. (Just ask the man who threw away a hard-drive with $75 million of bitcoin on it).

Luckily, there’s plenty you can do to protect yourself. In this article, we’ll go over eight best-practices you should follow when using cryptocurrency.

Stay safe.

1. Don’t Tell People How Much Cryptocurrency You Own

Or better yet, don’t tell anyone that you own cryptocurrency at all. If pressed about this, a good answer is that you own “some” or any other non-answer.

The reasoning behind this is pretty simple. Telling people how much cryptocurrency you own is a great way to turn you into a target, even to people you trust. There’s a reason one of the first things lottery winners are always told is to contact a lawyer before telling those around them. 


Unfortunately, money makes some people greedy, and those people will stop at nothing to get what they want.

Unlike a bank account or other fiat cash storage, cryptocurrency is almost always stored close to you (on a computer or hard-drive in your home). It can be stolen relatively easily. And while your password may be strong, rubber-hose cryptanalysis or social engineering means that a strong password may not be enough when thieves are in close proximity to you.

2. Cold Wallets Are an Awesome Idea

Keeping all your currency in a hot wallet is asking for trouble. A hot wallet (one connected to the internet) is great for day-to-day transactions, but it is easier to steal from. A “cold wallet” means storing your crypto offline. Keeping most of your cryptocurrency safe in cold storage is just plain good practice.


Additionally, for an extra step of protection, you can use a hardware wallet. Hardware wallets are like an external hard-drive but designed specifically to store cryptocurrency. 

ledger nano cold storage bitcoin wallet plugged into a laptop
Pictured: a Ledger Nano hardware wallet

Most hardware wallets are tamper resistant, meaning they will erase themselves if someone tries to break into them, either physically or by attempting many passwords. This is much better than a laptop or other general-purpose device because if the laptop is stolen, any wallets on there can be attacked forever.

The most popular cold storage hardware wallets are Ledger and Trezor. 

3. Never Use Exchange Wallets for Longer Than You Need To

In other words, don’t keep your bitcoin on Coinbase, Bitpanda, Binance, or any other exchange.

This one doesn’t make sense on the surface. Why wouldn’t you want all your currency ready to trade at a moment’s notice?

First off, online wallets, in general, are dangerous. You are not the only person with access to your funds. In fact, you don’t even have total control over the wallet. Not having full control over your wallet is a pretty glaring security issue, and should be avoided if possible.

Secondly, cryptocurrency exchanges can fail incredibly quickly. There is no fallback for crypto exchanges other than the ones they make. If the exchange fails, you may never get your cryptocurrency back. Your money may have even been used without your knowledge in an attempt to prop up the failing exchange.

And lastly, due to their extremely large turnover, exchanges are a much bigger target for hackers and other malicious people than a single wallet.

4. Always Encrypt Your Wallets

Now that your crypto is safely in a private wallet, your next challenge is keeping your wallet secure should the files themselves be stolen by someone across the internet.

The first line of defense for the wallet is a strong password. As with most passwords, length trumps complexity, and the combination of both is best.

how to make strong passwords
Credit: 360 Total Security

That said, if you believe your wallet has been compromised, move all the cryptocurrency from the compromised addresses to new (hopefully secure) addresses. The fees you will pay to move them to the new address are worth the peace of mind. 

Some wallets have one-click options to do this, often referred to as “sweeping”.

5. Use Separate Addresses Where Possible

Staying private in the cryptocurrency world is, in general, a good idea. Bitcoin has a reputation for being anonymous, but that’s not actually true.

When you transact with someone, they can see your “public address.” It looks something like this:

1GsOmhLr0FbBpNco1NDar6sSV8tsHaKF6kd.

It doesn’t tell anyone your name, but if they search for this address (on a block explorer), they’ll see every transaction you’ve ever made using that address.

It means you’re effectively sharing your transaction history with someone else. You’re also showing that person who else you have transacted with and how much was transferred. That last one falls under the first rule we have, as sharing how much cryptocurrency you have makes you a target.

When transacting with non-private cryptocurrencies like bitcoin or litecoin, be sure to use separate addresses for each transaction.

An alternative is using a truly anonymous cryptocurrency like monero.

6. Double Check Everything

One easy way to lose currency is to send it to the wrong place or to use the wrong wallet. 

Cryptocurrency transactions are “immutable” – they can’t be reversed. So if you send money to the wrong wallet, it’s gone forever.

For this reason, you should always verify that you know what you’re doing, and everything is correct.

For addresses, this is pretty simple. Check that the first few and last few characters are the same as your intended target. If the first and last characters are correct the rest probably are. 

Though, there is some malware out there that will switch out addresses for lookalikes in your clipboard. For this reason, you may want to verify that the entire address is correct before sending large amounts. 

If you’re still worried, try sending a test transaction first.

7. Always Make Backups (Use the 3-2-1 Rule)

Keeping backups of everything is a good idea in general, but it’s an especially good idea when it comes to cryptocurrency.

For most use-cases, the 3-2-1 rule for backups should be followed: three copies, two different media, one off-site. 

321-Backup
Credit: ISG Tech

That could mean keeping your private keys on:

  1. Hardware wallet.
  2. CD or flash drive.
  3. Paper wallet.

That’s three versions stored on at least two different devices or media.

Next, you should keep one off-site. In other words, nowhere near the other two. 

A nice off-site location is a safety deposit box at a bank. Either hardware or paper wallets are good here, though paper wallets are (in this case) the safer bet. Note that this requires you to trust that the bank will not open your box for any reason.

For large amounts of cryptocurrency, you can even utilize a former military bunker in the Swiss Alps.

The two separate media means that if one is damaged in some way, the other is likely not. And one off-site means that in the event of a house fire or otherwise, you still have a backup.

Remember that you should always encrypt your backups. If you back up a wallet file and someone malicious gets a hold of it, your currency is theirs to steal.

8. Never Spend Money You Can’t Afford to Lose

Finally, cryptocurrencies are incredibly volatile. This means the price can swing up very high, and fall very low. 40% swings of value in a single day are not unheard of, especially for smaller coins.

Much like with regular investments, storing value in cryptocurrencies is a calculated risk, and there is always the chance that cryptocurrencies “go to zero”. And if you’ve put in every cent you have, you could end up in trouble.

Conclusion

The best-practices outlined here require a little extra work, but it’s well worth the effort. Keeping your crypto safe and secure is the most important thing you’ll do.


Founded in 2013, Gatecoin is a Hong Kong based cryptocurrency exchange that finds itself at #25 on BlockExplorer’s top 25 exchanges of 2017 list. Gatecoin offers a good number of trading pairs and an API for programmatic trading. Of the 90 trading pairs Gatecoin offers, there are both crypto/fiat and crypto/crypto offered, with the crypto/fiat pair’s fiat side being one of USD, EUR, or HKD.

Gatecoin has a respectable number of trading pairs and offers an API for programmatic trading. Which makes it a good choice for any traders located in Hong Kong, especially those looking to trade programmatically.

Gatecoin

URL: gatecoin.com
Launched: 2013
Trading pairs: 60
Deposit Fees: Yes
Withdrawal Fees: Yes
Trading fees: Yes
Verification: Yes (Three levels)
Margin Trading: No

Fees and Limits

Fee wise, Gatecoin charges fees based on the trader’s volume over the last 31 days. Unlike some other exchanges, the 31 day period is a rolling one, meaning that you do not have to wait an entire period if you have significantly changed the volume of your trades. Fee levels are broken into the standard maker/taker distribution, where the taker pays a higher percentage than the maker. On the low end, 50BTC/31d, makers pay a fee of 0.25% and takers pay a fee of 0.35%. And on the high end, 20,000+BTC/31d, makers pay 0.02% and takers pay 0.1%. A complete breakdown of the trading fees charged can be found on Gatecoin’s fee page.

For deposit and withdrawal, Gatecoin only seems to charge fees for fiat. The fees paid depend on the transfer method. For example, there is a 1EUR deposit and 5EUR withdrawal fee for SEPA based deposits and withdrawals. The full list of fees can be found on Gatecoin’s transfer costs page.

Limit wise, accounts are limited based on their verification level. For crypto, you can transfer an unlimited amount as soon as you have completed tier 1 verification. And for fiat, tier 1 accounts are limited to $50,000USD or equivalent, which is upped to $100,000USD or equivalent for tier 2. There is no indicated timeframe for these limits.

Registration

Gatecoin’s registration method is a multi-step process that requires a decent amount of personal information. Registration cannot be completed without providing said information.

The first step, an email and password, is entered on the normal registration form. Once you have completed the initial registration, you will be required to go through a further five steps on login, each of which requires some personal information from you. Step one requires your first and last name, your date of birth, and your current nationality. Step two requires contact details, specifically your address and phone number. Step three is simple and requires you to confirm an email address for your account. Step four is essentially verification for level 1, requiring a scanned copy of a photo ID and some proof of residence. Lastly, step five is a questionnaire asking for information regarding your source of funds.

Verification

Gatecoin has three verification tiers, where the first is no verification, the second is “verified”, and the third is “Certified”.

Tier 2 verification requires a photo ID no older than ten years, and a proof of residence no older than three months, and a filled out ‘source of funds questionnaire’. Tier 2 is completed as a part of the initial account registration process.

“Certified” verification requires the same documents from Tier 2 to be mailed in as certified hard copies. Once the certified copies of the documents have been received, a video conference based verification takes place. During the Skype call, you will need to show your ID to prove that you are who you say you are. Alternatively, Hong Kong residents can have their documents certified at Gatecoin’s office.

Interface

Gatecoin’s interface is a bright white with two-toned blues for highlights, there is no dark mode offered. The bright background makes the interface difficult to use at night or in dark settings. The trading interface itself is well balanced, with a decent amount of information provided. As for the layout of the trading interface, it is split into four sections. The upper left section holds an order submission form. And on its right is the currently selected trading pair’s order book. On the lower half, there is a trade history on the left and a chart on the right. Along the top of the page is the pair selection dropdown, as well as a small overview of the current ask, bid, volume, high, low, and last trade for the currently selected pair.

Security

Account security wise, Gatecoin offers 2FA by means of Google Authenticator. Gatecoin offers a very granular account security configuration tool that allows you to specify what account actions will be logged via email, require confirmation via email, and require confirmation via 2FA. Granular controls are a welcome sight and make securing your account very easy. Gatecoin also states that all user funds are stored in per-user accounts on their side.

Founded in 2016, ACX is an Australian cryptocurrency exchange that offers 8 trading pairs. Of the 8 pairs ACX offers, 5 are against AUD and 3 are against BTC. ACX supports a daily volume of 471 BTC/d, making it a medium size exchange. That daily volume, along with the fact that it offers a full API for trading programmatically makes ACX a good choice for any Australian traders looking for a local exchange. Traders from other countries are encouraged to consider other exchanges closer to them for latency and fee reasons.

ACX currently finds itself at #24 on BlockExplorer’s list of the top 25 cryptocurrency exchanges of 2017.

ACX

URL: ACX.io
Launched: 2016
Trading pairs: 8
Deposit Fees: No
Withdrawal Fees: No
Trading fees: Yes
Verification: Yes
Margin Trading: No

Fees and Limits

ACX charges a flat fee of 0.2% on all trades for both makers and takers and does not charge any deposit or withdrawal fees.

Limit wise, ACX has a withdrawal limit of $10,000 AUD per day for individual accounts and $30,000 AUD per day for corporate accounts. Both account types have a $100 AUD minimum deposit. For cryptocurrency withdrawals, anything over $50,000 AUD equivalent must occur during ACX business hours for security reasons.

Registration

Registering an account on ACX is a simple process, which starts with providing an email and password, and ends with confirming said email, setting up 2FA, and the verification process. Note that all three final steps are required in order to trade.

Verification

Verification on ACX follows ‘normal’ Know Your Customer rules, meaning that a photo ID with at least 6 months of validity remaining, proof of residence, and a bank statement are required. The bank statement must come from the bank you will be using to credit the account. For non-Australian traders, only a passport can be used to satisfy the ID requirement, while Australian traders may use their passport, driver’s licence, or proof of age card.

Interface

ACX’s interface has a jarring mix of light and dark elements, with the homepage switching between the styles in bars as you scroll down. The trading interface continues this trend but to a lesser extent. At the top of the page is a bright white bar with some account information and a place to select trading pairs. The rest of the trading interface has a dark theme with muted colours for highlights.

Otherwise, the layout of the trading interface is well thought out and takes advantage of the full width of your screen. Front and center is a pair of charts stacked on top of each other: a price chart and a market depth chart. On either side of the charts are a market history list and a current order book, with a personal order book below the pair-wide one. Trades can be input on the left of the page.

Security

ACX offers 2FA in a variety of ways, of which the recommended is Google Authenticator. Otherwise, ACX requires that all large crypto trades (over $50,000 AUD equivalent) occur during business hours.