As a recent victim of the MyAlgo hack who lost funds due to an unauthorized transaction, I suggest some additional security be added to Pera wallet.
My understanding of the mechanics of all this is limited, so just bear with me as I suggest a possible solution to a technical problem without knowing the level of implementation difficulty. Many applications require a second form of authentication beyond “something you know” - the nature of 2FA is to require “something you know” as well as “something you have” - for example, a physical RSA token, or a physical ledger device that must be used to secure each and every transaction, whether that is a login attempt, an account recovery, or whatever.
The simplest form of this is to require a rotating code be sent to a specific device or endpoint - either an SMS text to a mobile phone, or an email with a key sent to a linked email account. I prefer using SMS to a mobile device, because an email address is I think at least theoretically just as easy to compromise as the recovery passphrase of a wallet, but let’s ignore that for now.
What would it take to add a feature to Pera that would require a rotating key challenge for every transaction - login, account recovery, account creation, and sending (but maybe not receiving). If an account is created in Pera, then it seems that the application should be able to enable a 2FA feature that would send a rotating key to an SMS or email endpoint, and require that key to match to proceed with any transaction. This is an optional feature on many financial or otherwise secured applications. Particularly for a cryptocurrency environment, where there is no “FDIC” or fraud protection at all, as you would get with a bank account or a credit card, surely there must be an optional additional layer of security that requires something you have to allow any given transaction to proceed.
If this would require a smart contract to be enabled for every single transaction with 2FA so enabled, or if it could be implemented purely as a feature within the Pera wallet itself, I’m not sure - but one way or another, this needs to be thought through and implemented as a response to the MyAlgo hack.
If 2FA were required, then these unauthorized transactions could have been initiated, but they would not have proceeded, unless the threat actors were also able to somehow obtain access to the linked 2FA email account or SMS text number. I’m sure that could be done one way or another, but it would be at least twice as difficult, and potentially orders of magnitude more difficult to do at the scale we have witnessed. A handful of unprotected accounts would still have been affected, but it is unlikely that ANY 2FA protected account would have been affected, because the attack vector exposed (obviously) the unsecured recovery passphrase of accounts that had been linked to an irresponsible third party - but that would not have exposed the 2FA email address required to authenticate a transaction, or if it had, it almost certainly would not have exposed the password to that account, which is required to access the rotating pin.
A sophisticated implementation would allow email or text/SMS auth, or an authenticator app such as Google or Microsoft Authenticator, which could then be enabled to require either the rotating key value, or biometric validation (face ID, etc), in order for transactions of any kind to proceed.
Please criticize this suggestion freely with technical “gotchas”, but then consider at a higher level that something like this needs to be implemented regardless of the technical difficulty - again, even if it requires an additional smart contract or other paid service in order to facilitate the 2FA feature, it really is critical that Pera do something to address the blatant vunlerability of a simple “passphrase hack” in the future.
Just my 0.02.