Cryptocurrency Security

Updated: Sep 1, 2018

This article is originally published at BitIRA and it has been posted here with their permission.

Link to original post: https://www.bitira.com/cryptocurrency-security/


When bitcoin, the first cryptocurrency, was launched, its developers and earliest adopters were filled with optimism about blockchain technology as a way to counter the powerful distrust that they held for banks and middlemen. Designed with sophisticated encryption, irreversible transactions and a decentralized structure, cryptocurrency technology was supposed to be unhackable.

Unfortunately, the system upon which it is built has proven to be vulnerable to resourceful criminals and human error.

The security gaps that have become apparent over time have made cryptocurrency owners ask:

This guide is designed to provide current and prospective cryptocurrency owners with answers to these questions and other information that reduces security risk.

Table of Contents:

Keeping Your Cryptocurrency Safe

From the beginning, when the software underlying the Bitcoin protocol was launched in 2009, cryptocurrency ownership has provided investors with an exciting experience. Much of that excitement came from factors such as extreme potential for gain (or loss) in coin value or the possibility of government regulation. These factors were and are beyond investor control.

The risk of security breaches is another matter. Investors have significant control over the risk of losing their coins in a security breach. There are no guarantees, of course. But every cryptocurrency investor can dramatically reduce the risk of security-related losses by using a combination of vigilance, knowledge and discipline.

As Cryptocurrency Values Rise, So Does the Need for Security

Someone once asked Willie Sutton, a famous American bank robber, why he robbed banks. He supposedly replied, “That’s where the money is!”

In much the same spirit, the frequency and value of security breaches against cryptocurrency owners and service providers are going up. Why? Because the number of users and the value of digital coin are increasing, too.

Consider these 2017 cryptocurrency statistics gathered by The Telegraph newspaper in the UK:

  • As the price of bitcoin rose from less than $1,000 to nearly $20,000 during 2017, crimes linked to it more than tripled from 320 to 999 in one year.

  • 1 in 10: That’s the chance that an owner of cryptocurrency would be affected by a scam.

  • $225 million, the total investor losses to phishing scams.

  • 30,000 owners scammed by Ethereum-related cybercrime alone. Losses averaged $7,500 per owner.

  • $390 million of wealth lost to cybercriminals.

Keeping coins safe is an essential part of investment success. This guide is designed to help current or prospective cryptocurrency investors detect, avoid and (sometimes) recover from security vulnerabilities.

How Cryptocurrency Holders Lose Their Investment

While cryptocurrency promoters accentuate only the positive aspects of owning coin, this guide has a different purpose. We’ve assembled a comprehensive list of security problems, which could occur when you invest in cryptocurrencies. No, we’re not being cruel. In future sections, we’ll also mention how you can detect or avoid cryptocurrency-related loss and crime.

Here are the scenarios of the dark side of cryptocurrency investing—the different ways that individuals and service providers fall victim to security vulnerabilities:

Investors can lose their coin by:

  • Forgetting or losing coded access information.

  • Lacking the security awareness or resources that help keep their investment safe.

Criminals, increasingly specialized and sophisticated ones, are the more likely culprits. They:   

  • Get access to cryptocoin validation codes and don’t give them back until the coin owner pays a fee.

  • Divert computer resources of cryptocurrency owners (often without their knowledge) and use them in money-making schemes.

  • Trick owners into thinking that criminals are legitimate service providers, cryptocurrency startups or other owners of coin.

  • Break into digital storage spaces and divert cryptocurrency to their own storage accounts.

  • Fool cryptocurrency owners into behavior that helps the crooks get information about coin accounts, access to it or coin itself.

  • Engage investors of cryptocurrency startups in Ponzi schemes.

  • Infect otherwise benign websites or ads with malware, which gets access to cryptocurrency keys.

These scams and misfortunes are variations on the themes of theft, deception and malicious software. You’ll find descriptions of each problem and ways to detect or prevent it in Section 3, “Facing the Challenges of Cryptocurrency Security.”

Cryptocurrency Concepts You Should Know

Before diving in to the how-to details of Section 3, “Facing the Challenges of Cryptocurrency Security,” you might want to review some basic ideas that cryptocurrency security is based on. In each case, we’ll provide the basic idea, how it relates to security methods and refer you to other sources if you want more details.

“Sources and Resources,” Section 4 of this guide, will point you to this additional information.

Cryptocurrencies and the Blockchain

We’re assuming that you are familiar with these essential concepts. But, if you need to refresh your memory, you can find excellent materials here.

Cryptocurrency Encryption and Storage

In cryptocurrency markets, protecting and storing coins are vital elements of the currencies’ success. Complex codes provide the protection, and digital exchanges and wallets provide storage between currency transactions.


Encryption

Encryption “hides” data by converting data only a computer can read to encrypted data that humans can read. The coded version can be useful only if users have another code, which transforms the data back into a format that humans can read. These codes are called keys.

Asymmetric cryptography

In two-key encryption (also known as public key encryption), security is based on two pieces of information, a public-private key pair.

The first or public key provides the location of cryptocurrency stored on the internet. The second or private key decrypts the content of stored cryptocurrency. This data, which is stored on the blockchain, validates the location, ownership and amount of currency at that location.

Private key data is the object of cybercriminals’ desire. Many of the tactics we describe in Section 3 involve breaking through security measures to possess private keys. That’s because cryptocurrency has no physical form, such as dollars or euros do.

The key to understanding cryptocurrency security is this: Whoever has this private key validation information owns the currency.

Wallets

No matter which type of cryptocurrency you invest in, you’ll need to store the all-important private key information somewhere.

The “something” you store it in is a digital wallet, a must-have part of cryptocurrency investment. That “somewhere” can be online storage in a wallet or with a third-party storage service, called an exchange. Offline storage on paper or a hardware device are other (many say more prudent) alternatives.

Level of security risk. The longer that the device that stores your private key is connected to the internet, the higher the risk of losing your cryptocurrency investment.

  • Hot wallets are stored at online exchanges and accessed with apps or a Web browser. They are “hot” because they are connected to the internet, which makes them more vulnerable to security breaches and malware attacks.

  • Cold wallet is a method of storing coins offline (not connected to internet). This approach eliminates the opportunity for hackers to use an internet connection to break into a digital wallet and steal private key information.

  • Hardware wallets are small cold wallet devices that often look like USB drives. They are physical storage devices you can use for cryptocurrency transactions. Each hardware wallet comes paired with a private key, which gives you access to the transaction validation data. Without access to the blockchain and its information, your coins are inaccessible.

  • Paper wallets.  This term describes the practice of writing private key information onto paper and storing it in a safe place offline.

Ideally, you would use two digital wallets, each for a different purpose. Use a hot wallet briefly to perform coin trades and transactions. Use the cold wallet (also known as cold storage) approach when you want to store your savings long-term.

Also, it’s a security best practice to back up both wallets’ private keys and store them offline in a safe place.

Cryptomining

When the first cryptocurrency system was set up and launched in 2009, it included a potential for up to 21 million bitcoins. Since then, only 17 million BTC are in use.

Cryptomining is the way that new cryptocurrency coins (also known as tokens) are released into circulation. The cryptomining process includes gathering and verifying recent transactions of bitcoin or other forms of cryptocurrency into blocks and adding them to the blockchain digital ledger.

The process requires miners to solve an extremely complex  puzzle—whoever solves the puzzle first gets the coin. Staying competitive with other crypto miners, however, requires a computer with specialized hardware, lots of computer processing power and energy resources.

The opportunity for cryptomining fraud lies in:

  • Hackers stealing coin directly from legitimate cryptomining companies.

  • Tricking current or potential cryptominers to buying nonexistent computer hardware (phishing attacks).

  • Cloud mining companies renting their equipment to cryptocurrency miners at prices higher than what they will actually earn. They provide “profits” by taking the coin’s value from new investors (equipment renters). This is a classic Ponzi scheme.

Cryptocrime Tactics

If you keep track of cryptocurrency technology and business news, you know there’s a long list of crimes, spoofs and shady dealings that relate to cryptocurrency. Here’s a list of terms to help you stay informed. How many do you recognize?

  • Social engineering. This is a general term that describes a criminal entity fooling a target into doing something to the criminal’s advantage. Because social engineering is a means to an end, it is the prelude to other tactics such as ransomware or cryptojacking.

  • Phishing. This tactic occurs when a criminal presents a target with a false pretext that can be a person, company, government agency or organization. In cryptocurrency investments, phishing attacks can progress to ransomware or various types of digital wallet break-ins that involve stealing credentials or private keys.

  • Cryptojacking. This tactic involves diverting a target’s resources, without their permission. In cryptocurrency environments, cryptojacking usually involves diverting the computer CPU resources of coin holders to mine cryptocurrencies.

  • Breaking into online wallets and exchanges. This tactic involves using different means (false identities in phishing attacks for example), to get private key information.

  • Malvertising. The name tells the story. In this tactic, malicious ads are used to spread malware through criminally controlled online advertisements. The goal: to compromise web browsers and their plug-ins.                                                    

  • ICO exit scams. Establish a new cryptocurrency. Publicize it and persuade investors to buy some. Reward folks who refer new investors with cash and tokens. Then, disappear. That’s the recipe of a standard initial coin offering (ICO) scam. If it sounds like a Ponzi scheme, you’re right.  

  • Poisoned website. This term describes a website that delivers malware as an ad on a website.

  • Phone porting. This tactic is a wild mix of phishing, hacking and outright breaking and entering into wallets. Hackers snoop around social media, looking for cryptocurrency-related conversations, in which investors post their phone and email information. Then, posing as the victim, scammers call up the target’s phone provider. The goal: to fool the customer service representative into transferring the phone number to a device that the hacker controls.

  • When the hackers take over the phone number, they can go into the victim’s cryptocurrency exchange account. They compromise the password and use the phone number for second-factor authentication. After that, it’s a matter of diverting investor funds to their wallets.

  • Spear phishing. This is a focused phishing scam targeted at a specific person or organization. The phishing attack can precede data theft, or cybercriminals might use it to install malware on a target’s computer.

Securing Your Coin at Home and When You Trade

Some analysts consider offline (cold storage) wallets the only safe way to invest in cryptocurrency. If you’re talking about holding coin for the long term, offline storage is the safe way to go. But sooner or later, your coin must emerge from hibernation and be transferred to another wallet or an exchange.

Here are general tips that will help you keep your coin safe, wherever it might be.

Isolate Your Investment

There are ways to keep your coins safe, when you store them at home or transfer them during a transaction.

When security measures refer to using a dedicated computer—one that only transfers cryptocurrency into and out of a digital wallet—the computer is protected by an air gap. This security measure refers to computers or networks that are not connected directly to the internet or to any other computers that are connected to the internet.

Securing your coin this way is a simple process. You connect the (ideally new and unused) computer to the internet, complete the cryptocurrency transaction, disconnect the computer from the web immediately and use it for nothing else—ever.

Protect Yourself When You Trade Cryptocurrency

In addition to the isolation methods described above, use these tactics when you move coin into or out of your digital wallet:

  • Secure your operating system. Install it on a new computer or scrub your hard drive and reinstall your OS on a machine you already own.