Cryptoasset Security: Be Paranoid! Be very Paranoid!!

by Charles OkaforMbah

Cryptocurrency security covers both the attempts to obtain digital currencies by illegal means, for instance through phishing, scamming, a supply chain attack or hacking, and the measures and storage technologies used to prevent unauthorized cryptocurrency transactions.

Reports like that of Ian Balina, who lost over $2 million during a live-stream ICO review on his channel, or the ICO advisor who thought the app he was given to test was harmless, only for it to wipe all the coins in his MetaMask wallet, give you an idea of how far black-hat hackers will go to make you want to cry. There is even a hushed story of a big-time Bitcoin expert who lost a fortune in cryptoassets stored on an online platform.

Stories abound of online hacks that wipe cryptoassets out of wallets. Black-hat hackers are out there to hack you for fun, to challenge themselves, or to harm you by stealing your cryptoassets through any means possible. One of those means is social engineering: if they find it hard to gain access to your platform or wallet, and you hold an asset of value, you become a target, and you can be drawn into divulging useful information through ‘mere’ conversation. The SIM card or email you use for your bank or crypto account is a valuable attack vector for a hacker who wants to SIM-swap your number, which grants them access to the SMS OTP (One Time Pin) authentication on the platforms you use. I am sure you have heard stories of users of a particular network having their SIM swapped and used by someone else without their authorization. You also expose your assets by merely downloading an application to test-run for a startup or individual who wants you as an advisor, or who just wants you to test-run it; this can expose your system to a RAT (Remote Access Trojan) malware attack.

Hackers can employ the following social engineering attacks:

  1. The attack cycle: a four-step sequence of attacks typically referred to as the attack cycle: information gathering, establishing relationship and rapport, exploitation, and execution. This can go on and on until the attacker has gathered the information needed before striking. This is also known as a privilege escalation attack, making use of previously gained familiarity or a referral from within the target company, or exploiting information gained from previous interactions.
  2. Phishing: the “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information” (Hadnagy & Fincher 2). In a phishing attack, the attacker claims to be someone they are not in order to gain personal information from the target via email and URL.

You also need to beware of the Punycode attack, a phishing attack designed to fool you into thinking you are dealing with the genuine site. Punycode is a special encoding used to convert Unicode characters to ASCII, a smaller, restricted character set; it is used to encode internationalized domain names (IDN). The latest such attack targeted the Binance exchange.

(Notice the “n”?)

  3. Vishing: like phishing, but this time via phone calls. Nigerians are fast catching up to these antics: scammers who attempt this method are frustrated by people wasting their time, giving them wrong information and outrightly calling them out. My personal best method is to give them hope that I am following along and willing to comply, just to waste their time, and subsequently share the phone number with my contacts so they can call and waste their time as well.
  4. SMiShing: social-engineer.org defines SMiShing as “the act of using mobile phone text messages (SMS) to lure victims into immediate action such as downloading mobile malware, visiting a malicious website or calling a fraudulent phone number.” SMiShing messages are usually crafted to elicit an immediate action from the target, requiring them to hand over personally identifying information and account details. They often do so by using fear- or greed-based wording such as “impending account suspension,” “fraudulent account activity detected,” or by offering some type of award or discount.

POSSIBLE WAYS OF PROTECTING YOUR CRYPTO-ASSETS

  • Shamir’s Secret Sharing: this method only works if there is exactly one copy of your private key, and it is mostly used when an asset is meant to be stored for a long time. It is a key distribution scheme that splits your private key into parts and stores them in different locations, with a trust, or with people you trust not to collude and steal your cryptoasset. You can also specify how many parts need to be available for the key to be reconstructed; for example, split the key into 3 parts and require any 2 of them for the key to be usable.

Kindly do your own research, but I find this site (https://cryptostorage.com/) and this open-source software (https://github.com/oed/seedsplit) useful for the purpose.

  • Multi-sig wallet: a multi-signature wallet, also known as multi-sig, is a wallet that needs two or more private keys to approve a transaction before it is sent, so no single person can send money or cryptoassets from the account. It is like a company cheque that needs the signatures of 3 people before the amount on it can be withdrawn. Depending on the blockchain your cryptoasset runs on, you can find the multisig wallet that is right for your use. Don’t forget to do your own research.
  • Cold wallet storage: simply lock it away offline. The only way your cryptoasset can be stolen from you at this point is at gunpoint or as a ransom condition. A cold wallet is a dongle (like a flash drive) which you plug into your system and transfer your cryptoasset into. This is like going to the bank as Dangote did, withdrawing your $10 million, putting it in your car, driving home and storing it in an underground bunker. You come online with it only when you want to spend a cryptoasset stored in it, and yes, you can store different cryptoassets in it. Industry-known cold wallets are Ledger (https://www.ledger.com/) and Trezor (https://trezor.io/).
  • 2-Factor Authentication: if you still feel strongly about keeping your cryptoasset available for easy transactions, or you are into crypto-trading and you ‘trust’ the exchange where your assets are kept, make sure you use 2FA. This adds another security layer to your account that is required when a withdrawal is initiated. It still depends on your SIM not being swapped and your phone not being stolen. Always remember: “Not your private key, not your Bitcoin/cryptoasset”.
  • Dedicated email account: having a dedicated email address for all your crypto dealings is highly advised; separation of concerns. This prevents unwanted access to your account. Downloading documents can expose your system to a hack, so avoid that at all costs.
  • Be mindful of your discussions: if you are like me, someone who likes talking even though I look very quiet, then you need to be mindful of the information you give out, especially to an acquaintance or in a networking circle. Alcohol can make a tongue that is trying to stay quiet run like tap water, so beware of it, especially when it is FREE.
  • Install a Punycode detector in your browser: this helps keep you from landing on fake domains and phishing websites, as happened with Binance. Once installed, it automatically detects when you visit a phishing website with such a fake domain. Extensions like Punycode and MetaCert are industry-known solutions; search the Chrome extension store and install one.
  • Install antivirus: this is pretty straightforward. Get an antivirus installed to help with malware detection.
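As an added illustration of what the Punycode detector above does (example code, not the Punycode or MetaCert extensions), the check below decodes “xn--” labels back to Unicode and flags a host that collapses onto a trusted domain once diacritics, such as the dotted “n” in the Binance look-alike, are stripped. The trusted-domain list, the two-label registrable-domain rule and the sample URLs are assumptions of this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains the reader actually uses (assumed list); the exchange named in the article is the obvious entry.
TRUSTED = {"binance.com"}


def decode_host(host: str) -> str:
    """Turn every 'xn--' (Punycode) label of a hostname back into Unicode."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Strip diacritics: NFKD-decompose and drop combining marks, so 'ṇ' collapses to 'n'.
    Cyrillic or Greek look-alikes (e.g. 'а' for 'a') need a confusables table; not handled here."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list; an assumption)."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> str:
    """'ok' for a plain ASCII host, 'homograph' when the decoded host merely looks like a
    trusted domain after diacritics are stripped, 'idn' for any other non-ASCII host."""
    shown = decode_host(urlsplit(url).hostname or "")
    if shown.isascii():
        return "ok"
    if skeleton(registrable(shown)) in TRUSTED:
        return "homograph"
    return "idn"


def demo():
    """Constructed sample URLs: the real exchange, the look-alike with U+1E47 (Latin n with
    dot below) as the user sees it, and the same look-alike as the browser sends it on the wire."""
    wire = "xn--" + "biṇance".encode("punycode").decode("ascii")
    samples = ["https://www.binance.com/en/trade",
               "https://www.biṇance.com/login",
               f"https://www.{wire}.com/login"]
    return {u: check_url(u) for u in samples}
```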

The list above is not exhaustive, nor does it cover every scenario employed by nefarious individuals to steal other people’s sweat, but apply caution in your dealings online and offline. Being security conscious should be taken very seriously; in fact, be paranoid about your cryptoassets, be very paranoid. You should also make plans to attend #CyberChain2019, a cybersecurity and blockchain event. Details are at https://cyberchain.vaultbridge.org/

Charles OkaforMbah

Charles OkaforMbah is a techpreneur with a strong interest in blockchain solution architecture, token economy and cryptocurrencies, smart contract development (Ethereum and private/permissioned DLTs), and mobile and web technologies, with over 12 years of technical and startup experience in ERPs, SaaS and business growth solutions. He is core team lead and technical project manager at SuperDAO, a decentralized organization creating tokenized games on blockchain and the developers of www.KittieFight.io. He is also co-founder of Vesseltrust.com, a blockchain-inspired secure B2B commodity trading platform focusing on the oil and gas industry. He is passionate about seeing ideas that have an established ‘proof of concept’ and value proposition come to life: a goal-driven individual with a passion for productivity and human development, fun-loving and entrepreneurship-driven. He is a member of SiBAN.
