How to protect yourself against cryptocurrency theft
When times are stressful, you may react more than think. You may, in a moment of exhaustion, be tempted to react and click on a link which can deliver a nightmare to your computer. A virus, some ransomware or malware.
Cyber risk hasn’t disappeared with the economy largely shut down across the world. In certain areas, it has accelerated. Cybercriminals have adjusted their tactics and focus. After all, when their criminal activities are more lucrative than drugs and human trafficking, you should expect them to get creative as conditions change.
As a cryptocurrency holder, trader or investor, you are your own bank and a target for cyber thieves. And these criminals are working overtime trying to figure out how to get their mitts on your cryptocurrency.
And that means it’s time to review some simple practices to keep your digital life and assets safer.
Why is cybersecurity important?
You lock your car and park it where it will be safe. You wait for the garage door to go down in your building to prevent unwanted intruders. You lock up your bike. You lock your home. Or, if you live in a building, access to the building is restricted. And on top of that, access to your floor is probably restricted to residents of that floor…and you also have a lock on your door.
But your identity details? Well, you might be sharing many of those with unknown criminals on the internet through social media posts and comments. Savvy criminals can use these to build a profile in 30 minutes, do a SIM swap, take over your phone account and then everything you have, all with the help of their “new” phone’s handy access to your SMS-based two-factor authentication codes.
Because cybersecurity is virtual, it’s often taken for granted. The problem is that virtual crime can have a dramatic negative impact on your life and your crypto holdings if you don’t protect yourself. Now is the time to review security issues, reiterate best practices and get a sense of what’s going on.
The Bitvo team got in touch with two cybersecurity experts to help get the lowdown.
A clean computer is a cybersecurity best practice
While it is laudable that so many businesses were able to go remote so quickly, the cybersecurity that should also accompany them may not be ideal. With everyone at home, many people are operating in an environment that does not have the same level of security as they do at work. This means that they may not be aware of the added risks they face from scam artists, phishers and hackers.
Dominic reminds us that one gateway to that risk is your computer. “Keep your work computer clean and just for work,” says Dominic. “It’s a bad idea to do your work on your teenager’s computer where they’ve been downloading all kinds of games, unknown apps, programs…and potentially some malware and viruses. A secure, dedicated, work only computer at home is a key thing some people overlook.”
Our current move to remote work outside of the digitally secure office is similar to the difference between banking and personal crypto holdings. Banks have strict, regulated security, protections and insurance for your traditional assets. But with crypto assets, you are your own bank carrying all of the responsibilities yourself. So a clean dedicated computer is a key component to securing your crypto assets.
Social engineering by cybercriminals is going viral
Dominic also talked about the power of social engineering during COVID-19/Coronavirus. Hackers, phishers and scammers use people’s fear and heightened stress to exploit their propensity to react rather than stop and think.
“Social engineering is big right now. People are downloading apps and clicking links about COVID that unleash malware programs onto their computers. And the messages for these attacks are frequently changing right now. Daily even, making them look legitimate and often very hard to spot as scams.”
Dominic recommended that any time you get strange emails (or texts), anything out of the ordinary, you stop and breathe. “It sounds a bit corny, but stopping, breathing and taking a second before you click that link or open that email is effective, especially when stressed or tired. Sometimes something just doesn’t seem right. Taking that extra few seconds and that breath can save you a lot of time and trouble.”
He reminded us that this is also a good time to make sure your passwords aren’t reused across accounts by taking full advantage of a proven password manager. A VPN would also be a good measure, in addition to a reliable antivirus program and a two-factor hardware key like a YubiKey.
A hardware wallet and a paper wallet
For cryptocurrency traders, enthusiasts and holders, additional measures may be required. We talked to Farshad Abasi, Founder and Chief Security Officer at Forward Security Inc., about other security measures crypto-enthusiasts should keep in mind.
Farshad recommended hardware wallets as an effective security option for crypto storage, provided the keys are also backed up on a piece of paper and kept somewhere safe. Combining a hardware wallet with a paper backup can save you a world of hurt if your hardware wallet gets lost or fails, or you forget the password or keys.
Cryptocurrency holders shouldn’t do “funny stuff” with their phone
He also emphasized security related to your phone in particular, since a lot of trading these days is done through the mobile device and apps. And some phones, like those produced by Samsung, also act as a hardware wallet, making phone security practices even more important.
Like Dominic, Farshad emphasized keeping your access point, in this case, the phone, clean.
“Now, if you’re keeping it (your crypto keys) on your phone, there’s a lot of responsibility that falls on you, so you better think carefully before modifying your phone in any way,” says Farshad. “Because if you go and root your phone or jailbreak your phone or do funny things on your phone, that’s when attackers can come in and look in your phone. If you root or jailbreak your phone, you will be susceptible to all kinds of malware. If they get in there it’s game over, they can take everything, including potentially your private keys.”
Like the clean computer for your work, applying a similar methodology to your phone is helpful too. Be careful of the apps you download to your phone. Are they really safe and secure?
Maybe you’re about to download some fleeceware. If you have any reservations, stop and consider if you really need that download, app or extension. There are still known cases where extensions and sometimes legitimate apps are vulnerable to intrusion; just ask Bezos.
“If you have a ton of cryptocurrency, don’t put it on your phone, because ultimately, the phone is an openish system,” Farshad warns.
The security procedures of your crypto exchange matter
Some traders will keep some of their holdings on crypto exchanges to allow for faster, easier access to volatile trading opportunities. When you keep crypto on an exchange, it’s the equivalent of using a bank.
There are various ways to assess risk associated with a crypto exchange, and there are some specific security items you can look out for.
Farshad points out that there’s going to be a private key assigned to protect the assets of that exchange. As we’ve seen with Quadriga, it’s essential to understand how that private key is being protected and who has access to it.
He points out that in legacy banking, regulation requires the use of a hardware cryptography module that complies with Federal Information Processing Standard (FIPS) 140-2. That means a tamper-proof box where the private key is stored, and no unauthorized people can access it. It’s the equivalent of a vault of vaults in a physical bank.
In the virtual world, the equivalents are hardware security modules.
Farshad advises finding out whether the exchange uses HSMs (hardware security modules) to protect keys and secrets. You should also get an idea of whether they do application security assessments, design reviews and penetration testing, and whether these reviews are conducted annually.
You should also look for robust AML/KYC procedures at cryptocurrency exchanges, which can act as a deterrent to crypto criminals. According to Chainalysis.com, AML/KYC checks can reduce or prevent the use of stolen cryptocurrency by discouraging criminals from distributing it through the exchange.
Is that email legit? Maybe not.
On the subject of social engineering, Farshad echoes Dominic’s advice to take a moment before opening an email, clicking on any links or opening unusual attachments.
“I got an email from someone that I was working with a while back. It was a response to an existing chain of conversation. So I received this, and I’m like, OK, he’s replying to something from a month ago. And I see our messages back and forth below it. And there was an attachment, and it was an invoice because I’d actually done work with his company. But I had already paid the invoice.”
“So I double-clicked on it, and it popped up with: Hey, would you like to allow Excel to run macros? And I was like, I’m going to stop right here. There’s something fishy going on. So I paused, thought about it and decided to contact the person. Guess what, they said they never sent me that email.”
So take a breath or 30 seconds to think about your next actions before you open those files or emails or attachments. Then call the person or institution directly, but never use the number listed in the text or email. Go and find the number directly on the official site instead.
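The macro prompt Farshad describes is a usable signal on the defender's side: a modern Excel or Word attachment is a zip container, and the VBA macros live in a part named `vbaProject.bin`. The following is an added example (not code from the original post, Bitvo or Forward Security) that builds a few constructed, minimal OOXML-style containers in memory and triages them by whether they carry a macro part and whether the file extension matches. The `build_ooxml` helper and the `triage_attachment` verdict strings are assumptions made for this example; the files it constructs are not real spreadsheets.

```python
"""Triage e-mail attachments for embedded VBA macros (added example, constructed inputs)."""
import io
import zipfile

# Part names that carry VBA code inside an OOXML (docx/xlsx/pptx family) container.
MACRO_PART_NAMES = ("vbaproject.bin",)

# Extensions that should never carry macros; a macro part inside one of these is a disguise.
MACRO_FREE_EXTENSIONS = ("xlsx", "docx", "pptx")


def build_ooxml(entries):
    """Constructed helper: build a minimal OOXML-style zip in memory.

    This is NOT a real Office document; it only has the zip layout the check
    below inspects.  `entries` maps part names to str/bytes content.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_macro_parts(data):
    """Return the macro part names found in `data`, or None if it is not a zip at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [
                name for name in zf.namelist()
                if name.lower().rsplit("/", 1)[-1] in MACRO_PART_NAMES
            ]
    except zipfile.BadZipFile:
        return None


def triage_attachment(filename, data):
    """Classify an attachment as 'no-macros', 'macro-enabled', 'macro-disguised' or 'not-ooxml'.

    'not-ooxml' covers everything that is not a zip container, including the
    legacy binary .xls/.doc formats, which need an OLE2 parser (e.g. olefile)
    to inspect and should be treated as unknown rather than clean.
    """
    parts = find_macro_parts(data)
    if parts is None:
        return "not-ooxml"
    extension = filename.lower().rsplit(".", 1)[-1]
    if parts:
        # Macro code inside a file whose extension promises none is the stronger signal.
        return "macro-disguised" if extension in MACRO_FREE_EXTENSIONS else "macro-enabled"
    return "no-macros"


# Constructed samples standing in for received attachments.
CLEAN_WORKBOOK = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
})
MACRO_WORKBOOK = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": b"\x00",  # placeholder for compiled VBA, not real macro code
})
NOT_A_ZIP = b"%PDF-1.4 constructed placeholder"

if __name__ == "__main__":
    for name, data in [
        ("invoice.xlsx", CLEAN_WORKBOOK),
        ("invoice.xlsm", MACRO_WORKBOOK),
        ("invoice.xlsx", MACRO_WORKBOOK),
        ("invoice.pdf", NOT_A_ZIP),
    ]:
        print(f"{name}: {triage_attachment(name, data)}")
```

A mail gateway or a personal pre-open check can quarantine anything that is not `no-macros` for the phone call the article recommends. The check is deliberately cheap and name-based; it does not look inside the VBA, so it reports presence of macros, not malice.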
Credential stuffing with stolen passwords
If you’ve been sloppy about your passwords, because you have many and you don’t use a password manager (yet), you might get stuffed. Farshad goes on to describe credential stuffing.
“So criminals are basically buying a list of your passwords that got exposed in one place, hoping that you will be using the same password somewhere else. And most of the time, people have used the same passwords on different sites in the past. Then they’ll test the passwords they bought and be like, cool, I just hacked Farshad on whatever site because he was using the same password as he did on Adobe.”
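From the exchange's or service's side, the pattern Farshad describes leaves a recognisable trace in the authentication log: one source trying many different usernames in a short window, nearly all failing, with the occasional success where a reused password happened to match. The following is an added example (not code from the original post, Bitvo or Forward Security) that runs a simple sliding-window detector over constructed login-audit lines and lists the accounts that should be forced through a password reset. The log format, the thresholds and the function names are assumptions made for this example.

```python
"""Detect credential-stuffing patterns in constructed login-audit lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines, not from any real system.
# Format (assumed): <ISO-8601 UTC timestamp> <source IP> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2020-04-01T10:00:01Z 203.0.113.7 alice FAIL
2020-04-01T10:00:03Z 203.0.113.7 bob FAIL
2020-04-01T10:00:06Z 203.0.113.7 carol FAIL
2020-04-01T10:00:09Z 203.0.113.7 dave SUCCESS
2020-04-01T10:00:12Z 203.0.113.7 erin FAIL
2020-04-01T10:00:15Z 203.0.113.7 frank FAIL
2020-04-01T10:02:00Z 198.51.100.5 alice FAIL
2020-04-01T10:02:20Z 198.51.100.5 alice FAIL
2020-04-01T10:02:45Z 198.51.100.5 alice SUCCESS
2020-04-01T10:05:00Z 192.0.2.9 gina SUCCESS
"""


def parse_line(line):
    """Split one audit line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.25):
    """Return {ip: summary} for sources that tried many distinct accounts with mostly failures.

    A user fumbling their own password (one username, a few failures, then success)
    stays well under `min_users`; a stuffing run touches many accounts and succeeds
    only where a password was reused, so its success ratio is low.
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = parse_line(line)
        events[ip].append((ts, user, outcome))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        # Slide a window starting at each event and keep the widest-spread hit.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = sorted({u for _, u, o in in_window if o == "SUCCESS"})
            ratio = len(successes) / len(in_window)
            if len(users) >= min_users and ratio <= max_success_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "successes": successes,
                }
                if best is None or summary["distinct_users"] > best["distinct_users"]:
                    best = summary
        if best is not None:
            alerts[ip] = best
    return alerts


def accounts_to_reset(alerts):
    """Accounts that logged in successfully from a flagged source: their password is presumed leaked."""
    return sorted({u for summary in alerts.values() for u in summary["successes"]})


if __name__ == "__main__":
    found = detect_stuffing(SAMPLE_LOG)
    for ip, summary in found.items():
        print(f"{ip}: {summary['distinct_users']} accounts in {summary['attempts']} attempts, "
              f"successes={summary['successes']}")
    print("force password reset + re-enrol 2FA for:", accounts_to_reset(found))
```

In the constructed data `203.0.113.7` is flagged (six accounts, one success) while `198.51.100.5`, a single user retrying their own password, is not. The successful login for `dave` is the account whose reused password is now confirmed, which is why a reset of that one account matters more than blocking the IP. The detector is a starting point only; real stuffing runs rotate source addresses, so production detections also key on user agent, ASN and velocity across the whole login endpoint.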
Protect your digital assets with better two-factor authentication
Two-factor authentication is an important element of digital security. As Farshad pointed out, the SMS version isn’t ideal, but it’s better than nothing. Both Dominic and Farshad recommend some form of two-factor authentication, with a kind of hard key solution from a trusted source being best.
Because if someone gets control of your phone somehow, it’s a lot harder to take control of all your accounts when 2FA is hardware and not SMS.
As more and more of our life goes digital, the threats will continue to be there. A secure work environment provides a sense of security and means that digital security and hygiene isn’t always top of mind.
For the digital currency holder and trader, the responsibilities are even more significant. You are your own bank. There is no CDIC insurance coverage on your BTC or ETH like there is on your CAD at the bank. And since your access point is your desktop or your phone, you must be even more diligent to protect yourself and your digital assets from cybercriminals.
Bitvo is a secure, fast and easy to use, 24/7 cryptocurrency exchange providing the gateway for Canadians to buy, sell and trade BTC, ETH, XRP, QCAD and more.
Clients also get exclusive access to the Bitvo Cash Card and the Bitvo Same Day Guarantee.