Crypto assets are often associated with numerous advantages, including the transparency and security of transactions. However, these advantages don’t make cryptographic assets immune from theft. Cybercriminals can steal them in more ways than one.
According to a report by cybersecurity firm CipherTrace, cryptocurrency theft amounted to $1.7 billion in 2018. This figure is more than 400% higher than the amount of stolen crypto money in the previous year. The bulk of the amounts stolen is attributed to thefts from cryptocurrency exchanges and cryptocurrency infrastructure services — online wallets in particular.
On the other hand, cybersecurity company Carbon Black reported that while the most common targets of cryptocurrency theft are exchanges (27%), businesses are a close second (21%). It only makes sense for cryptocurrency-owning businesses to put security measures in place, as a growing number of businesses already accept bitcoin and other crypto assets as payment. These include Microsoft, Overstock, and Expedia. Even KFC-Canada, Virgin Galactic, and several branches of Subway already include cryptocurrency in their list of payment options.
The Nature of Crypto Asset Theft
How are cryptocurrencies and other cryptography-based assets stolen? Before going into the details of this topic, it’s important to know the basics of how the supposedly unbreakable encryption behind bitcoin and other cryptography-based assets is defeated. With all the long strings of characters used to identify a transaction and the similarly kilometric private keys needed to access wallets, how come cryptocurrencies are still compromised?
A good way to answer this question is by comparing cryptocurrency to a fortress with indestructible walls. Attacks may not be able to pierce through the walls, but the fortress has openings intentionally added for the entry and exit of the users. These points of entry/exit are what hackers exploit. Cryptography, at least before quantum computers become viable, is still virtually impenetrable. That’s why cybercriminals don’t attack the cryptography itself; they attack the specific accounts whose owners fail to take advantage of security measures.
One of the common ways to steal cryptocurrency is clipboard hijacking. This is done by introducing “clipper” malware to computers. These “clippers” copy and submit data stored in the clipboard, which may include the private keys for cryptocurrency wallets. Much of the malware used to steal crypto asset details is disguised as cryptocurrency trading add-ons, Slack bots, and supposedly mundane apps laced with malicious code.
Some attacks operate at the web level, using SQL injection to read details entered in online forms or web pages. These attacks target websites, so preventing them differs from defending computers against malicious software.
Another method is the use of website clones. These clones are designed to simulate the functions of an online cryptocurrency wallet service, for example, to steal data that can be used to access the wallet of a cryptocurrency owner.
Social engineering may also be employed by cybercriminals to trick people into revealing their wallet details or to transfer funds. These include phishing, baiting, pretexting, tailgating, and the use of ransomware. Cryptocurrency is the preferred ransom in ransomware attacks because of the confidentiality and irreversibility of transactions.
Again, in all of these methods, the key is not to defeat encryption and blockchain technology. It is more about exploiting system vulnerabilities and the tendency of most people to disregard prudence as they install apps or interact with messages that deceptively tell them to do things that imperil their digital assets.
Strategies for Securing Crypto Assets
The methods for securing crypto assets are based on the nature of attacks and strategies used by cybercriminals. Here’s a summary of what needs to be done to secure cryptocurrency and other similar assets.
Don’t rely on online wallets. As stated earlier, cryptocurrency exchanges and wallets are among the most popular targets of attacks. It’s only logical to avoid them and keep your assets in hardware storage. Hardware or cold wallets such as Nano S and Trezor are not connected to the internet, so they can’t become the subject of cyber-attacks.
It’s important, however, to never lose the PIN and seed associated with your hardware wallet. Otherwise, you will end up losing access to your own wallet and the value of the cryptocurrency you are keeping.
Use malware protection software. Since cyber attackers make use of malicious software to steal information that can be used to access crypto accounts, having an anti-malware system is a must. What’s great about most antiviruses or malware protection solutions at present is that they are not only good at detecting and preventing malicious software. They also perform other cybersecurity functions including the scrutiny and tagging of web links to prevent the inadvertent opening of potentially harmful web pages. Some also block the unwitting installation of apps deceptively introduced by online ads or bundled with other supposedly innocent applications.
Clippers and other malicious software used to obtain information that leads to the stealing of crypto assets can be prevented by using reputable and regularly updated malware defense systems. Even the unwitting installation of ransomware is prevented by having a malware protection system in place.
Be mindful of the online forms you use and implement multi-factor authentication. Phishing is a highly effective way of stealing information that can be used to steal real assets. As such, it’s important to always examine the online forms you use especially when processing purchases or making payments. Scrutinize the URLs to make sure that they are the addresses you should be using for the transaction you want to undertake. Also, only use HTTPS sites whenever you do transactions online.
Additionally, always use multi-factor authentication (or two-factor authentication at minimum). Doing this guarantees that even if your password is compromised, hackers are still prevented access if they fail to obtain the other factor (a code sent to a mobile phone number or email) necessary to enable account access.
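The URL scrutiny described above can be automated before a form is submitted. The following is an added example, not code from the original article; the host names in the trusted list are constructed placeholders, and the function name is hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts the user has verified out-of-band (placeholder names).
TRUSTED_HOSTS = {"wallet.example.com", "pay.example.com"}


def check_payment_url(url, trusted_hosts=TRUSTED_HOSTS):
    """Return (ok, reason) for a URL about to receive credentials or payment data."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname   # lower-cased, without port or userinfo
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    # "https://trusted-name@other-host/" shows a trusted name but connects elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL hides the real host"
    if not host:
        return False, "no host"
    host = host.rstrip(".")
    # Internationalized labels can render as look-alikes of a trusted name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label (possible look-alike)"
    if not host.isascii():
        return False, "non-ASCII host (possible look-alike)"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match only: "wallet.example.com.evil.test" must not pass.
    if host not in trusted_hosts:
        return False, "host not on the trusted list"
    return True, "ok"
```

An exact-match allowlist is deliberately strict: a clone site only has to look right to a person, but it cannot match a host string the user verified in advance.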
Secure websites. It’s not only computers that need to be protected from malware that can become instrumental to cryptocurrency theft. SQL injection, which attacks websites, can be used to steal cryptocurrency and other digital assets. To prevent such attacks on websites, it is advisable to use input validation or sanitization and a web application firewall (WAF).
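To make the input-validation advice concrete, here is a weak query beside a corrected one. This is an added example, not code from the original article; the table, columns, and sample rows are constructed. It goes one step beyond the text by also binding the value as a query parameter, which is the standard complement to validation.

```python
import re
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wallets (owner TEXT, address TEXT, balance REAL)")
    db.executemany("INSERT INTO wallets VALUES (?, ?, ?)", [
        ("alice", "addr-alice-0001", 1.5),
        ("bob", "addr-bob-0002", 0.2),
    ])
    return db


def lookup_vulnerable(db, owner):
    # Weak form: the form value is pasted into the SQL text,
    # so a quote character in the input changes the query itself.
    sql = "SELECT owner, address FROM wallets WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()


# Input validation: the only characters an owner name may contain (assumed policy).
OWNER_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(db, owner):
    if not OWNER_RE.fullmatch(owner):
        raise ValueError("invalid owner name")
    # Parameterized query: the value is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT owner, address FROM wallets WHERE owner = ?", (owner,)
    ).fetchall()
```

With the constructed input `x' OR '1'='1`, the weak form returns every row in the table, while the corrected form rejects the value before it reaches the database.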
Consider using the services of a third-party custodian. Not every business or organization has the know-how to secure crypto assets. If you are not sure how to protect your relatively new kind of digital assets, it’s not a bad idea to enlist the help of third-party crypto asset custodians. They have the expertise and experience in dealing with cryptocurrency theft, so they can doubtless do the job more competently. Many even provide insurance so you are guaranteed reimbursement in case a breach happens and the assets you entrusted are siphoned away.
Crypto assets are designed to be confidential and secure, but hackers constantly evolve and they will always find vulnerabilities to exploit. Modern encryption and blockchain technologies are difficult to tamper with. However, the human tendency to be unmindful of security measures always presents a significant risk. To ensure cyber asset protection, always be wary of online storage, make sure you have adequate malware protection, secure your websites, be familiar with social engineering strategies, and consider third-party custodianship if necessary.