Crypto Security in 2016: A Tale of Two Weaknesses
Bill Shihara is the CEO and co-founder of cryptocurrency exchange Bittrex, and a former security engineer at Amazon, Blackberry and Microsoft.
In the CoinDesk 2016 in Review special feature, Shihara reviews the major cybersecurity events in the industry this year, drawing clear trends that could inform firms and individuals seeking to better protect their funds in 2017.
Bitfinex, The DAO, Gatecoin…
Security has always been a concern in the bitcoin and larger cryptocurrency community, and unsurprisingly, there was no shortage of malicious attacks on industry companies in 2016.
This year, we saw several hacks on major businesses that suggest malicious attackers are likely to remain a threat to cryptocurrency startups, putting users and investors in the blockchain industry at risk.
As startups and investors prepare for 2017, let’s look at some of the major incidents in the hope that hackers will have less luck in the year ahead.
First Half of 2016: Centralized Services Attacked
Centralized services (or large pools of cryptocurrencies) have always been enticing targets for hackers.
But what’s notable is that the three cryptocurrency exchanges that were hacked during this period were compromised using very different methods. I would argue the development raises issues for customers trying to manage the risk of putting their digital assets in centralized services.
ShapeShift, for example, lost its own funds through multiple hacks by an insider, while both Gatecoin and Bitfinex lost user funds through external hacks (and have been working to repay their customers).
We can’t forget the biggest hack of the year though: The DAO.
The DAO, a decentralized venture capital fund, raised approximately $150m in March from digital currency investors across the globe.
Unfortunately, the promise of smart contracts and “code as law” was put to the test when a hacker was able to exploit The DAO’s code to withdraw $50m worth of ethereum. Remember, smart contracts are software and are not immune from logic bugs that can lead to security flaws.
Just as with putting your money into exchanges, you should think carefully about smart contracts and decentralized solutions, and how they work, to understand how your funds are protected.
Second Half of 2016: Individuals Targeted
As the services built in the cryptocurrency industry have raised the bar on security, hackers have moved on to easier targets, attacking individual users.
In the second half of 2016, several people in the cryptocurrency space had their phone numbers stolen. Hackers were able to “socially engineer” their phone carriers and convince support engineers to switch their phone number to one that the hacker controls.
This is particularly insidious because SMS text messages and phone numbers are used as an authentication mechanism by many services that you rely on daily such as Google, Facebook and a few cryptocurrency services.
In some cases, your phone can be used as a single factor to reset a password or otherwise get into an account. Your phone company protects your digital life with the cheapest labor they can find, and those support engineers don’t always follow their security processes.
The best thing to do is to remove your phone number from any services that it may currently be tied to. Another best practice – although not always foolproof because your phone carrier may not follow their own security processes – is to put a password on your account and require that any SIM swap or carrier change only happen if valid identification is shown in a store.
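To make the point above concrete, here is an added example (not code from the article or from any exchange) that models an account-recovery policy. It shows why a phone number that can reset a password on its own is a single point of failure once a SIM swap hands that number to someone else, and what a hardened policy looks like: the phone channel never counts alone, SMS and voice are treated as one channel rather than two independent factors, and a possession factor such as a TOTP app or hardware key is required. The factor names, strength values, thresholds and the "recent SIM swap" signal are all constructed for illustration.

```python
"""Account-recovery factor policy (added example; not from the article).

Factor names, strengths, channels and policy thresholds are constructed for
illustration and do not describe any real service.
"""
from dataclasses import dataclass

# Each factor carries a strength and the channel it is delivered over.
# Factors on the same channel are not counted twice: an SMS code and a
# voice call both reach whoever currently controls the phone number.
FACTORS = {
    "sms_code":     (1, "carrier"),
    "voice_call":   (1, "carrier"),
    "email_link":   (2, "email"),
    "totp_app":     (3, "device"),
    "hardware_key": (4, "device"),
    "in_store_id":  (4, "in_person"),
}


@dataclass(frozen=True)
class Policy:
    name: str
    min_strength: int          # total strength required to reset a password
    allow_carrier_alone: bool  # may the phone number be the only factor?


# Weak setting: the phone is accepted as a single factor for a reset.
WEAK = Policy("phone-as-single-factor", min_strength=1, allow_carrier_alone=True)
# Hardened setting: a device or in-person factor is required; the phone
# channel may add to the score but never carries a reset by itself.
HARDENED = Policy("possession-required", min_strength=3, allow_carrier_alone=False)


def recovery_strength(presented, recent_sim_swap=False):
    """Return (total strength, set of channels), counting each channel once.

    If a recent SIM swap is reported, carrier-channel factors score 0 because
    the number may no longer belong to the account holder. (Assumption for
    this example: the service receives such a signal from the carrier.)
    """
    best_per_channel = {}
    for name in presented:
        strength, channel = FACTORS[name]
        if channel == "carrier" and recent_sim_swap:
            strength = 0
        best_per_channel[channel] = max(best_per_channel.get(channel, 0), strength)
    return sum(best_per_channel.values()), set(best_per_channel)


def can_reset_password(presented, policy, recent_sim_swap=False):
    """Decide whether the presented factors satisfy the policy for a reset."""
    total, channels = recovery_strength(presented, recent_sim_swap)
    if channels == {"carrier"} and not policy.allow_carrier_alone:
        return False
    return total >= policy.min_strength


if __name__ == "__main__":
    # What a successful SIM swap hands an attacker: only carrier-channel factors.
    attacker = ["sms_code", "voice_call"]
    # The legitimate owner also holds a TOTP app on their own device.
    owner = ["sms_code", "totp_app"]
    for policy in (WEAK, HARDENED):
        print(f"{policy.name}: attacker reset={can_reset_password(attacker, policy)}, "
              f"owner reset={can_reset_password(owner, policy)}")
```

Under the weak policy the SIM-swapped attacker can reset the password; under the hardened policy the same factors are refused while the owner, holding a TOTP app, still can. The channel grouping is the part worth copying: two codes that both arrive via the carrier are one factor, not two.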
On the topic of social engineering, be careful of where you put your credentials and any information about yourself – on LinkedIn, Facebook and Twitter, for example.
Hackers can collect this information and use it to social engineer their way into your accounts. Think of the answers to your security questions and whether someone could determine them by looking at your Facebook profile.
And, obviously, if you are reusing the same username and passwords across multiple sites, you should consider alternatives. Use hardware- or device-based two-factor authentication on every site that supports it.
Keep in mind that there are fake sites designed to trick you into giving up your credentials. Hackers routinely buy AdWords so that their malicious sites appear at the top of web searches.
Looking to the Year Ahead: 2017
2016 was a big year for hackers, but 2017 doesn’t have to be that way.
By paying attention to trends and protecting your business and personal accounts with advanced protective measures, we can all benefit from a safer, more secure cryptocurrency ecosystem.
We’re not there yet, though. In 2017, I’m expecting the industry to invest heavily in privacy technology and identity solutions on blockchains.
Article Source: http://www.coindesk.com