Protecting your crypto wallet from hackers, thieves and bots
By Alex McConnell / 13th Aug 2021
Over the past five years, blockchain technology has gone mainstream. More and more investors, businesses and opportunistic hobbyists are filling their cryptocurrency wallets with crypto assets like Bitcoin and Ethereum. In fact, the global user base of all cryptocurrencies increased by an estimated 190 percent between 2018 and 2020.
There is undoubtedly money to be made, ushering newcomers into the world of blockchain. However, this has also attracted fraudsters and criminals looking to take advantage of newbies who may not appreciate the security risks.
Just this week, blockchain site Poly Network was hit by the largest cryptocurrency heist to date, with hackers making off with $600m after exploiting a technical vulnerability.
In this post, we will take a look at how to protect your cryptocurrency.
Thieves on the prowl for cryptocurrency targets
Exchanges are not the only targets of cryptocurrency theft. Individuals and their crypto wallets (online wallets where crypto assets are stored) are also targeted regularly by fraudsters, not just using hacks and exploits but also through business logic attacks like account takeover (ATO). So the question looms large: how do we protect our cryptocurrency? First, we need to know how crypto wallets are vulnerable.
At Netacea we have developed the BLADE (Business Logic Attack Definition) framework to define how attacks are carried out. The early stages are usually resource development and reconnaissance. In the case of cryptocurrency fraud, the adversary will often scour the internet for public conversations about blockchain, cryptocurrency or exchanges like Binance, Coinbase and Bisq.
Once a target is acquired, the adversary will look for any clues as to their email address or other personally identifiable information (PII) to launch their attack. This is often easy to come by, as many people willingly and publicly share contact details to connect with experts or advisors on the latest crypto investment tips.
From there the attacker will try to gain access to passwords and private keys, either by using bots to brute-force logins or stuff leaked credentials into login forms, by mining data dumps, or even by buying stolen credentials from marketplaces like Genesis Market.
Account takeover tactics are hugely effective in crypto theft. It is even speculated that the FBI used such techniques to recover $2.3 million in Bitcoin taken as a ransom from Colonial Pipeline. Although decentralized transactions are tough to trace, Deputy Attorney General Lisa O. Monaco stated that the agency’s tactic to “follow the money” is still effective in crypto thefts.
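The credential stuffing bots mentioned above leave a recognisable pattern in login logs: one source address tries many different accounts in quick succession, each once or twice, whereas a legitimate user retries a single account. The following detector is an added example, not Netacea code or anything from the original post; the log format and the IP addresses and usernames in the sample are constructed for illustration. It flags a source that touches several distinct accounts inside a short window and lists any account that succeeded during that burst as a probable takeover.

```python
"""Toy credential-stuffing detector over constructed login logs (added example).

Assumed log format (constructed for this example, not any real product's):
    <ISO-8601 UTC timestamp> ip=<client ip> user=<account> result=<OK|FAIL>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 walks a list of stolen credentials (many
# accounts, one try each, one hit), while 198.51.100.9 is a person who
# mistypes their own password twice and then logs in.
SAMPLE_LOG = """\
2021-08-13T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2021-08-13T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2021-08-13T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2021-08-13T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2021-08-13T10:00:04Z ip=203.0.113.7 user=erin result=OK
2021-08-13T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2021-08-13T10:00:10Z ip=198.51.100.9 user=grace result=FAIL
2021-08-13T10:00:25Z ip=198.51.100.9 user=grace result=FAIL
2021-08-13T10:00:40Z ip=198.51.100.9 user=grace result=OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(log_text, window=timedelta(seconds=60), min_distinct_users=5):
    """Return {ip: {"distinct_users", "attempts", "compromised"}} for each source
    that tried at least `min_distinct_users` different accounts within any span
    of length `window`. The widest qualifying burst per IP is reported, and the
    accounts that logged in successfully during it are listed as probable ATOs."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) >= min_distinct_users and \
                    len(users) > alerts.get(ip, {}).get("distinct_users", 0):
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "compromised": sorted(e["user"] for e in span if e["ok"]),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts in {info['attempts']} "
              f"attempts; successful logins to review: {info['compromised']}")
```

The distinguishing signal is the ratio of distinct accounts to attempts per source, not the raw failure count, which is why the human retrying one account is not flagged. In production the same logic runs over a stream rather than a string, and the source key would combine IP with session or device fingerprint, since stuffing tools rotate through proxy pools.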
How to protect your crypto wallet from thieves
In cryptocurrency terms, your wallet’s private key is your money, so anyone who has access to it essentially has access to your funds. Private keys are frequently encrypted with a password, so keeping both safe is essential.
Here are a few precautions you need to consider to secure your cryptocurrency.
Use multifactor authentication via an app
Multifactor authentication (MFA) is an additional step to protect accounts that may have their passwords compromised, adding an extra hoop for criminals to jump through. However, with an attractive reward inside your crypto wallet, there are ways around SMS verification as a form of MFA.
If an adversary knows your phone number along with enough other PII to get past security questions (often obtained through social engineering), they can fool your mobile network provider over the phone in an attack called phone porting (also known as SIM swapping). The network is persuaded to move the victim’s number to a SIM card in the attacker’s phone, allowing the attacker to receive the SMS verification codes and pass MFA.
The solution is to use dedicated authenticator apps like Google Authenticator or Authy instead of just a phone number as multifactor authentication.
Use a strong, unique password, or even separate email addresses for each wallet
If an attacker gains access to one account, quite often they can access other accounts owned by the same person due to many people reusing the same passwords. This is unsurprising since the average person has 191 passwords to remember for their online accounts.
The way to protect against this is to always use a strong, unique password for every service. Password managers are an essential tool for this purpose, ensuring only strong passwords are generated and keeping them safe with one master password.
You must be extremely careful with any password storage you rely on, as there is no way to recover lost passwords for crypto wallets due to the decentralized nature of cryptocurrency.
You might also want to create a totally separate email address for each crypto wallet, so there is even less risk of losing access to your whole balance should one service be compromised.
Protect your private key with cold storage
Your public key is like an address others use to transfer money to your account, while you need your private key to send money to others. It’s essential to keep your private key away from prying eyes. Cold storage is one way to achieve this.
Cold storage of a private key involves physically writing down the key on a piece of paper, locking it away in a safe or deposit box, and erasing all digital traces of it. Just be extremely careful you don’t lose this physical copy or put it anywhere it can be lost, destroyed or stolen.
Use a hardware wallet
A similar tactic to cold storage of your private key is using a hardware (or cold) wallet. These are physical devices onto which cryptocurrency can be transferred and which are then kept offline, like withdrawing cash from an ATM and keeping it in a traditional wallet.
The advantage of doing this is it keeps your balance offline and safe from being withdrawn remotely by anyone else. But, as with a traditional wallet, theft is always possible, and if lost, the funds on the device will be irretrievable.
Learn more about account takeover attacks
At Netacea, we regularly help clients detect and mitigate attempts to undertake account takeover attacks.
Our Intent Analytics™ technology uses AI and machine learning to determine the intent of every user, blocking malicious bot activity in real time.