Op Ed: Lessons From a Cryptocurrency Hack (A Public Service Announcement)

At the end of the day, the damage done to me was limited to being spooked. Unfortunately, however, at least one of the recipients of my fake Facebook messages was later the target of the same attack. I’ve decided to learn from these events and share those lessons, and hopefully help some avert the worst. First and foremost is eliminating this specific and trivially easy attack vector completely.

How to Stop It Before It Happens

Text message two-factor authentication (2FA) is the default security precaution for most online accounts today, and cellular service providers are woefully unprepared for this reality. It is almost trivially easy for an attacker to contact your service provider and pretend to be you.

In all the cases I’ve personally observed, it began with the attacker identifying an individual likely to have cryptocurrency and contacting their cell provider. They impersonate their target using personal information like social security numbers and home addresses from any number of possible leaks, Equifax being the most obvious and concerning source.

After successfully convincing your cell provider that they are you, they then port your phone number to a SIM card in a phone they control. This approach is known as a social engineering attack, and with today’s common security default of using text messages for 2FA, they immediately have the keys to the kingdom. With your phone number they can now reset the password to any account you have with text 2FA enabled, including cryptocurrency wallets and accounts.

The minimal action you should take right now to prevent this: Contact your cellular service provider and request that restrictions be placed on your account so that no changes can be made to it without special verification. This can include setting a password on your account or requiring you to physically visit a store with your ID to make any account changes. Call again once this is in place and attempt to change your own SIM card as a test, to ensure the restrictions have indeed been put in place and are being properly enforced by your cellular provider.

This simple step means that no matter what information an attacker may have on you, socially engineering a takeover of your SIM card is no longer a trivially simple endeavor. However, this precaution isn’t ironclad, and there is a variety of other attacks you can still be the target of.

Taking It a Step Further

Black hat actors tend to focus on the low-hanging fruit, which is why the social engineering SIM attack has become so prevalent. But it is by no means the only way to compromise your accounts, and as the low-hanging fruit becomes harder to find, attackers will move on to these other methods. I highly recommend everyone implement these precautionary steps to further secure themselves. The upfront investment needed to set up these measures may seem tedious now, but can pay invaluable dividends in the future.

1. If you hold any significant amount of cryptocurrency, invest in an offline hardware storage solution. These devices hold your cryptocurrency private keys and can remain completely disconnected from the internet or any computer until you need to make a transaction, so that your funds remain safe regardless of any of your other devices or accounts being compromised. These devices include OpenDime, TREZOR and Ledger. Even if you do not opt for any of these solutions, at a bare minimum do not store funds on third-party services such as Coinbase or exchanges, especially on any service or wallet that uses an email address or a phone number to authorize access to funds.

2. Ditch text messaging 2FA. Placing verification restrictions on your cellular service account is a big step up in security, but it can still be circumvented by an insider or even just a careless customer service rep who doesn’t do their job properly. Text message authorization is also simply too insecure to be relied on in any way, period. Recent research shows that intercepting text messages is a trivial task for someone with the right tools, and many other exploits are likely to be discovered in the future.

The first item on this list will protect your personal funds from theft, but as I learned the hard way, your money isn’t the only thing at risk. With access to your social media accounts and emails, an attacker can trick your friends into giving them funds or exposing themselves in other ways. They’ll also obviously have a clear look into all your messaging and file history on those accounts, which can expose you and your social circle even more. Shoring up your 2FA is a big step in preventing this.

Eliminate all of your text messaging–based 2FA and at a minimum replace it with Google Authenticator. However, as with storing cryptocurrency, you can take it a step further with a dedicated hardware solution. I highly recommend YubiKeys. You can configure many major online accounts (not Coinbase yet) to require you to physically insert and activate your YubiKey as your 2FA authorization, eliminating the risk of a remotely compromised phone.

3. Use multiple emails with interlinked recovery options, and use completely different and robust passwords for those emails and your other online accounts alike. Luckily I did not have text messaging 2FA enabled on the email account associated with my Facebook profile; otherwise my attacker could have seized control of that as well. If they had, I had a chain of recovery emails I could have used to regain control of it, all with different passwords. This practice also means that having the password for any one of your accounts captured or leaked won’t jeopardize all of them.

4. Stay vigilant, stay paranoid. To quote the Onion Knight, “Safety is never a permanent state of affairs.” Don’t get lazy and begin recycling passwords or leaving funds on Coinbase or other third-party accounts. Be aware of the technology you are using and the tradeoffs you are making or the exposure you are generating by doing so. Stay up to date on the latest breaches, exploits and technology. Opt to use end-to-end encrypted messaging services like Signal, Telegram or WhatsApp. Don’t answer calls from strange phone numbers, and use apps like Hiya to filter out known spam numbers to reduce the risk that you do. Ultimately, however, there is no easy fix for security and no list that can guarantee you won’t get hacked.

Make no mistake, there are individuals out there who want to harm you and are actively working to do so. The time needed to reasonably secure yourself can seem tedious up front, but can easily and quickly become a priceless investment, as I and many others have learned firsthand.

This guest post by Ariel Deschapell was originally published on Medium and is reproduced here under a Creative Commons License. The views expressed do not necessarily reflect those of BTC Media or Bitcoin Magazine.