Hollywood feeds moviegoers stories in which a hacker or spy plies advanced technology in the service of espionage. While it's true that ridiculously small, easy-to-plant micro-transmitters exist, as do devices that can read the RFID chips in credit cards without invitation, the methods of most hackers are surprisingly low-tech compared to those of their counterparts on the silver screen.
Although it makes sensational headlines when platforms fall under siege from hackers, reports of individual users who find themselves the targets of malicious actors often go ignored. ETHNews previously discussed some of the attack vectors that may threaten cryptocurrency systems. In this foray into cybersecurity, we'll focus on socially engineered attempts to get information from a person or commercial service; malicious software such as key-loggers and other programs that create exploitable glitches or make it possible to obtain private information from various devices; and centralized databases that have previously been hacked and are subject to data dumps.
Paul Walsh, CEO of MetaCert, a data loss prevention company, has personal experience with socially engineered exploitation. He told ETHNews, "Specifically when it comes to social engineering, the biggest attack in the crypto-world right now is where the attackers will have your phone number changed to a new SIM [card]." To do this, attackers fool an employee of a service provider by providing information that can be found in social media accounts or elsewhere in order to impersonate a customer. Once the phone number has been paired with a new SIM card, the imposter can easily access other private accounts because they can bypass any two-factor authentication tied to that phone number; the verification texts are sent to the phone with the new SIM card. When this happens, the customer is often unaware until it is too late.
"Ironically, I gave a talk on this topic at the tech-focused MoNnage conference in LA ... and my biggest point was: please don't use SMS-based two-factor authentication," Walsh said. "Four hours later they did it to me. So, literally that evening I got a text message saying, 'Your number has been changed to a new SIM card. If it wasn't you, please call us.' And of course, when I called T-Mobile and said it wasn't me, they couldn't verify me because they had actually changed my password. That was a complete nightmare."
Walsh was totally prepared for the attack:
"I knew I would be a target, so I made sure some time ago that I didn't have root access to anything that could compromise MetaCert or any of our customers' data. I highly recommend high profile teams within the space do the same."
When Walsh went into one of the mobile carrier's brick-and-mortar locations, he found the resident staff's expertise to be severely lacking. "They didn't even know what I meant when I said my number has been hijacked and is compromised ... They had no idea what they were talking about."
Walsh said he was told that the employee wasn't able to immediately contact the fraud department, but that someone would be in touch with him. Walsh waited and didn't hear from anyone, so he took his frustration to Twitter:
Suffice it to say, Walsh was nonplussed by T-Mobile's emoji-laden response. Since he had yet to receive a phone call from the company's fraud department, he continued to reach out to the cellular provider. With some prodding, he finally received more communication from T-Mobile regarding, well, the lack of communication:
Walsh's ordeal with T-Mobile is still ongoing, and he said the company has told him he'll need to file an FOIA request to discover just how his number was hijacked. However, he did confirm that a representative of the CEO's office had spoken to him and said he would be receiving a letter in the mail indicating whether he had been compromised. The message seems to have missed the mark; Walsh had obviously been compromised. The situation is a strong case for users in the crypto-space to heed Walsh's warning and use two-factor authentication methods other than SMS for their accounts.
Moving on, a step up the tech scale from socially engineered attacks is a world of malware designed to spy on users. Some malware gathers data or acts behind the scenes, such as stealth mining software that commandeers CPUs or graphics cards. Other malware encrypts a computer's files and demands a ransom, often payable in some form of cryptocurrency. Some malware changes the way a computer's clipboard works, swapping out long hexadecimal strings it identifies as wallet addresses for the hacker's own address. When the unknowing user copies and pastes an address, a different one controlled by the hacker gets pasted instead.
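Clipboard-swapping malware leaves a detectable trace: the address the user copied is replaced by a different address-like string before it is pasted. The following is an added example, not code from the article, of the detection logic a wallet or endpoint monitor could apply; the clipboard events and wallet addresses are constructed for illustration.

```python
import re

# Address shapes a swapper typically targets: Ethereum (0x + 40 hex),
# Bitcoin legacy base58 (starts with 1 or 3) and bech32 (starts with bc1).
ADDRESS_RE = re.compile(
    r"^(?:0x[0-9a-fA-F]{40}"
    r"|[13][1-9A-HJ-NP-Za-km-z]{25,34}"
    r"|bc1[02-9ac-hj-np-z]{11,71})$"
)


def looks_like_address(text: str) -> bool:
    return bool(ADDRESS_RE.match(text.strip()))


def detect_swaps(events):
    """Flag clipboard polls where the address the user copied has been replaced.

    events: sequence of (kind, text); kind is 'copy' (user copy action observed)
    or 'poll' (clipboard contents read by the monitor).  A swap is reported when
    a poll shows a *different* address-like string than the last user copy,
    without any intervening copy action.  Returns a list of (copied, observed).
    """
    alerts = []
    last_copied = None
    for kind, text in events:
        if kind == "copy":
            last_copied = text
        elif kind == "poll" and last_copied is not None:
            if (looks_like_address(last_copied) and looks_like_address(text)
                    and text != last_copied):
                alerts.append((last_copied, text))
                last_copied = None  # report each swap once
    return alerts


# Constructed sample: the user copies their intended address, the clipboard is
# polled twice, and between polls something rewrites it to another valid-looking address.
USER_ADDR = "0x" + "ab" * 20
SWAPPED_ADDR = "0x" + "cd" * 20
SAMPLE_EVENTS = [
    ("copy", "meeting notes"),          # non-address content is ignored
    ("copy", USER_ADDR),
    ("poll", USER_ADDR),                # unchanged: fine
    ("poll", SWAPPED_ADDR),             # replaced without a copy action: alert
    ("copy", SWAPPED_ADDR),             # user deliberately copied it: not an alert
    ("poll", SWAPPED_ADDR),
]

if __name__ == "__main__":
    for copied, observed in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap: copied {copied} but clipboard now holds {observed}")
```

Comparing the first and last few characters of a pasted address against the original by eye is the manual form of the same check; the point of automating it is that a swap happens without any user action between copy and paste.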
Constant vigilance is the key to surviving malware attacks. Just as a virus evolves in its host, malware engineers are constantly tweaking their programs to exploit bugs, glitches, or other holes in cybersecurity systems. Keeping a finger on the pulse of the community is a good way to learn about these security flaws.
Knowledge is power, but sometimes it's best to fight fire with fire, and there are many available options in the marketplace of security software. However, in order to be most effective, it may be necessary to utilize several pieces of software – and that can become expensive.
Hardware is another option users might employ; a computer with a closed architecture operating system (OS) offers users a chance to mitigate the types of software that can run within that OS's structure. This method helps protect against malware, but it may come at the cost of limiting the types of plugins and other software that machine is capable of running.
Why go through the trouble of hacking someone when others have already done the hard work? Many large institutions with centralized databases are prime targets for hackers. Precious user information, including payment channels, PIN numbers, and various other private data, is stored within these databases. It spells bad news for consumers, and many times when a hack affects a company's network, disclosure comes months or years later. In some cases, the individuals put at risk have no choice in their participation with the platform, as was the case with the Equifax hack, which put the personal information of over 143 million users at risk.
Sometimes hackers hold on to the information they steal for whatever nefarious purpose it may serve, but all too often, the data is dumped onto public servers where anyone can find it. When that happens, the only thing to do is reset every password that might have been affected. It's very difficult to work around these types of situations since many factors, including reliance on a centralized database, limit the user's ability to play it safe.
Everyone in the cryptocurrency community needs to consider themselves targets for phishing, socially engineered attacks, and malware. The attention that the industry is beginning to draw from mainstream media will also attract malicious actors. It is up to us to individually assess the threats that are out there and take care to protect ourselves and others, whenever possible, from transgression.