5 Ways Your Cryptocurrency Can Be Stolen – Is Your Bitcoin Safe?
Bitcoin is not a safe investment. Its future is uncertain because people don’t pay with bitcoin. Big transaction fees are one reason. Another is that all its trades are public. In December last year, the average cost per transaction was $26. This means that some would’ve paid more in fees than what they transferred. Plus, there are cheaper tokens that keep trades anonymous (such as Monero). So, why bother with Bitcoin at all then? And why is it so damned expensive?
Bitcoin is what the media, your parents, and well-meaning friends sit and speculate about. It’s the original granddaddy of all cryptos. For investors, bitcoin is used to round out a portfolio of other coins because it’s considered safe and is limited in supply. Also, it might be worth as much as $65,000 per coin in 2018.
But fortunes could be lost. Not through a horrific price correction, a bubble bursting, or even a hack by North Korea. Trusting in online security could make you broke. How? What about plugging in a hardware wallet? Or your phone carrier screwing you out of all your bitcoin? These things have happened before. And it could happen to you.
1. Your Cell Phone Carrier Will (Gladly) Hand Over Your Coinbase Account
In a famous Reddit post, someone lost more than $8,000 in bitcoin, with no thanks to Verizon or Coinbase. Using the customer’s billing address, an intruder accessed the Coinbase account, changed the password, and emptied the wallet. All within 15 minutes.
The troubles began when the victim tried to help a friend. A sympathetic tweet led the hackers to his Coinbase account, and they found his postal address online. His full name and address were all it took to hijack the victim’s phone number. They then accessed an email account that was linked to his Coinbase wallet. A few moments later, all his bitcoin was gone.
Coinbase and Verizon are accountable for this. The victim tried to call Verizon when he noticed the attack. A recorded message told him to call again during business hours. The same thing happened when he dialed the fraud prevention hotline. Unusually, it was a text message by Verizon that tipped him off about his compromised account, and requested he call them immediately. And Coinbase? They made it easy for the criminals to get in and out. No proof was asked for to transfer more than $8,000 worth of cryptocurrencies.
So what could the victim have done differently? Tweeting about his Coinbase account was a dumb idea; that made him a target. Using two-factor authentication (2FA) and moving his coins to cold storage would’ve been smart.
But don’t count on 2FA to protect your account, as most of the world’s largest cell phone networks are unsafe to use. This lets criminals read your text messages and listen to your calls. And this is just the start of the problem.
2. Hackers Will Steal Your Bitcoin Via Cell Phone
The technology used to encrypt and transmit SMS messages and phone calls has been around since the 1980s. It’s called Signaling System 7 (SS7) and there are loads of problems with it.
SS7 has already been breached by cyber criminals to steal bank accounts. Other hackers have managed to steal email accounts and put Coinbase balances to zero.
The bad news is that 800 of the world’s major telcos make use of SS7. The really bad news is that even apps like Telegram and WhatsApp are vulnerable to this attack. Intruders can even listen in on phone calls, regardless of the kind of encryption you deploy.
So what would a hack involving SS7 look like? First, an attacker would try to access your email account and google some information about you. All they’d need is your mobile number and an email account. Then they’d snoop on your phone’s text messages and intercept your access code. At that point it’d be impossible to stop them, and this approach has been shown to work for stealing large amounts of bitcoin.
The only remedy for this attack is to not use SMS for authenticating your account, and perhaps use your home’s WiFi instead of mobile data.
However, the issues for online security and crypto get even worse. Because if your WiFi is using WPA encryption, you’re not safe at home either.
3. WPA (Wireless) Encryption Has Been Compromised
The ramifications of WPA losing its security are huge. Most WiFi networks at home and in businesses are now susceptible to a range of attacks, which includes decrypting your data. This makes WPA useless for protecting your most sensitive information, like online banking sessions or when you access your bitcoin wallet.
The vulnerability of WPA first came to light in October of 2017 on the website called Krack Attacks. The author apparently broke WPA’s encryption by “forcing nonce encryption in algorithms used by Wi-Fi”.
How the attack can be performed is not entirely clear, but several theories have been thrown around. One is a weakness of WPA’s random number generator. To put it simply, these numbers are not unique enough to be used for encryption, but could be used by criminals to view and inject data across a victim’s WiFi network. If an intruder can get in range of your WiFi, this vulnerability could let them steal your private key – and the rest of your bitcoin along with it.
The good news is that WPA can be updated to provide stronger encryption. The question is will you do it?
4. You Trust Your Hardware Wallet
Hardware wallets can be a great idea, especially if you are storing large sums of coins. However, this could make them unsafe for use.
There is a raft of security issues with these devices, which include the following:
Malware Changes The Bitcoin Address:
Hardware wallets can’t protect the user from sending coins to an incorrect address. A virus on your computer could change the destination address a moment before you click send. This furthers the need for a multi-step process for large sums.
Unreliable Random Number Generator:
Like WPA encryption, Random Number Generators are used by hardware wallets to create private keys. The downside to RNGs is that producing a number that’s secure enough can be difficult. Criminals could recreate your private key if there’s a fault with your wallet’s RNG algorithm. The fault could be the result of a mistake by the manufacturer or malicious weakening so that the coins can be stolen later.
Inadequate Implementation:
Faults at the software, firmware, or hardware level of a wallet can create an opening for attackers. Although manufacturers make the devices as secure as possible, no wallet in existence has proven to be 100% safe.
Tampering With Production:
Backdoors being installed into hardware wallets is a real possibility. It may not even be the company itself, but a distributor, shipping company, or employee who deploys them. Hardware wallets are, after all, used by people who want to secure large amounts of virtual currencies, which makes them an ideal target for fraud.
So while hardware wallets are probably safer to store your coins in than say, an online wallet service, they aren’t the perfect solution. There are too many variables at play, and too much money at stake to be careless with security.
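The random number generator fault described above under "Unreliable Random Number Generator" comes down to how many distinct keys the generator can actually produce. The audit below is an added example, not code from the original article or from any wallet vendor: the 16-bit seed, the function names, and the use of SHA-256 as a stand-in for address derivation are all assumptions made for the demonstration.

```python
import hashlib
import random
import secrets

SEED_BITS = 16  # assumption for this demo: the flawed generator has a 16-bit seed

def weak_keygen(seed: int) -> bytes:
    """Constructed flaw: a 256-bit key stretched from a tiny seed."""
    return random.Random(seed).getrandbits(256).to_bytes(32, "big")

def strong_keygen() -> bytes:
    """Key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(32)

def fingerprint(key: bytes) -> str:
    """Stand-in for the public address derived from a key (SHA-256 here)."""
    return hashlib.sha256(key).hexdigest()

def find_weak_seed(fp: str, seed_bits: int = SEED_BITS):
    """Audit check: return the seed if fp is reachable from the small seed space."""
    for seed in range(2 ** seed_bits):
        if fingerprint(weak_keygen(seed)) == fp:
            return seed
    return None

def audit(fp: str) -> str:
    """Report whether the key behind fp could be regenerated from the seed space."""
    seed = find_weak_seed(fp)
    if seed is None:
        return "not reproducible from the weak seed space"
    return f"reproducible: seed {seed} of {2 ** SEED_BITS} regenerates the key"

if __name__ == "__main__":
    # Both keys are 32 bytes long; only the first has 16 bits of real entropy.
    print("weak  :", audit(fingerprint(weak_keygen(4242))))
    print("strong:", audit(fingerprint(strong_keygen())))
```

Both keys look equally random on inspection, so key length alone says nothing; what matters is the entropy of the source feeding the generator.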
This isn’t the most paranoid thing you should worry about, either. Because pools have been set up to take down bitcoin’s “invincible” security. People have already started to lose their bitcoin to this surreal project.
5. Your Private Key Gets Obliterated By The Large Bitcoin Collider
The Large Bitcoin Collider (LBC) is an experiment to break bitcoin’s encryption, and has managed to do so, albeit only a handful of times. The LBC describes its purpose on the project’s website:
“The Large Bitcoin Collider is a distributed experiment to find 1 collision of private keys and known BTC addresses. In a rare event of a collision, the funds on the address would be available to the collision finder.”
The LBC tries to find a match between a private key and a public key that contains bitcoins.
The LBC makes more than 450 trillion checks per second. That sounds like a lot, but as of today, there are still 32487405889012096286998956955.87 trillion keys to go before they break the bitcoin network.
Although it would be a case of unfathomable bad luck that your key would end up stolen via the LBC, the bodies are starting to pile up. Two addresses have already lost up to half a bitcoin each ($8,000). And the experiment has only run for a year. There are efforts to scale the number of checks the LBC is able to do, which would further compromise bitcoin’s security.
The LBC project does not appear to have a malicious intent, but rather one to prove a point: people should not take bitcoin’s security for granted, and nothing on the blockchain is untouchable or 100% secure.
So whether it’s deception, theft, or brute force, there is no lack of variety when it comes to being screwed out of your bitcoin. Nothing can replace the value of common sense when it’s about protecting your digital assets. And if you aren’t ready to take the ‘trustless’ nature of the blockchain literally, then these assets probably aren’t for you. Stay frosty out there.