In brief
- If you're thinking of trading cryptocurrency, you should consider an audit of your cyber-security.
- First-time crypto traders should protect their private key and transfer address.
- You should also take steps to protect against ransomware attacks and phishing attacks.
Sure, Bitcoin trading sounds fun, but trading cryptocurrency comes with a whole host of cyber-security risks that could prove just as disastrous as a price crash. Equally as important as stacking sats is ensuring that your computer is protected against hackers, and that you aren’t vulnerable to phishing attacks, ransomware bots or scams.
So, how to gear up for your adventure down the digital yellow brick road? Decrypt spoke to security experts to identify the chinks in your virtual armor and how to prepare for the worst.
What’s at risk?
“There are two primary things that first-time crypto traders should protect: a private key and transfer address. If a crypto trader can keep these two basic things safe, the possibility of becoming a victim of scammers reduces significantly,” Evgeny Lopatin, an anti-malware research security expert at Kaspersky, told Decrypt.
A private key is a 64-character key that's used to sign crypto transactions. And the transfer address is analogous to an email address that can send or receive Bitcoin.
There’s more to keep an eye on, too. Among other things, you also need to protect your seed phrase, a string of (usually 12 or 24) words that functions as a backup to your private key, as well as any login details that grant you access to crypto exchanges or wallets. Also at risk are any email accounts, cloud storage services, phones or computers in which you’ve stashed any seed phrases, passwords or private keys.
First things first: Practice “cyber-hygiene”
Before eying up Bitcoin, Ian Porteous, a director of security engineering at cybersecurity firm Check Point, recommends that crypto traders practise good “cyber-hygiene.”
“The first step,” he told Decrypt, is not dousing your computer with bleach, but rather ensuring that “your existing PCs and networks don’t have any existing infections that could be used for logging keystrokes, capturing passwords, or downloading further malware infections.”
Hackers often go for the low-hanging fruit, he said. Instead of targeting individuals, many hackers “create large networks of infected PCs to maximise their chances of being able to steal credentials and data: for them, it’s just a numbers game.”
How to avoid the meat grinder? “Use a reputable anti-malware package, ensure it is running the latest malware signature updates, and do a full scan of all your machines,” he said. Popular home anti-malware packages, such as (Porteous’s) ZoneAlarm, Malwarebytes and AVG, all regularly update to check for the latest virus signatures. Moreover, consider using a browser extension that can block zero-day malware downloads and phishing sites, said Porteous.
Finally, Porteous advises that you review all of the passwords you use for important accounts, like your bank accounts, crypto trading accounts, and Wi-Fi passwords, to make sure you don’t re-use the same password. Use two-factor authentication where possible, since “it minimizes the risk of hackers being able to access your account even if they have the password,” he said.
How to protect against crypto scams and hacks
Ah, but hackers target those very things, and they’ve spent decades perfecting special tricks to con even the most cyber-hygienic traders. As soon as you expose sensitive information to hackers, it’s game over.
There are two really obvious, common attacks. The first threat is ransomware attacks, which encrypt your PC or your cryptocurrency wallet until you pay a ransom—usually in crypto. “In this case, you will lose access to your wallet while fraudsters will receive all its data,” said Lopatin.
In October 2020, research from Check Point showed that the number of ransomware attacks increased by 50% in July, August, and September of 2020 compared to the first half of the year. In the US, the number of ransomware attacks increased by 98% in the same time frame. And phishing email volumes have spiked recently, too. In November 2020, Black Friday triggered a 13-fold increase in sales and discount-related phishing attacks, Check Point found.
The majority of ransomware attacks rely on the victim clicking a link or opening an attachment, said Porteous. “So, it’s wise to be wary of emails with attachments that you weren’t expecting, even if you recognise the sender,” said Porteous. If in doubt, trust the anti-malware program.
To avoid ransomware attacks completely, Lopatin recommends the use of hardware wallets. A hardware wallet is a cryptocurrency wallet that isn’t connected to the internet and stores your private key offline. They are “almost impossible to hack,” he said.
The second type of threat is phishing attacks. Phishers cast a variety of different nets, but Lopatin said that crypto exchanges and wallets are among the most popular targets. Recently, hardware wallet manufacturer Ledger was the victim of a hack that exposed the personal details of a million customers, leaving them vulnerable to phishing attacks designed to steal their seed phrase.
Phishers trick victims into clicking on links that promise to bring them to an exchange or wallet, whereas in reality it’s a fake version of the website created by the hacker. These websites need not be complicated: a log-in screen may be the extent of the site, but even that’s enough to con some people into entering sensitive information such as passwords or seed phrases.
🚨 WARNING: STAY VIGILANT OF ONGOING PHISHING SCAMS! 🚨
Remember that Ledger will never ask for your 24-word recovery phrase or PIN. Never share it!
Check out this page to verify if the communication you have received is a scam: https://t.co/9Cri0akE6v #StopTheScammers
— Ledger (@Ledger) December 16, 2020
Much the same precautions for avoiding ransomware attacks also apply to phishing attacks. Lopatin’s advice is “to double-check the authenticity of visited websites.” He said, “We recommend that you are skeptical about any generous offers and promotions.” Unsure? Bookmark the verified link to your crypto exchange or wallet of choice in your browser. Lopatin recommends using “trusted wallets with a good reputation. If you’ve received an email about new, appealing cryptocurrency wallets, always remember that if something looks way too good to be true, it is most likely fake.”
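The bookmark advice can be applied mechanically to any link that arrives by email or chat. The sketch below is an added example, not part of the original article or any vendor's tool: it compares the host a link really points to against hosts you bookmarked yourself. The hosts `exchange.example` and `wallet.example`, the function names and the two-character typo threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hosts bookmarked after verification (constructed placeholders, not real services).
BOOKMARKED = {"exchange.example", "wallet.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url, bookmarked=BOOKMARKED):
    """Return (verdict, reason); verdict is 'match', 'suspicious' or 'unknown'."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        # Convert international characters to their ASCII (xn--) form.
        ascii_host = host.encode("idna").decode("ascii")
    except (ValueError, UnicodeError):
        return "suspicious", "malformed URL or host name"
    if parts.scheme != "https" or not ascii_host:
        return "suspicious", "not an https link to a named host"
    if parts.username is not None:
        # In https://name@host/ the part before '@' is only a login name.
        return "suspicious", "text before '@' is not the site; real host is " + ascii_host
    if ascii_host in bookmarked:
        return "match", ascii_host
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return "suspicious", "internationalised look-alike characters in host"
    for good in sorted(bookmarked):
        if ascii_host.endswith("." + good):
            continue  # subdomain of a bookmarked site: unverified, but not an imitation
        if good in ascii_host:
            return "suspicious", "bookmarked name '%s' embedded in another domain" % good
        if edit_distance(ascii_host, good) <= 2:
            return "suspicious", "differs from '%s' by a character or two" % good
    return "unknown", "not bookmarked; open the bookmark instead of the link"
```

A `match` verdict only says the host equals a bookmark; it does not vouch for the message that carried the link.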
Ting-Fang Yen, Director of Research at DataVisor, told Decrypt that crypto traders should stay away from “non-reputable third-party apps [and] services, and avoid sharing account information and private keys,” since the crypto industry is largely unregulated and full of bad actors. “Ideally, keep your wallet offline when not in use, such as in a disconnected external hard drive or other forms of offline storage,” he said.
Lopatin points out that crypto exchanges are frequently attacked. Just this winter, hackers stole $281 million from KuCoin. Even Binance, one of the largest crypto exchanges, was hacked for $40 million in 2019. Lots of these exchanges have insurance policies in case of a hack, but many more don’t, and there’s little you can do to get your crypto back if the exchange won’t reimburse you for lost funds.
In response to the recent KuCoin Security Incident, KuCoin Global CEO Johnny Lyu @lyu_johnny hosted a livestream at 12:30 (UTC+8) on September 26, 2020, and announced more updates regarding the incident.
Read the full recap of the livestream here: https://t.co/BtrCC3w3QO
— KUCOIN (@kucoincom) September 26, 2020
The issue, said Lopatin, is that crypto exchanges hold custody over your coins; if you’re storing your funds on an exchange, you’re trusting that the exchange won’t get hacked or run away with your funds. But since they sometimes do, “it is not recommended to store cryptocurrency on exchange wallets,” advised Lopatin. “Delegating responsibility for storing cryptocurrencies to exchanges is one of the most common mistakes made by beginner crypto traders,” he said. To keep your Bitcoin safe and secure, it's best to use your own Bitcoin wallet, whether that's a software, mobile or hardware wallet.
Lastly, Lopatin advises “double-checking the departure address” when sending cryptocurrency. Here, Lopatin’s guidance is straightforward. If you don’t recognize the address to which you’re wiring cryptocurrency, you could send crypto to the wrong person. And in the wild west of crypto, there aren’t any second chances.