Five cruel truths about security of cryptocurrencies usage

in #security6 years ago

So, you think that using cold wallets, proven exchanges or even decentralized exchanges, 2FA for your account and other similar means of extra-security will make you 100% protected from hacks and thefts? Well, this is about to be the saddest article you've read for today or a couple of past days, as it will explain to you why all of those measures just do not suffice.

1. Cold wallets may also be stolen

You've probably seen tons of tutorials on "cold" storage of crypto. In other words, storing crypto in a wallet that is always offline. It would have been cool and secure, but there's a catch - regardless whether you store your coins offline, the transactions always happen online. For the last years, hacker learned, to put it simply, hack the transactions themselves. In other words, when pushing a transaction, a wallet "warms up" and stops being cold.

In order to foster secure transactions of crypto, one must make sure the software of both the computer and operating system are updated timely.

2. An exchange may not take place where expected

Geo matters a lot in legal matters, and therefore in issues of crypto-security. Taxes, consumer rights, financial and legal status of cryptocurrency, the bank’s relation to blockchain transactions — to answer each of these questions, you need to know the place of the transaction. And even the speed of cashing cryptocurrency depends on the geographical location.

In the world, there are still no approved rules and laws regulating cryptocurrency, which aggravates the position of cryptoinvestors. For example, in the United States, there are still MTGOX lawsuits in action. Due to differences in the existing legislation of different countries, the geolocation of cryptocurrency transactions can play a cruel joke with its owners. Many legal issues are related to forwarding and caching servers that confuse geolocation mechanisms.

Another group of problems associated with the location, due to the popularity and reliability of the hosting service. In this situation, services such as Azure, Amazon Web Services, Google Cloud can guarantee the best possible protection against downtime and instability of their services. Such services are also resistant to various IP blocking due to huge pools of network addresses.

In order to avoid the problems described, investors should indicate in the trade transactions the actual location of the servers, and cloud service tenants for operating with cryptocurrencies should indicate this in the service contracts. When working with financial exchanges, you should pay attention to whether the exchange confirms its actual location.

3. 2FA does not guarantee full-scale security

The recent Binance 7k BTC hack started off with hackers obtaining access to traders' 2FA services.

Additional authentication cannot guarantee full security. Vulnerabilities of program code can be both on client devices and server hardware.

User browsers are vulnerable to XSS vulnerabilities that allow authorized access to critical data (for example, to the crypto-shell of an online service where the user is logged in) and withdraw all funds from it. Such an attack doesn’t even look like a burglary - for security systems, these actions look like completely legitimate.

Server applications are subject to RCE - remote code execution. By running such a malicious script on the server, the attacker will easily bypass any two-factor authentication and steal the cryptocurrency of many users.

Nevertheless, the presence of two-factor authentication, coupled with other protection measures, significantly increases the reliability of the program or online service used.

4. Decentralized exchanges are also prone to hacks

Here the problem lies not in the type of exchange. Any exchange provides access to its services through a web interface. We're talking about XSS- and CSRF- attacks, vulnerability to hacked accounts and all kinds of attacks on transactions. All this allows invisible to the eyes of the crypto user to substitute destination addresses directly in the generated HTML request. Determining the reliability of the exchange, you should look for technical documentation and security audit of their smart contract, and security audit of front-end applications.

Each client of the exchange is a centralized user, from the point of view of the exchange. And since the user is centralized, then it is much easier to attack him than the exchange itself. This fact also falls into the treasury of vulnerabilities.

5. Importance of deeper understanding of technology and infrastructure of exchanges

Every detail, every detail of the entire transaction model, from the intention to the quality of cloud services provided, is important for the security of cryptocurrency. Incorrectly written code, insufficiently reliable communication channel, weak antivirus, excessive talkativeness - and you will remain at the broken trough.

Cryptocurrency just does not hack and steal - there must be appropriate vulnerabilities for this. They exist for both "cold" and online ways to store money.

It is extremely important to be aware of all the latest news about cryptocurrency technologies, about the crypto wallet used, about the reliability of exchange services and their location. If the portal of the exchange or the online wallet does not provide reliable information about the state of security (security audits), this is a serious reason to think about trusting such a resource.

In conclusion, we note that the latest trends in hacker attacks are aimed at finding / creating and exploiting vulnerabilities in client and server applications. In this way, in recent years, cryptocurrency exchanges are attacking. This is due to the fact that hacking specific user equipment or server hardware is usually much more complicated and costly. And this is a serious reason to check the security of the programs and services used.

Thank you for your time,
your VHCEx team!

Sort:  

those DEX hacks are always happening on the level of user's browser and OS
go buy Mac and that's all you need

yeah, never use Windows for crypto trading

at the end of the day, people just prefer to not give a shit about technology that supports their transactions, just like with banking transaction, really

this always gets them trapped

I think I got caught on phishing or similar type of fraud 5 times already. But I still love crypto. That's true feelings

the simplest way to protect an exchange or a custodial service against 2FA hacks is to remove SMS 2FA outright

are there DEXes with the option to link the cold wallet?

I think crypto has effectively dislodged conventional finances as the most attractive point for hackers