Your Money Is Your Problem.

The Importance of Security

Your Money Is Your Problem

No matter how you find yourself here today, it's a sign that you need to read it.

Here's a look at what we will go over today.

______

TL;DR

We break down 'key' security, the difference in types of wallets, how hackers attack you, and how to protect yourself from most attacks.

______

Refresher – How do cryptocurrency wallets work?

What happens if I lose my private keys?

What happens if my private key is stolen or hacked?

Comparing centralized wallets vs decentralized wallets - As it relates to security

How were these coins stolen?

               - DAO $53m  |  Parity $30m + $275m  |  Mt. Gox $460m  |  Coincheck $530m

Ways that hackers gain access to your coins.

How to protect yourself from theft?

Conclusion

Let's Have A Refresher First.. –  How do cryptocurrency wallets work?

Everything starts when you create your wallet address.

Every wallet has its own seed phrase and private/public keys.

1 Wallet = 1 Set of private/public keys + 1 seed phrase + possibility of 1 spending password.

Each wallet address, separately.

It's so simple that I've messed up before.

Moving on before writing everything down..

You have to stop and create a new wallet.

Write the stuff down before you click anything else.

The most common way to create a new wallet address is by using a software program. Ones that are dedicated for tasks such as a web, mobile or the interface of a hardware wallet.  

Examples of these programs include MyEtherWallet, Electrum, Metamask, and Ledger.  

These programs generally utilize a cryptocurrency standard (specifically, a Bitcoin Improvement Proposal) called BIP32, which utilizes a series of random words chosen from a library of 2,048 strategically selected words to construct something called a “mnemonic seed.”  The seed or phrase is essentially a 12 or 24 word combination that is then run through a cryptographic function to generate a 256-bit private key.  

To put it another way, random words are made into a long string value (long string value = your private key) that is stored in your wallet software or hardware, to enable withdrawal from your wallet.  

This private key is the key piece of information that will allow you to transact in your wallet.

The other half of the equation is your “public address.”  This is the 24-35 character alphanumeric value that is generated at the same time as the private key.  This is what you give out to other people so that they can send coins to you.  The public address is always associated with a private key that grants access to that wallet.  

This is called public key cryptography.

Now that you understand what a seed (phrase) is, and how it becomes a private key, and what the function of the private key is, we can move to the implications of this..


What happens if I lose my private keys?

Private keys are the sole and exclusive piece of information that allows one to make transactions in a wallet.  


Without keys one cannot gain access to the wallet or any of the cryptocurrency tokens held on that wallet.  

So, the loss of private keys means that any funds held on that wallet are inaccessible until the keys are found.  If the keys cannot be found, there is no restoration protocol in the Bitcoin Core code (or any other blockchain, for that matter) that allows one to regain access to their keys, therefore all tokens held in that particular wallet would be permanently lost.  

This is an important concept to understand, since every password you've ever been required to create - up until this point - can be restored or reset.  

In the case of a blockchain wallet, private keys cannot be reset or restored, therefore the importance of backing up these keys is of incredible significance.  

You must write them down the first and only you see them.

If you've already forgotten to >> Then create a new wallet and write the new key and phrase down before transferring any crypto.

Twice.


What happens if my private key is stolen or hacked?

Theft of a private key has the same practical consequence of loss of private keys –  funds will be gone forever.  

However, theft is different in that one may still have access to their private keys and therefore can still transact in the wallet.  Depending on when the theft was discovered, and how long it takes for the thieves to move funds from your wallet to theirs, it is possible to move the entirety of your holdings from a compromised wallet before the thieves can do so.  

Unfortunately, once these funds have left your wallet, historically speaking, the possibility of retrieving these funds is near zero.  

Even with significant resources, capital and an entire community searching for stolen funds, so far, recovery efforts of stolen coins have been relatively fruitless.  It is, therefore, incredibly important to understand the implications of not properly safekeeping your private keys.


Comparing centralized wallets vs decentralized wallets - As it relates to security

In the cryptocurrency space, the saying goes...

“not your keys, not your coins.”

We’ve discussed how wallets are created and the importance of securing your private keys.  

However, creating your own wallet and securing your private keys is not the only method available to warehouse your coins.  The reality is, most casual cryptocurrency holders will purchase their bitcoin or other cryptocurrency using an exchange and simply leave their funds on an exchange wallet.  Many won’t even know that another option to secure one’s funds is even available.  

     🔵 Centralized Wallets 🔵

An exchange wallet is called a “centralized wallet”.

This means a trusted intermediary or middle-man (the exchange) is responsible for securing your funds.  There are many benefits to this, such as, negating the requirement to generate and store a mnemonic seed, managing separate wallet software, or maintaining the lifelong discipline of securing your private keys.  With a centralized wallet, the entity that maintains that wallet, such as an exchange, is responsible for managing and maintaining the private keys.  

Therefore, there’s no risk to the end user of losing their keys.  

An end user, in this case, would only be required to keep a username and password to access their account, and loss of the password can be quickly resolved by a password reset and perhaps some sort of identity verification to assure the exchange that you are who you say you are.  For these reasons, the majority or cryptocurrency holders maintain their funds in a centralized wallet.

However, in the case of a significant or total loss of funds due to theft or malfeasance by the centralized entity, any funds held at the exchange may be lost forever.  Since the majority of these funds are held on behalf of the exchange’s clients, it is their funds that would be lost.  

Historically this could be due to inside jobs, theft of unsecured keys, or even the founder of an exchange absconding with their user’s funds.  

Additionally, due to the large amount of funds typically held on an exchange, they are frequent targets of theft.  Therefore, it should be assumed that the risk of loss due to theft is always higher when holding funds on an exchange.

     💫 Decentralized Wallets 💫

A decentralized wallet is one in which the end user is responsible for storing and maintaining their keys.  It is called a decentralized wallet since the governance is entirely handled by the blockchain protocol itself, and no trusted intermediary is present.  

In the case of a decentralized wallet, an attack made specifically to a single individual must occur in order to steal funds from that wallet.  

This is generally less likely simply because one single person is likely to hold fewer tokens than a centralized entity.  The same amount of effort is required to hack an individual’s wallet as a large exchange, so given the effort, the reward for attacking an individual’s wallet is potentially far less.  

In fact, a large exchange has many more potential threat vectors, such as social engineering attacks with exchange employees, or exploits targeted at many of the different points where keys are secured.


How a few coins were stolen? 👇

A big hack can only take place where a lot of funds are held.

Unfortunately, the cryptocurrency space is plagued with hacks.  And it’s worth noting that despite over USD 11 billion lost or stolen due to these hacks, the majority involved compromising a centralized system.

Whether it be an exchange, wallet software, or improperly secured smart contract.  

Below is a list of just a few high-profile hacks.


     📉 DAO, $53 million -

In the 2016 DAO hack, a developer exploited code within the DAO Smart Contract instructing it to release USD 53 million worth of Ether into his private wallet.  The hacker went so far as to write a letter to the community stating why he deserved to keep the funds, stating that he had used a function within the Smart Contract and therefore within the boundaries of the DAO.  

The result was a fork in the Ethereum blockchain which locked the tokens in the DAO, including the hacker’s.  

This was the first and only fork performed to “undo” a transaction on a major blockchain.  

     📉 Parity, $30 million + $275 million -

Parity is an extremely unlucky centralized wallet software provider.  They’ve lost over USD 300 million in two separate hacks.  

The second hack didn’t result in theft of funds, instead it killed the parent smart contract library that handled all user’s funds on the platform.  This essentially rendered all funds permanently locked.  

Parity was a well-known company at the time, founded by one of the original developers of Ethereum, and therefore considered a trusted intermediary, which explains the considerable amount of funds held on its wallet.  If these users had only used a hardware wallet, their funds would have been secure.

     📉 Mt. Gox, $460 million -

The Mt. Gox hack is perhaps one of the most well-known hacks, due to the amount stolen, and at that time, the largest loss of customer funds in history.  

The exchange handled over 70% of all bitcoin transactions at its peak.  

What is significant about this hack was that it was the first of its kind, and occurred over a long period of time without being noticed or reported.  Instead the founder, Mark Karpeles attempted to cover up the loss of funds by performing trades using two trading bots.  

Meanwhile, he continued to spend recklessly, renovating his office and even working to build a Bitcoin café with a focus on preparing quiches of all things.

The hack involved theft of a wallet.dat file.  Back in 2011 when the hack occurred, the encryption of private keys was not common, and the most widely used wallet, the Bitcoin Core Wallet, did not encrypt them.  

Therefore, gaining access to wallet.dat file would reveal the unencrypted key making it easy for a hacker to gain access to the Mt. Gox wallet.  During this time, cold storage hardware wallets did not exist, so all of the bitcoins held on the exchange would have been on a hot wallet.  It is likely that the exchange was unaware that funds were being siphoned out, as these transfers could appear like normal withdrawals without careful scrutiny.  

Today, all wallet software utilizes encryption to reduce the vulnerability to theft, and cold storage wallets are implemented to secure customer funds.

     📉 Coincheck, $530 million -

The Coincheck hack is the largest known cryptocurrency hack.  

Technically speaking, the Mt. Gox hack was larger, based on the market value of bitcoin today, but at the time of each hack, Coincheck’s loss was more substantial.  

The hack involved stolen private keys, which allowed the suspected Russian hacking group, to abscond with over half a billion USD in NEM (XEM).  The exchange held the entirety of its NEM balance in a single hot wallet, making it vulnerable to single key theft.  Had the exchange implemented several cold wallets, the theft might have been minimized.  

Coincheck did not divulge how hackers were able to obtain its private keys, but admitted “lapses in security” played a role.  This resulted in the closure of Japan’s largest exchange.


To sum up the hacks:

Centralized exchanges play a significant role in theft.  They make for desirable targets by hackers, and their complexity and design can make them difficult to protect.  Thankfully exchanges are learning from these mistakes and getting better at security.  

That being said, as we will have learned, they are far from the safest place to store your coins.

Secondly, phishing for your info via giveaways on emails or through phone is very common. Question all random requests and giveaways.

Ways that hackers gain access to your coins.

Don't trust every email.


Perhaps one of the most important aspects in securing your cryptocurrency is to be aware of the gimmicks, ploys, and mechanisms used to steal your coins.

Below are the most common examples of how thieves have managed to milk billions from cryptocurrency holders.

     🔵Theft from centralized entities –

This accounts for the bulk of funds lost due to hacking and theft. You've probably figured this one already since the first half of the article addresses this. But it’s interesting to note just how much centralization plays a role in coin theft.

     🤐 Compromising your credentials –

This involves a hacker gaining access to something like your password, authentication mechanism, or private seed.  A hacker that gains access to your credentials can move funds from your wallet from anywhere in the world, and in complete anonymity.  To compound this, these funds can be mixed, tumbled or converted to privacy coins to prevent the tracing of funds, permanently.  

     🎣 Phishing attacks -

This involves a scammer tricking an individual into misplacing their trust with a “bad actor,” usually by faking or spoofing the appearance of a trustworthy entity. A notable example is when a scammer created a URL very similar to Binance in which certain characters were modified with a diacritic (small dot under a letter).  

The fake site looked identical to the real one but would record all login information and then redirect users with the supplied credentials to the real site. Because of this it would display the user's actual account information making detection very difficult.  From there they were able to abscond with the user's funds.


A screenshot of a cell phoneDescription automatically generated


     📲 Phone porting –

In this hack, a scammer pretends to be you and calls up your mobile phone carrier asking to transfer your phone number to their SIM card or another account.

This is a form of social engineering, where a scammer will convince the phone carrier’s customer service representative that their phone was stolen, or permanently damaged, and therefore needs the SIM swap to occur.  They may feign an immediate need due to an emergency, putting pressure on the customer service representative to act.  

This may involve using information that was already compromised such as your name, address and date of birth. The scammer will call repeatedly, trying different account reps until they can get one sympathetic enough to transfer your number. They will then attempt to reset your account passwords where your phone number is used as a security backup or second factor for authentication.

This is an example of why not sharing too much information about yourself online is a good practice.

     🔧 The $5 wrench attack -

This is one of the worst kinds of attacks where a group of individuals kidnaps you and threatens bodily harm if you don’t hand over the credentials and keys to all of your wallets and exchange accounts.

This type of attack is difficult to protect against, since the threat is immediate, direct, and circumvents most security measures. These thugs almost always target individuals with a public persona.

     🦠 Copy-paste exploits –

These utilize malware programs that can be installed on your computer without your knowledge - for example, being bundled with a legit program by an unscrupulous attacker. These programs operate undetected in the background and can replace a copied wallet address with their own, resulting in you unwillingly submitting crypto into their wallet.



Here's how to protect yourself..


While reading this article, it may feel like securing one’s cryptocurrency funds is an impossibly daunting task, but in reality, if you follow a few best practices and avoid getting complacent, your funds should be fairly safe and secure.

It’s worth noting – while we’ve discussed the role of theft and hacking in the cryptocurrency space, not one common example involved brute forcing into an individual or entity’s secured wallet.  

Most exploits involve stealing information to gain access.  

If you can secure and protect this information, the chance of brute force into your wallet is next to nil.  

To qualify this statement, blockchain developer John Cantrell provided a real-world example where an investment of USD 100 billion to purchase GPU’s to perform brute force attacks would still require 422 trillion years to crack a 12-word mnemonic phrase.  As many wallets feature longer 24-word mnemonics, it’s not likely current technology will have the ability to brute force a wallet within the next several of our lifetimes.

Therefore, our best practices are centered around securing your funds from the exploits we’ve mentioned in earlier sections of this article.  While less convenient than simply storing your funds at a bank and letting them handle security on your behalf, with a little bit of discipline, you can reduce the chance of theft significantly.

Below are a list of some recommendations on how to protect your cryptocurrency holdings:

  1. Always - Use the simple KISS framework 💋
  2. Regular - Store most of your tokens offline in a hardware or paper wallet
  3. Regular - Secure your hardware, paper or steel wallet in a locked safe place when not in use
  4. Regular - Secure your private keys offline and away from where your wallet is stored, such as in a bank safe deposit box, mattress, or other secure location
  5. Regular - Limit cryptocurrency held at exchanges to what is needed for trading and exchange only; immediately secure in your private wallet when not in use
  6. Regular - Use trusted bookmarks in your web browser to access your exchanges, wallets and other online cryptocurrency service providers
  7. Regular - Implement multiple passphrases on your hardware wallet to hide your primary wallet balances and mitigate losses as a result of the $5 wrench attack
  8. Regular - Implement multifactor authentication with one form of authentication from an offline token generator like Google Authenticator
  9. Regular - Implement a multi-signature approach for funds held on wallets
  10. Regular - Where practical, limit your public exposure or avoid discussing your crypto holdings in a public forum
  11. Always double-check the wallet address after pasting it, and when supplying a wallet address to someone via email, chat or other digital communication, provide an image of the wallet address they can match it to, to verify they have received the correct address

And if that's not enough for you, you can go to reddit and really get lost in this one.. Click here.

The above list is not meant to be comprehensive, but hopefully it helps to illustrate what security practices can be implemented in order to safeguard against theft. Today we have the benefit of learning from yesterday’s high-profile attacks, so it only makes sense to implement this knowledge to avoid falling victim to a preventable hack.

5 Easy Steps to Transfer from Coinbase to Ledger (2020)




To Close It Out..

The cryptocurrency space requires a little more focus and effort when it comes to your security.  

Keep it simple, please.

Use a vpn, don't give out details online or over phone, avoid dm's generally.

It's a beautiful yet dangerous place to be.

Centralized entities are prime targets for hackers and have historically proven to be bad places to store one’s cryptocurrency.  Theft also occurs directly to end users, usually through installation of malware, or gaining access to private keys and passwords stored digitally and remotely accessible.  

Following best practices greatly reduces the chance of theft, and knowing the most common threat vectors should help you to navigate away from risky scenarios.

Stay safe out there and slow down a bit when dealing with crypto.

..safety is not promised.

To move on to the next part of your crypto knowledge journey, learning about the early days will provide a whole new perspective. Gain that vision here.

Stay safe,

#4111 "This is why we go pseudonymous"

P.s.. Our members get to ask us any question they want, anytime they want to.

Like this one..

Anytime it's on their mind.

If you wanna know what this member chose to do you can find out by email 👇.

Hint: It involves this emoji, 💋.

Next Article:  The Origin Of Crypto

Stay in touch
We'll keep you in the loop
"You'll be amazed at what happens..."

You'll understand the crypto-verse, get weekly deep dives & frameworks, PLUS network with our private little group.