When crypto first became somewhat known in 2012, it was touted as being hack-proof, making it the safest form of digital currency transfer available. From today’s point of view, that looks reminiscent of the good old days when everyone believed that Mac OS is immune to computer viruses.
Today, crypto is seen as an effective tool for ensuring data integrity but it's not completely secure. If you're using blockchain for online money transfers to suppliers, vendors, mobile casino sites, or for any other reason, you need to be aware that there are risks and how you should mitigate those dangers.
Blockchain Security: Every new application brings vulnerabilities
Distributed ledger technology, also known as the blockchain, along with the cryptocurrencies that are powered by this blockchain technology, have experienced successes and failures since they were first introduced but blockchain's biggest success is that it has become an essential method of transferring funds throughout the world.
Applications of blockchain are constantly expanding - look at stablecoins, DeFi, NFT platforms.
But new applications bring vulnerabilities to breaches in security – perhaps not the same kinds as TradFi online banking methods but still, open to compromise.
Decentralisation is not a panacea
In the early years of blockchain, it was seen as an ideal technology for cybersecurity because it is decentralized. There are a wide range of applications in distributed ledger technology in areas such as permissioned sharing of financial data, encrypted messaging platforms, medical data sharing and monitoring of credit scores or money laundering.
Today we know that, while blockchain may be a better choice security-wise than conventional money transferring platforms, there are still issues to be resolved.
- There are platform-based types of vulnerabilities such as coding errors that give hackers an entry point into the ledger.
- The complexity of some DeFi applications leads to user mistakes that can make them vulnerable to breaches.
The security of blockchain technologies, services and applications is dependent on their inherent weaknesses and while no blockchain-based large-scale hack has yet occurred, there have been small-scale hacks and it's not impossible that a larger one could occur.
In short, blockchain keeps evolving but so does the cybercrime. Hackers can look forward to more powerful tools and more sophisticated algorithms that are beginning to dominate the market that gives hackers new ways to compromise the security of the blockchain.
Security Issues from the User’s Point of View
As a DeFi user, active trader or crypto investor, here are the most important issues that you should watch out for:
-
Attack on the platform
Decentralized platforms come with all sorts of system designs, some rather poor. It is a good practice to have a security audit to any application based on smart contracts, but that does not make a DeFi platform immune to all vulnerabilities.
Custodial “DeFi” platforms, such as lending networks where you need to deposit liquidity into an exchange account, are on par with custodial exchanges. They can prevent you from accessing your money at any time, just like Celsius Network did in June 2022.
Last but not least, you might lose money even if you are not engaging in DeFi staking protocols due to the devaluation of the underlying cryptocurrency - as it happened with Luna.
The bottom line is that when a DeFi platform gets under attack, the people who used its services and held its tokens may lose their money. At the same time, as a user you cannot control the security practices deployed by the platform.
Your only security protection here is to mitigate the potential damages: DeFi is experimental, do not put in more money than you can afford to lose.
-
Phishing
Phishing attempts involve scammers who send email messages with fraudulent links, most commonly related to a crypto wallet update.
The email appears to be from a legitimate source but if the user clicks on the link, it gives the scammer access to information in the user's computer that provides the user's blockchain wallet keys and entry into the blockchain.
The most widely known example of phishing is the Ledger wallet phishing campaign that has been ongoing since Ledger’s customer database got breached in second half of 2020.
Most crypto wallets these days will let you run any software updates from the wallet’s app. Your best precaution is to always do that and just plain never click any update link in emails.
-
Cryptojacking
Cryptojacking is an illicit takeover of computational resources to mine cryptocurrencies or perform other crypto-related tasks. Crypto-malware is malicious software that is installed on a user's device.
Once the device is installed they will use the victim's computing power to mine cryptocurrencies secretly. Modern cryptojacking scripts are designed to pause when the victim’s phone wakes up and is being actively used, which means the victim will never notice anything.
The software can be disguised in an email attachment that executes as soon as the user clicks on the attachment or link, so your best protection is to not click on unexpected attachments.
Fun fact, crypto malware it can also be deployed to the computer in other ways too. So, for instance if you use your employers’ infrastructure to secretly mine crypto at work, you may be guilty of cryptojacking.
-
51% Attacks
Proof of Work blockchains involve "mining" for new coins, typically using extremely powerful, application-specific computers.
This is particularly true for large-scale public blockchains like Bitcoin and has caused much concern in the early days of it. (Some newer altcoins like Monero or Chia coin have made adjustments to remove the advantage of application-specific devices.)
When a group of miners gathers enough resources, they can seize more than 50% of the mining power of the network and then control the ledger and, if they wish, modify it. The 51% attack can't work on a private blockchain but it can work on a public blockchain.
There is nothing you can do to prevent this. Mitigating your risks is the only advice to give here.
-
Sybil Attack
"Sybil" refers to the title character in the book "Sybil" who was afflicted with a multiple personality disorder.
In blockchain jargon, Sybil attack occurs when the hacker creates and uses a number of fraudulent network identities to subvert the service's reputation system.
Bots and malicious entities simulate fake GPS reports which influences social navigation systems and clogs up the network. If the attack is successful it can bring the system down.
Again, nothing you can do to prevent it. It is safe to say that smaller blockchains are more vulnerable to this attack than large, public networks like Bitcoin.
Checklist: Precautions to Take
There are nearly 600 custodial cryptocurrency exchanges worldwide and they have varying levels of security protocols.
AscendEX was hacked in December 2021 after a compromised crypto hot wallet was breached. About USD$80 million worth of cryptocurrencies was stolen, emphasizing the fact that just because an exchange is a blockchain, it doesn't mean that it's automatically immune from hacking.
When you choose a crypto exchange and as you work with it, security should be your primary consideration. Of course a lot of it depends on the exchange, but if you're using blockchain you still want to do as much as possible to protect yourself:
- Do your research so that you are interacting with a trading platform that utilizes advanced security features. The platform should give you the option of downloading a full report of the activities of your account quickly and easily based on any period of time.
- Don't click on any links in any emails that you don't recognize, regardless of how official it looks. Never provide any information to these emails or links, especially anything that would give them information that they would need to access your crypto wallet's private keys.
- Instal anti-crypto mining ad-blockers and extensions on your computers. Disable JavaScript to safeguard your computer from cryptojacking. Install antivirus software to protect you from malware attacks.
- Don't download applications that your trading platform doesn't control.
- Use a VPN to protect your personal information and mask your location.
- Use multi-factor authentication to provide additional security.