Protecting Cryptocurrencies and NFTs - What's Old is New

Five steps that end-users can take to protect themselves against cryptocurrency losses

There has been quite a bit of chatter around cryptocurrencies and non-fungible tokens (NFTs) of late. As with most topics these days, some of that chatter has been around the topic of security. Specifically, there seems to be quite a bit of interest around how attackers and fraudsters can compromise cryptocurrencies and NFTs. In particular, one topic of keen interest is how attackers and fraudsters can profit from illicit or fraudulent activities around cryptocurrencies. I would like to take a look at that along with the security of cryptocurrencies in this piece.

I should preface all of this by noting the obvious - I am no expert in cryptocurrencies. That being said, when I look at threats to cryptocurrencies, I see a case of what’s old is new again. What do I mean by that? While there is always the possibility that a cryptocurrency itself will be compromised, that is not likely to be where we will see the vast majority of fraud loss and theft. Why is that? Attackers and fraudsters are opportunistic and coin-operated. If they can easily make money targeting weaker links than the cryptocurrencies themselves, they will do so.

To understand this concept a bit better, let’s draw a lesson from the traditional financial world. Most of us are customers of one or more credit card issuers. While card issuers themselves are compromised from time to time, the vast majority of fraud loss comes from compromising end-user devices (e.g., with banking trojans) used to make purchases, compromising card processors, and/or compromising Point-of-Sale terminals (e.g., cash registers). In other words, attackers and fraudsters know that they can make far more money in far less time by going after the end-user, the intermediary, and/or the merchant than they can going after the card issuers.

So how does this translate to the cryptocurrency world? Well, rather than go after the cryptocurrencies themselves, attackers and fraudsters have gone after and will likely continue to go after the end-users and the intermediaries just as they do in the traditional financial world. For cryptocurrencies, this means digital wallets (the end-users' means of accessing their cryptocurrencies) and exchanges (where cryptocurrencies are bought and sold). To put it another way, although the medium is different, the strategy remains the same. Go after the weakest links - not the cryptocurrencies themselves.

What’s old is indeed new again. If we look over cryptocurrency thefts that have occurred in the recent past, we see that the end-users (specifically their access to the digital wallet) and the intermediaries (the exchanges) are by and large the targets of attackers and fraudsters. Not surprising in the least.

Given this, what are some steps that end-users can take to protect themselves against cryptocurrency losses? While not an exhaustive list, here are five steps end-users can take to protect themselves:

1. Use MFA: Wherever possible, enable multi-factor authentication (MFA). Stolen credentials abound on the dark web, and some of those credentials likely belong to you. Requiring one or more factors in addition to a username and password can help reduce the risk of attackers and fraudsters gaining unauthorized access to your accounts.

2. Use known, reputable exchanges: Cryptocurrencies are not regulated like national currencies. This includes the exchanges used to buy and sell cryptocurrencies. Thus, it is best to be cautious when choosing an exchange. Choose a reputable, reliable, and respected exchange, preferably one that clearly and openly outlines its security measures.

3. Choose your cryptocurrency wisely: There are many different types of cryptocurrencies, and not all cryptocurrencies are created equal. Each has differing levels of security. Should you choose to purchase cryptocurrency, be sure to invest in one that is reputable.

4. Beware of social engineering: Phishing and other scams are a great way for attackers and fraudsters to steal credentials. Those credentials give them access to what they are after. The easiest way to gain access to the cryptocurrencies of others is to flat out ask them for the usernames and passwords to the resources that hold those assets. Don’t fall victim to it.

5. Guard your wallet: The end-user is likely the weakest link in the cryptocurrency chain. As such, access to the end-user digital wallet is exactly the type of target attackers and fraudsters eagerly pursue. Take steps with your digital wallet provider to ensure that you’ve leveraged their ability to help you lock down your account.

Although cryptocurrencies are relatively new, the strategies used by attackers and fraudsters to profit from them don’t appear to be. By understanding that end-users and intermediaries, rather than the cryptocurrencies themselves, are the most likely targets for theft and fraud, end-users can take steps to protect themselves. The time invested in considering the points above and others is sure to pay dividends and help avoid fraud loss.

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.