On December 20, an exquisitely well-documented article entitled 'Hackers Have Stolen Millions Of Dollars In Bitcoin - Using Only Phone Numbers' appeared in the business publication Forbes. The work of noted Bitcoin, blockchain and fintech columnist Laura Shin, this article continues to send aftershocks through the global bitcoin community, sparking questions about the security protocols commonly used to protect cryptocurrencies.
This article profiles the August 11 discovery that a hacker had impersonated a bitcoin user and had his phone number transferred from his cell phone carrier account to one in the hacker's possession. Control of the phone number gave the hacker access to the victim's computer, banking, and bitcoin accounts.
Here is where the story gets interesting: the user kept the vast majority of his bitcoin on an encrypted hard drive and employed what he believed was a discreet set of additional security measures. According to the article, the user nevertheless lost millions of dollars worth of bitcoin, a fact which has fueled growing fears among crypto holders.
Unfortunately, this is just one incident in a larger wave of bitcoin scams that have hit this year. These attacks have affected a wide swath of high-profile cryptocurrency industry names as well as businesses, in some cases resulting in financial loss.
Exploitation of businesses and individuals through security breaches tends to generate a great deal of media attention. But those hitting the Bitcoin space are often more newsworthy for one simple reason: by the nature of Bitcoin, the hacks and the resulting losses suffered by the victims are seen as extremely hard to trace.
Even more daunting, as the Forbes article highlights, hackers do not need specialized computer knowledge to pull off a heist; a phone number may now be the key to a user's bitcoin stash. From lax carrier security procedures to emerging questions about the viability of the widely used security measure known as two-factor authentication, the larger implications for cybersecurity in general are immense.
Here at BTCManager, we turned to Darin Stanchfield, cyber security expert and founder of KeepKey, to offer the bitcoin community some thoughtful perspectives on securing your cryptocurrencies. He offers a direct response both to the Forbes article and to another timely piece that has some useful tips on phone security protection.
What are Your Thoughts on the Forbes Article Regarding the Bitcoin Hack?
“This story is gut-wrenching in so many ways. Digital security is hard. Meanwhile, cryptocurrency users have much more at stake than ordinary users. Jared, the subject in the article, was a long-term bitcoin user who knew all the pitfalls of inadequate security and got a first-row seat through bitcoin’s early days of hack after hack. Despite witnessing those events first hand, he was still unable to secure his digital assets efficiently from hackers.”
So Was There Something He Overlooked That Increased His Vulnerability to This Hack?
“Jared apparently kept his bitcoins offline on an encrypted hard drive. The problem is that those bitcoin private keys did not remain offline, as he had recently plugged that drive into a network-connected computer.”
“Digital security is not something you can do 'mostly right' and remain safe. Hackers will wait in the shadows until a mistake is made, and then they will seize the opportunity.”
A Medium Post Published December 6, Entitled 'Tis The Season to Be SIM Swapped, Suggests That Vulnerabilities in SIM Cards and Two-Factor Authentication Could Affect the Security of Your Bitcoin. Can You Respond to That?
“The author of this entry makes some great points. I would like to strongly re-emphasize one of his points. If 2FA is not hardware-based, you are potentially adding security vulnerabilities to your online logins. This threat is real and it is being carried out in real time. As users, we need to re-evaluate our security practices on a frequent basis as hackers aren’t waging a war that has a static type of attack.”
What are Your Thoughts on SMS, Authy, and Other Forms of Security Authentication?
“They add a false sense of security. It is never a simple 'Enable 2FA with your phone and you're more secure.' As users, we should evaluate the attack vectors we are potentially opening by adding a phone as 2FA. For many, this is not easy to do, and that is why you should always opt for hardware-based 2FA like U2F.”
How Big of a Factor is One's Email Address Relative to Security?
“Your email address is a big factor since it is usually your weakest link for all logins; you are ultimately at the mercy of the security practices of the company that provides that email address to you.”
Given the Increased Concerns Regarding Potential Hacks, What Sort of Additional Advice Can You Offer for Securing One's Cryptocurrencies?
“Get a hardware wallet. This might not seem like a little-known tip, but I think most people are largely unaware why devices like KeepKey are needed. I still get asked why someone should purchase a hardware wallet and not just generate a paper wallet. My answer is that there is nothing wrong with paper wallets, just that you must practice perfect security creating that wallet and then later practice flawless security when you go to spend from the paper wallet.”
“A hardware device removes mistakes from the equation. The fact that the private keys stored on a hardware device like KeepKey never touch a network-connected computer serves as an invaluable feature during these times of rampant attacks.”