Cautionary Tales on Bitcoin Security
The Bitcoin ecosystem has many types of platforms: exchanges, payment service providers, reporting platforms and an array of other supporting services. Every new account expands your online profile, and with it the chance that a breach of one account spills over into the rest. Private keys and passphrases should be managed as securely as possible, and the same goes for login credentials. The following tales are filled with valuable lessons for stepping up your game in digital identity management.
Paul Boyer, creator of the “Mad Money Machine” podcast on the “Let’s Talk Bitcoin” network, learned a tough lesson recently. Paul happily received donations totaling 3.3875 bitcoins, about $2,000, from loyal listeners, until he discovered a zero balance in his wallet at the end of June 2014. He collected donations through a payment service provider that normally pays out the bitcoin value in U.S. dollars daily, but he never submitted a bitcoin payout address, so the coins just accumulated in the account, awaiting the attention of hackers. That was his first mistake.
A phishing email styled to look like it came from BitPay asked him to refund a customer payment through a “View Invoice” link. Paul took the bait. The link led to a look-alike login page, so the password he typed went straight to the attacker, who logged in, changed the payout address and received the 3.3875 bitcoins the following day.
One last mistake: Paul hadn’t activated the account’s two-factor authentication. With it turned on, the phished password alone would not have been enough to log in and change the payout address.
Fortunately, two-factor authentication is becoming more widely available on Bitcoin platforms. After the usual username and password login, a second prompt asks for a six-digit code generated by a smartphone app such as Authy or Google Authenticator. The code is computed from a secret shared with your phone at enrollment plus the current time, so a hacker holding only your login credentials can’t get in without your phone. Two cautions: a code is only as safe as the page you type it into, since a look-alike site can relay a freshly entered code to the real site within the roughly thirty seconds it stays valid, so check the domain before entering one; and codes sent by SMS are weaker than app-generated ones, because phone numbers can be hijacked. The lesson is to activate every two-factor option available when setting up a new account, and to be wary of downloading overhyped free software.
Longtime Bitcoin evangelist Roger Ver was attending a conference when friends started messaging their suspicions about a Facebook imposter. Someone had broken into his old Hotmail account and was using it like a master key, requesting password resets for his other accounts. The hacker demanded a 37.6-bitcoin ransom, worth $20,000 at the time, for Roger’s identity. Roger turned the tables, offering a 37.6-bitcoin reward via Facebook and Twitter for information leading to the hacker’s arrest. The viral bounty was too much for the hacker to bear, so he or she quickly backed down, handed over the login credentials and disappeared.
No bitcoins were stolen, but this tale shows how a single email account can be the weak point that exposes an entire online digital identity: every password reset link lands in it. When the same email is used for all accounts, it effectively weaves everything together with a single thread. In addition, the more well-known someone is and the more wealth they are perceived to hold, the greater the risk of being targeted.
A Tale of Social Engineering
Sam Lee, CEO of Bitcoins Reserve, and his company were victims of a creative social engineering attack that started with the U.S. Marshals’ accidental email leak of the Silk Road bitcoin auction bidder list. Hackers were licking their chops over a juicy list of high rollers handed to them with a white glove.
Sam then got an email from a hacker posing as a journalist requesting an interview, with a Google Docs link supposedly containing the questions. Opening the link installed malware that harvested every username and password saved in his Chrome browser, which gave the attacker control of all the company’s email accounts. From Lee’s own account the hacker then emailed the CTO requesting a client withdrawal of 100 bitcoins, worth about $65,000. The “client” was the hacker, and the bitcoins evaporated.
Passwords saved in a browser are convenient, but on most setups any program running under your user account, including malware, can read them, because the browser has to be able to decrypt them without asking you for anything. The hackers took over Lee’s entire digital identity but still couldn’t penetrate the company’s securely stored bitcoins. However, it’s hard to defend against a hacker posing as a trusted party, one of the slickest tools in a hacker’s toolbox; an out-of-band check, such as a phone call to the person who supposedly sent the request, before any large withdrawal is the standard countermeasure. “This is a weakness in our internal processes and procedures; it has nothing to do with weaknesses in Bitcoin because frankly Bitcoin so far has none,” says Lee.
Keys to the Kingdom
Androklis Polymenis, aka klee, is an early Bitcoin adopter and NXT stakeholder who recently discovered that his $1 million stash of bitcoin and NXT, another cryptocurrency, had vanished. The break-in most likely started with a hacker finding klee’s unencrypted plain-text password file sitting in Dropbox, where klee had left it exposed. He responded by putting out a 500-bitcoin bounty, worth nearly $300,000, for the return of the stolen funds and the identification of the hacker, who eventually returned 462 of the 1,170 bitcoins and kept the rest as the bounty in exchange for klee calling off the hunt. In the meantime, the NXT community was able to rally together and retrieve some of the stolen NXT tokens.
Although about two-thirds of the cryptocurrency wasn’t recovered, it could easily have been a total loss. The keys to the kingdom were practically sitting on a park bench waiting to be picked up.
It’s a painful lesson highlighting the importance of safeguarding bitcoins and other cryptocurrencies. Armory founder Alan Reiner, a self-proclaimed ultra-paranoid crypto-nerd says, “Holding your own bitcoin is like harnessing fire,” and then adds: “Sometimes the biggest threat to users is themselves.”
There are many good password managers. LastPass, for example, has multiple two-factor authentication options, with a free version for individual users and a paid enterprise version for businesses. The paid version, only $24 per user per year, has an admin dashboard for managing multiple users and access controls. It even has a security scorecard showing the strength of your overall password profile. The free personal version can be linked to a separate enterprise account for a seamless user experience. In addition, install anti-virus and anti-malware software on your computers, since credential-harvesting malware, as in the Bitcoins Reserve case, is how password stores get emptied.
You can’t afford to waste another day. If you reuse credentials, one hacked account means they can all be hacked. Your password manager contains the keys to your kingdom, so create a strong master password, memorize it and use it nowhere else. Start securing your digital identity and your bitcoins with these seven easy steps, and go on more vacations with all the time you save. The average person has 25 logins per day, so one minute of fumbling per login multiplied by 250 working days equals 2.6 wasted weeks per year logging into websites. Enjoy peace of mind on your newfound vacation instead!
Seven Steps to Digital Security
Let’s put some golden security nuggets to use before we end up as another cautionary tale. Best practices for digital identity management are encompassed in the following seven steps.
Step 1: Choose Platform
Select a password management system such as LastPass, Secret Server, OneID or Roboform, create an account, activate two-factor authentication and start adding websites and login credentials. Browser-based password managers should not be used; a quick search for password manager reviews will turn up current comparisons. Businesses should create an enterprise-level account with an admin console for managing users. You are 100% responsible for managing your bitcoins, so reducing the risk of compromising your entire online profile starts by managing one account at a time.
Step 2: Add Sites
Once the password manager is set up, you can easily add sites by logging into an account as you normally would. Most systems will prompt you to save the site with a simple click. You can also add sites manually with the URL, site nickname, username and password. If you previously saved all your usernames and passwords in a spreadsheet, adjust the columns to the import format and upload. Easy tutorials are usually available for mastering the setup.
Step 3: Test Sites
Always go back and test-click the site after saving it whether you save sites one by one or import a list. Sometimes little nuances like the login URL or username need to be adjusted. When you create new accounts the URL automatically picked up by the system is often not the login URL, so testing and correcting helps to avoid frustration.
Step 4: Delete the Old List
After you’ve successfully transitioned from a password list it’s time to delete the file. If you set up a password manager and keep your old file, you have not reduced any risk; remember that the file may also have copies synced to cloud storage (as in klee’s Dropbox case) or sitting in old emails, and those need to go too. If you’re among those who have a difficult time parting with the old for fear of losing access to something, or who want to keep it just in case, you can get over the hump by copying your old password list and pasting it into a secure note, a feature available in most password managers.
Step 5: Create a Unique Email
Email is the golden thread that weaves your entire digital identity together, and unfortunately, most folks use the same email and the same or similar passwords for all their accounts, including social media, financial accounts and everything in-between.
The critical distinction is that email plays two roles: communication and account creation. Securing your online identity means separating these two roles by using two different email addresses.
In other words, the email you use for communication should be different from the one you use for new account setup. Create a second email account whose address does not contain your name or any word that could be associated with you: pick an arbitrary word, or use the password manager’s random generator to create a random “prefix” for the address. This account will receive every password reset link, so give it the strongest password and two-factor protection of all. Then swap the email on each site to the new one the next time you log in. It will be easier to change accounts one by one instead of turning it into a major all-at-once project.
Step 6: Change Passwords
Hackers don’t guess by hand: an easy-to-remember password falls to dictionary and brute-force attacks run offline against a stolen password database at billions of guesses per second. Change all of your passwords to a minimum 16-character, hard-to-break random password using the random generator provided within the password management software.
Password resets should be done in conjunction with the email resets described above. A password you couldn’t possibly remember is, by the same token, one an attacker can’t guess, and with a password manager you no longer have to remember passwords, because the system keeps them encrypted.
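As an added example, not from the article or any product it mentions, the following Python generates a password the way a manager’s random generator does, drawing from the operating system’s cryptographic random source, and shows why length and alphabet size matter by estimating how long an offline attacker would need to exhaust the space. The guessing rate of 10^11 per second is an assumed figure for a GPU rig against a fast, unsalted hash; the 16-character, 94-symbol password comes out near 105 bits, an 8-letter lowercase one under 38.

```python
import math
import secrets
import string

# The 94 printable ASCII characters: letters, digits and punctuation.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Draw every character uniformly with the OS CSPRNG (`secrets`, never `random`).

    Re-draw until each character class present in the alphabet appears at least
    once, so sites with composition rules accept the result; for 16 characters
    over 94 symbols the rejection throws away a negligible fraction of a bit.
    """
    if length < 16:
        raise ValueError("use at least 16 characters")
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    required = [t for t in tests if any(t(c) for c in alphabet)]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(t(c) for c in pw) for t in required):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try the whole space at the given offline guessing rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e11  # assumed: a GPU rig against a fast, unsalted hash such as MD5 or NTLM
    for name, length, size in (("8 lowercase letters", 8, 26),
                               ("16 random printable", 16, 94)):
        bits = entropy_bits(length, size)
        print(f"{name:<22} {bits:6.1f} bits  {years_to_exhaust(bits, RATE):.2e} years")
    print("example:", generate_password())
```

The point of the comparison is that strength comes from uniform randomness over a large space, not from cleverness: the 8-letter word-like password is exhausted in seconds at the assumed rate, while the 16-character random one outlasts any realistic attacker, which is why memorability should be delegated to the manager rather than traded for entropy.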
Step 7: Secure Bitcoin Wallets
Bitcoin-related sites may require special attention beyond standard login credentials. Sometimes a passphrase, a group of random words, is required to access your bitcoins. If you lose the passphrase you lose your bitcoins, period, so it must be handled very carefully.
Some sites don’t have standard login credentials and only require a passphrase. In either case, the passphrase should be saved in the encrypted password field of the password manager. Be aware that this concentrates risk: whoever gets into the password manager gets the coins, so its master password and two-factor setup matter even more. Also consider writing down your passphrases and keeping them in a safe, which protects against losing them if the manager account is ever locked or lost.
There are many other advanced techniques that are beyond the scope of this article, but these strategies are meant to significantly reduce risk for people who would otherwise keep login credentials in a text file, spreadsheet, on scrap paper or in draft emails.
This article originally appeared in yBitcoin magazine.