There’s a general consensus in the crypto industry that blockchain cannot be hacked. This is because blockchain transactions listed on the distributed ledgers are immutable, meaning they cannot be erased, changed or configured.
The distributed ledger system also has accountability in place: the transactions distributed across each node must all be the same in order to achieve consensus.
Blockchains have so far proven to be impossible to hack, but organizations are using blockchain in ways that involve elements outside the blockchain itself, such as crypto wallets.
Because these elements exist outside the scope of the blockchain, they are susceptible to common web vulnerabilities, hacking, and other human errors. Therefore, if a transaction is handled improperly, it can be unintentionally listed as an official transaction.
For example, tokens stored in a wallet or an exchange whose website isn’t secure can lead to a hacking incident and ultimately the withdrawal of tokens, which will be recorded on the distributed ledgers as valid transactions when they are not.
So what can companies and users do to protect their crypto assets?
While blockchain technology offers interesting security alternatives to cybersecurity in general, that does not mean traditional cybersecurity solutions and other cyber practices are obsolete in protecting against attacks that ultimately target cryptocurrency.
Check out our tips for protecting against some of the most common cyber hacks in the crypto world.
Wallets don’t actually contain any crypto; instead, they hold a private key, which is needed to access, withdraw, or trade it. Wallets are not protected by the same technology that makes blockchain essentially “unhackable.” The same goes for crypto exchanges, which is why we advise users to avoid holding significant amounts of coins on any exchange. Wallets and exchanges are also vulnerable to web attacks such as SQL injection and Cross-Site Scripting (XSS). Hackers, for example, can launch SQL injection attacks that exploit a vulnerability in data input forms by entering malicious code into the login pages of a website or web app, thus revealing sensitive data like the private keys of wallets. XSS attacks can be used by hackers to intercept information, including login details, between a client and server by executing malicious code. While these attacks can easily be thwarted with a WAF, which monitors web traffic at the web application layer in the background and blocks malicious agents automatically, there are other ways end users can protect themselves. As an end user, we highly recommend that you use “cold” wallets such as a Ledger so that your private keys are stored offline, unlike “hot” wallets, which are always connected to the internet and are prone to hacking. We also recommend that users write down their private keys and keep them in a safe location, since anyone who gets hold of your mnemonic phrases can access your wallets.
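The login-form SQL injection described above, shown next to its fix. This is an added example, not code from the original article; the table layout, function names and sample rows are assumptions made for illustration, and the stored values are placeholders.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows (placeholders only).
    Passwords sit in the clear to keep the sample short; a real service
    would store a salted hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, wallet_key TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "KEY-ALICE-PLACEHOLDER"),
         ("bob", "battery-staple", "KEY-BOB-PLACEHOLDER")],
    )
    return db

def login_vulnerable(db, name, password):
    # Weak: form input is pasted into the SQL text, so quote characters in
    # the input become part of the query's logic.
    query = ("SELECT name, wallet_key FROM users "
             f"WHERE name = '{name}' AND password = '{password}'")
    return db.execute(query).fetchall()

def login_parameterized(db, name, password):
    # Hardened: placeholders keep the input as data; it is never parsed as SQL.
    query = "SELECT name, wallet_key FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchall()

# Constructed form input of the kind a WAF rule is written to flag.
INJECTED_PASSWORD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", login_vulnerable(db, "alice", INJECTED_PASSWORD))
    print("parameterized:", login_parameterized(db, "alice", INJECTED_PASSWORD))
```

With the string-built query the injected input returns every row, wallet keys included; the parameterized query returns nothing for the same input, with or without a WAF in front of it.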
Wallet addresses contain a long string of both numbers and letters (up to 21 characters) and are difficult to memorize. When users want to transfer funds to another wallet, most opt to copy and paste wallet addresses, but this shortcut creates an opportunity for certain malware to exploit. Though not entirely new in its execution, a trojan has been discovered that monitors over 2.3 million different crypto addresses and works by exploiting the clipboard function: it replaces the intended recipient wallet address with the attacker’s. A similar piece of malicious software called CryptoShuffler follows this trend and is also known to manipulate wallet addresses. Unfortunately, these actions often go unnoticed by users, which puts them at risk when transferring funds. To protect against such malware, it’s important for users to keep their antivirus software and operating systems up to date, perform regular malware scans, and avoid installing untrusted software. We also recommend that users always double-check the intended recipient address prior to transferring any funds. A good tip is checking the first and last characters to see if they match the rightful wallet address.
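The double-check described above can be automated by comparing the pasted value with an address saved earlier from a trusted source. This is an added example, not part of the original article; the address book, label and both address strings are constructed placeholders, not real wallet addresses. It goes one step past the first-and-last-characters tip by comparing the whole string.

```python
# Constructed placeholder strings, not real wallet addresses.
ADDRESS_BOOK = {"exchange-deposit": "1Qa7xT9mK2pLw8ZrBv4Nc"}
SWAPPED = "1Qa7hR3dF6sYu1ExGv4Nc"   # same first and last four characters

def ends_match(expected, pasted, n=4):
    """The quick visual check: only the first and last n characters."""
    return expected[:n] == pasted[:n] and expected[-n:] == pasted[-n:]

def differing_positions(expected, pasted):
    """Indexes at which the two strings differ, including any length change."""
    diffs = [i for i, (a, b) in enumerate(zip(expected, pasted)) if a != b]
    short, long_ = sorted((len(expected), len(pasted)))
    return diffs + list(range(short, long_))

def confirm_recipient(label, pasted, address_book=ADDRESS_BOOK):
    """Compare what was pasted with the address saved for this recipient."""
    expected = address_book.get(label)
    if expected is None:
        return {"ok": False, "reason": "unknown recipient label"}
    pasted = pasted.strip()          # ignore a trailing newline from the paste
    if pasted == expected:
        return {"ok": True, "reason": "exact match"}
    return {
        "ok": False,
        "reason": "pasted address differs from saved address",
        "ends_match": ends_match(expected, pasted),
        "differs_at": differing_positions(expected, pasted),
    }

if __name__ == "__main__":
    print(confirm_recipient("exchange-deposit", SWAPPED))
```

The constructed replacement passes the first-and-last check (`ends_match` is true) but fails the full comparison, which is the case a wallet or transfer form should refuse.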
Smart contracts are commonly used to facilitate and conduct credible transactions on the blockchain without intermediaries. Because they are directly tied to these transactions, they can hold massive amounts of digital currencies, making them a lucrative target for hackers. Coding errors or bugs in the smart contract can result in crypto being frozen or stolen by hackers. On rare occasions, hackers can also gain direct access to a smart contract by obtaining the private key, stealing funds and then replacing addresses with fraudulent ones. External auditors can help by inspecting the code for any vulnerabilities. For organizations, we recommend finding reputable auditors who have a track record in protecting against such attacks or errors.
Fake Apps and Classic Phishing
Phishing takes all kinds of forms in the crypto world. Most phishing scams aim either to steal credentials to access wallets or to trick users into sending crypto directly to the addresses of scammers or hackers. The ways in which hackers “phish” for new victims are many. They include cloned websites that mimic legitimate exchange sites and malicious crypto apps that steal personal information, including wallet credentials. There are also bots that claim to notify users about issues with their crypto but are actually malicious and used to steal it, not to mention scammers who use Telegram to pose as ICO team members and then ask users to invest and send crypto to fraudulent addresses. Another rising trend among scammers is figuring out how to bypass 2FA by duping telecom companies into sending verification codes to the phone numbers of scammers. This grants them access to authentication on crypto accounts and exchanges. These types of social engineering tactics are highly prevalent. Taking extra precautions, whether you are discussing, investing in, or transferring crypto, is absolutely necessary, as anyone can fall victim to classic phishing scams.
Unlike banks, which offer standard protections and insurance for customers, the blockchain cannot offer the same luxury to crypto holders. Elements outside the blockchain make it difficult for companies and users of blockchain to remain entirely protected. Protecting these elements, namely crypto wallets and exchanges, is one of the biggest challenges in blockchain security. A proper cyber defense strategy will seek to incorporate traditional solutions like using antivirus software and running malware scans, but it’s equally important to use common sense when dealing with anything crypto.