Sticky Blog

Cryptocurrency: storage, scams and hacks, oh my!

  • 15 April 2020
  • 0 replies
  • 332 views
Cryptocurrency: storage, scams and hacks, oh my!
Userlevel 6
Badge +17

Hey there Webroot Community,

We are back with another series of informational posts on the topic of Cryptocurrency! The world of cryptocurrency is still an enigma to most people, and we’d like to do our part to clear up some of the confusion. There are a few things that new crypto users struggle with in regard to its usage, storage, and prevention of being scammed. In this installment of the crypto series, these are the topics we will be covering:

1)    Storage
2)    How to use safely
3)    Infamous “crypto exchange mishaps” 
4)    Pros vs. cons of crypto and blockchain tech

 

Storage


Learning how to securely store your cryptocurrency is the most important process to learn before jumping into this new world. First, it’s important that you learn the difference between a “public” and a “private” key. 

Public key:

Think of this as your PO box address that you give out to people/companies in order to receive packages. Your public key in terms of cryptocurrency is a string of letters/numbers that you can freely share to others if you want them to pay/donate to you in cryptocurrency. When transferring funds from one wallet to another, make sure to double/triple check the public address you’re sending them to. You don’t want to accidentally send a big transaction to a wallet you don’t control! 

Private key:

Think of this as the physical key that opens the PO box. It is important that you keep this secret and never share it with anyone. If anyone gets access to your private key, they can steal all of the funds that exist in your crypto wallet.

 

Cryptocurrency Wallet:

Think of this as your own personal “bank” or “PO box” that only you have control of. This is where you will send your cryptocurrency after purchasing from an exchange. There are many types of wallets out there, but the most secure type is called a “hardware wallet”. The most convenient one is an exchange wallet, where all you do is remember an email address and a password. With this ease of use, you are trusting the exchange to manage the private keys to your crypto. 

Companies like “Ledger” make these devices as a straightforward and secure method of storing your crypto offline. This is a far superior method to storing your cryptocurrency when compared to simply keeping it on an exchange or in a software wallet that exists on your computer. This is because there are extra layers of security in between the internet and the device, making you less likely to be a victim of theft as a result of malware. If you have any significant amount of money invested in crypto, a hardware wallet is a “must-have” item.

 

Crypto Exchanges – How do they work?

Most cryptocurrency is bought and sold within online exchanges like Coinbase, Kraken, and Binance. Most movement of coins is simply the buying and selling of crypto on these platforms. Just like an online stock trading platform, you are required to enter banking/credit information on these websites in order to convert your fiat currency (USD, Euro, etc.) into crypto. The best way to use these exchanges (if you are an investor and not a day-trader) is to put funds on your account, buy what you want, and then withdraw the cryptocurrency to your hardware wallet. Keeping funds tied up on any of these exchanges can be risky because you are opening yourself up to the possibility of the exchange being hacked and your funds stolen. There is a phrase that is well-known in the crypto world: 

 

“Not your key, not your crypto.” 

 

This phrase sums up the fact that as long as you keep your crypto on an exchange, you do not have your own private key to that crypto. The exchange technically owns that private key and you only have access to the funds as long as the exchange is online, and your account is within your control. This is SO important to keep in mind, because there have been some very infamous mishaps with exchanges losing users funds and not being able to refund them. 

 

Crypto Exchange Mishaps

This brings me to the topic of exchange mishaps – situations in which exchanges were hacked or purposefully scammed their users out of their funds. There are many exchanges that have been through a situation in which their users’ funds were stolen with different methods, and we’re going to cover three of them: Bitgrail, Binance, and QuadrigaCX. 

 

Bitgrail

Bitgrail was an up-and-coming exchange late 2017-early 2018. It was a fairly small exchange compared to many competitors, but it saw a spike of usage in 2018 when it listed a cryptocurrency called “Nano” or XRB. This particular crypto’s value had pumped 100x in 3 weeks after the listing so there were many users that wanted to hop on the profit train. On February 2018, the CEO of Bitgrail claimed that the website was hacked an hour after a back-end update that accidentally created a vulnerability. This supposed update “accidentally” made it so the process of verifying ownership of XRB was only checked on the “client side” and not “server side”. This made it possible for anyone to change a few lines of code in the website’s HTML in order to modify how much XRB was owned by that user. 

This situation is widely seen as a scam rather than a hack, simply because it’s such a ridiculous error for any crypto exchange to make. Furthermore, the fact that $180 million worth of XRB was stolen off the website only 1 hour after the change is a bit too coincidental for most people to think it was a legitimate hack. To date, no one has received their crypto or any refunds.

 

Binance

Binance is one of the largest cryptocurrency exchanges in the world. To date, it’s also been one of the most effective at dealing with hacks and users losing cryptocurrency. One of the biggest incidents related to Binance was when a phishing website was very successful at tricking thousands of users into putting their usernames, passwords, and 2fa codes into the fake website. What’s nasty is how this phishing attack went around the security of 2FA, as the victim would enter their 2FA into the fake phishing webpage. The criminal would then enter the 2FA code into the real website before the code expired. Once in the victims account, the criminal would create API keys that had access to buy/sell and even withdraw crypto assets from the exchange. 

This entire process was automated and would only take a few seconds. After the API key was generated, the criminal would then transfer the logged in session on the real account to the victim. This would create the illusion that there never was a breach and the Binance site just took a few extra seconds to log in after sending over the 2FA codes. This is what allowed the criminals accumulate control of thousands of accounts and eventually, all at once, withdrawal all the crypto that the victims had from the exchange to the criminals wallets. 40 million was stolen in all and Binance did eventually refund all affected users.

That phishing website used “Unicode” versions of the 2 “n” letters in binance. That URL looked like this:

 

Notice the “HTTPS” and understand that SSL certificates don’t mean much anymore for security because any criminal can get them on their phishing websites for free now. 

 

People arrived at this URL because for a short time, the google search results of “Binance” came back with this:

This brings us to a very important point for web browsing in general but also for crypto activities:

CHECK YOUR URL’S!

 

QuadrigaCX

QuadrigaCX was the largest crypto exchange in Canada during until 2019. On 1/14/19, the exchange announced the CEO had died of Crohn’s disease on 12/8/18. They claimed that all of the private keys on the exchange were located on a single laptop owned by the CEO and those keys were therefore inaccessible. Even though he died on 12/8/18, they continued taking deposits from users until 1/26/19. As a result of this loss of “access to private keys”, $190 million CAD vanished from user accounts. The final sketchy information that came out from this story: this CEO was reported to die in Jaipur – a city with a mafia that is known for professionally faking deaths. No users were reimbursed as a result of this massive, unbelievable, incident and even the Canadian courts requesting for the body of the CEO to be  exhumed as evidence of a real death.
________________________________________________________________________________________

Let’s now compare some of the pros and cons of buying or using cryptocurrency:

Pros

  • Hack-resistant tech
  • High-risk/high-reward investment
  • Blockchains are decentralized
  • Most Blockchains use immutable ledgers – every transaction can be proven legitimate via math
  • Fast and cheap method of transferring value
  • When secured properly, you become your own “bank”

Cons

  • You are entirely responsible for your own coins/security
    • There are no chargebacks
    • There is no customer support for your private wallet
    • Many exchanges are not fully insured to cover hacks/stolen funds
  •  Difficult for non-tech savvy people to use
  • There are still many bugs to be resolved in different wallets/software
  • Prices rise and fall quickly so it is difficult to use as a payment unless it is immediately converted to a fiat currency

 

What do you think everyone? Have you ever bought, sold, or used cryptocurrency? Do you have any questions about how it works?

Let’s start a full crypto discussion below!
 


0 replies

Be the first to reply!

Reply