In this article, we will challenge the romanticization of bitcoin and blockchain technology, and point out some risks that everyone faces in making cryptocurrency transactions.
Since cryptocurrencies are virtual money, they share the same risks as other electronic online money services – Web Money, for example. While the limitations of conventional virtual money are known more or less, cryptocurrencies are relatively new. As such, they are still full of surprises and unforeseen nuances. Cryptocurrencies also have algorithms, which could increase the problems and make the consequences worse. In addition, they have risks that are unique to them.
Issue #1: Spoofing and phishing of wire instructions
The most common crime in online money transactions is theft. Despite the hype about blockchain safety, Bitcoin and other cryptocurrencies are equally at risk as other wire transfer systems. It should be said, however, that this is not always due to a weakness in the blockchain’s algorithm; as a rule, hackers use far simpler ways to steal money – a Trojan virus, for example.
In information and network security, a “spoofing” attack is when a person or program masquerades as another by falsifying data. Let’s imagine a situation where you want to send some BTC to a friend. Your friend sends you their BTC wallet address, which looks like a very long chain of random numbers and letters. Naturally, instead of typing it in manually, you copy it to the clipboard and paste it. Bingo! If a Trojan such as CryptoShuffler is running in your PC’s memory, it will replace your friend’s wallet address with the hackers’ in the clipboard, and you (not the virus!) will send money to them. People are not careful enough to check the wallet address twice, before copying and after pasting – this is the scammers’ bread and butter.
The second way is “phishing.” Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Let’s say you want to buy something from a popular online store and, unknowingly, you go to a fake site that looks like the genuine one. You type in your wallet number and password to complete the purchase, and – bingo! – your billing details have been phished.
You might say, “So what? Even conventional bank or credit card transactions are vulnerable to such crimes.” Yes, this is true. But in bank or credit card transactions, there is a chance of canceling the transaction and getting your money back. This is because the recipient has traceable bank details where the money is going. Not so with the blockchain! A transaction that happens on the blockchain stays on the blockchain forever and becomes history as soon as the block closes. You cannot cancel it, and there is no authority where you can make an appeal or claim. “It is sad but true,” as Metallica sings.
Issue #2: Hacking and taking control of client-side wallet systems
The issue of hacking and taking control of client-side wallet systems is not unique to cryptocurrencies; it’s also common in banking and virtual money online payment services.
One example is when hackers took control of https://classicetherwallet.com/. In 2017, the site was hijacked using social engineering tools. The hackers took control of the service by convincing the domain’s registry that they were the owners. Client payments were split into small amounts and redirected to multiple hackers’ wallets, using a tumbler/mixing service to conceal the money trail. According to Reddit, they stole approximately $300K in a few hours. Luckily, they started redirecting transactions right away, so it was easier to catch and stop them. If they had withdrawn the money later and at irregular intervals, they might not have been discovered for a long time.
This is not an isolated incident. There have been many such cases on various scales. Some were prevented, and some were not.
Even so, we must admit that the same things (or worse) can happen with traditional banks. In 2017, hackers took control of all electronic bank services and payment systems of a bank in Brazil. The foiled robbery would have cost approximately $250 million and was even tougher than stealing 3.5 tonnes of real paper bank notes in 2005.
Issue #3: Mistakes in the transfer details
Although making a mistake while copying transfer details is certainly not unique to cryptocurrencies, arguably it is more of a risk.
When you send money through classic banking, you have specific payment details, and the bank tracks your payment all the way to the beneficiary. If there is a mistake in the details, you can cancel the transaction or you know, at least, who received the payment since banks keep full records on their clients.
This is not the case when it comes to cryptocurrency transfers. As you know, a wallet code (the transfer details) looks something like this: “1BoatSLUHtKBngkdFEeobR76b53LETtpyT”. If you make a mistake in copying one symbol or miss it altogether, you will send money into space without the chance of ever finding out who received it. There are many examples when people sent money by mistake and are still looking for it, in the hope of getting it back. Getting it back is possible only if the recipient is honest enough to return it. Of course, the likelihood is higher if you’ve accidentally sent a small sum but close to zero when you’ve sent a few million dollars (by the current BTC rate).
To be fair, there have been cases when the sender was able to retrieve money sent to the wrong address. To accomplish this, however, you would have to be an advanced user of cryptocurrency technologies. At least one iOS/C++/Blockchain developer was able to do this (LOL).
At this point, we should point out that control technologies, which prevent such typos, are getting better year after year. Nowadays, it’s difficult to confuse wallet addresses because BTC wallet addresses have a built-in validity check. However, this is still possible with other currencies such as Ethereum.
An Ethereum wallet address consists of numbers and looks something like this: “0x1234567890123456789012345678901234567800”. At some point, it was discovered that the payment system would accept a shorter address but the amount would change. This is called an “ERC20 short address attack.” Let’s say you want to send the ETH equivalent of $1000 – if you forget to insert the last zero, you will send $256K instead. This problem is unique to cryptocurrencies and not possible in classic banking.
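Why the amount grows by exactly 256 when the address is one byte short, and the length check that prevents it, shown as an added example (not code from this article or from any exchange). It assumes the standard `transfer(address,uint256)` call layout and that the final `00` byte of the address above is left off; the function names are hypothetical.

```python
SELECTOR = bytes.fromhex("a9059cbb")   # transfer(address,uint256)
FULL = "0x1234567890123456789012345678901234567800"   # address from the text
SHORT = FULL[:-2]                      # final 00 byte left off (19 bytes)

def naive_encode(addr_hex: str, amount: int) -> bytes:
    """Builds calldata without checking the address length."""
    addr = bytes.fromhex(addr_hex[2:])
    return SELECTOR + b"\x00" * 12 + addr + amount.to_bytes(32, "big")

def evm_decode(calldata: bytes):
    """Read both 32-byte arguments; bytes past the end of calldata read as zero."""
    data = calldata.ljust(68, b"\x00")
    to = "0x" + data[16:36].hex()
    return to, int.from_bytes(data[36:68], "big")

def strict_encode(addr_hex: str, amount: int) -> bytes:
    """Rejects anything that is not exactly 0x + 40 hex characters."""
    if not addr_hex.startswith("0x") or len(addr_hex) != 42:
        raise ValueError("address must be 0x followed by 40 hex characters")
    addr = bytes.fromhex(addr_hex[2:])           # raises ValueError on non-hex
    return SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")

def rejects_short_address() -> bool:
    try:
        strict_encode(SHORT, 1000)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Full address: recipient and amount decode as entered.
    print(evm_decode(naive_encode(FULL, 1000)))
    # Short address: the amount's leading zero byte completes the address,
    # and the amount is shifted left by one byte (multiplied by 256).
    print(evm_decode(naive_encode(SHORT, 1000)))
    print(rejects_short_address())
```

Validating the address length before building the call, as `strict_encode` does, is the check a service accepting withdrawal addresses needs on its side.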
Issue #4: I lost my wallet!
According to Chainalysis and Fortune.com, approximately 4 billion Bitcoins have been lost forever. At the moment, that’s the equivalent of ‘only’ $24 billion, but that figure was three times that not long ago.
No, not all the lost Bitcoins were stolen! This is mostly due to forgotten wallets. To illustrate, I do not need to look far for an example: My wife’s brother was among the Bitcoin pioneers, who mined on an old PC. He had an account on the blockchain (there were no wallet services yet) and mined Bitcoins at a time when the rewards were significant. After some time, he forgot about the topic and only refocused on it when it became popular. But then it was too late; he had lost the number and password for his account and could not find his old PC and hard disk. His Bitcoins will likely remain in the “Chamber of Secrets” forever. Unfortunately, this is a very typical situation.
Most people keep their wallet files on their PCs. This means that they could be compromised or lost due to HDD failure. That’s why advanced users, and those who hold significant sums, write down their secret keys on paper or use a hardware wallet like Trezor.
Centralized services provide access to virtual wallets. As in conventional banking, they use SMS confirmations with one-off codes in addition to login/password combinations. A USB token or security hardware might also be required to transfer large sums. I had one of those cool gadgets to access my Bloomberg account – it’s a small device, approximately the size of a flash drive, with a 6-digit display window. The numbers in the window changed randomly every 5-8 seconds. To log in to my account, I had to input the 6-digit code generated by the device in addition to my password. Clearly, it is impossible for someone to gain access to your account in this case. The security hardware looks like this:
Issue #5: Unreliable ICOs
In our previous article, we looked at how Ethereum contributed to the popularity of ICOs (Initial Coin Offerings) that exploded into a fever in 2017. Let’s summarize by saying that an ICO is a method of crowdfunding for projects typically related to cryptocurrencies or the blockchain. The project’s owner has an idea, which is outlined in a proposal called a “whitepaper” along with financial projections and potential rewards for investors such as dividends, a return on investment (ROI), shares in the company, etc.
Since cryptocurrencies are not regulated at this time, it’s very easy to collect a great deal of money without any accountability. According to Bloomberg, approximately $3 billion was raised by ICOs in 2017.
Sadly, we have not heard much about successful ICOs. Although some may exist, the frauds and failures certainly outweigh them. This is a major problem. The lack of regulations and risk management reduces or eliminates accountability on the part of project owners. After some time, the typical scenario is that investors are not thinking about the return ON their investments but about the return OF their investments. In the absence of any authority to oversee these investments, any return depends solely on the honor of the person who got the funding. It’s clear that this is not only a goldmine but also a golden time for all kinds of fraud.
In addition, a great idea does not mean that it will be executed successfully, or that it will generate revenue. The “chief executive officer” can spend the money as he pleases, rather than develop the project. Or he could buy a sunny island around Fiji and disappear. Tracking and catching him becomes very difficult when he has millions in his pockets.
Issue #6: Wallet spoofing
We touched on spoofing at the beginning of this article but, when it comes to ICOs, this fraud becomes simpler, faster, and juicier. ICOs are well-publicized events – everyone knows when they start. They close when the required sum has been raised. What if hackers spoofed the project owner’s details at the launch of the ICO? Yes, all the money would go to them!
At the launch of CoinDash, within half an hour, $7 million was stolen by hackers. But as we’ve already said, too many people are too eager to participate in ICOs. Driven by the lure of quick profits, most don’t even care what they are investing in. Even when an address is marked as “hacked,” people ignore or miss this and continue to send money.
Simple steps to avoid cryptocurrency pitfalls
- Always double-check wallet details.
- Do not follow unverified links to internet banking or internet wallet services.
- Double-check the receiver’s details (at least the first two and last two symbols in the wallet’s address), the sum, and the transaction fee.
- Write down on paper the mnemonic (seed) phrase that will allow you to restore your wallet if you lose your passwords or access to your PC (HDD is corrupted, stolen, etc.).
- Don’t rush into ICOs. Do your best to research the project before you send any money. Do everything carefully, gradually, and diligently.
- Know the maximum amount that you can afford to lose in an ICO and don’t exceed it.
- Diversify – divide the sum that you are willing to risk among different ICOs.
- Don’t be cheap! Spend $100-150 on a hardware wallet, such as KeepKey, Trezor, Ledger, and Nano. It’s a small price for your safety.
- And finally, antivirus software is a must!