Part 1: Hot wallets as part of computer ecosystems
Making a little effort to understand the most common threats when choosing and handling your cryptocurrency can help secure your crypto-assets in the long run.
When it comes to facing diverse threats, not every cryptocurrency wallet is the same. Each wallet is designed differently – to balance security with ease of use, privacy and other requested features, which always works against security. The security of your chosen wallet is very much the result of the robust nature (or lack) of its underlying code, which prompts the question, “How well did the developers adhere to security by design principles when building the wallet?”
Furthermore, the security-related practices of your wallet’s supply chain, including your selected wallet provider, along with the cryptocurrency exchange you use, the evolving cyber-threat environment and your cyber-hygiene habits combined, bring a lot to bear on overall security. While these considerations are relevant to all software and devices, users may appreciate their importance most acutely with respect to their own use of financial applications and their “money.”
Here, we focus on hot and cold wallets, the threats surrounding their use and some recommendations.
Enhanced privacy for cryptocurrency wallet users benefits security
It should be made clear that unlike the classic leather wallet, a cryptocurrency wallet does not actually store your money. Rather, a wallet holds the private key that lets you control your virtual coins and tokens for making transactions in a blockchain.
Many wallets use a hierarchical deterministic (HD) framework for managing keys and wallet addresses. In this framework, a unique master seed is used to generate multiple public-private key pairs along with wallet addresses, so that a different address can be used each time you make a transaction.
By constantly transacting with a different wallet address, it becomes more difficult for anyone looking at the relevant blockchain to associate all your transactions back to a single source, thus enhancing privacy. While the gain in privacy has a positive effect for security, taken alone it is not enough for security.
Hot wallets connected to today's ecosystems: a lot of trust needed
When Binance suffered a hack of one of its hot wallets in May 2019, crypto traders on the platform lost up to a combined total of 7,000 bitcoins along with multi-factor authentication (MFA) codes and API keys. The loss of MFA codes is particularly damaging for the protection of users and carries a potentially high cost to companies when, on occasion, it isn’t enough to protect data. Fortunately for its clientele, Binance had the year before set up the Secure Asset Fund for Users – a fund that collects 10 percent of all trading fees into a cold wallet, from which to reimburse victims of such a successful attack.
This hack also demonstrates how a weak point of a hot wallet resides precisely in its 'always connected to the internet' status. Hot wallets are tight-knit participants of today’s computer ecosystems, subject to the same threats and need for caution.
This means that threats to wallets can leverage the usual bad habits of internet users – reusing easy-to-guess passwords, carelessly clicking on links, failing to perform updates or downloading “free” software via torrents – and deploy the typical malware designed to steal, like fake apps, keyloggers and clippers.
Clippers: your clipboard under attack
A clipper is a type of malware that secretly replaces the content of the clipboard to take advantage of the very common 'copy and paste' action. With this strategy, the copied content, say, your wallet address, is replaced with ill-intentioned content – the attacker’s wallet address – when you paste.
The first Android clipper ever detected in the Google Play store – Android/Clipper.C – was posing as an app called MetaMask, a platform for accessing the decentralised apps built on the Ethereum blockchain. Android/Clipper.C swapped out Bitcoin and Ethereum wallet addresses copied to the clipboard with ones belonging to the attackers.
The same trick, which went undetected for years, was used by a trojanised version of the Tor Browser. Privacy-concerned users who were deceived into downloading this trojanised Tor Browser on their Windows machines had their Bitcoin wallet addresses being surreptitiously replaced whenever they visited particular darknet markets to make transactions. This allowed the operators of this malware to steal at least 4.8 bitcoins.
Fake login pages... you could've fooled me!
It is not unusual for malicious developers to supply mobile wallet versions of popular desktop wallet apps or for well-known cryptocurrency exchanges. The idea behind these types of malicious campaigns is to fill the gap left behind by the familiar brand names in crypto and attract more potential victims. In the case that a legitimate mobile app is already offered by a brand, the fake version of the app attempts to steal customers who are looking for the real deal but who likely lack awareness of such a scam.
Victims who download one of these fake cryptocurrency wallet apps are often presented with a login page that is phishing for private keys or mnemonic phrases. With even one of these pieces of information in hand, the malicious operators can quickly gain control over your wallet. Some variants of the fake MyEtherWallet app, for example, even 'double phished' for both items in sequence – just to make sure.
Another ploy used by these fake apps is to present victims with a public key for 'your' new wallet, presented as copiable text and/or a scannable QR code. Instructions are simple: “Send your coins into your new wallet!” The catch is you don’t have the private key – the operators of the malware do. After the transfer, say goodbye to your coins.
Some phony apps up the ante by offering wallets that 'manage' multiple cryptocurrencies for trading in an exchange – a perfect ruse to dip into more than one of your wallets. The fake Trezor Mobile Wallet, for example, offered one wallet for each supported cryptocurrency – 13 wallets in total – presenting victims with multiple public keys to “cover their diverse crypto needs.”
Finally, there are malicious mobile apps that attempt to overlay fake login screens on legitimate wallet or other financial apps. Luckily, via Banking & Payment Protection, ESET Mobile Security prevents apps from overlaying the screens of your financial apps. Of course, the tricks employed with fake mobile apps apply equally across the board to fake desktop apps, as well as phishing sites made to appear like real login pages to your favourite online wallet.
Coming soon! Part 2: Diverse threats to hot wallets and cold wallets.