SMS Hijacking

Having just encouraged the use of 2FA as standard for custodial services, we now have to warn that choosing SMS as the second factor creates a serious weakness of its own: SMS hijacking, more commonly known as SIM swapping.

If attackers know your mobile number and provider, and have harvested enough personal information from OSINT to pass the provider's identity checks, they can impersonate you with your Mobile Service Provider and request a replacement SIM be sent to them, or have your number ported to a SIM they already control.

From that point every SMS sent to your number, including 2FA codes and password-reset links, arrives on the attacker's handset. Combined with a password obtained by phishing, from a data breach or by brute force, or simply by triggering an SMS-based password reset, that is enough to take over the account.

The solution is to always use an App based 2FA like Google Authenticator or Authy, or a hardware security key where the service supports one. The device running the App does then itself become a point of weakness, as anyone who has lost their phone will appreciate.

This can be mitigated by keeping the backup codes provided when you set 2FA up, stored offline and separately from the phone. Without the 2FA backup, getting 2FA reset on a custodial service typically requires you to go through a laborious process of recording a selfie or video holding some ID and a hand-written note.

Google updated Authenticator in May 2020, its first update in three years, making it simple to export and import 2FA accounts between phones. That is welcome, but it only helps while you still have the old phone in working order; it does nothing if the phone is lost or dies, which is why the backup codes matter.

DNS Spoofing

In November 2020 the popular crypto service Celsius was the victim of a DNS attack, in which an attacker convinced its DNS provider, GoDaddy, to hand over control of the Celsius domain. With that control the attacker could change the DNS records and so change which server users, and the App, actually reached when they connected to Celsius. Strictly this is DNS hijacking through the registrar account rather than spoofing of DNS responses, but the effect on users is the same: the name you trust points somewhere the attacker controls.

As a user this is difficult to mitigate beyond vigilance: treat any unexpected email or text asking you to log in or re-enter details as suspicious, and reach the service through your own bookmark rather than a link. You can also, as in the case of Celsius, judge the safety of a service by how seriously it treats its DNS set-up; 2FA on the registrar account, a registry lock on the domain and DNSSEC all make this kind of takeover harder.

In-Person Attack

We’ve left this one to last because it should only be a concern if you hold a really significant amount of crypto. There have, on rare occasions, been cases where individuals known to possess large amounts of cryptocurrency have been kidnapped or extorted to hand over access to their funds.

As the Ledger Attack, mentioned above, leaked the postal addresses of customers, there was a lot of talk on social media from irate customers about this danger. There have, however, been no reported instances of in-person attacks arising from that leak; for the attacker it is far riskier than the online options listed.

Though this risk exists in any circumstance where portable wealth is concerned – expensive watches, jewelry and collectibles – crypto is a specific target because it is hard to insure and can be hard to trace/recover.

If this is something that concerns you, in the first instance don’t publicise the fact that you own crypto, which means not anywhere online and not to anyone you don’t explicitly trust.

You should also think about something called Multi-Signature, or multi-sig, which requires more than one key to approve a crypto transaction, for example any 2 of 3 keys held by different people or in different places.

The point is that nobody, including you, can move the funds alone, so there is little to be gained by coercing a single keyholder. Check out keys.casa for a cost-effective multi-sig security service.

Learning about, and investing in, crypto can be a hugely liberating experience. It is an expression of financial sovereignty, but if you are cutting an authority like a bank out of your financial life, you become ultimately responsible, so you need to at least be aware of the best practice for keeping your crypto safe and ensuring you sleep easy at night.
