
How to Protect Yourself Against Crypto Scammers & Hackers?

@milaan · 9 min read

We have long been accustomed to outsourcing our security to some entity, the government, or some kind of authority, and we often take shelter under the dictum "I have a chowkidar (watchman) for this, so I don't have to worry about it", particularly when it comes to the security of our assets.

With the advent and proliferation of crypto, we are now quite familiar with decentralization, absolute authority, and so on, which means we are the sole owner of the asset and no one else can take it unless we make it vulnerable. However, it would be unfair to call someone the sole authority and foist accountability on him unless he is properly educated and informed about the various aspects of the asset, particularly its security aspects.

In that context, today we will elaborate on the various attack vectors, especially the kinds of phishing attack we may be subjected to, and how to protect ourselves by making informed choices. Information is wealth. If decentralization and crypto can offer absolute authority, please bear in mind that it comes with the weight of responsibility. So please cope with that; otherwise your asset will always be vulnerable.

I have divided this topic into two parts: (1) what are the issues and vulnerabilities, in the context of security, that I have faced till now, and what could the other possible vulnerabilities be; (2) how to protect yourself.

(1) What are the issues and vulnerabilities, in the context of security, that I have faced till now, and what could the other possible vulnerabilities be?

When I started my affair with crypto, I was totally careless, and I even had a preconceived notion that if anything went wrong I would change the password, and if I forgot the password I could take the help of the "forgot password" option any time.

Don't laugh when I say so; this is exactly the psychology of every new user who has just started an affair with crypto. One more important aspect I would like to add: most users in developing countries like India want to take shelter under an exchange like Binance, Huobi, Bittrex, or any other exchange for their crypto assets, because they think that managing a wallet is too complex, and their sole intention is to get in and get out to make a profit, and repeat the same again and again.

But the point is that crypto is fundamentally much bigger than the mere exchange use case. Coming to the point: crypto from the get-go offers absolute authority, and that is in relation to a wallet, not to an exchange facility. Naive users generally fall prey to the misconception that an exchange wallet is similar to a decentralized wallet. They are different, because you always own and control the key of a decentralized wallet, which is not the case with an exchange facility.

In a blockchain protocol like Hive you can easily change the password, and you even have a recovery facility, but please bear in mind that this is not the same for all protocols. Take the example of Bitcoin, Ethereum, and many other leading blockchain protocols, which come with a private and public key pair, and you simply cannot change the private key. So the moment it gets compromised, your assets become vulnerable. In that case, if you feel that you are not sure about your key and its security, you should immediately create another wallet and transfer the assets to it.

Source: Image by vectorjuice on Freepik

So the first lesson that I have learned is to identify which one is a private key and which one is a public key, and to get practical experience of what they look like. Public keys can be shared with anyone, but private keys should remain private for your lifetime.

Then the next thing I got exposure to was the 12-word mnemonic key. Unless we know the very basic uses of a crypto wallet, we cannot be familiar with its vulnerabilities, and we can easily fall prey to phishing attempts: if some day someone masquerading as a developer or project owner asks for it, we promptly hand those things over, making the assets vulnerable.

Source: https://privacypros.io/wallets/mnemonic-phrase

So we must know what a private key looks like. Second, how many forms are usually available and handled? The three types that I have come across are:
(i) private key as a string (a combination of numbers and letters, basically in the form of a string),
(ii) private key as a mnemonic key (usually 12 words, but it could be 16 or 24 words also),
(iii) private key as a JSON file (this is usually a downloadable file, and you need to upload it when you want to access the wallet).

Source: https://www.flaticon.com/free-icon/json-file_136525

A new user should always have first-hand experience with all three types of keys, and then the most important thing is their storage, because that is where and how they become most vulnerable.

I would always suggest a naive user take pen and paper and note down the first two types, i.e. the private key as a string and the private key as a mnemonic key (in the case of a mnemonic key, the correct order of the words is important). Please don't store it in your email, don't store it in your Google Drive; the best way out is to write it down on a piece of paper and then keep it in your locker or any other suitable place. For safety you may keep 2 or 3 copies and keep them in different locations.
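To show why the word order (and the optional passphrase) matters, here is an added example that is not part of the original post: it derives the BIP39 seed and the BIP32 master private key from a mnemonic using only the Python standard library, and checks that swapping two words or dropping the passphrase gives a completely different wallet. The phrase and expected seed are the public BIP39 reference test vector (all-zero entropy, passphrase "TREZOR"), not anyone's real wallet; the function and variable names are my own.

```python
import hashlib
import hmac
import unicodedata

# BIP39 reference test vector (all-zero entropy). Constructed test data, never a real wallet.
VECTOR_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                   "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.
    Password = the NFKD-normalised words, salt = "mnemonic" + optional passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def master_private_key(seed: bytes) -> bytes:
    """BIP32 master private key: left 32 bytes of HMAC-SHA512(key="Bitcoin seed", seed).
    Every account key in the wallet is derived from this value."""
    return hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]


def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """Hex of the master private key: two inputs give the same wallet iff this matches."""
    return master_private_key(mnemonic_to_seed(mnemonic, passphrase)).hex()


def swap_words(mnemonic: str, i: int, j: int) -> str:
    """Return the phrase with words i and j exchanged: the typical copying mistake."""
    words = mnemonic.split()
    words[i], words[j] = words[j], words[i]
    return " ".join(words)


def same_wallet(mnemonic_a: str, mnemonic_b: str,
                passphrase_a: str = "", passphrase_b: str = "") -> bool:
    """Do the two (phrase, passphrase) pairs control the same wallet?"""
    return hmac.compare_digest(wallet_id(mnemonic_a, passphrase_a),
                               wallet_id(mnemonic_b, passphrase_b))


if __name__ == "__main__":
    seed = mnemonic_to_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE)
    print("matches BIP39 vector  :", seed.hex() == VECTOR_SEED_HEX)
    # Same words + same passphrase: the same wallet on any BIP39-compatible app.
    print("re-derived identically:", same_wallet(VECTOR_MNEMONIC, VECTOR_MNEMONIC,
                                                 VECTOR_PASSPHRASE, VECTOR_PASSPHRASE))
    # First and last word swapped on the paper copy: a different (empty) wallet.
    print("swapped order, same   :", same_wallet(VECTOR_MNEMONIC,
                                                 swap_words(VECTOR_MNEMONIC, 0, 11),
                                                 VECTOR_PASSPHRASE, VECTOR_PASSPHRASE))
    # Passphrase forgotten (left empty): also a different wallet.
    print("no passphrase, same   :", same_wallet(VECTOR_MNEMONIC, VECTOR_MNEMONIC,
                                                 VECTOR_PASSPHRASE, ""))
```

Two things the code makes visible: the 12 words plus passphrase are the whole secret, so anyone who obtains them re-derives the same master key with a few lines of standard library code; and a phrase copied in the wrong order does not fail loudly at this stage, it silently opens a different, empty wallet. Real wallet software would normally reject the swapped phrase through the BIP39 checksum, which is left out here because it needs the 2048-word list.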

The third type, i.e. the private key as a JSON file, you keep on a pen drive, and make sure that while you manage your wallet or deal with the keys, your device is free from malware, spyware, etc.

Please make it a defined rule from the outset: no one can ask for your key, and if he/she does, he/she is a scammer. So simply don't share it with anyone. Your key is an inalienable, absolute and integral part of your life. At worst, if a wallet goes down in the future because the developers do not maintain it, then also don't worry: a wallet is only a dApp, and your asset is not in the wallet, it is on the blockchain. So as long as you own the key, using the same key you can switch to any other wallet for that blockchain and access your asset. Always remember: not your keys, not your assets. Anyone who possesses the key is the de facto owner of the asset, so make sure you and only you control that key in your lifetime.

But why do I say so?

If you are using Twitter, Telegram, or WhatsApp, or have been part of such public forums or groups, you might have encountered someone asking you for the key so that they can offer you an airdrop or fix a certain thing. Don't ever give your key to anyone, no matter who he/she is.

What exactly happens, during this journey and particularly when you are completely new to this, is that in Ethereum or any other wallet, when a transaction does not go through and remains pending for some time, you generally seek help from others in a group; then the scammers take advantage of the situation, DM you and ask for the private key, and naive users end up giving their key.

The internet is full of information. If a transaction is pending, try to educate yourself, try to ask someone over Discord, and try to take guidance from the already documented FAQs. Don't ever give the key to anyone.

Now the third kind of vulnerability is when you are keen to get an airdrop and/or are in the adventure of a quick money-making scheme, like "send 0.1 ETH and get double". These are all Ponzi schemes.

In the case of an airdrop, I was just exploring the information through Twitter, and what I noticed is that a group of people continuously spams the thread, asking people to DM them so that they can help them get the lucrative airdrop. The problem with naive users is that they are impatient, and that makes them vulnerable to those scammers; in the DM, generally, they ask for the private key.

In the case of the Ponzi scheme, the scammer, or rather the group of scammers, offers a 2x return, and that too instantly. They run a website, and they will also show you the on-chain transactions where different addresses are getting double what they are spending. The group themselves keep circulating their own money to create a false impression, and a new user generally gets tempted to send money (even if a small amount) and loses it forever.

So this is what I have personally experienced. Please be aware. And let me tell you one thing: many of us have made an affair with crypto expecting to reach the stars and the moon, but those who have made a fortune have had patience and have traversed the path of hard work. There is no substitute for hard work and patience. Always moderate your expectations; you will be the happiest person, and whatever airdrop and earning (including what you earn from Hive) comes your way will feel like a bonus.

Phishing attack: this could be through an email, through a comment, or by persuading you in some form or other. The idea behind it is that first they will make it appear too lucrative for you to ignore, then they will somehow make you click those links and make you furnish certain details, and then it's done. Since it is decentralized, you have very little margin to take legal recourse; you can still take legal action, but there is a very high chance that you won't get your money back. Think about it: it is decentralized and controlled by a key, not by a third party, so it can't be frozen by an enforcement agency.

Source: Image by katemangostar on Freepik

So the very first thing you should do is control your temptation towards such offers, no matter how lucrative they are. Always try to educate yourself with regard to a scheme; you must be willing to gather additional information before deciding on anything.

Decentralization from the get-go demands your willingness to educate yourself because there is no third party who can do it on your behalf.

If you are hypersexual and have a tendency to engage with pornographic content, live cams, webcams, etc., be careful with all such things; they usually embed and install malware in their content, so that when you click and access it you actually make your information vulnerable.

The other type of scam that could happen is being lured into a Ponzi scheme: they might launch a Ponzi scheme, and they could in reality issue a token and distribute it, but after the crowdfunding and launch of the project, they will simply inflate the supply and flood the market with it. So always read their white paper, even if it is open source, and take the help of experts and developers to get the basic details of the project, particularly in the context of supply and inflation. ATC coin did a similar thing in 2016-17 in India and looted people's money.

(2) How to protect yourself?

(1) Right education: this is something that will help you in every single endeavor in your life. It is necessary on your part to be educated with at least the basic operational details of a wallet.

(2) Always use Google Authenticator or a similar 2FA app to ensure two-layer protection for the assets that you keep in your exchange wallet.

Source: Image by storyset on Freepik
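To make the "second layer" concrete, the following is an added example (not from the post, and not Google Authenticator's code) of what such an app computes: an RFC 6238 TOTP code from a shared secret and the current time, plus the check a service performs on the other side. It uses only the Python standard library; the secret is the RFC's published test secret, and the function names and the one-step clock-drift window are my own choices.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), written as the base32 string an
# authenticator app would receive in the enrolment QR code. Test data, not a real account.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits (the common app defaults):
    HMAC the time counter, dynamically truncate, keep the last `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)          # big-endian 8-byte time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Service-side check: accept the code for the current step and `window` steps on either
    side (phone clock drift), comparing in constant time to avoid timing leaks."""
    for k in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + k * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # The app and the service share only TEST_SECRET_B32; the code itself is never stored.
    now = int(time.time())
    code = totp(TEST_SECRET_B32, now)
    print("current code:", code, "accepted:", verify_totp(TEST_SECRET_B32, code, now))
```

The point for the reader: the six digits are worthless on their own after thirty seconds, but the base32 secret behind them is permanent, so the enrolment QR code or backup string deserves the same paper-only treatment as a private key. Anyone who obtains it can generate every future code.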

(3) Don't keep too many assets in a centralized exchange, no matter how reputed the exchange is. By definition, crypto should be decentralized not just in its protocol, but also in how you handle it. Of course, you need the centralized exchanges because they have better liquidity and lower fees (when you deal with a small amount), but your habit should always be to store your assets in a decentralized wallet, and a cold wallet at that.

(4) Periodically check your wallet's transactions in a block explorer, or better, keep detailed accounts of your wallet. You can take the help of Distill Web Monitor to get notified in case of any suspicious transaction. Distill is available as an extension for Chrome, Firefox, Opera, etc.

Source: https://distill.io/

(5) A very basic source of malware attacks is ads, so it is better if you use an ad-blocker plugin/extension. It not only enhances the user experience but also keeps you safe in the first place against phishing attacks.

There could also be hidden trackers and in-browser crypto mining which might go unnoticed; you had better use a suitable extension or plugin to detect such things.

For email, Protonmail is a better choice than Google, Yahoo, etc.

(6) Don't keep all your crypto assets in a single wallet; better to divide them and allocate them to different decentralized wallets with different key pairs. On the off chance that one wallet gets hacked, the others will at least be safe. The probability of all the wallets being hacked simultaneously is very remote. So diversification in storage also minimizes the chance of loss due to hacking and similar kinds of attack.

Conclusion

With technological advancement, attack vectors, risk, and cybersecurity affairs will take center stage. The more educated you become in the basic operational details, the better you position yourself to react at the right time, which will save your valuable assets.

Posted Using LeoFinance Beta