The leading cryptoassets and their blockchains, such as Bitcoin (BTC) or Ethereum (ETH), are generally resilient against attacks, but the broader crypto ecosystem relies on much of the same web infrastructure that underpins legacy systems.
This came to the fore in July’s Ledger database exposure, in which the wallet manufacturer’s eCommerce database was compromised, exposing one million client emails and more.
Nevertheless, security experts speaking to Cryptonews.com insisted that much can be done by the industry and individuals to reduce the scope for breaches. They also affirmed that the likeliest attacks, such as the Ledger breach, are the ones least likely to steal actual private keys or wallet information, which is what criminals would need to steal your crypto.
Personal Crypto Keys
There are two principal classes of potential leak or attack in crypto, as explained by wallet recovery expert Dave Bitcoin.
“There is a significant difference between leaks of personal data (email address, name, date of birth, etc.) and leaks of private keys,” he said.
“If a crypto company leaks only personal data, then it is no worse than any leak in the non-crypto space – not good, but unlikely to lead to a loss of crypto funds.”
By contrast, Dave Bitcoin warned that if a company leaks private keys or recovery phrases, crypto funds can be stolen with very little effort. “Even if the key information is encrypted with passphrases set by the customer, it is quite likely that some passphrases will be guessed, either because they are weak, in existing password lists, or derivable from the customer’s other private information.”
One example of this latter, more severe type of breach is a flaw concerning Coinomi desktop wallets that was uncovered in 2019. It’s also evident in a variety of rogue browser extensions and malware, which can access a user’s private key when a hardware wallet is used.
Dave Bitcoin also warned of an intermediate third category.
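The three causes of guessable passphrases named in the quote above (weak, present in password lists, derivable from personal information) can be checked at the moment a customer sets the passphrase that protects key material. The following Python code is an added example, not taken from the article or from any wallet vendor; the word list, the 16-character floor, the substitution table, the 8-character residue threshold and the customer record are all constructed assumptions.

```python
import re
from datetime import date

# Constructed stand-in for a real breached-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "bitcoin", "hodl2020"}
# Common character substitutions, undone before comparing (assumed table).
LEET = str.maketrans("013457@$!", "oieastasi")


def normalize(text):
    """Lower-case, undo substitutions, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def personal_tokens(name, email, dob):
    """Strings that a leaked customer record would hand to a guesser."""
    raw = set(re.split(r"[\W_]+", name.lower()))
    raw.update(re.split(r"[\W_]+", email.split("@")[0].lower()))
    raw.update(dob.strftime(f) for f in ("%Y", "%d%m%Y", "%m%d%Y", "%d%m%y"))
    return {normalize(t) for t in raw if len(t) >= 3}


def audit_passphrase(passphrase, name, email, dob, min_length=16):
    """Return which of the three guessability causes apply (empty list = none)."""
    findings = []
    norm = normalize(passphrase)
    if len(passphrase) < min_length:
        findings.append("weak")
    if norm in {normalize(p) for p in COMMON_PASSWORDS}:
        findings.append("listed")
    # Strip every personal token; if little is left, the passphrase is
    # mostly a rearrangement of data that a leak would expose.
    residue = norm
    for token in sorted(personal_tokens(name, email, dob), key=lambda t: (-len(t), t)):
        residue = residue.replace(token, "")
    if residue != norm and len(residue) < 8:
        findings.append("derivable")
    return findings


# Constructed customer record and candidate passphrases.
CUSTOMER = ("Alice Example", "alice.example@example.test", date(1990, 4, 12))

if __name__ == "__main__":
    for candidate in ("Alice1990!", "P@ssw0rd", "cobalt-walrus-tunnel-piano-93"):
        print(candidate, audit_passphrase(candidate, *CUSTOMER))
```

A passphrase that returns any finding would be rejected before it is used to encrypt key material, so that a later leak of the encrypted keys together with customer records gives a guesser less to work with.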
“These involve leaks which reveal the identity of address owners,” he said.
“For example, if a company leaked a list of customers and blockchain addresses the customer sent cryptocurrency to (for example to exchange, or to pay for goods or services), then the public transaction ledger can be used to track down other transactions by the same customer.”
He continued that this kind of breach potentially exposes the holdings and dealings of a customer and may increase the risk of them being targeted.
The Solution
Developer Daniel Ternyak said that there are a variety of things individuals can do to reduce their exposure to leaks.
“Cryptocurrency investors should make every attempt possible to maintain strong OPSEC [operational security],” he added.
“Although it’s difficult to stay constantly vigilant, investors should scrutinize each instance when they’re asked to provide personally identifiable information that can be tied to their ownership of crypto assets.”
By operational security, Ternyak meant that individuals should assess their security from the viewpoint of a potential hacker. That way, they can more easily pinpoint weak spots and vulnerabilities in how they manage their crypto.
“Even when users are using a hardware wallet, the ‘$5 wrench attack’ is still effective for gaining access to funds,” he added, indicating that users also need to consider their physical security and exposure.
Dave Bitcoin suggested that the biggest security decision for individual users involves the choice of their crypto wallet.
“Individual users should consider whether a custodial or non-custodial wallet is right for them, and carefully evaluate any non-custodial wallet provider for security practices,” he said. “Which is admittedly hard to do unless the company provides an independent security audit to support their claims.”
As for corporations, Marek “Slush” Palatinus, CEO of SatoshiLabs, the manufacturer of the Trezor hardware wallet, advised firms to hold only necessary personal information, and in as limited a way as possible. The company claims that it purges orders from its e-shop database after 90 days.
“The responsibility of each company should be to limit the impact of such data breaches on their clients; ideally, the amount of collected data should be as small as possible, held for as short a period as possible,” the CEO added.
Palatinus also advocates for greater privacy, so that consumers can make more informed choices.
“The industry should take customers’ privacy seriously and openly inform them what kind of data is being collected and how it is being treated afterwards,” he suggested. “Far too often there is a data leak that could have been prevented by just taking better care of it.”
Certainty
Such steps may decrease the incidence of data breaches. But given that most data breaches affect non-crypto-based systems (such as Ledger’s eCommerce database), they’re likely to remain inevitable to an extent.
Dave Bitcoin said: “Security strategies continue to evolve — one example being the requirement to encrypt all data in transit and at rest (for example in a database or file store). But there is always a means to decrypt the data, so these schemes can be broken if the keys are exposed and the data stores accessed.”
Dave Bitcoin predicted that companies will ultimately stop storing personal data indefinitely, which will limit data breaches as far as possible. Of course, crypto holders will always have to take their security as seriously as possible.