Cryptocurrency and NFTs aren’t as secure as you think!
We might be going to the moon but it turns out hackers have found multiple ways to join the caravan.
If the phrase did not ring bells then, let me be your host and plant some thoughts as to why crypto and NFT might not be as secure as you think them to be. But before we dive into the technical part let’s talk about cryptocurrencies, NFTs, and why people link security with them.
With the advent of the COVID, companies have begun to rely on work from home models and besides being beneficial to the employees (with flexible work routines), this has also given hackers one of the greatest opportunities of all times. As people have become more tech-savvy, they have also become smarter with how they handle their finances. Some have started investing their money in the stock market, mutual funds and a fair share of attention has also gone to cryptocurrencies and NFTs.
So first, let’s understand what a currency is.
Broadly speaking, a currency is something that can be used to buy goods and services. Currencies, as we all know, are regulated by the government, which means that it is centralized, and to cover for the shortage of funds, they can even print more of it which directly harms the economy of the country with a concept called inflation.
An example could be the $1.8 Trillion stimulus that was announced by the Joe Biden Govt. in the United States. They didn’t just produce that money out of thin air. This money was printed on the orders of the government. The effects might not be instantaneous but will surely show up in the upcoming years, in the form of inflation.
So as we just saw that the entire power is in the hands of the government. To challenge this, in 2009, a developer by the name of Satoshi Nakamoto came up with the concept of a decentralized cryptocurrency and developed bitcoin.
Unlike physical currency which can be held and felt, cryptocurrency is a digital currency. You can use them to buy goods and services, and since it’s decentralized, the govt. doesn’t have any sort of influence over it; but it doesn’t end there
Because they are limited in number (there are only 21 million bitcoins in the universe), except for a few like Dogecoin, their number can’t be increased and hence this removes inflation completely from the equation.
But you may wonder that since it’s a digital currency and can function only over the internet, so isn’t it prone to security glitches, loopholes, and what about hackers. Will they leave you alone with the treasure trove that you’ve just discovered?
There’s only one answer to all your questions and it’s called Blockchain. It is the backbone of cryptocurrencies, NFTs, and other technologies.
You can imagine a blockchain as a chain of blocks, where each block is a ledger that contains the details of the transactions that each individual makes, including the account number of the individual (and even of the receiver) who performed the transaction. Since they are cryptographically signed(with hashes), so they can’t be practically altered and hence cannot be faked; but the story doesn’t end here.
There isn’t only one blockchain but multiple blockchains, stored in different locations, so even if one is capable of modifying one block in the blockchain, he/she can't get away with it as it won't tally with the other blockchains. Thus making the block invalid and eventually, that block will be discarded from the chain.
As of now, there are 861 Blockchains.
Some popular cryptocurrencies are Bitcoin, Ethereum,Bitcoin Cash, Dogecoin, Binance coin, Litecoin, etc.
A token that’s not fungible!
Now, let’s talk about NFT. An NFT stands for Non-fungible token. “Non-fungible”, means that it’s unique and can’t be replaced with something else. You can trade $1 with another $1. It won’t make any difference as at the end of the day, all you’ll have is a dollar.
An NFT doesn’t work this way. It can be thought of as a virtual commodity and if you trade it for something else, you won’t have the same commodity, because it is unique. An NFT could be a song, picture, drawing, video, tweet, etc.
If you still don’t believe in the value of an NFT, get this. In an auction, a set of 9 NTFs by CryptPunk was sold at a whopping $17 million.
The next example is that of the artwork is named “Everydays: the First 5000 Days.” The more interesting part is that this auction took place at an auction house called Christie’s. The bidding actually started at $100, but it soon started to go higher and higher, and ultimately it was sold for $69.3 million!
One might be interested in NFTs because it gives them a way to sell their work that there otherwise might not be much of a market for. Also, NFTs have a feature that enables the owner to be paid a percentage every time the NFT is sold or changes hands, making sure that if it gets super popular and increases in value, the owner shall see some of that benefit.
For example, let’s consider a song as an NFT. A song can have multiple copies, so anyone in the world can have access to it, but a song registered as an NFT gives you complete ownership over the song.
Since it works over blockchain (More specifically over Ethereum blockchain), you’ll have a digital certificate proving that it belongs to you. And that certificate will not only be stored in one blockchain but multiple place blockchains. The song composer can have copyright over the song, but the owner is you. The song is digital and is therefore liable to be copied. So the copies of the songs that are possessed by the people will be considered duplicates, and the one that you possess shall only be considered original.
So, now with the knowledge in hand, let’s try to peel off some myths that we can have about them. Because they work on a blockchain, a transaction (for your benefit) can’t be faked, but hackers have found workarounds.
Breaking it Apart!
First is the people and the second is the technology for whose protection the security is implemented. In computer security, there is a saying that, “we are just as strong as our weakest link". So, if hackers can't hack blockchains (ie the technology), they go after the people.
There are multiple ways in which they can do this. Let’s understand a few of them and how you can protect yourself against them.
Just like in the stock market people trade stocks, people can trade in cryptocurrencies from a crypto exchange. You can buy and sell cryptocurrencies, including NFTs using a crypto exchange.
Now, crypto exchanges give you 2 options when it comes to storing your cryptocurrencies. The first option is to store it in with the exchange itself, referred to as a “hot wallet”, but many people do not trust the exchanges and prefer another alternative, and it’s called a “cold wallet”. It’s a place where you can store the crypto that you bought, and in return, they charge you. Just like living in a rental property. They provide you with two keys. One is called the private key (you can use it to access your wallet and take your crypto out for whatever reason you prefer) and a public key using which you can add crypto to your wallet (that you bought from the exchange).
This is one of the first weakest links that was exploited by hackers. The private keys are pretty large (about 40 characters) and therefore making it hard to remember. So, people just store it in those places where it convenient for them to retrieve it without thinking about the consequences.
One of the victims wrote the private key and saved it as an email draft and when his email was hacked, the hackers not only read his private emails and had a good time, but also used the private key to transfer all the crypto he had to their accounts.
You may wonder that this transaction may have been recorded in the blockchain, and hence they can be easily caught. Yes, it must have recorded the transaction, and the police can use it to catch the criminals.
A Hacker is Always a Step Ahead!
But the hackers are always a step ahead.
First of all, no crypto exchange can tell about a particular transaction that happened in their network, without a proper court order, and secondly, the hackers transferred the crypto via multiple exchanges (in different countries) with different rules and regulations and different compliances. Thus making it impossible for the police to catch them. To add to the problems they were using the tor network(VPN) to maintain anonymity.
The second instance is of the exchange itself where it sold its customers’ data (including the amount of crypto, IP address, email, phone numbers, ID, etc) for less than $2.
People are known to keep simple passwords as they are easy to remember. The hackers exploited this trait of people by simply brute-forcing the passwords and taking away all the crypto they had in their wallets. So, it becomes extremely necessary for people to avail at least 2-factor authentication.
Many companies provide 2FA(2-factor authentication) but many people find it tedious or simply lack the patience to wait for an OTP on their cell phones.
As technology is evolving, so are the attack models.
The next case is of an attack hard to pull off but once done can easily fool any person.
It’s called DNS hijacking. It involves routing your requested domain to that of the attacker domain, instead of the authentic one, by changing the DNS logs in the victim’s computer or the DNS server itself (The latter can be accomplished by hacking into the DNS servers).
The attackers hijacked the DNS servers and changed a few entries, which lead a user to the crypto exchange’s website. So whenever the victims tried to access his/her’s crypto exchange online, they were sent to another domain that was owned and controlled by the attacker.
Since the victims did not know this, and the site looked similar, they simply entered their credentials to log themselves in and carry on with their business. But it was a phishing site, and now the attacker had their credentials, which he then used to log himself into the crypto exchange impersonating as the victim and transferred all their crypto to their account.
Phishing is an old tactic used by hackers, but no one takes it seriously. Hackers have taken it a step further by targeting specific individuals. This tactic is referred to as Spear Phishing.
In Spear Phishing, hackers gain as much information as they can about an individual, a group, or an organization and then deliver them emails, messages, specific to their domain, which increases the probability of them opening the link or attachment more. This could be to infect the user’s computer with malware so that they can get access to their computer and look for confidential files. They could also install a keylogger, so when the next time the user logs into a crypto exchange or puts a request to buy an NFT with his/her crypto wallet, the keystrokes can be sent to the attacker.
Social Engineering is one of the most underrated tactics here. Some attackers, claiming that they are from the crypto exchange, and giving them other stupid yet luring excuses make them reveal their private keys.
There are numerous such cases. The lesson here is that as the technology is becoming more sophisticated, so are the attack models. The only remedy for a normal user is to keep himself /herself up to date with them.