The best cryptoassets and their blockchains, such as Bitcoin (BTC) or Ethereum (ETH), are mostly robust against potential attacks, but the wider crypto ecosystem depends on much of the web infrastructure that defines legacy systems.
This point came to the fore in July’s Ledger database leak, in which the wallet manufacturer’s ecommerce database was hacked for one million customer emails and more.
However, security experts speaking to Cryptonews.com affirmed that much can be done by the industry and individuals to reduce the scope for breaches. They also affirmed that the likeliest attacks, such as the Ledger breach, are the ones least likely to steal actual private key or wallet info, which is what criminals would need to steal your crypto.
Personal data and private keys
There are two main kinds of potential leak or attack in crypto, as explained to Cryptonews.com by wallet recovery expert Dave Bitcoin.
“There is a significant difference between leaks of personal data (email address, name, date of birth, etc.) and leaks of private keys,” he said.
“If a crypto company leaks only personal data, then it is no worse than any leak in the non-crypto space – not good, but unlikely to lead to a loss of crypto funds.”
Conversely, Dave Bitcoin also warned that if a company leaks private keys or recovery phrases, crypto funds can be stolen with very little effort. “Even if the key information is encrypted with passphrases set by the customer, it is quite likely that some passphrases will be guessed, either because they are weak, in existing password lists, or derivable from the customer’s other private information.”
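A wallet provider can narrow this exposure by screening passphrases when they are set. The following is an added example, not code from the article or from any wallet vendor: it rejects passphrases in the three categories named above (weak, in password lists, derivable from personal data). The blocklist, the minimum length and the customer record are constructed assumptions.

```python
import re

# Constructed sample; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "bitcoin", "iloveyou"}
# Undo common character substitutions so "P@ssw0rd" is compared as "password".
LEET = str.maketrans("@4031!$5", "aaoeiiss")
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def squash(text):
    """Lower-case and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_tokens(profile):
    """Strings that anyone holding the leaked profile could try first."""
    local_part = profile["email"].split("@")[0]
    words = re.split(r"[^a-z0-9]+", (profile["name"] + " " + local_part).lower())
    tokens = {w for w in words if len(w) >= 3}
    year, month, day = profile["dob"].split("-")  # ISO date, e.g. 1985-03-14
    tokens |= {year, year + month + day, day + month + year, month + day + year,
               day + month + year[2:], month + day + year[2:]}
    return tokens


def screen_passphrase(passphrase, profile):
    """Return the reasons a passphrase is guessable; an empty list means accept."""
    reasons = []
    if len(passphrase) < MIN_LENGTH:
        reasons.append("weak: too short")
    # Strip trailing digits/symbols, then undo substitutions, before the list lookup.
    base = re.sub(r"[\d\W_]+$", "", passphrase.lower()).translate(LEET)
    if squash(base) in COMMON_PASSWORDS or squash(passphrase) in COMMON_PASSWORDS:
        reasons.append("in password list")
    plain = squash(passphrase)
    if any(token in plain for token in personal_tokens(profile)):
        reasons.append("derivable from personal data")
    return reasons


# Constructed customer record with the personal fields the article lists.
SAMPLE_PROFILE = {"name": "Alice Example", "email": "alice.example@example.com",
                  "dob": "1985-03-14"}
```

Screening of this kind only reduces how many passphrases fall to guessing; it does not make a leaked encrypted key safe.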
An example of this latter, more serious type of breach is a flaw affecting Coinomi desktop wallets that was discovered in 2019. It’s also evident in a variety of rogue browser extensions and malware, which can access a user’s private key when a hardware wallet is used.
Dave Bitcoin also warned of an intermediate third category.
“These involve leaks which reveal the identity of address owners,” he said.
“For example, if a company leaked a list of customers and blockchain addresses the customer sent cryptocurrency to (for example to exchange, or to pay for goods or services), then the public transaction ledger can be used to track down other transactions by the same customer.”
As he added, this kind of breach potentially exposes the holdings and dealings of a customer and may increase the risk of them being targeted.
What can be done
Developer Daniel Ternyak said that there are a variety of things individuals can do to reduce their exposure to leaks.
“Cryptocurrency investors should make every attempt possible to maintain strong OPSEC [operational security],” he told Cryptonews.com.
“Although it’s difficult to stay constantly vigilant, investors should scrutinize each instance when they’re asked to provide personally identifiable information that can be tied to their ownership of crypto assets.”
In practicing operational security, Ternyak advised, individuals should consider their own security from the perspective of a potential hacker. That way, they can more easily pinpoint weak spots and vulnerabilities in how they handle their crypto.
“Even when users are using a hardware wallet, the ‘$5 wrench attack’ is still effective for gaining access to funds,” he added, indicating that users even need to consider their own physical security and exposure.
Dave Bitcoin suggested that the biggest security decision for individual users involves the choice of their crypto wallet.
“Individual users should consider whether a custodial or non-custodial wallet is right for them, and carefully evaluate any non-custodial wallet provider for security practices,” he said. “Which is admittedly hard to do unless the company provides an independent security audit to support their claims.”
As for companies, Marek “Slush” Palatinus, CEO of SatoshiLabs, the manufacturer of the Trezor hardware wallet, advised firms to hold only absolutely necessary personal info, and in as limited a way as possible. The company claims that they purge orders after 90 days from their e-shop database.
“The responsibility of each company should be to limit the impact of such data breaches on their clients; ideally, the amount of collected data should be as small as possible, held for as short a time period as possible,” the CEO told Cryptonews.com.
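A retention window like the 90-day purge described above can be enforced with a scheduled job. This is an added example, not SatoshiLabs’ code: the SQLite store, the `orders` schema and the sample rows are constructed assumptions. It also checks that purged values are gone from the database file itself, not only from query results.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # the retention window quoted in the article


def open_shop_db(path):
    """Open a hypothetical e-shop database holding customer order data."""
    conn = sqlite3.connect(path)
    # Overwrite deleted content with zeros instead of leaving it in free space.
    conn.execute("PRAGMA secure_delete = ON")
    conn.execute("CREATE TABLE IF NOT EXISTS orders ("
                 "id INTEGER PRIMARY KEY, email TEXT, ship_to TEXT, placed_at TEXT)")
    return conn


def purge_expired(conn, now):
    """Delete orders older than the retention window; return how many were removed."""
    cutoff = (now - timedelta(days=RETENTION_DAYS)).isoformat()
    removed = conn.execute("DELETE FROM orders WHERE placed_at < ?", (cutoff,)).rowcount
    conn.commit()
    conn.execute("VACUUM")  # rebuild the file so freed pages are dropped
    return removed


def demo():
    """Run the purge on constructed rows and inspect what a file-level dump exposes."""
    now = datetime(2020, 12, 1, tzinfo=timezone.utc)
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    conn = open_shop_db(path)
    rows = [("old@example.test", "1 Constructed St", now - timedelta(days=200)),
            ("edge@example.test", "2 Constructed St", now - timedelta(days=91)),
            ("new@example.test", "3 Constructed St", now - timedelta(days=5))]
    conn.executemany("INSERT INTO orders (email, ship_to, placed_at) VALUES (?, ?, ?)",
                     [(e, s, t.isoformat()) for e, s, t in rows])
    conn.commit()
    removed = purge_expired(conn, now)
    remaining = [r[0] for r in conn.execute("SELECT email FROM orders")]
    conn.close()
    with open(path, "rb") as f:
        raw = f.read()
    return removed, remaining, b"old@example.test" in raw
```

Backups, replicas and application logs hold their own copies of the same fields and need the same retention window.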
Palatinus also advocates for greater privacy, so that consumers can make more informed choices.
“The industry should take customers’ privacy seriously and openly inform them what kind of data is being collected and how it is being treated afterward,” he suggested. “Far too often there is a data leak that could have been prevented by just taking better care of it.”
Such steps may reduce the frequency of data breaches. But given that most data breaches affect non-crypto-based systems (such as Ledger’s ecommerce database), they’re likely to remain inevitable to an extent.
Dave Bitcoin said, “Security strategies continue to evolve — one example being the requirement to encrypt all data in transit and at rest (for example in a database or file store). But there is always a means to decrypt the data, so these schemes can be broken if the keys are exposed and the data stores accessed.”
Dave predicted that companies will eventually stop storing personal data indefinitely, which will limit data breaches as far as possible. Of course, crypto holders will always have to take their own personal security as seriously as possible.