You’ve probably heard a little something about cryptocurrency. Does Bitcoin ring a bell? The price of this and other cryptocurrencies has been soaring, and it’s driving a mania-style frenzy on Wall Street.
There is so much hype about alt-coins lately that there are now reports of people even taking out second mortgages and home equity lines to buy them. Crazy, right?
For years, financial analysts have warned people to stay away from cryptocurrency by arguing that it was too volatile to be a safe investment. However, with prices going sky-high, it’s hard for investors and entrepreneurs to sit on the sidelines while a major new asset class emerges.
Before you get lured in by the shiny new penny, though, you need to understand the risks. Cryptocurrency markets aren’t just volatile, they are also extremely murky and riddled with fraud. Since the launch of Bitcoin in 2009, these markets have been plagued with cyberattacks and scams that have cost investors millions of dollars. To make matters worse, cryptocurrency isn’t protected by the FDIC, so losses due to theft are nearly impossible to get covered.
So how do these cybercriminals do it? Of the many ways cryptocurrency investors can lose their shirts to scammers, there are two main ones.
The first is when hackers attack the infrastructure underpinning these coin markets, such as exchanges, digital wallets, mining companies and web host services. The second is when criminals target investors directly. There are a variety of these online scams, which often use social engineering tactics, but the primary ones to worry about are initial coin offering (ICO) fraud, phone-porting, fake wallets and malware.
While there’s not much investors can do to protect themselves against attacks on the cryptocurrency system, they can take measures to lower their own risk of falling for a targeted attack.
Here’s a breakdown of these four attacks and ways to reduce the threat:
Initial Coin Offering (ICO) Fraud
An ICO is when a newly invented cryptocurrency is launched to investors. Needless to say, this is an unregulated and risky activity all by itself, but it is also plagued by scammers. There are two ways ICO fraud happens. The first is when criminals create a fake ICO and steal any money that investors give them. This is what happened in December, when the SEC shut down the PlexCoin ICO, which it alleges was a $15 million fraud.
The second type of ICO fraud is when hackers “spoof,” or impersonate, a legitimate ICO and trick investors into paying them instead of the real company. This happened recently with messaging giant Kik’s ICO, which goes to show it can affect even well-established companies. Typically, cybercriminals will create a fake website or social media account and use phishing emails to promote a phony “pre-sale” offer or other trick.
Security tip: Do sufficient research on an ICO before buying in. Check industry sites like CoinDesk to verify the legitimacy of a claimed ICO. Don’t fall for hard-sell tactics or too-good-to-be-true offers, especially when received over email or social media messaging, as these are likely phishing attempts. See the SEC’s tips on ICO investments if you’d like more information.
Phone-porting
Cell phone identity theft, also known as “phone-porting,” is when criminals commandeer a person’s phone number by tricking the mobile provider into giving them control of the account. Once they have the phone number, they can reset the password to a digital wallet and drain the account. Since these cryptocurrency transactions can’t be reversed, the investor can lose everything. According to Federal Trade Commission statistics, phone-porting attacks in general rose by 256 percent between 2013 and 2016.
Security tip: Mobile providers usually recommend adding a unique PIN and verification question to the account to improve security. However, a better solution is to switch two-factor authentication from SMS to a third-party service like Google Authenticator.
Fake digital wallets
Cryptocurrency has to be stored somewhere, and investors often use virtual wallets. The problem is that fake wallets occasionally appear online or in mobile app stores, and they may steal investors’ savings. This happened recently with the Bitcoin Gold wallet scam, which reportedly stole $3 million. On December 10, the popular service MyEtherWallet warned customers about a fake MyEtherWallet digital wallet app, which had risen to No. 3 in the iOS App Store’s finance category.
Security tip: Before selecting a digital wallet provider, do your homework. Only use services that have a solid track record. Another option is to use an offline hardware wallet.
Malware
Recently, a new category of malware has emerged that specializes in one activity: stealing bitcoins. It can do this in a few different ways, such as stealing log-in credentials or the wallet itself, or getting in the middle of a transaction.
Security tip: Use a robust antivirus program and an inbound/outbound firewall to protect your computer. Use two-factor authentication and a password manager to protect the log-in.
Cryptocurrency investors face a lot of risks, not the least of which is scamming. Since this market is largely unregulated and unprotected, it is up to individual investors to account for their own security. Follow the above tips, and also take additional measures, such as encrypting the internet connection with a VPN (virtual private network). It’s also not a bad idea to consider using a dedicated computer (i.e., it does nothing else but log in to your bitcoin account) to be safer when performing these transactions.