When you decide to store your wealth in Bitcoin, security is paramount. The blockchain spares no expense in securing blocks for a reason, and you shouldn’t either. Trusting large entities with our money and assets might be the norm, but centralisation comes at a cost.
While we fortify our digital wallets with strong passwords and two-factor authentication (2FA), this is all merely security theatre that won’t stand up to scrutiny.
Evident through the exploits of a cunning foe: the social engineer.
Social engineering hacks are manipulative dances in which attackers exploit human emotions and vulnerabilities to gain access to your precious Bitcoin.
Forget fancy coding; these hackers target you as the security gap.
Social engineering swindlers aren’t interested in figuring out how to bypass all the bank’s security measures in order to raid the vault; instead, they’re focused on getting you to hand over your credentials, then walking over to the bank, withdrawing your savings, profiting off of your trust or negligence.
A primer on social engineering
I highly recommend listening to the Rachel Tobac interview on the Dark Net Diaries if you want an excellent introduction to social engineering and its tactics. She is a white hat hacker who regularly gets hired by businesses to run penetration tests on their security setups, and you might be surprised at how the gift for the gab can help you leapfrog many a firewall.
https://darknetdiaries.com/episode/144
Think you’re safe with 2FA?
A common security measure used by exchanges is 2FA. Some services might not even allow you past the account setup process without it, and to an extent, it adds a layer that needs to be bypassed, but this is not impossible.
2FA comes in many forms, such as a one-time pin to your e-mail address, phone number, or a USSD menu prompt via your mobile carrier. So, how would the attacker break your security?
Even if they have your username and password, they need that one-time PIN, which changes with every prompt.
Not necessarily.
Imagine a scenario where a scammer, pretending to be from a legitimate exchange, convinces you of a critical account issue. They pressure you to provide a one-time code from your 2FA app while setting up a SIM swap.
A SIM swap is a common practice that involves tricking your mobile carrier into transferring your phone number to a new SIM card they control. With both the code and your now-compromised phone number, they can bypass 2FA and drain your account.
Note: If you will enable 2FA on your account, consider using a service like Google Authenticator or another third-party Authentication app you can run on your smartphone. If you can add multiple 2FA options to your account, consider turning off the others and having the AUTH app as your default.
Using an AUTH app makes life a little harder for hackers, but they can still get into your account, especially if you’re easily convinced to hand over sensitive information.
These AUTH apps are also not a replacement for self-custody and should be enabled to remove funds from the custodian when you feel your balance reaches a size that makes you uncomfortable securing it only with a username, password, and 2FA.
A dive into social engineering attacks
The talk on social engineering attacks picked up this week after Junseth, a Bitcoin podcaster, released an interview confronting a scam caller. The scam involved a group of minors who have been contacting potential victims under the guise of customer support representatives from reputable companies such as Google and various Bitcoin exchanges.
After either gaining the user’s trust or pushing them into a high-pressure situation, the fake customer support scammer will “help” secure the user account or seed phrase and then sweep those funds.
While the scam isn’t very sophisticated, it is considerably profitable, with the scammer reporting to earn as much as $6000 per day while highlighting several of his biggest wins, from as little as $35 000 up to as high as $4 000 000 on a single account exploit.
Sourcing profitable blocks becomes easier with KYC
Social Engineering thrives on narrowing down your targets; if you’re just going to try to contact users talking about #Bitcoin or #crypto on social media by DM’ ing, emailing, or calling them, your hit rate is going to be pretty low, and you’ll likely be turned off from continuing this process.
But if you can find a list of suckers with a high hit rate, you’re going to be more inclined to continue. Lists of users with exchange accounts are a hot commodity, and social engineering syndicates are willing to pay top dollar for them; the leaked lists can trade on forums or employees of exchanges could even be approached and bribed into handing over data.
The more lists you can collect, the easier life becomes, as you can overlay them with your different lists, see where users overlap, and form a comprehensive profile of your targets.
The source of lists these syndicates thrive on continues growing as regulation works in their favour.
KYC feeds the beast
If you purchase Bitcoin from a regulated entity, you’ll be forced to provide identification and contact details as part of the setup process. The exchange will keep these files on record to safeguard users of the platform and ensure that no criminals use it.
However, KYC (Know Your Customer) and AML (Anti-Money Laundering) regulations are double-edged swords. While they aim to combat financial crime but do a poor job, they also create vulnerabilities that social engineers can exploit.
Here’s how:
Honeypots for Hackers:
- Data Concentration: KYC/AML obliges companies to collect a vast amount of user data, such as names, addresses, phone numbers, social security numbers, etc. This creates a treasure trove for hackers if breached, and we’ve seen several leaks from exchanges and even hardware manufacturers like Ledger.
- Vulnerability Profiling: With this data, hackers can identify and target high-value customers or those with weaker security practices. Imagine a hacker identifying someone with a large Bitcoin holding and limited knowledge of social engineering tactics – a prime target.
- Social Engineering Fuel: Personal details can be used to craft convincing social engineering attacks. Hackers can impersonate legitimate entities (banks, exchanges) and use the stolen information to build trust with the victim.
KYC/AML and Social Engineering: A Dangerous Mix
KYC/AML, while necessary for exchanges to operate, can create a scenario where:
- More Data = More Risk: The more data collected, the bigger the target hackers have.
- Security Weaknesses: Centralised storage of user data creates a single point of failure if security is compromised.
- Targeted Attacks: Stolen user data empowers hackers to tailor social engineering scams for maximum impact.
Minecraft kids are coming for your Bitcoin
Minecraft kids are growing up, and instead of dealing with the reality of minimum wage, a cohort of lawless US-based youngsters are making millions of dollars by stealing crypto assets over the phone.
It seems as if the game has become a breeding ground for those interested in hacking, and some of them have graduated from selling gaming mods, accounts, and @handles online to more lucrative ventures.
In 2019, Boston-area resident named Joel Ortiz was sentenced to a decade in a California prison in what is believed to be the country’s first-ever arrest and conviction for “SIM swapping,” commandeering victims’ smartphones to steal millions of dollars worth of Bitcoin and other tokens.
You would think a conviction like this would deter the next generation of youngsters, but what they lack in common sense, they make up for in bravado, and there is no shortage of literal children coming for your Bitcoin.
Why self-custody needs your savvy
Social engineering is a low-tech tactic that anyone can learn in their spare time. If you have the gift of the gap, all you need to do is convince victims to surrender their login credentials or send money voluntarily.
According to one estimate, 98% of cyberattacks and the number of people moving into this space will increase as word gets out on how easy it is to scam people at a healthy profit.
If you want to avoid being part of these concerning statistics, you have to take yourself and your funds out of the firing line. Self-custody wallets offer greater control over your Bitcoin; once the funds are held in an on-chain wallet, you won’t need 2FA or passwords; your private keys are offline and the only way to access your funds.
Once funds are in your control, it’s all on you to protect them.
It’s crucial to remember that even self-custody can be susceptible to attack if you fall victim to a social engineering scam. If an attacker convinces you to reveal your private keys (the master password to your Bitcoin holdings), they can easily steal your funds.
When in doubt, HODL!
Don’t be pressured into sharing sensitive information, and never click on suspicious links or download attachments from unknown senders.
I don’t know who needs to hear this, but…..
You will never be contacted about your self-custody coins, not by your bank, exchange, hardware manufacturer, or tax authority.
If anyone contacts you about your Bitcoin, tell them you lost it in a boating accident and hang up the phone.
Protecting yourself against opportunists and scammers
The best way to shield yourself from social engineering scams is not to use centralised exchanges; if you hand over data, eventually, that data could land on a list of a hacking group, and you could become a target.
While buying P2P Bitcoin can seem more complex and costly, that privacy premium looks much cheaper than seeing your account drained.
If you are an exchange user, consider having your account deleted and scrubbed from these platforms or using a burner email for accounts.
Set up an email like scambait@protonmail.com and use this for all your accounts.
That way, if someone reaches you through this mail, it’s likely a scam.
If you’re not willing to give up the ease of exchanges, consider your data leaked already and prepare for the inevitable attack. It’s always better to be safe than sorry. Be wary of unsolicited calls, messages, or links. Verify website URLs, enable transaction confirmations, and never share sensitive information under pressure.
- Be wary of unsolicited calls or messages. Legitimate companies won’t pressure you for personal details.
- Double-check website URLs. Phishing sites can mimic real ones with slight variations.
- Enable transaction confirmations. This adds a safety net before funds leave your wallet.
- Educate yourself! The more you understand social engineering tactics, the better equipped you are to identify them.
Remember, legitimate companies won’t rush you or demand personal details. So if someone contacts you mouthing off some nonsense about your account, slow down, don’t panic, verify information, HODL onto your Bitcoin and stay alert.
Your vigilance is not just a defence; it’s your only defence!
