25 March 2018 | Michael Philbert | Dynamic Mix

In recent testimony to the U.S. Senate Committee, SEC Chairman Jay Clayton said:

“There are significant security risks that can arise by transacting in these markets, including the loss of investment and personal information due to hacks of online trading platforms and individual assets “wallets”. A recent study estimated that 10% of proceeds generated by ICOs, or almost $400 million, has been lost to such hacks”.

Investing in the crypto market can be very exciting, but very risky if you jump in before properly educating yourself on the associated risks and best practices. Usually, when a friend asks me how to get started, the conversation goes like this:

Friend: Hey man, I heard that you know a lot about crypto, can you help me get started?

Me: Sure, before we get started we need to make sure all of your stuff is secure.

Friend: What stuff?

Me: Your computer and your phone mainly.

Friend: Ok, so what do we need to do?

Me: Check the current incoming connections to your computer with the Netstat command to make sure you are not already exposed, update your anti-virus, create a user account because I’m sure you’re logged in with an admin account, uninstall all bloatware because they increase your vulnerability platform…

Friend: Never mind, can I just give you some money to invest for me?

Unfortunately, we never make it to the conversation about phone security, transacting securely and risks of social engineering. Most individuals new to the crypto space build a foundation on sand that will surely sink into the depths of vulnerability. There are always new lessons learned emerging and we need to stay vigilant in educating ourselves, not just in the latest ICO (Initial Coin Offering) hype, but in best practices to stay secure.

Unlike traditional investments, in the crypto space all of the liability is on the investor to protect their assets. The ecosystem is very complex, comprising the investor, computers, phones, social media sites, wallets, hardware wallets, online accounts, traditional banks and much more. Every one of these areas introduces vulnerabilities that need to be mitigated. Often the biggest vulnerability is an uneducated investor.

The uneducated investor often makes the following mistakes:

Seeks advice rather than research

Reacts to FOMO (Fear of Missing Out)

Reacts to FUD (Fear, Uncertainty, Doubt)

Acts hastily and makes mistakes due to the lack of attention to detail

Falls victim to social engineering (skillfully crafted correspondence that tricks a user to taking action that leads to compromise)

Introduces unnecessary vulnerabilities to their phones/computers

Invests in Pump and Dump ICOs

Excessively sends PII (Personally Identifiable Information) to illegitimate organizations

And much more!

The reality is that Information Technology (IT) systems are difficult to compromise, but processes are not. For example, it is not easy to access a secure home, but if you check your mailbox every day at 5pm and leave the door open, a criminal can exploit that process. Knowing how to secure your processes and the platforms on which you perform them is key to staying secure.

The initial consideration should be whether your devices are secure. You have been poking holes in the security of your computer and phone since the day you purchased them. You download programs and applications, save passwords in your browser, download torrents, visit compromised web pages, and forget to update programs and operating systems with the latest security patches, along with many other things. I always recommend a second phone if you will be doing business on a mobile device.

I’m sure you’re thinking, “Why do I need another phone? That is ridiculous.” Well, here are the facts. Every communication technology on your device is an attack vector. If you have Bluetooth, AirDrop, NFC (Near Field Communication), Wi-Fi Direct, SMS, MMS, cellular data, etc., you can be exploited. These communication technologies, along with your daily use activities, increase the attack surface (options of attack). Imagine that you are at a carnival and have to throw a ball at a stack of cups: each cup is a vulnerability and the collective is the attack surface. If you were to remove cups, it would become increasingly difficult to hit them with a ball. Congratulations, you have reduced your attack surface.

Most of your transactions will occur on your computer and you will surely download a wallet eventually to store your assets. Did you know:

A virus executes at the level of permission of the user logged on

Upon initial setup, all Windows computers create an admin account as the first account

Most users NEVER create an additional account with user permissions ONLY as their primary account

No single anti-virus program covers every vulnerability, leaving you exposed to the ones not accounted for

Zero-day attacks use malware that is released for the first time ever and exploits newly discovered vulnerabilities

These facts are a dream for a hacker looking to exploit you. All they have to do is deliver malware and they can rest assured that it will execute without a problem. If you’re bored reading this article, here is a little exercise for you:

WINDOWS USERS

Close all internet browser windows and any programs that may be accessing the internet

Click into the search window on the bottom left of your Windows machine and type “CMD” and press enter (launches a black window called Command Prompt)

In the Command prompt window, type NETSTAT -AOB and press enter

Pay attention to LOCAL ADDRESS, FOREIGN ADDRESS and STATE. Local address shows the many doors (Ports) to your computer, foreign is the system remotely connected and state shows the connection state (Established, Listening, Time_wait etc.)

MAC USERS

Close all internet browser windows and any programs that may be accessing the internet

In the top right of your computer click the magnifying glass icon

Type “Terminal” and press enter (launches a terminal window)

Type lsof -Pn -i4 and press enter (Maximize your window or it will look confusing)

Anything that says established is actively connected to your system. If you’re freaking out right now, calm down and continue reading. There are some legitimate processes, like Windows Update and anti-virus programs, that maintain a connection to the internet. For Windows users, the processes responsible for the connection will appear in brackets [Process.exe]. You can google these processes to see if they are legit and expected. For Mac users, the program establishing the connection will appear in the leftmost column and the source/destination addresses will appear in the rightmost column, written as 8.8.8.8 -> x.x.x.x (Established, Listen, Closed etc). Some viruses, like rootkits, compromise the very foundation of your system, while others you can recover from. If you have a rootkit you will need to factory reset your computer.
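The Mac exercise above can be made less confusing by letting a small script pick out the columns that matter. This is an added example, not part of the original article: it reads `lsof -Pn -i4` output, lists each TCP socket with its state, and reports established connections from programs you did not expect. The sample rows, the process names and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof -Pn -i4` output (not captured from a real machine).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd  412 alice   4u  IPv4 0x1a01      0t0  TCP *:49152 (LISTEN)
firefox   733 alice  22u  IPv4 0x1a02      0t0  TCP 192.168.1.23:50211->203.0.113.10:443 (ESTABLISHED)
mDNSRespo 201 _mdns   7u  IPv4 0x1a03      0t0  UDP *:5353
updater   950 alice   9u  IPv4 0x1a04      0t0  TCP 192.168.1.23:50300->198.51.100.7:8443 (ESTABLISHED)
firefox   733 alice  25u  IPv4 0x1a05      0t0  TCP 192.168.1.23:50212->203.0.113.10:443 (CLOSE_WAIT)
EOF
}

# Read lsof output on stdin; print "STATE COMMAND PID LOCAL REMOTE" for every
# TCP socket. UDP rows carry no state in the NAME column and are skipped.
summarize_lsof() {
  awk 'NR > 1 && $NF ~ /^\(.*\)$/ {
         state = $NF; gsub(/[()]/, "", state)
         n = split($(NF-1), ep, "->")   # local->remote; listeners have no arrow
         print state, $1, $2, ep[1], (n == 2 ? ep[2] : "-")
       }'
}

# Print "COMMAND PID REMOTE" for ESTABLISHED connections whose COMMAND is not
# in the space-separated allowlist given as $1 (an assumption: you decide
# which programs you expect to be talking to the internet).
unexpected_established() {
  summarize_lsof | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "ESTABLISHED" && !($2 in ok) { print $2, $3, $5 }'
}

# On a real Mac: lsof -Pn -i4 | unexpected_established "firefox Dropbox"
sample_lsof | unexpected_established "firefox"
```

Anything the script reports is only a prompt to look the program up, as described above; a connection from an unfamiliar name is not by itself proof of compromise.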

The final thing that I will briefly discuss is social engineering. This is an attempt at convincing you to take actions that will lead to compromise. You probably have already seen some form of this if you have an email account. It probably came in the form of an email that had your friend’s name as the sender and prompted you to take action. While surfing the internet you may even have visited a site that displayed a huge banner saying “YOUR SYSTEM IS INFECTED, CLICK HERE TO GET EVEN MORE INFECTED”!

As you travel the crypto space you may visit social media sites or chat services where you will be contacted by fake admins or people offering to sell you a coin/token of your choice for a great price. Most often they are trying to steal your assets! In order to stay protected, only visit verified websites, take direction from trusted communities, and don’t engage in unsolicited contact.

We are embarking on a paradigm shift that yields great potential, but comes with a great deal of risk. We have an obligation to each other to usher in this new era in a manner that doesn’t create a fertile hunting ground for hackers, crazy attackers, or molywackers (don’t know what the last two are, but it rhymed and I had to have 3 items).

Upcoming identity management projects like Bridge Protocol will be key in ensuring that you can transact securely when participating in ICOs by creating an infrastructure that allows organizations to validate your identity in the KYC (Know Your Customer) process without compromising your PII (Personally Identifiable Information). They will be the conduit that translates government regulatory requirements into an ICO service to ensure that the projects you interact with operate within the highest established regulatory standards and guidelines. They are one of the many tools that you should employ to operate securely in this space. Share this information if you find value in it and happy investing!

Join us on

Telegram: https://t.me/DynamicMix

Reddit: DynamicMix

Bridge Protocol: https://www.bridgeprotocol.io