$ Phishing for Cryptocurrency: Why we need wallet-level verification protocols to restore trust to the blockchain
Earlier this month, Bitcoin.com reported that $1.36 billion worth of cryptocurrency was stolen in the first two months of 2018: or $9 million each day. Even if you exclude the huge “outlier” thefts involving Coincheck, Bitconnect, and Bitgrail, that amount still exceeds half a billion dollars in sixty days. And this astonishing figure only accounts for thefts above a minimum threshold of $400,000; so-called “micro-scams” on social media (such as the infamous Twitter celebrity impersonation con) are not included in the statistic because they are too difficult to measure.
Human beings are often the weakest link in any security program; consequently, phishing attacks and similar forms of social engineering — using imitation profiles and websites to trick users into sending their valuable stuff to a hacker — have become a highly-organized and profitable industry. A security team at Cisco recently documented the activities of a Ukraine-based phishing ring called COINHOARDER, which used Google Adwords to poison Google search results, targeting users of the Bitcoin wallet service blockchain.info.
The COINHOARDER group used “typosquatting” (obtaining domain names with small typographical differences from the authentic domain names) and “homograph attacks” (creating domain names where an international letter or symbol looks very similar to one in English) to host convincing imitation websites that are extremely difficult to detect. The group then targeted countries where English is not the dominant language — especially African states with volatile national currencies and limited banking infrastructure, where cryptocurrencies offer a (relatively) stable alternative. The imitation sites obtained free SSL certificates to bolster their illusion of credibility, but an SSL certificate (and the green HTTPS “checkmark” that accompanies it) only ensures that your connection is encrypted, not that the website is trustworthy and its operator is actually who they claim to be.
In the case of the COINHOARDER attacks, a tool like MetaCert’s Cryptonite whitelist offers a small form of protection: domain names and social media accounts that have been verified by the Cryptonite team show a green “shield” icon in your browser tray, so you know if a site’s domain name is an attack site or the real deal. But a system that only inspects URLs can offer a false sense of security — for example, in the case of the Seele ICO hack, in which Seele’s Telegram account was compromised. Hackers used Seele’s official social media to announce a fake token sale, soliciting payments to their own wallet address, resulting in nearly $2 million in stolen cryptocurrency. A similar vulnerability punished Beetoken’s ICO: hackers obtained Beetoken’s mailing list and sent a mass e-mail soliciting investors to send their cryptocurrency to a fraudulent wallet address. By only checking URLs and “verified” social media accounts, tools like Cryptonite leave users exposed to critical “points of failure”: you must trust Telegram (or Twitter, Facebook, Mailchimp, etc.) to protect their user data, and you leave them responsible for ensuring the individual you are communicating with is who they claim to be.
A domain name may be “whitelisted,” but that alone is no guarantee that the website itself is “legitimate.” In another recent hack, hackers hijacked the Domain Name Server (DNS) of the cryptocurrency exchange EtherDelta, redirecting users to a nearly-identical imitation site; on the fake exchange site, every transaction was sent directly to the hacker’s wallet instead of the exchange. During the EtherDelta hack, a user reported in the MetaCert public Slack group that the EtherDelta DNS was hacked, and the Cryptonite extension was updated to warn users away from the fake site. But creating this warning required three separate steps: 1. EtherDelta publicly acknowledging the DNS hack, 2. a Good Samaritan community member forwarding EtherDelta’s report to Cryptonite, and 3. the Cryptonite team updating the site’s classification in their system. If there is any delay at any step of this process, then the tool has failed.
The only way to know with certainty that you are transacting with the person or entity you intended is by implementing a system for authenticating and verifying ownership of the wallet address itself. A cryptocurrency wallet is like a cryptographic keyring that contains the keys used to sign and commit a transaction to the blockchain — after that, the transaction is irreversible. A robust protocol for publicly documenting the identity and trustworthiness of wallet owners provides cryptocurrency users with protection from phishing attacks at the most fundamental level, eliminating numerous “points of failure” that currently threaten individuals transacting on blockchains. This is necessary to achieve the philosophical aim of blockchains, a “trustless” network for transmitting value: there must be protocols in place that more effectively encode trust in blockchain transactions.
Trustroot is building a blockchain-based certificate authority system for cryptocurrencies. A wallet-owner engaged in legitimate business activities — whether an individual or a major corporation — wants to assure the people they transact with that they (the wallet-owner) are who they claim to be, and not an imposter. The wallet-owner can send a request for certification to the Trustroot blockchain: a decentralized network of certificate authorities then reviews the wallet-owner’s request and authenticates the documentation contained in the application (e.g. proof of identity for an individual, articles of incorporation for a business). Only after a certain threshold of confidence is achieved by the consensus of certificate authorities (according to authentication requirements agreed upon by the community), a certificate is written to the Trustroot blockchain.
When you install the Trustroot browser extension, it gets added to the tray in the top-right of the browser — throughout the day as you are browsing the web, any time a cryptocurrency wallet address appears in a webpage you will see an indicator informing you whether that wallet has been “audited” by the Trustroot network: you will immediately know whether the wallet-owner’s identity has been verified by the Trustroot certificate authorities (a green checkmark for ‘yes’ and a red X mark for ‘no’). Expand the extension, and you will see whether the wallet belongs to the organization or entity you expect it to. You can check the legal name of the company, its business address, any other relevant identifying information, as well as who issued the certificate — without ever leaving the original webpage.
It will take time and resources to achieve our vision of safe cryptocurrencies regulated by a decentralized, blockchain-based verification system. In the meantime, we are developing the first certificate authority and the basic protocols that will form the model for our decentralized verification system. We are also developing a reputation feedback system that allows individuals to review their transactions and write their reports to the blockchain, to better inform future users about potential ‘bad actors.’ It is important to establish universal and easy-to-implement safety standards for cryptocurrencies — so we are focused on building open-source libraries for chain explorers, hosted wallets, exchanges, and ICOs to integrate these features into their services.
In terms of total value stolen, phishing attacks may not be the “worst” form of crypto vulnerability — hacks of hosted wallet sites and exchanges, “exit scams” from fake companies, and outright robbery can be more lucrative methods of cryptocurrency theft. Nevertheless, phishing is the most prevalent and preventable threat to ordinary users transacting on blockchains. Educating and protecting everyday users is especially important for blockchain technologies as they leave their infancy, because the future of cryptocurrencies depends on the public’s trust and confidence in the underlying infrastructure. We’re excited about the potential of blockchains, and determined to do our part to ensure their safety and security for everyone. Learn more about our project and track our progress at trustroot.io.