Risk in DeFi (Part 1/3): Procedural hacks and how to avoid them
How sure are you about the security of your digital assets?
Before investing any assets in DeFi products, it’s worth asking yourself, “do I have the patience and know-how to store my digital assets in a way that’s reasonably secure?
To help you optimize your financial decisions, we’re producing a series of articles to help you understand the risks to consider before using DeFi tools and protocols to manage your assets.
Our first article introduces the different forms of risk to consider and takes a closer look at procedural hacks, highlighting some of the different types of attacks to look out for and providing best practices for securing your digital assets.
Risk in DeFi
Risk in DeFi can be grouped into three different categories: financial, technical, and procedural.
Financial risk involves comparing the potential risk and reward associated with various investment opportunities with the goal of constructing a successful portfolio in accordance with a person or organization’s tolerance for risk.
Technical risk means evaluating potential vulnerabilities in the hardware and software behind a product or service.
Procedural risk can be considered similar to technical risk but instead of looking at the product or service, procedural risk examines the ways in which users might be manipulated into using the product in unintended ways that could compromise their security.
One common form of procedural hack that most of us would recognize is a phishing attack.
When executing a phishing attack, a hacker will start by doing something like replicating a popular website or drafting an email that looks like it’s from a trusted institution like a bank or healthcare provider.
Then, the hacker will use that content to trick victims into revealing sensitive information using tools like fake login or signup forms. Your information can then be sold on the dark web or used to steal or extort value in other ways.
The real website or email service hasn’t been compromised, or else this would be an example of a technical vulnerability. The user has simply been duped into providing information that can be used against them, contrary to the intention of the product or service provider.
Individuals known to hold cryptocurrency are often targeted by fraudulent communications from attackers pretending to be from a digital exchange or wallet provider. As an example, the hacker might pretend to be a customer support agent and extract enough credentials through “account verification” procedures to then turn around and steal the user’s funds.
In addition to phishing, other procedural hacks to watch out for include:
Baiting, also referred to as the “bait and switch,” is similar to phishing but instead of creating a fake website or email blast, an attacker will purchase ad space on a website and link to a page infected with malicious software (malware).
Once the victim clicks the link, the malware will be downloaded to the computer and typically used to provide full access to your system.
Bait and switch attacks are a part of the reason it’s important to be careful when clicking ads and exploring unfamiliar businesses or organizations on the Internet.
Pretexting is when an attacker impersonates a trusted individual like a family member, a manager or other coworker with some level of authority, or a healthcare provider and uses that trust to extract money or information from the victim.
A pretexting attack may involve email, phone calls, or in-person communication and hackers often pretend there’s an emergency to escalate the urgency of the call, insisting that a boss is angry or claiming a loved one has been seriously injured, for example.
- Quid Pro Quo
Quid Pro Quo is a form of baiting in which the attacker pretends to offer something of value in exchange for doing what the attacker wants the victim to do.
For example, a hacker might call a victim posing as a technical or customer support representative and offer to help the victim with a problem they didn’t know about.
A SIM-swap is an extension of a phishing attack that involves using the information extracted from the victim to convince a mobile service provider to add a new SIM card to the user’s account.
With full access to the victim’s smartphone, the attacker can steal funds from any digital wallets on the phone and access multi-authentication apps, which can be used to break into sensitive accounts and steal valuable assets, monetary or otherwise.
- Spear Phishing
Spear phishing is an advanced form of phishing that involves targeting specific individuals or organizations. Common targets include new and lower-level employees and especially those working in finance departments who may have access to sensitive information, or at least the ability to unwittingly provide access to sensitive information.
Tailgating is an important attack to consider because it demonstrates that not all attacks take place in the digital world.
When someone uses deception to gain access to a location they’re not supposed to be in, they’re tailgating. The most common example would be an individual asking someone to hold a locked door open for them or simply waiting and following someone into an area after they unlock a door.
Best Practices for Securing Digital Assets
With so many different types and brands of digital wallets, aggregators, and DeFi products to choose from, it can be difficult to figure out where to even get started.
Here are a few important things to keep in mind before downloading a new digital wallet or DeFi solution.
Always select trusted products and services
Baiting attacks are a perfect example of why it’s important to be careful when downloading and navigating unfamiliar apps and websites.
Investigating the trustworthiness of decentralized products can be extremely difficult due to the lack of best practices for things like smart contract security.
Unless you’re comfortable doing things like auditing the security of smart contracts, it’s generally best to stick with popular solutions or seek opinions from trustworthy experts before experimenting with unfamiliar software.
Use the right tool for the job
You wouldn’t keep thousands of dollars in cash just lying around if you had access to a bank account, right?
Well, you shouldn’t keep all of your digital assets on an exchange or some other hot storage solution, either.
When storing digital assets, it’s important to consider which digital wallets you want to use.
Hot storage refers to digital wallet solutions in which the private key that secures the wallet may be exposed to the Internet when doing things like signing transactions. Mobile, desktop, and browser-based wallets are common examples of hot storage solutions.
Cold storage refers to digital wallet solutions that, by design, do not expose the private key to the Internet. Paper and hardware wallets are the most common examples of cold storage solutions.
Hot storage solutions are generally used for smaller amounts of cryptocurrency kept for on-the-go use when using digital assets for things like teaching, developing, or trading, while funds intended for long-term savings should be secured in a trustworthy cold storage solution.
Always use multi-factor authentication
In addition to creating a username and password, it’s important to set up any multi-factor authentication procedures supported by your digital wallet solution. Multi-factor authentication procedures can include:
2-Factor Codes are time-sensitive codes that reset after a short period of time can be delivered via SMS (text) or an application like Google Authenticator or Authy. Apps tend to be preferred to SMS as codes delivered by SMS will be vulnerable in the even to of a SIM-swapping attack.
Email Confirmation can often be used to confirm logins and withdrawals from a wallet.
Multi-Signature Authentication can be set up to require “m of n” keys to be provided in order to initiate a transaction. In other words, a system might require 3 out of 8 keys to move funds — the user can specify how many keys must be present (m) and how many keys exist in total (n).
Keep your software updated
Effective software providers consistently provide updates including bug fixes and patches for newly-discovered vulnerabilities.
In addition to staying up-to-date on your digital wallet software, it’s typically a good idea to download the latest updates and drivers for the software on your computers and smartphones as well.
Always keep a back-up
Many digital wallets enable the user to create a backup in the form of a seed phrase, JSON file, or simply by exposing the private key.
Any wallet with more funds than the user is comfortable losing should be backed-up in a secure location.
Seed phrases or copies of your private key should be written using an age and weather-resistant media like metal engraving or ink on paper sealed in a plastic bag and JSON files should be kept on password-protected USB drives, NOT left in a file on a Google drive or personal computer.
All backups should be stored in a secure location like a safety deposit box or a fire and tamperproof container secured in a secret location.
Never, ever, ever reveal your holdings
If you happen to like mafia and gangster movies, you’re undoubtedly familiar with the cliche of a “rat” who snitches on the lead gangster and topples their criminal empire. Don’t “rat” on yourself and topple your own “crypto empire” just because you got excited about sharing your unique investment with the wrong stranger.
Consulting an attorney to create a plan for loved ones to inherit your digital assets is a good idea but any good plan should NOT involve giving the lawyer access to your private key.
Ready to DeFi?
Not so fast! Keep an eye out for our coming articles covering what to think about in terms of the technical and financial risks associated with digital assets and DeFi products.
Want to shape the user experience of Plutus DeFi’s privacy-enabled Lend & Earn product? Please sign-up on our website at https://plutusdefi.com/. 😀