Why It’s Unsafe to Store Private Crypto Keys in the Cloud

Paul Walsh, MetaCert
Published Feb 18, 2019 · 9 min read
Meet Adrian, a new crypto enthusiast

As soon as they heard I was going to write this story, Bitcoin Magazine asked if they could coordinate its publication online. You can find it on BitcoinMagazine here. This is a must-read for any crypto exchange or wallet provider, since they have a duty to educate customers about cybersecurity best practices.

There are two primary reasons why storing your private crypto keys in the cloud is a bad idea. First, your cloud provider could experience a security breach, allowing cyber criminals to access your data. In August 2018, a fourth man was jailed in the U.S. for hacking into private Apple iCloud accounts and leaking nude photos of Jennifer Lawrence, Kirsten Dunst, Mary Elizabeth Winstead and others. So it does happen. And it will probably happen again in the future.

The second and more likely threat is falling for a phishing scam. Phishing is a social engineering technique used by cyber criminals to trick people into handing their personal credentials over to a counterfeit website designed to look like the legitimate one.

Meet Adrian

Adrian uses a Mac computer and an iPhone for work and personal use. He uses iCloud for file storage. He’s a pretty careful kind of guy — he likes to make sure all of his files are backed up regularly in the Cloud and synchronized across his computer and mobile device. iCloud is safe — it has state-of-the-art security — and it is owned and maintained by Apple. This means that Adrian’s data in the Cloud is likely to be safer than on his mobile device. After all, he could lose his mobile at any time or drop it into water.

Adrian likes to trade crypto. He’s a customer of a crypto company called Coinbase. He prefers Coinbase over other similar solutions because their service is easy to use — they cater to mainstream customers. Like everyone else, Adrian loves convenience. So, while he cares about security, he cares more about convenience.

If you prefer security over convenience, please disregard how you feel right now and take my word for it when I say that you are in the minority. Adrian is in the majority.

On February 12, 2019, Coinbase announced that customers like Adrian can now “back up their encrypted private keys on Google Drive and iCloud with Coinbase Wallet.”

Coinbase is telling customers that:

Starting today, you can now backup an encrypted version of your Coinbase Wallet’s private keys to your personal cloud storage accounts, using either Google Drive or iCloud.

This new feature provides a safeguard for users, helping them avoid losing their funds if they lose their device or misplace their private keys.

Adrian is a busy guy, so he doesn’t have time to finish reading Coinbase’s Medium post. And he generally likes to skim. Here are the basics that Adrian took away from reading the post:

you can now backup your Coinbase Wallet’s private keys to your personal cloud storage accounts, using either Google Drive or iCloud.

See the difference? Of course you did. You always pay attention when you read an article. And you were half-expecting me to prove a point. I’m almost certain that some people will actually need to reread both paragraphs to spot the difference.

Adrian now goes on to store his unencrypted private keys in his personal iCloud account. He overlooked the most important part of Coinbase’s message — you can now backup an ENCRYPTED version of your Coinbase Wallet’s private keys.

One Sunday afternoon, Adrian gets an email from Apple, offering him a special deal on a new iPhone. It’s well-designed as you would expect from Apple, and there are no spelling mistakes or grammatical errors. Most people who have gone through anti-phishing awareness training would fall for this scam.

So why would Adrian question it? OK, he did question it. He checked the email to make sure it’s actually from Apple.

Great, Adrian has now confirmed that the email is really from Apple.

When he opens the link Adrian is asked to sign into his account to confirm he is eligible for the special offer. So, he signs into the website. Or at least he tries. After entering his credentials he’s redirected to an error page. He gives up and doesn’t think anything of it — he can’t be bothered to check.

Adrian has just fallen for a phishing scam. His personal credentials to iTunes are compromised. Adrian is no different from most people: He uses the same username and password for his iCloud account because it’s convenient and it’s easy for him to remember. How can anyone expect him to remember 134 different passwords?

Meet Vlad

Vlad is a cyber criminal and he’s the one who sent Adrian the spear-phishing email. He now has access to Adrian’s private key. And the rest of the story, as they say, is history. It’s history being repeated. There’s more to this social engineering tactic but it’s still rather easy for Vlad to gather all of the other information that he needs to finish his heist.

I have advised dozens of executives, including founders of crypto companies, over the past two years. When advising them on cybersecurity best practices I learned that no matter how well informed a person is with regard to cybersecurity, they can easily fall for a sophisticated phishing scam.

Even I couldn’t tell that the Apple lookalike email above was a fake until I investigated further. I’m not the average consumer — so what hope do they have? Most people will not investigate to make sure this is a legitimate email. They will open the link, sign into what they think is an Apple website and BOOM — their credentials are stolen.

What else does Adrian store on iCloud? Everything!

I personally don’t recommend storing anything that is as sensitive as your private keys in the Cloud, even if they are encrypted. But I wouldn’t call out a person for doing it. It’s probably safe — for them.

It’s not OK, however, for a prominent company such as Coinbase, to make such a recommendation to customers. I was extremely surprised by their decision to promote this level of convenience over security.

I would like to strongly urge Coinbase to reverse their recommendation. Can they be blamed if Adrian decides to store unencrypted keys in iCloud even though it was recommended that he store his encrypted keys? Some would say yes, it’s irresponsible. I received messages across Telegram, Twitter and email from our community members who were exasperated by the recommendation.

The Ripple Effect

Given that people tend to exaggerate or extend what they have been told, it’s very likely that some customers will now extend the advice given to them by Coinbase. In that context, Megan asks Adrian for some advice on how to store her passwords. Adrian recalls Coinbase advising iCloud as a secure place for private keys, so it must be safe for passwords. So he advises Megan to save her usernames and passwords in her iCloud account.

Unless cybersecurity becomes part of the fabric of blockchain and crypto with stakeholders taking it more seriously, it will take much longer for this amazing technology and currency to get the mass adoption that it deserves.

Below are stats for data breaches around the world in 2018. The crypto ecosystem is no different — 90% of all breaches start with phishing.

A few of the breaches that took place in 2018

My prediction

I predict an increase in Apple related phishing scams being sent out in the coming months.

In 2015 I predicted phishing attacks would be a problem for teams on Slack. While it took longer than I thought, in 2017 phishing inside Slack became the #1 problem for the crypto ecosystem worldwide. It took a few months for MetaCert to achieve product/market fit before completely eradicating phishing attacks — this is why you don’t read about it in the media anymore.

I predicted attacks would move from Slack to Telegram on account of MetaCert stamping it out for communities on Slack. And in 2018 it became a big problem. So we built a security chatbot that is now protecting over 1 million people across over 1,300 crypto groups on Telegram.

How to stay safe

I’d love to advise people to “check links before opening them” — but that advice doesn’t keep people safe. Some phishing scams are virtually impossible to detect with the naked eye. And many phishing scams use redirected links, so hovering over a link inside an email, for example, will only provide a false sense of security. If you look at the email above, for example, most of the links went to legitimate Apple pages while the main call-to-action link goes through a redirect to a phishing site. It’s a pretty smart phishing scam that I received personally.
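Hovering shows the first hop only. A mechanical check can do what the eye cannot: pull every link out of the body, unwrap redirect parameters to the final destination, and compare that host with the brand’s domain and with the anchor text. This is an added Node.js example, not MetaCert’s product and not code from this post; the mail body, the tracker host and the lookalike hosts are constructed for the illustration, and the registrable-domain rule is a simplified assumption (real code would use the Public Suffix List).

```javascript
// Added example (constructed mail, assumed heuristics): triage the links in an HTML email
// so that a redirected or lookalike destination is caught even when the hover text looks fine.
const SAMPLE_MAIL = `
<p>Dear Adrian, a special offer on the new iPhone is waiting for you.</p>
<p>Learn more about <a href="https://www.apple.com/iphone/">iPhone</a> or visit
<a href="https://support.apple.com/">Apple Support</a>.</p>
<p><a href="https://click.example-tracker.net/r?u=https%3A%2F%2Fappleid-verify.example%2Fsignin">Claim your offer</a></p>
<p>Questions? <a href="https://apple.com.account-verify.example/help">apple.com</a></p>
`;

// Pull every <a href="...">text</a> out of the body. A regex is enough for a demo;
// a real pipeline would use an HTML parser.
function extractLinks(html) {
  const re = /<a\s+[^>]*href="([^"]+)"[^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/\s+/g, ' ').trim() });
  }
  return links;
}

// Simplified registrable domain: the last two labels. Assumption for the example only;
// production code must consult the Public Suffix List ("co.uk" breaks this rule).
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Follow open-redirect style links: any query parameter whose value is itself an absolute
// http(s) URL is treated as the real destination. Bounded so a crafted chain cannot loop.
function finalDestination(href, maxHops = 5) {
  let url = new URL(href);
  let hops = 0;
  while (hops < maxHops) {
    const next = [...url.searchParams.values()].find(v => /^https?:\/\//i.test(v));
    if (!next) break;
    url = new URL(next);
    hops += 1;
  }
  return { url, hops };
}

// Classify one link against the brand the mail claims to come from.
function classifyLink(link, trustedDomain) {
  const { url, hops } = finalDestination(link.href);
  const host = url.hostname;
  const reg = registrableDomain(host);
  const brand = trustedDomain.split('.')[0];
  let verdict;
  if (reg === trustedDomain) verdict = 'trusted';
  else if (host.includes(brand)) verdict = 'lookalike'; // brand name on a foreign domain
  else verdict = 'offsite';
  // Anchor text that reads like a domain but points somewhere else is a classic tell.
  const textHost = link.text.match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})/i);
  const textMismatch = Boolean(textHost) && registrableDomain(textHost[1]) !== reg;
  return { href: link.href, finalHost: host, redirected: hops > 0, verdict, textMismatch };
}

function triageMail(html, trustedDomain) {
  return extractLinks(html).map(l => classifyLink(l, trustedDomain));
}

// Everything that is not a plain, direct link to the trusted domain.
function suspiciousLinks(html, trustedDomain) {
  return triageMail(html, trustedDomain)
    .filter(r => r.verdict !== 'trusted' || r.redirected || r.textMismatch);
}

for (const r of triageMail(SAMPLE_MAIL, 'apple.com')) console.log(r);
```

Run against the constructed mail, the two Apple links come back trusted, the "Claim your offer" link unwraps through the tracker to a lookalike host (which is what the hover text hides), and the last link is flagged twice: lookalike host and anchor text that says apple.com while pointing elsewhere. The hostname-contains-brand rule is deliberately crude; it will also flag legitimate third parties, which is the right default for a mail asking you to sign in.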

I’d love to say “don’t open links from people you don’t recognize” — but that doesn’t work. There will always be those who open emails from people they don’t know. I’m one of them. In fact, I’d go as far as to say that 99.9% of us open emails from people we don’t know.

So what’s the answer?

I’m biased, but I believe MetaCert has the best solution on the market for keeping people safe from phishing scams.

Whether links are shared or opened inside a cloud service, email, Skype, Facebook, Twitter, Slack or any other channel, employees are fully protected by MetaCert.

IT’S IMPOSSIBLE FOR ANY SECURITY COMPANY TO DETECT EVERY NEW CYBER ATTACK BEFORE IT’S TOO LATE.

Organizations that use a combination of email and network-based security solutions say that phishing remains a significant problem for them.

MetaCert is the first to bundle advanced website identity with anti-phishing awareness training into a single software solution. The software takes 60 seconds to install and 60 seconds to train employees in how to use it.

MetaCert has everything needed for companies with as few as 5, or as many as 50,000 employees.

Try MetaCert for FREE

👉 Follow MetaCert on Twitter at twitter.com/metacert
👉🏼 Connect with me personally on Twitter at twitter.com/paul__walsh
👉🏽 Engage with our team and the community on Telegram at t.me/metacert

Paul Walsh, MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.