OPSEC tips to ensure crypto security
Ron Stoner is head of security at the US-based crypto security specialist Casa.
__________
Operational security, or OPSEC, is the process of performing risk management by defining what information you are trying to secure, what is required to achieve that goal, and then taking the practical steps required.
The philosophy behind OPSEC focuses primarily on thinking like your attacker, understanding who this attacker might be, and what steps they might take to exploit you.
Providing good OPSEC is especially important for cryptocurrency key signing devices such as hardware wallets. Hardware wallets are considered “cold wallets” because they have no direct internet functionality and must be connected to another device, such as a smartphone or PC, to connect to the internet and perform a transaction.
These hardware devices and the bridge they connect via are the most crucial points of failure when conducting cryptocurrency transactions.
As 2022 became the worst year ever for cryptocurrency hacking, with $3.8 billion stolen, OPSEC has never been more critical. As the digital asset space becomes more mainstream, attackers are seeking new ways to exploit users and platforms.
While the stakes and risk profile of each entity using digital assets will vary, all users should follow best practices to protect their value.
Securing the signing environment
Before signing transactions, look at your environment to identify anything which can serve as an attack vector.
Assuming you’re in an otherwise private setting, such as your home, this includes things like cameras or microphones, which are found on almost all modern laptops and mobile devices.
Don’t forget various Internet of Things (IoT) products like smart TVs, Alexa, etc. Any of these can potentially be used to spy on you while you’re making a transaction.
As such, it is important to “clear” the workplace of anything that could potentially be used – turn off or even remove these devices from the operating area entirely.
While this may appear a bit paranoid, it is an important aspect of protecting yourself from attackers if large, critical sums of money are at stake.
Signing transactions from any public space such as an office, library, or coffee shop is generally not recommended, but sometimes you may have no other option. If this is the case, several steps can be taken to maximize safety.
Once again, be aware of any security cameras in the area. These days, CCTV, especially HD and 4K resolution cameras, can easily read what is displayed on a computer or mobile phone screen within its field of view.
Of course – and hopefully this goes without saying – there should be no other people in the immediate vicinity. It is best to find a place as secluded as possible, for example an empty study room.
Update all involved devices
Perhaps most importantly, you will want to update all software and firmware on all devices involved in the signing process.
If you are not using a computer or mobile device directly, your hardware wallet must be connected to one in order to transfer a transaction.
In theory, hardware wallets are designed so that it shouldn’t matter if the device they connect to is compromised. All processes take place on the wallet itself; PCs or smartphones are only used to broadcast the transaction.
However, some forms of malware can change various aspects of a transaction, including the amount and recipient address. Even the change address – an address where the change from a transaction goes after the selected amount is sent to the recipient – can be manipulated, a field that is easy to overlook.
If you’re using a phone or computer, you’ll want to update your operating system with the latest security patch. The wallet’s firmware should also be updated according to regulations.
Unless the update involves a specific pressing security threat, it’s often better to wait a few days after a new release to upgrade. This is because it is common for there to be bugs in the latest updates, which tend to be fixed quickly, but can cause headaches. For this reason, it’s a good idea to give non-critical updates some space to be tested.
One last thing to remember is to continuously update all software and firmware only from official sources, such as a website or repository.
Try to learn how to use tools like GPG to check the file signatures against the officially documented ones to confirm that all data matches what is supposed to be there.
Never trust any links, even those from a given piece of software itself, as there are far too many ways they can be used as a means of attack.
As an example, the popular Bitcoin wallet Electrum suffered an attack in 2020 that allowed malicious actors to send a message to all users through the app itself, claiming the need for an update with a link.
As it turned out, the link was a phishing attack that installed a corrupt version of Electrum on the victim’s machine. This gave the attackers full control over the wallets of those who installed the malware, resulting in the loss of millions of dollars in user funds.
Easily overlooked OPSEC procedures
One of the most obvious attack vectors to address is human error. Even if you think you have good security, people tend to develop a false sense of security when nothing goes wrong, leading to lax practices.
The worst mistakes happen when you fail. Never rush a signing event; ensure you have plenty of uninterrupted time.
Rushing or being distracted are good ways to overlook something like double-checking your transaction data before verifying a signature.
Although we have mentioned several lines of defense, the latter should never be taken for granted. Double and triple check the amounts and addresses involved in any transaction because it can save you from making a big mistake.
Also, be extremely careful about using public charging stations or even unknown third-party USB cables. There are seemingly innocuous USB cables circulating with tiny chips inside their heads that can intercept and inject data – hijacking a cryptocurrency transaction and wreaking havoc.
Coupled with some compatibility and device wear issues, it’s always best to use the USB cables packaged with an external signing device.
Health checks can provide quick confidence in your keys
Finally, there is a technique that some signing devices offer that can be invaluable in increasing security. This technique, known as a “health check”, provides an easy way to verify that your keys are available for signing transactions.
If you were to run a health check on a mobile phone, the check would first verify that your key is available locally and that the device is working properly. It will also ensure that the same valid key is securely backed up on the cloud.
All this can be automated with a single click, and the user will be notified if something is wrong.
The same basic steps apply to hardware wallets, but the external device must be connected to a computer or mobile phone. Health checks can also be done for multiple keys on multi-signature wallets.
Importantly, if these keys are stored on different devices, the health check should be run on all relevant devices.
While the world of OPSEC is complex and ever-changing, securing the environment, keeping all devices up-to-date and ensuring they have addressed easily overlooked issues are important steps to stay ahead of attackers.
By combining these strategies with regular health checks every six months, users can significantly improve the security that protects their cryptocurrency funds.
____
Learn more:
– Trezor issues a security warning
– This popular hardware wallet was hacked by a cyber security firm – should you be worried?
– Cryptohackers and fraudsters stole $1.62 billion in the fourth quarter alone
– Web3 lost almost 4 billion dollars to fraudsters last year – Will things get better in 2023
– Crypto Scammer Gets Away With $1.2M in ARB Tokens Through ‘Address Poisoning’ Attack – Here’s What Happened
– Crypto Wallet Maker Ledger Raises $109M in Latest Funding Round – Is the Bull Market Back?
– MetaMask introduces more payment options for buying cryptocurrencies – Crypto adoption on the rise?
– Apple approves decentralized exchange Uniswap iOS Wallet App – How it works
– How to choose a Bitcoin wallet?
– 3 ways to set up an Ethereum wallet
