Address the most common attacks on crypto wallets
The value of cryptocurrencies has fallen sharply recently, but they are still an asset class that banks need to monitor closely from a security perspective.
Many consumers store their cryptocurrencies in a digital wallet on their smartphone, which makes that app a prime target for attackers. There are many ways to attack a crypto wallet, but in my experience as a mobile security professional, defending against the five most common attacks below will go a long way towards making wallets much more secure.
Stealing passphrases or private keys: Whether the wallet is custodial (a third party holds the private keys that control the funds) or non-custodial (the user alone holds them), any key material the app keeps on the device must be encrypted at the application level. Unencrypted keys left in the app's sandbox, on the SD card, in shared preferences, or in external areas such as the clipboard can be read by malware, by another app with the right permissions, or by anyone holding a backup of the device. With the keys, an attacker can sign a transaction to any address they choose, and on a blockchain that transfer cannot be reversed.
Encrypting the keys at the application level keeps them protected inside the app, so that even if the device is compromised the keys remain safe. That holds only if the encryption key itself cannot be recovered from the device: derive it from a user secret or keep it in the platform keystore (Android Keystore or the iOS Keychain, hardware-backed where available), and never hard-code it in the app, where anyone who unpacks the binary can find it.
Dynamic attacks on private keys: Keys can also be captured dynamically, while the wallet owner types the key or passphrase into the app. There are three primary ways attackers do this:
- Over-the-shoulder attack: Traditionally this means an attacker physically next to the user, watching them type the private key or passphrase into the wallet. Screenshots, screen recordings and screen mirroring achieve the same result remotely, and malware can trigger all three.
- Keylogging malware: Malware running in the background records every keystroke and sends it to the attacker. On a rooted (Android) or jailbroken (iOS) device such malware can run with elevated privileges and read input system-wide, instead of being limited to what an accessibility service or third-party keyboard can see.
- Overlay attack: This form of malware draws a screen, or a single field, on top of the wallet app so that the owner types the private key or passphrase into the attacker's UI instead of the real one. The malware then forwards the secret to the attacker or uses it directly to take over the wallet and send the funds to the criminals' addresses.
To protect against these attacks the app must detect overlays, screen capture and keylogging and respond, whether by warning the user or by refusing to continue. On Android, for example, marking the key-entry screen as secure blocks screenshots and screen recording, and filtering touches that arrive through an obscuring window defeats tap-jacking overlays; iOS notifies the app when the screen is being captured so it can hide sensitive content.
Malicious instrumentation: A wallet app signs transactions on the mobile client and submits them to the blockchain, so its security depends on the integrity of the platform it runs on. On a jailbroken or rooted device, or with a dynamic instrumentation tool such as Frida, an attacker can hook the functions that hold keys or build transactions, swap the destination address before a transaction is signed, or impersonate the app towards its backend.
It is crucial for mobile wallet apps to detect that they are running in a jailbroken or rooted environment and, where appropriate, to shut down. They must also detect Frida, Magisk and similar dynamic tools that can compromise the integrity of critical functions. Best practice also calls for obfuscating the app's code to make reverse engineering harder in the first place. None of these checks is unbeatable on its own; they raise the cost of an attack, and they work best layered together and reported to the backend so that a flagged session can be restricted server-side as well.
Man-in-the-middle (MitM) attack: Some wallets are part of centralized or decentralized exchanges. Communication between the app and the server, or peer-to-peer transactions, expose the wallet to MitM attacks. All data in transit must be encrypted: enforce TLS for every connection (SSL is obsolete and should be disabled entirely), reject cleartext fallbacks, and pin the server's certificate or public key so that a rogue CA certificate installed on the device cannot be used to intercept traffic.
Emulators and tampered apps: Banks must also be aware that cybercriminals are adept at producing modified versions of a wallet app. Run in emulators or simulators, or combined with malware on a real device, these copies let attackers create fake accounts, commit fraud and move cryptocurrency at scale.
The key to protecting against this type of attack is runtime application self-protection (RASP), specifically anti-tampering (detecting that the app's code or signature has been altered), anti-debugging and emulator detection.
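As an added example (not code from this article or from Appdome), here is a minimal set of the checks described under malicious instrumentation and emulators above, written in native C, the layer where Android wallet apps usually place them because Java-level checks are trivially hooked. It covers a ptrace-based debugger (the TracerPid field), injected hooking frameworks (Frida, Xposed and similar, found by the shared objects they map into the process, plus frida-server's default port), root artefacts (su binaries and Magisk paths; the list is an assumed illustration) and QEMU-based emulators (goldfish/ranchu markers). It runs on any Linux system and reports clean there; the paths, marker strings and flag names are the example's own choices.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Bit flags returned by runtime_integrity_flags(). */
enum { RI_DEBUGGER = 1, RI_HOOKING = 2, RI_ROOT = 4, RI_EMULATOR = 8 };

/* Assumed, illustrative list of root/Magisk artefacts; real apps keep a longer, obfuscated list. */
static const char *const kRootPaths[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/sbin/.magisk",
    "/data/adb/magisk", "/system/app/Superuser.apk", NULL
};

/* Case-insensitive substring search (strcasestr is not portable C). */
static int contains_nocase(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Read a small pseudo-file into buf; buf is always NUL-terminated, empty on failure. */
static void read_text(const char *path, char *buf, size_t cap) {
    buf[0] = '\0';
    FILE *f = fopen(path, "r");
    if (!f) return;
    size_t n = fread(buf, 1, cap - 1, f);
    buf[n] = '\0';
    fclose(f);
}

/* Apply a per-line predicate to a file, stopping at the first match. */
static int file_has_line(const char *path, int (*pred)(const char *)) {
    char line[1024];
    int hit = 0;
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (!hit && fgets(line, sizeof line, f)) hit = pred(line);
    fclose(f);
    return hit;
}

/* TracerPid from /proc/self/status text: 0 = nobody attached, >0 = a ptrace-based
 * debugger or tracer is attached, -1 = field missing. */
int tracer_pid_from_status(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    return p ? atoi(p + strlen("TracerPid:")) : -1;
}

/* Hooking frameworks map their own shared objects into the process, so their names
 * show up in /proc/self/maps. Accepts one maps line or a whole dump. */
int maps_line_shows_hooking(const char *maps_text) {
    static const char *const markers[] = {
        "frida-agent", "frida-gadget", "libgadget", "XposedBridge",
        "libsubstrate", "libdobby", NULL
    };
    for (int i = 0; markers[i]; i++)
        if (contains_nocase(maps_text, markers[i])) return 1;
    return 0;
}

/* QEMU-based Android emulators expose "goldfish"/"ranchu" hardware names in
 * /proc/cpuinfo and a goldfish tty driver in /proc/tty/drivers. */
int looks_like_emulator(const char *cpuinfo_text, const char *tty_drivers_text) {
    return contains_nocase(cpuinfo_text, "goldfish") || contains_nocase(cpuinfo_text, "ranchu")
        || contains_nocase(tty_drivers_text, "goldfish");
}

/* True if any path in the NULL-terminated list exists. */
int any_path_exists(const char *const *paths) {
    struct stat st;
    for (int i = 0; paths[i]; i++)
        if (stat(paths[i], &st) == 0) return 1;
    return 0;
}

/* frida-server listens on 127.0.0.1:27042 by default; a successful connect is a strong hint. */
int local_tcp_port_open(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((uint16_t)port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int is_open = connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
    close(fd);
    return is_open;
}

/* Run every check against the live process and OR the findings together. */
int runtime_integrity_flags(void) {
    char status[4096], cpuinfo[8192], tty[4096];
    int flags = 0;
    read_text("/proc/self/status", status, sizeof status);
    read_text("/proc/cpuinfo", cpuinfo, sizeof cpuinfo);
    read_text("/proc/tty/drivers", tty, sizeof tty);
    if (tracer_pid_from_status(status) > 0) flags |= RI_DEBUGGER;
    if (file_has_line("/proc/self/maps", maps_line_shows_hooking) || local_tcp_port_open(27042))
        flags |= RI_HOOKING;
    if (any_path_exists(kRootPaths)) flags |= RI_ROOT;
    if (looks_like_emulator(cpuinfo, tty)) flags |= RI_EMULATOR;
    return flags;
}

int main(void) {
    int f = runtime_integrity_flags();
    printf("debugger=%d hooking=%d root=%d emulator=%d\n",
           !!(f & RI_DEBUGGER), !!(f & RI_HOOKING), !!(f & RI_ROOT), !!(f & RI_EMULATOR));
    /* A real wallet would refuse to show or use key material when f != 0, or report it. */
    return f ? 1 : 0;
}
```

Each check can be defeated individually (Frida can hook native code and its agent can be renamed, Magisk can hide its paths, a patched kernel can zero TracerPid), so the value lies in layering many cheap checks, varying them between releases, and sending the result to the backend so that a flagged session can be limited server-side rather than only refused in the client.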
Cryptocurrency and mobile wallet security may seem out of reach for many banks, but as government-issued currencies increasingly move in a digital direction, the security lessons banks can learn from crypto will serve them well as they prepare to work with central bank digital currencies (CBDCs). Those days are not far off, so even banks that do not offer cryptocurrency services today should start preparing their security strategies now.
Karen Hsu is marketing manager at Appdome.