The value of cryptocurrencies have sharply declined recently, but they are still an asset class to which banks need to pay close attention from a security perspective.
Many consumers store their cryptocurrencies in a digital wallet on their smartphone that are prime targets for attack. There are many ways to attack a crypto wallet, but in my experience as a mobile security professional, defending against these five most common attacks will go a long way towards making them much more secure.
Stealing passphrases or private keys: Whether the crypto wallet is custodial (a third party controls the private keys required to manage funds) or non-custodial (the user has sole control of private keys), the keys themselves must be encrypted at the application level. Unencrypted keys in the application sandbox, SD card, preference areas or external areas like the clipboard can be stolen by hackers. With these keys, they can transfer funds wherever they please.
By encrypting the keys at the application level, they will remain protected within the app, so that even if the device is compromised, the keys will remain safe.
Dynamic attacks on private keys: Crypto wallet keys can also be stolen dynamically as the wallet owner types in the characters of the keys into the crypto wallet mobile app. There are three primary ways hackers can do this:
Over-the-shoulder attack: Traditionally, this refers to a situation where the hacker is physically sitting next to the user and watches them enter the private key or pass phrase into the crypto wallet. But there are other ways to witness a user inputing these secrets. Screenshots, screen recording and mirroring can be abused to this end.
Keylogging malware: Malware on the smartphone works in the background to record every keystroke the user makes, which it then sends to hackers. Keylogging attacks can also giving hackers control over the device’s operating system if the device has been rooted (Android) or jailbroken (iOS).
Overlay attack: This form of malware superimposes a screen that tricks the owner into entering the private key or pass phrase into a malicious screen or field inside the wallet app. The malware then sends the information to hackers or directly uses the information to take over the wallet and send the cryptocurrency funds to cybercriminals’ accounts.
To protect against these attacks, the app must be able to detect threats such as overlays, recording and keylogging — and take action by warning the user or terminating operations.
Malicious instrumenting: Crypto wallet apps depend on transactions between the mobile client and blockchain, which means that the wallet’s security depends on the integrity of the platform that runs it. If the device is jailbroken or rooted, or if cybercriminals abuse common software development tools such as Frida, hackers can gain access to the blockchain address of the client app or even impersonate the app.
It’s critical for mobile crypto wallet apps to detect when they are operating in a jailbroken or rooted environment, and shut down if necessary. They must also be able to block Frida, Magisk and other dynamic tools that can be used to compromise the integrity of critical functions. Best practice also calls for developers to obfuscate the app’s code to complicate hacker efforts to reverse-engineer the app in the first place.
Man-in-the-middle (MitM) attacks: Some crypto wallets are part of centralized or decentralized exchanges. Communications between the app and the server or peer-to-peer transactions open the mobile wallet up to MitM attacks. All data in transit must be encrypted, and it’s critical to enforce secure socket layer (SSL) / transport layer security (TLS) for all communications.
Emulators: Banks also need to be aware that cybercriminals are skilled at creating modified versions of a crypto wallet app. When used in concert with emulators, simulators or even on-device malware, they can enable hackers to create fake accounts, perform fraudulent trades and transfer cryptocurrency.
The key to protecting against these kinds of attacks is to use runtime application self-protection (RASP) methods, and specifically anti-tampering, anti-debugging and emulator detection.
Cryptocurrency and mobile wallet security may seem out of scope for many banks, but as government-issued currencies move increasingly in a digital direction, the security lessons that banks can glean from crypto will serve them well as they prepare to work with central bank digital currencies (CBDCs). Those days are not far off, so even banks that do not provide cryptocurrency services should begin preparing their security strategies.
Karen Hsu is the chief marketing officer at Appdome.
In this month’s BAI Executive Report, we examine where things stand with fraud protection and how it can be done more efficiently and effectively, including looking at the role of both humans and technology in fraud prevention strategies. Download Now...
A strong authentication process is key to mitigating mobile phone fraud and distinguishing legitimate customers from fraudsters. Don Smith, product manager of global fraud solutions at Neustar, a TransUnion company, spoke with BAI about strategies to strengthen customer authentication....
Compliance training and professional development courses that are efficient, effective and on-point. Give your people the latest industry-approved tools they need to improve performance, reduce operational risk and better serve your customers.