Brian Gale

Crypto’s security problem is holding it back




In the world of cybersecurity, 2021 was a crazy year. At FYEO we saw a huge increase in both phishing and ransomware attacks and a doubling of the number of investigated incidents per client. So, what constitutes a successful attack? At FYEO, we define these as fraud, phishing, extortion, DDOS, malware and ransomware attacks, all of which increased dramatically in 2021. Unfortunately, this is not a trend we see slowing down.


So, what does that mean for crypto and mainstream adoption?


In 2021, DeFi exploits alone totaled more than $12 billion. At BTblock, the firm from which FYEO was born, we see high and critical exploits in our code audit work on a daily basis. Thankfully, in the case of code reviews we can report these vulnerabilities to their related projects before they go on the mainnet. Beyond what can be found in secure code reviews, brute force attacks, credential stuffing, phishing attacks and rug pulls (just to name a few) still resulted in billions and billions of dollars more in assets and funds that disappeared seemingly in an instant. That is why it is more critical than ever that security becomes an embedded part of cryptocurrency: in order to establish the trust necessary for cryptocurrency use to scale, it must first become and remain cybersecure.


It shouldn’t come as a surprise that theft of digital assets remains the biggest barrier to trust in crypto and blockchain adoption. When exploits and scams happen, consumer confidence in crypto diminishes, creating barriers for new market entrants and further adoption. Current estimates say that around 300 million people around the world own crypto. If we want to see cryptocurrencies embedded as a trusted asset class with expanded everyday usage, trust must be created. For trust to occur, people need to believe that the platforms and products they rely on are inherently secure.



Whatever you do, do not launch or invest in a product that hasn’t undergone a proper security assessment!


This is not a sales pitch. This is just a fact based on the extensive independent cybersecurity code reviews performed by BTblock for major blockchain protocols. We all know about tunnel vision, namely the feeling you get when you have been staring at something for too long. You miss critical details. While this is not a critique of any of the amazing groups of developers out there, mistakes do happen when thousands of lines of code are being created. That’s where an independent security assessment becomes crucial. This allows ethical hackers who are really good at breaking into code to have a good look under the hood, line by line, to see how and where the system might be vulnerable. It’s not a guarantee but it shows a) that the project takes security seriously and b) that you’re not just taking their word for it when they say it is safe.


The potential cybersecurity exploits that the BTblock team encountered over the past few years could have resulted in catastrophic financial loss not just for the platforms and the protocols, but for individuals as well. Again, it really goes back to my first point about trust. If exploits continue at the rate we saw in 2021 and are not discovered and addressed before a platform, exchange, or protocol goes live, people lose money, faith and trust in the system. Every time one of these exploits happens it adds fuel to the media talking point of "this is the wild west where anything goes". Proper audit and review ensures, to a point, that if a user or investor puts their faith in something, they can at least rest assured their investment won't disappear in an instant. Unless, of course, they give bad actors another way to gain access to their assets.



Bad passwords will be the end of us…or at least our wallet


Password reuse from personal accounts to accounts holding crypto assets is still very common. In fact, this trend holds true for all of our online credentials. The average internet user today uses five or fewer passwords across over 100 accounts - and it is expected that this number will double over the next five years.


Threat actors use leaked emails and passwords from past leaks and breaches to access your accounts every day. This means even if the site where you bank, or hold crypto, has not been breached previously, hackers can use “credential stuffing” to essentially try the variations of leaked passwords associated with your email to gain access. If you’re thinking “well, I have 2FA” as a secondary security layer, we are projecting 2021 will go down as the year that 2FA by phone was no longer enough.


By cross-referencing data with leaked telephone numbers, hackers last year were able to fool the two-factor authentication system used for password resets and thereby managed to empty people’s accounts of their crypto holdings. To hijack these accounts, the threat actors needed to know the person's email address, password, and phone number, as well as gain access to their email inbox.


All of this information was gained from dump files that are publicly available and traded on the internet and on the darkweb.


In 2021, we saw several large institutions as well as some of our clients get hit by attacks and attack chains that circumvented 2FA using this tactic. The most prolific attacks that circumvented 2FA have been against Coinbase, the world's second-largest cryptocurrency exchange service, holding accounts for around 68 million users.


Bottom line - use a password manager (join the FYEO beta - it’s free!) and create unique credentials for all your accounts. We know it will take time, but please just do it for your own peace of mind and financial security. Our goal at FYEO is to make this exceedingly easy for you, but it still does require some time to set up. Second, use something other than your phone number as 2FA - a platform like YubiKey (not affiliated) or Google Authenticator (also not affiliated) seems to be the most widely available option with most sites. These are two-factor solutions based on time-based shared secrets, such as https://en.wikipedia.org/wiki/Time-based_One-Time_Password, and are inherently more secure since they are not vulnerable to “man in the middle” attacks.



Are you saying we need better training?


If you’re the one out there building the applications, you had better have people with a keen and thorough understanding of cryptography. For everyone else, we need ongoing education that makes us well aware of the possible risks involved in clicking any link in the digital world. But on top of a healthy cybersecurity mindset, we need effective solutions that anyone can use no matter their level of expertise, because barriers create vulnerabilities. At FYEO this is really our goal - to create a streamlined, easy-to-use solution available to the masses. We will be the bridge to web 3.0 because we know training sessions are not enough - people need real-world experience as part of their on-the-job or life training. It's not just companies that need to worry about cyber threats, it’s everyone. If you’re digitally connected, you are not immune from threats.



So if all of this isn’t painting a rosy picture of the future, what’s in store for us this year? And can we be better?


Builders and the users they serve need to be aware that the rate of scams and phishing attempts will continue to accelerate. As work from home and the distributed workplace continue, and the crossover between personal and work devices becomes more common, so will exposure to the life-, finance- and company-damaging consequences of cyber attacks.


Here’s one way to be better in 2022 + a soft sales pitch to end this post:

  1. BETTER PASSWORDS - at the very least, create unique, strong passwords for any account that holds anything of financial value. If you want to be really good, get a password manager and identity monitoring service, like FYEO (again, it’s free).

  2. If you’re a builder, get a security assessment BEFORE you launch or please get one if you’ve already launched and then use FYEO Domain Intelligence for continued monitoring.


If you’re a builder and want a security assessment, contact strategy@btblock.io or fill out the form here. If you want to try the FYEO beta, click here.


Once you’ve done a security assessment don’t let your guard down. Ping us at hello@gofyeo.com to learn more about how FYEO Domain Intelligence can protect your business and its assets.