Recently, bills were introduced in the U.S. Senate that would give
Commodities Futures Trading Commission (CFTC) oversight of cryptocurrency, which would treat them as digital commodities. Regardless of whether the bill becomes law, however, banks and financial institutions should pay close attention to cryptocurrency,
if for no other reason than from a security perspective. After all, some financial services organizations are selling cryptocurrencies products, such as
U.S. Bank’s cryptocurrency custody service. But there’s an even more important reason for banks to care about crypto. It’s clear that nation-states are moving in the direction of digital currencies, with some having actually issued them, such as the
Bahamian Sand Dollar. Even the United States is
seriously weighing the issue of CBDCs and a digital dollar. Many of the security vulnerabilities that cryptocurrencies face will pertain to central bank digital currencies (CBDCs) as well.
Consumers who invest in crypto often store their cryptocurrencies in a digital wallet that exists as a mobile app on their smartphone. Cybercriminals are well aware, which means they are tempting targets for attack. And, like any app, there are myriad methods
to attack a crypto wallet, but in my experience working with crypto and as a security professional, ensuring the app is secured against these five most common attacks will greatly increase the protection provided to consumers.
Stealing Keys and Passphrases
Encryption of keys at the application level is an absolute must-have. If keys are unencrypted in preference areas, the application sandbox, the SD card or in external areas such as the clipboard, hackers will be able to steal them. Once
they have the keys, they can do what they like with the funds in the wallet.
If encrypted at the application level, even if the device itself is compromised, the keys will remain safe.
Dynamic Attacks on Private Keys
The keys and pass phrases to a crypto wallet can also be dynamically stolen, meaning that they are somehow intercepted as the wallet owner types the key or pass phrase characters into the crypto wallet mobile app. Hackers typically use one of three methods
to do this:
-
Over-the-shoulder attack: Historically, this refers to a hacker who is physically and surreptitiously close enough to a user to see them enter the pass phrase into the crypto wallet. But today, there’s no need to be there in the flesh. Screenshots and screen
recording can be abused to this end.
-
Keylogging malware: Here, malware runs in the background on the app to capture every keystroke and send them to cybercriminals. Rooting (Android) and jailbreaking (iOS) the smartphone makes keylogging even easier to accomplish.
-
Overlay attack: In this case, malware places a screen, which could look genuine or could be transparent, that tricks the crypto wallet’s owner into entering credentials either into a field inside the wallet app or a malicious screen. The malware either transmits
the information directly to cybercriminals or takes over the wallet directly to transfer the funds in the wallet to hackers.
Defending against these threats requires the app to detect keylogging, overlays and recording, so it can take direct action by warning the wallet’s owner or even shutting down the app entirely.
Malicious Instrumenting
The security of a mobile wallet depends on the integrity of the platform that runs it, because if the device is rooted or jailbroken, or if hackers abuse development tools like Frida, they can gain access to the blockchain address of the client app. They
can even impersonate the app to make transactions on their own. Mobile crypto wallet apps must be able to tell when they are working within a rooted or jailbroken environment so they can, if called for, shut down to protect the user. They must also be able
to block Magisk, Frida and other dynamic analysis and instrumentation tools that can be abused to compromise critical functions’ integrity.
Just as important, developers should obfuscate the app’s code so that hackers will have a much more difficult time reverse-engineering the app’s inner workings and logic.
Man-in-the-Middle (MitM) Attacks
Many crypto wallets are part of exchanges that can be decentralized or centralized. Either way, communications are open to MitM attacks when the app is communicating with a server or during peer-to-peer transactions. Data in transit should be protected with
AES-256 encryption, and secure socket layer (SSL) / transport layer security (TLS) must be strictly enforced for all communications.
Emulators
Hackers are also able to make modified versions of crypto wallet apps. They can also use these modified apps with simulators and emulators to create fraudulent accounts, make fraudulent trades and transfer cryptocurrency.
Runtime application self-protection (RASP) methods, and specifically anti-tampering, anti-debugging and emulator detection, are the key to thwarting these kinds of attacks.
Even for financial institutions not involved in any kind of cryptocurrency services, it’s important to learn from the security challenges that users face, particularly when it comes to crypto wallets. The “digital dollar” may not be as far away as we think,
and those institutions that are prepared to provide secure mobile wallets of CBDCs will have a significant competitive advantage.