Don’t get crypto-mugged!
Thinking of trying your hand at cryptocurrency? Here are eight things to watch for to keep your money — and yourself — safe.
Eight tips to keep your crypto money safe:
1. Don’t brag about your crypto earnings
2. Type in the site name yourself or use a bookmark
3. Don’t expose your private key
4. Don’t use an e-mail address/phone number you post online
5. Use 2-factor authentication
6. Use a cold wallet
7. Stay alert for fakes & tricks
8. Watch out for real-life muggers
Don’t get crypto-mugged
You might not flash your cash if you had $50,000 lying around.
But seeing your crypto currency investments go up quickly gets some people excited.
Bragging about your digital coin is at the top of the list of ways to get yourself crypto-mugged.
Profile of a mugging
It started at the Ruby Tuesday on Times Square in New York City.
Louis Meza and a friend met there in November 2017.
His friend left in an Uber minivan, reported the New York Daily News.
But the Uber was fake.
The Ruby Tuesday on Times Square where Louis Meza and his alleged victim met in November 2917. Image credit: Google Maps
Investigators say Meza and three members of a Bronx biker gang — “Joker”, “Bishop” and “Fuego” — set up a heist, with Joker at the minivan wheel and gunman Bishop jumping out from behind the seats.
They wanted the victim’s phone, apartment keys and the password to his crypto riches — $1.8 million in a currency called Ether.
Prosecutors say the third biker, Fuego, and Meza went to the victim’s apartment for his hardware wallet, a Ledger Nano S according to Fortune magazine, which held the keys to the victim’s digital money.
Meza then transferred the Ether to his own account, investigators said.
The Ledger Nano S hardware wallet for cryptocurrency. Image credit: Ledger
Keep it on the down-low
“You don’t want to make yourself a target,” said Chris Wysopal, founder and CTO of security company Veracode.
We don’t know if the New York victim boasted about his digital stash.
But we do know that Wysopal’s advice at the Collision 2018 start-up conference in New Orleans holds true.
“Don’t brag about your crypto fortune online,” he told the crowd.
Chris Wysopal speaks at the Collision 2018 conference in New Orleans in May 2018. Image credit: Collision 2018
Even if you don’t brag, you could still run into trouble.
Let’s say you do a Google search for “blockchain” or “bitcoin wallet.”
You may not notice that some of the search results say something very similar, but with a letter changed, like Blokchien-dot-info or Block-clain-dot-info
Thieves bought their way into Google’s search function, putting up bad links, said researchers at Cisco Talos.
Click, and you would go to a site that looks like an actual blockchain wallet site for cryptocurrency.
But the site is fake.
Search results with misspellings that could lead to fake websites, according to Cisco Talos. Image credit: Cisco Talos
“People are like, ‘Oh, let me go check my blockchain info,’” said Wysopal.
“They click on the link ’cause it’s sitting on the page. It just seems so easy to do,” he added. “Very bad idea.”
“They’re going to a phishing site,” Wysopal said. “They’re actually not going to the real site. And they’re doing a transaction with the attacker.”
The crypto-muggers stole $10 million in four months, from September to December 2017.
Always type in the website name yourself or use a bookmark to get you there instead of clicking on links in searches, ads or e-mails.
Poisoned search results can lead to fake websites like this, according to Cisco Talos. Image credit: Cisco Talos
Do’s & Dont’s
Don’t expose your private key or someone could steal your money.
Don’t use the same e-mail and phone number you post somewhere else or someone could pretend to be you.
Do use two-factor authentication to protect your account.
Do use a cold wallet, a wallet that’s not connected to the Internet, Wysopal said.
Crooks can attack and drain a hot wallet — one that is connected to the Internet — more easily.
Banks do the same kind of thing with real cash, according to Wysopal.
“They don’t have all the money in the tellers’ drawers all the time. Or even in all the branches, right?” he said. “The money is somewhere else. It’s only what needs to be done for that day.”
An example of a hardware wallet. Image credit: KeepKey
Keep Your Eyes Open
Always stay alert for fakes and tricks.
Cybersecurity company ESET found apps that pretend to be your cryptocurrency wallet, but really steal your digital coins.
Another trick went down during a coin offerings for CoinDash, where attackers hacked the company website and changed the wallet address to their own.
And there are even fake hacks.
Investigators say Gelfman Blueprint took in more than half a million in Bitcoin investments, then staged a fake hack so they could keep the money for themselves.
Some fake apps pretend to cryptocurrency wallets. Image credit: ESET
Finally, if you go into a digital coin business, keep an eye out for real-life muggers, like the suspects accused of hitting up a cryptocurrency company in Ottawa, Canada, and these guys in England who police say tried to make a crypto currency trader transfer Bitcoin to another account at gunpoint.
“It’s a very attractive target for attackers. So, there’s a lot of attacker activity,” Wysopal said. “We’re talking about a huge amount of money that’s really readily and easily accessible.”
Main image credit: geralt