Cryptocurrencies are basically the same as e-money — like WebMoney or PayPal. That means they also have the same problems as classic e-payment systems.
However, the operating principles specific to cryptocurrencies sometimes make the problems more likely to occur, and thus more disturbing. In addition, the same principles are responsible for a certain number of risks unique to cryptocurrencies.
Spoofing payment information and phishing
We’ll start with common problems such as plain old theft. Let’s say you’re transferring money to a friend. You copy his wallet address accurately, but malware replaces the address in the clipboard with another one. Not every user is vigilant and double checks an address after copying it. Especially if the address is a long jumble of characters.
Or take phishing, for another example. As with ordinary e-money, users can be tricked into going to a phishing website where they upload their cryptowallets and enter a password.
Of course, users of a traditional bank or payment system can also run into trouble with cyberthieves. However, with a traditional system there is always a fairly good chance of cancelling the transfer. In the case of cryptocurrencies, you might as well try to complain to the United Nations. What happens in blockchain stays in blockchain.
Hacking a payment gateway
On top of that, even using a genuine payment gateway with the correct address can result in a loss of money. In June 2017, the most popular Web wallet for the Ethereum Classic cryptocurrency, with the original address https://classicetherwallet.com/, suddenly started stealing money from users’ wallets.
Turned out, hackers had used social-engineering methods to convince the hosting provider that they were the real domain owners. After gaining access, they started intercepting cash flows.
Luckily, the strategy those hackers used wasn’t the best — they replaced the payees immediately, thus quickly blowing their cover and managing to steal only $300,000 in several hours. If they had collected the wallets and waited a while, they would have remained undetected for a lot longer, and the damage probably would have been far worse.
In all fairness, classic financial services can also fall prey to that kind of attack. For example, in Brazil this year, hackers hijacked a whole bank.
User address error
The preceding cases were typical electronic-money issues, but as we’ve already said, cryptocurrencies add their own wrinkles. For example, there is a risk that’s very specific to cryptocurrencies — loss of money due to an error in the address to which the money transfer is made.
In the case of Ethereum, if the last digit of the address wasn’t copied, the money would disappear into thin air. Or it would go where it was supposed to, but the amount you intended to transfer would be it multiplied by 256.
That error is not relevant to Bitcoin; its system has built-in address validation. However, in Bitcoin, you might send money to a mystery recipient — how does losing 800 bitcoins strike you? (that’s about $3.2 million at the exchange rate on September 28, 2017). Or you could unwittingly pay a fee of 80 bitcoins (about $320,000). To be fair, that kind of mistake is unlikely with a popular Bitcoin client; in those cases it’s likely people were using something homemade.
Loss of a wallet file
There’s one more problem that is typical of cryptocurrencies: loss or theft of a wallet. Most users store their cryptocurrency wallet files on their computers. Therefore, they can be stolen using malware or lost if the hard disk crashes.
So most advanced users make hard copies of their secret key and purchase USB hardware wallets. But the number of such users is small.
The situation with “centralised” e-money is far better at present. It’s the rare Internet bank that doesn’t require two-factor authentication and confirmation of transactions using SMS with one-time-use passwords. And in the case of corporations or large amounts, the use of a USB token is mandatory.
Insecure ICOs
In 2017, investing in projects associated with a blockchain or cryptocurrencies became very popular among cryptocurrency holders. This type of fundraising is called an ICO — Initial Coin Offering.
You can learn more about how all this happens, what the Ethereum network is, and how smart contracts work, in our previous post on the topic, so we won’t repeat the technical details here. The upshot is that using cryptocurrencies has made it easy to raise outrageous amounts of funds with nothing more than an Internet connection. More than $1.7 billion has already been raised through ICOs in 2017. You don’t hear much about successful projects, but investors are still optimistic.
What’s the problem, then? The problem is that the cryptocurrency market still isn’t regulated by any means, there are no risk assessment mechanisms, and there is no guarantee — like at all — of return on investments, except the word of honour of people who came up with the project.
Generally speaking, the fact that someone has an idea doesn’t mean the idea is good or even feasible, that the resulting product will make a profit, or that the author will actually spend the money on implementing it rather than on paying the director (himself). Ultimately, he might simply make off with the money, knowing it’s not very easy to track down and de-anonymize a payee on the cryptocurrency market.
Spoofing a user address
Sometimes, a money-grabbing scheme is even simpler. Collection of funds in an ICO usually opens at a specified time and closes when the required amount has been collected. The collection address is posted on the project website when it opens (it’s not necessary, just common practice).
During one ICO, a hacker got access to the project website and as soon as collection opened, he replaced the address with his own. Within an hour, 2,000 participants had thrown in $8 million. Then the address was flagged as fake. But even that didn’t stop the eager crypto-investors — a lot of them continued to transfer money to the same fake address, and the hacker got another $2 million that day.
Tips for cryptocurrency holders and crypto-investors
How can you avoid the above-mentioned problems? We have several tips to help.
- Always verify a Web wallet’s address, and don’t follow links to an Internet bank or Web wallet.
- Before sending, double-check the recipient’s address (at least check the first and last characters), the amount being sent, and the size of the associated fee.
- Write down a mnemonic phrase that allows you to recover a cryptowallet if you lose it or forget your password.
- Keep a cool head and make informed decisions when crypto-investing, and don’t panic or hurry.
- Always remember that crypto-investment is very risky. Do not invest more than you’re ready to lose at any moment. Diversify your investments.
- Use cryptocurrency hardware wallets.
- Run high-quality antivirus protection to protect the devices you use to access cryptowallets, trade on crypto-exchanges, and so on.