Day: September 21, 2017

Cryptocurrency-related cyber attacks are on the rise. As cryptocurrency continues to explode in value and public awareness, we can only expect this trend to continue. I was recently the target of such an attack. I also personally know of multiple other cases of the same attack being successfully carried out. Even worse, this type of attack is becoming ever more common and is likely to see an even bigger boost thanks to the professional excellence of firms like Equifax, making it an urgent topic as almost everyone is at immediate risk.

This article describes this increasingly common attack vector and provides immediate steps you can take to protect yourself. I will also provide additional tools and best practices to further safeguard yourself and your funds more generally.

As a computer programmer active in the crypto ecosystem since early 2013, I’ve always been too aware of the constant threat of cybersecurity attacks and the possibility that I could be targeted at any time. Cryptocurrency is the perfect hacker pay day. Once it’s transferred away from your control it’s gone forever, and it’s easily liquidated in any number of ways. Black hats are constantly prowling for possible cryptocurrency holders.

As such, I’ve always taken the minimum precaution of keeping my coins off third-party accounts, and have always advised others to do the same. But what I couldn’t prepare for was how unnerving being the target of an attack could be regardless of your level of preparation. The hypothetical can become reality in a matter of seconds, and you never truly understand the personal value of putting proper security in place until it’s too late. For those with enough at stake, it can be ruinous. Ultimately none of my funds were compromised by this attack, but others have not been so lucky.

“But not all accounts are created equal for data thieves  —  and the most valuable online accounts to steal are like the ones belonging to Mr. Burniske, who is a cryptocurrency fan. In the few minutes it took to get control of his phone, the virtual currency investor saw his virtual currency password change and its accounts drained of $150,000.” -PYMNTS

The Attack

It started when I received a text message from my cellular service provider alerting me that my SIM card had been “updated.” Included in the text was a number to call if this “update” wasn’t in fact authorized by me. I read this text several minutes after it had been sent, and by the time I called the number provided a minute or two later, my cell service and data were suddenly cut off by what I began realizing must be an attacker. Almost immediately, I was also logged out of my Facebook messenger window right before my eyes. With control of my phone number, my attacker had managed to quickly reset my Facebook password and gain control of the account.

As the reality of what was happening to me sank in, I felt an initial wave of panic. Suddenly, I didn’t know if the years of precautions I had taken amounted to anything at all. I had no idea how robust the attack was, how deep the attacker had penetrated my numerous online accounts or what my first reaction should even be. I momentarily feared the worst. Could my coins be at risk?

I forced several deep breaths. Thankfully my coins were not at risk via a phone, social media or email hijacking. Reminding myself of this eased my fears and allowed me to focus on going on the defensive and taking back control of my accounts as quickly as I could.

Using FaceTime from my laptop, I was able to get a family member to call the number provided by my cellular provider’s text message and initiate the process to eventually retake control of my phone number. Using an old email strictly used as an emergency recovery email for situations such as these, I was also able to lock down my Facebook account and regain control soon after.

What I discovered once I logged back in confirmed that the attacker had specifically targeted me due to my public cryptocurrency involvement. In the brief span of time they controlled my Facebook account, they had sent the same message to several friends of mine also involved in the ecosystem, many of whom I’ve known for years. The messages claimed I had an emergency and needed to borrow several bitcoins or the equivalent value in alternate coins for a day. The attacker was in the middle of sending out many more such messages to even more of my friends when I regained control.

At the end of the day, the damage done to myself was limited to being spooked. Unfortunately, however, at least one of the recipients of my fake Facebook messages was later the target of the same attack. I’ve decided to learn from these events and share those lessons, and hopefully help some avert the worst. First and foremost is eliminating this specific and trivially easy attack vector completely.

How to Stop It Before It Happens

Text message two-factor authentication (2FA) is the default security precaution for most online accounts today, and cellular service providers are woefully unprepared for this reality. It is almost trivially easy for an attacker to contact your service provider and pretend to be you.

In all the cases I’ve personally observed, it began with the attacker identifying an individual likely to have cryptocurrency and contacting their cell provider. They impersonate their target using personal information like social security numbers and home addresses from any number of possible leaks, Equifax being the most obvious and concerning source.

After successfully convincing your cell provider that they are you, they then port your SIM card to a phone they control. This approach is known as a social engineering attack, and with today’s common security default of using text messages for 2FA, they immediately have the keys to the kingdom. With your phone number they can now reset the password to any account you have with text 2FA enabled, including cryptocurrency wallets and accounts.

The minimal action you should take right now to prevent this: Contact your cellular service provider and request restrictions to be placed on your account so that no changes can be made to it without special verification. This can include setting a password on your account or requiring you to physically visit a store with your ID to make any account changes. Call again once this is in place and attempt to change your own SIM card as a test to ensure the restrictions have indeed been put in place and are being properly enforced by your cellular provider.

This simple step means that no matter what information an attacker may have on you, socially engineering a takeover of your SIM card is no longer a trivially simple endeavor. However, this precaution isn’t ironclad, and there’s also a variety of other attacks you can be the target of.

Taking It a Step Further

Black hat actors tend to focus on the low-hanging fruit, which is why the social engineering SIM attack has become so prevalent. But it is by no means the only way to compromise your accounts, and as the low-hanging fruit become harder to find, attackers will move on to these other methods. I highly recommend everyone implement these precautionary steps to further secure yourselves. The upfront investment needed to set up these measures may seem tedious now, but can pay invaluable dividends in the future.

1. If you hold any significant amounts of cryptocurrency, invest in an offline hardware storage solution.

These devices contain your cryptocurrency private keys and can remain completely disconnected from the internet or any computer until you need to make transactions, so that your funds remain totally safe regardless of any of your other devices or accounts being compromised. These devices include OpenDime, TREZOR and Ledger. Even if you do not opt for any of these solutions, at a bare minimum do not store funds on third-party services such as Coinbase or exchanges, especially on any service or wallet that integrates email or a phone number to authorize access to funds.

2. Ditch text messaging 2FA.

Placing verification restrictions on your cellular service account is a big step up in security, but can still be circumvented by an insider or even just a careless customer service rep who doesn’t do their job properly. Text message authorization is also still too incredibly insecure to be relied on in any way, period. Recent research shows that intercepting text messages is a trivial task for someone with the right tools, and many other exploits are likely to be discovered in the future.

The first item on this list will protect your personal funds from theft, but as I learned the hard way your money isn’t the only thing at risk. With access to your social media accounts and emails, an attacker can trick your friends into giving them funds or exposing themselves in other ways. They’ll also obviously have a clear look into all your messaging and file history on those accounts, which can expose you and your social circle even more. Shoring up your 2FA is a big step in preventing this.

Eliminate all of your text messaging–based 2FA and at a minimum replace it with Google Authenticator. However, like storing cryptocurrency, you can take it a step further with a dedicated hardware solution. I highly recommend YubiKeys.

You can configure many major online accounts (not Coinbase yet) to require you to physically insert and activate your YubiKey as your 2FA authorization, eliminating the risk of a remotely compromised phone.

3. Use multiple emails with interlinked recovery options, and use completely different and robust passwords for those emails and other online accounts alike.

Luckily I did not have text messaging 2FA enabled on the email account associated with my Facebook profile; otherwise my attacker could have seized control of that as well. If they did, I have a chain of recovery emails I could have used to regain control of it, all with different passwords. This practice also means that having your password being captured or leaked for any one of your accounts won’t jeopardize all of them.

4. Stay vigilant, stay paranoid.

To quote the Onion Knight, “Safety is never a permanent state of affairs.” Don’t get lazy and begin recycling passwords or leaving funds on Coinbase or other third-party accounts. Be aware of the technology you are using and the tradeoffs you are making or exposure you are generating by doing so. Stay up to date on the latest breaches, exploits and technology. Opt to use end-to-end encrypted messaging services like Signal, Telegram or WhatsApp. Don’t answer calls from strange phone numbers, and use apps like Hiya to filter out known spam numbers to reduce the risk that you do. Ultimately, however, there is no easy fix for security and no list that can guarantee you won’t get hacked.

Make no mistake, there are individuals out there who want to harm you and are actively working to do so. The time needed to reasonably secure yourself can seem tedious and time-consuming up front, but can easily and quickly become a priceless investment as I and many others have learned firsthand. 

This guest post by Ariel Deschapell was originally published on Medium and is reproduced here under a Creative Commons License. The views expressed do not necessarily reflect those of BTC Media or Bitcoin Magazine.

To a complete outsider, the worlds of art and cryptocurrency do not appear to be linked. But for content creators of all kinds, blockchain technology provides an ideal solution to preserve intellectual property, create demand and increase value for digital content.

The digital revolution is often blamed for making life harder than ever for artists. We are always hearing stories of artists realizing their work has been ripped off by a major brand or that they are not being paid or credited for the content they create.

However, thanks to blockchains, ownership rights can be restored in favor of artists. The very digital landscape that proves so difficult for artists could well increase the possibility of profits for artists online.

Physical art was one of the first big applications of blockchain technology.

The concept of integrating blockchain technology into the art industry is not untested. Blockchains have already been a part of the physical art world for a few years now as a reliable way to verify creation and ownership details. The application of a trustworthy system of verification like the blockchain to artworks makes perfect sense.

A number of companies are actually already authenticating artwork with blockchain technology, including Verisart in Los Angeles, Tagsmart in London and Ascribe in Berlin. For both collectors and artists, they provide digital certificates of authenticity and provenance records that enable buyers to verify the authenticity of the artwork they purchase while creating an accredited ownership history for the artwork over time.  

What blockchain technology provides is its unmodifiable digital ledger which logs every single digital transaction. More importantly, this ledger is public so everyone can see its history. This means, for example, that you can see that the painting you are interested in has been purchased three times from buyers in London, Madrid and Milan. Because the log is decentralized and cannot be edited, there is no potential for lies or trickery — no one can sell you a fake copy if a digital record of the authentic piece exists.

By allowing records like provenance, authorship and ownership to be unmodifiable, blockchain technology potentially solves the issue of forgeries and thefts in the art world. According to the FBI, billions of dollars worth of art and cultural property go missing every year. Being able to prove and track the ownership of artwork could make it almost impossible to resell stolen artwork in the future.

By increasing trust in the art world, blockchain technology could also help increase the value of art. One important factor in art is scarcity — it is what drives demand. People covet beautiful things: the more unique, the better. The Mona Lisa wouldn’t likely be worth $2 billion if there were 10 originals on the market.

Blockchain technology may pave the way for a robust new market of digital art.

It is no secret that life for digital artists can be difficult. In the music world, for example, physical sales are almost non-existent. Artists earn less than a cent from each time their music is played. At Spotify, the average payout for a stream to labels and publishers is between $0.006 and $0.0084. By the time the label has taken its share, artists receive an estimated $0.001128.

The digital art and design world is arguably just as bad — or worse. While individuals can easily download a music file from a file-sharing website, it is even easier to screenshot or share digital art without any attribution or financial benefit for the artist. As long as people don’t consider digital assets “objects,” digital artists won’t be paid what their work is worth. However, being able to certify the ownership of digital assets through the blockchain could assure the value of digital art and change the behavior that it is okay to swipe art from the web without a thought. People already consume all kinds of creative content on digital screens, be it books, movies, media, or music. The time has come for them to value digital art they can appreciate just as thoroughly on their devices.

A new generation of blockchain-based art collections is bringing the digital art and cryptocurrency worlds together.

For many people, a painting on the wall is worth money; but a digital work of art online has no financial value. A new business model, however, is now emerging for digital art that could alter this perspective.

CryptoPunks by Larva Labs is one known example. The company has created 10,000 computer-generated digital characters, each one unique, with proof of ownership stored on the Ethereum blockchain. Each one is owned by a single person and verified by a smart contract. As the blockchain data is public, you can see exactly which of the characters have been purchased and which remain available. Some people have spent 10 ETH (around $3,000) on the rarest types of CryptoPunks on the secondary market.

Another example is the selling of “Rare Pepes,” crude depictions of the meme often used online as an alt-right symbol. Meme artists previously tried to watermark their memes; nevertheless, they continued to be downloaded and shared. The solution was to use the Counterparty platform, which allows users to make anything into a unique digital token. Now the Pepes can be bought and sold — the rarest costing $11,589 — with RarePepeWallet.com.

This is just the tip of the creative iceberg. Imagine the possibilities with digital art created by actual artists becoming desirable and more valuable. In addition, artists who otherwise would have been forced to use a large-scale centralized company to distribute their work are now able to distribute their work in a decentralized way and receive fair compensation.

Soon, people may begin collecting digital art in the very same way they collect it in its physical form. This may also require a cultural shift in the perception of digital art and its value, but this cultural shift could well be instigated by applying technology, thereby adding financial value and scarcity to digital art. This may well turn out to be a significant boon in the lives of artists all over the world who will be able to profit and take control of their creative output and their intellectual property in a dynamic, budding market.

ICOs (Initial Coin Offerings) or token sales have seen a dramatic increase over the past year as a method for raising capital. According to CoinMarketCap, Bitcoin market capitalization sits at around $70 billion at the time of writing (even after the China ICO market correction), up from $11 billion in June 2016. Overall, the cryptocurrency market cap is now over $150 billion, roughly the size of Algeria or Iraq’s GDP.

Many organizations have, therefore, become interested in using token sales (aka ICOs and token generation events) as a way of raising capital. Mostly, companies look at token sales as a way to raise startup capital; they issue “utility tokens” to avoid being classified as a security. This method is in line with traditional “crowdfunding” that companies have been doing for many years.

I also believe there is a lot of pent up demand from traditional asset classes and established companies to utilize the blockchain to raise capital and conduct their business. This is because there are a many benefits for both the issuer and the investor.

For the issuer, it’s a frictionless process of raising capital that opens up a global market of potential investors. Costs of raising capital via this process can be a fraction of what it may cost to address the same size market with a traditional raise.

For the investor, it provides access to a wider range of investment opportunities, which a regular person may never otherwise have access to. Typically, there are zero or very low investment minimums, and one can easily participate in a token sale anywhere on the globe — just set up a wallet, buy some bitcoin or ether, and get in on time. As a bonus, there’s also often the existence of a secondary market where tokens can be traded after the initial token sale, thus providing fast liquidity to those that desire it.

However, the process is not without its challenges, and there are several things to consider when launching your next fund offering on the blockchain.

What are traditional asset classes and why may a blockchain be of benefit to them?

Traditional asset classes are those that generally come up when people talk about investments. They include stocks, commodities, real estate, private equity funds and derivatives, VC funds, REITs and others.

Most, if not all, traditional assets would fall under the SEC’s definition of a security, as stipulated by the Howey test. However, due to the decentralized nature of blockchains, the U.S. is not the only jurisdiction where tokens can be sold from; many countries around the world such as Switzerland, Cayman Islands, Estonia and others are stepping up to welcome ICOs, be they utilities or a securities.

So, how is blockchain technology and tokenization beneficial to traditional asset classes? Consider this example based on the logic illustrated by Stephen McKeon. If we take real estate as an example, it’s estimated that the size of commercial real estate in the U.S. alone is about $11 trillion. Let’s say 10 percent of that can be tokenized; that immediately puts over $1 trillion of liquidity back into the marketplace and removes an “illiquidity premium” which issuers are forced to pay because investors have no way to exit their investment for a number of years. This is a win-win for both the issuer and the investor.

Challenge #1 – Jurisdiction

Even if one decides to tokenize an existing asset, there are several challenges that must be addressed, and finding the right home for your fund is key.  Since most traditional assets may be considered a security, finding the right jurisdiction will be very important during and immediately following your token generating event. Let’s take a look at some of the options available to us today.

The State of Delaware has a newly invoked law that will allow businesses to maintain shareholder lists and other corporate records on the blockchain. This move is even more significant when you consider that this jurisdiction is the corporate domicile capital of America, with 66% of Fortune 500 companies calling it home. If your plan is to make token holders Limited Partners or equity holders of your new fund, this may be a reasonable option.

Also in the U.S., Regulation A, Regulation A+ and Regulation D contain rules that could exempt entities selling securities from registering with the SEC, including a specific look at equity crowdfunding. These rules can be applied to any crowd sale, and potentially encompass token sales as well. It’s also possible to raise under Regulation S, which would exclude U.S. investors altogether, thereby removing the need for protection of unaccredited investors.

Switzerland, one of the leading centers of capital in Europe and known for recently abolishing its banking secrecy laws, has become a fintech hub and is considered a friendly jurisdiction. A number of leading Swiss companies have formed an alliance called Crypto Valley, where one of the most prominent law firms, MME, hosted a recent conversation about the legalities of token sales and what may constitute a security under Swiss law.

The Cayman Islands, a leading offshore jurisdiction with a 0 percent tax rate for foreign-controlled companies, have seen an uptick in ICOs lately. Recent token sales events from the Caymans include EOS, Domain Developers Fund and others. The Cayman Islands and other offshore jurisdictions have taken a friendly view on blockchain assets and have the service provider infrastructure in place, with lots of experience creating and operating traditional funds. I believe incorporating in the Caymans and other offshore jurisdictions have many benefits and is a practice that will continue to increase.

Estonia is another interesting example of a jurisdiction where several ICOs — which would almost certainly be considered securities in the U.S. — have been domiciled. Recently, Agrello, Polybius and a number of other companies completed successful token sales. Estonia is unique because of its e-government initiatives, which encompass e-citizenship, e-voting, e-tax and government blockchains. Further, Estonia recently announced its own cryptocurrency called Estcoin. Estonia currently doesn’t regulate crowdfunding (though some EU laws may apply) and is one of the top friendly jurisdictions for launching tokenized funds.

Challenge #2 – Knowing Your Customer

Another roadblock to conducting legal and compliant token sales is the issuer’s ability to follow KYC and AML regulations effectively. KYC (Know Your Customer) is the method in which issuers verify the identity of its investors. Many cryptocurrencies of choice for token generation events have anonymity features built in (cryptocurrencies such as Monero and Zcash are prime examples, and bitcoin can be anonymized as well). Further, the crypto investment community likes the idea of not having to go through lengthy and intrusive KYC processes. This practice doesn’t bode well for the issuer, however, since KYC is a key requirement for many banks. Strong KYC during the token generating event will make it easier to work with banks and follow AML (Anti Money Laundering) regulations.

Challenge #3 – Tax, Compliance and Custody

There are further complications with taxes, compliance and custody. There are not yet clear standards for cryptocurrency compliance to be followed. Further, if your fund is going to be holding crypto-assets and cryptocurrencies, security and custody needs to be considered. Luckily, there are some players such as Gemini that offer crypto-custody services; some reputable banks such as the Swiss Falcon Private Bank are also starting to offer bank-level cryptocurrency trading services. There are still more challenges around custody and compliance for altcoins.

On the tax side, there are open questions about treatment of virtual currencies. IRS guidance 2014-12 classifies cryptocurrencies as an asset class, imposing capital gains taxes on profits in certain situations. Some other countries such as Vietnam have proposed making digital currencies like bitcoin a form of currency. The world tax authorities still need more time to figure out how to tax this new asset class.

Challenge #4 – What Happens Next?

Once you’ve jumped through a lot of hoops and successfully executed a tokenization event for your fund, the real work starts. If you accepted U.S. investors, think about how you can prevent them from selling your tokens in the first 12 months (if you raised under Regulation D). If you didn’t accept U.S. investors, how do you prevent them from buying your tokens in the future? What exchanges do you want to list on to make sure you can comply with AML and other regulations? This is a complex process that needs to be thought of before you start planning your token generation event.

Looking to the Past

Launching a tokenized fund on the blockchain is a relatively new concept; however, we have some successful precedents. The biggest and most interesting example is Blockchain Capital, founded by Brock Pierce. Their token, BCAP, was sold under Regulation D exemption to 99 accredited U.S. investors (and unlimited foreign investors with many exceptions), who, per SEC regulation, can’t sell their tokens for 12 months. Blockchain Capital has a complex structure, with entities in Singapore, the Cayman Islands and the U.S. According to their memorandum, they spent up to 10 percent of their raise on legal expenses (they raised $10 million), which is a hefty sum. Also, questions remain: What prevents non-accredited U.S. investors from buying BCAP tokens post ICO? How are the 99 accredited investors forced to comply with the requirement to hold these tokens for the time allotted?

Conclusion

Launching token generation events for your fund can be a worthwhile activity, but you need to plan carefully and entrust your process to qualified professionals.

Some things to think about before going ahead with launching a tokenized fund:

• Is your token a security (Howey test)?

• Have you chosen the right jurisdiction?

• Do you comply with the applicable regulations, including KYC and AML?

• What are tax and custody implications for your cryptocurrency?

• What happens after the token sale is over?