As the global crypto economy continues to prosper, with Bitcoin (BTC) currently occupying the $15,500 region, questions about the overall safety and security of digital assets persist, especially in the wake of a new scam in which hackers used a phishing email to direct users to a fake Ledger website. According to various reports, victims were scammed to the tune of 1,150,000 XRP, worth approximately $290,000.
Dave Jevans, CEO of blockchain intelligence firm CipherTrace and chairman of the Anti-Phishing Working Group, told Cointelegraph, “Ledger should clearly have a more aggressive defensive domain acquisition strategy, as look-alike domains were used by phishers in an attempt to trick Ledger users.” He further explained that the scheme relied on a homoglyph in the company’s official URL: in this case, a letter that looked like the letter “e.” He added:
“The phishing scams were likely a result of emails released from an e-commerce/marketing data breach. An unauthorized third party had access to a portion of Ledger’s e-commerce and marketing database through an API Key.”
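The homoglyph look-alike domains Jevans describes can be flagged on the defender's side, for example in a mail gateway or a domain-monitoring job. The following is an added example, not code from the article, Ledger or CipherTrace; the confusables table and the sample hostnames are constructed for illustration and are not the domains used in the reported campaign.

```python
import unicodedata

# Illustrative confusables map. Assumption: a real deployment would load the
# full Unicode confusables data (UTS #39) instead of this hand-picked subset.
CONFUSABLES = {
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
}

def decode_label(label):
    """Return one DNS label in Unicode, decoding the xn-- (punycode) form."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: compare the raw label instead
    return label

def skeleton(host):
    """Fold a hostname to the ASCII string a reader would perceive."""
    labels = host.strip().rstrip(".").split(".")
    text = ".".join(decode_label(l) for l in labels).lower()
    decomposed = unicodedata.normalize("NFKD", text)  # splits off accents/dots
    return "".join(CONFUSABLES.get(c, c) for c in decomposed
                   if not unicodedata.combining(c))

def classify(host, official="ledger.com"):
    """'official', 'lookalike' (only matches after folding) or 'unrelated'."""
    raw = host.strip().rstrip(".").lower()
    if raw == official or raw.endswith("." + official):
        return "official"
    folded = skeleton(host)
    if folded == official or folded.endswith("." + official):
        return "lookalike"
    return "unrelated"

# Constructed samples; these are not the domains used in the reported campaign.
SAMPLES = [
    "ledger.com",
    "www.ledger.com",
    "l\u0435dger.com",   # Cyrillic ie in place of "e"
    "l\u1eb9dger.com",   # "e" with dot below
    "xn--" + "l\u0435dger".encode("punycode").decode("ascii") + ".com",
    "example.org",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} -> {classify(s)}")
```

The punycode sample matters because a look-alike often appears as an `xn--` hostname in mail headers and logs, where it no longer resembles the brand at all.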
Earlier this year in July, the Ledger team revealed that it had been on the receiving end of a data breach, as a result of which nearly a million email addresses were compromised, along with the personal details of a subset of 9,500 customers. Furthermore, back in 2018, scammers were able to devise a copy of the Binance website (complete with an SSL certificate), which remained active for some time before being taken down.
Lastly, some miscreants were able to rake in a sizable 1.4 million XRP tokens in March by making use of a scammy Google Chrome extension that replicated Ledger’s likeness. In fact, the extension was live on the Google app store for nearly a month. Speaking on the various security protocols that the company employs, a spokesperson for Ledger told Cointelegraph:
“Ledger has its own attack lab, Ledger Donjon, where the security experts try to hack and stress test our own solutions, the solutions of our partners, and our competitors’ solutions. Furthermore, Ledger regularly conducts penetration tests.”
Customers bear responsibility as well?
It goes without saying that wallet operators need to be on top of their security game when it comes to protecting the assets of their customers. However, phishing attacks are a common occurrence, not only within the crypto space, but with any online service that involves a means of payment.
Speaking on the issue, Pavol Rusnák, co-founder and chief technology officer of SatoshiLabs, the firm behind the Trezor wallet, told Cointelegraph that it’s of prime importance that crypto owners are careful and double-check every piece of information they receive in relation to their digital assets, be it from their wallet providers or the internet in general:
“If an email claims you need to do something, you can always confirm this via vendor’s support or with other users on Reddit or Twitter. As for what vendors can (and should) do is to decrease the possibility of the leak by not sharing their customers’ data with third parties and decrease the impact of such leaks by deleting their customers’ data after a certain period of time.”
A similar outlook was shared by Jevans, who believes that matters related to customer security and privacy need to be viewed through a lens of “shared responsibility,” such that hardware wallet operators as well as crypto owners work in sync with one another to ensure the optimal safety of their assets from third-party threats.
Jevans encouraged users to take reasonable safeguards to protect their value and take responsibility for their actions by using practices that are steeped in individual data safety, adding: “Deploy two-factor authentication as well as never click on a Ledger link unless they specifically requested their password reset. Users should always type the URL themselves when visiting the Ledger site directly.”
Crypto education remains crucial
Despite being revolutionary in design and technological potential, crypto continues to remain a foreign concept for most. However, by providing people with monetary self-sovereignty, the technology has also burdened them with a lot of personal responsibility, especially in terms of individual financial security. As a result, it stands to reason that companies in the blockchain and crypto space need to educate their users about the security implications of their actions.
Rusnák believes that the industry still has some ground to tread regarding security. He pointed out that a number of companies operating within this domain today tend to make gross oversimplifications, such as, “Your coins are safe because your wallet has a secure element,” or, “Your coins are safe because our exchange is insured.” To this, he added, “This is not helping with the matter, making people believe something which is not true, rendering them defenseless.”
Statistically speaking, around 85% to 90% of crypto owners seem to fall prey to very common crypto theft schemes, typically fake investment scams rather than phishing traps, according to data provided to Cointelegraph by CipherTrace. As a result, Jevans believes that it would be in the best interests of major hardware wallet operators to use their platforms to educate their users about what to look for when it comes to phishing attempts, particularly when these scams invoke the wallet provider’s name:
“Based on hundreds of crypto theft and fraud cases, crypto users need to become much more sophisticated regarding their personal security operations (SecOps) when they choose to custody their private keys. Many crypto crime victims do not know what to do when they discover they have experienced theft.”
Wallet operators should become industry trendsetters
While companies like Ledger and Trezor do have dedicated information related to phishing and other similar, scammy tactics on their websites, these pages are not easily accessible and are usually buried deep within troubleshooting FAQ sections. Therefore, it seems reasonable to expect that established wallet providers do more in terms of providing customers with streamlined access to high-quality education that centers around security.
On the issue, Rusnák is adamant that transparency and education are the keys when it comes to maximizing the security of one’s funds. He opined that users can’t really be safe unless they actually take time to sit down and understand the nitty gritty of crypto security and personal wallet safety.
On a more technical note, he explained that the core operational design of Trezor’s various wallet options is fully open-source and that the company is completely transparent about all of its various operational agreements with its customers, to avoid all legal monetary issues encountered later down the line: “It will take some time until every company in the cryptocurrency space understands this, but it’s also our job to demand transparency and openness from service providers we use.”