Steve Grobman, a SVP and CTO at McAfee has recently said: ’With cryptocurrencies, even when the underlying blockchain technologies are secure, there are still risks if the supporting technologies have security vulnerabilities or issues. For example, if there are security issues in cryptocurrency wallets or exchanges, these can be an avenue for an attacker to disrupt or exploit.‘
Mr Grobman has the pleasure to be chairing one of the world’s largest securities companies. The US securities law is one of the main pillars that any ICO-issuer ought to deal with.
For this particular reason, providers of services that launch Initial Coin Offerings, such as the Robin8 Foundation, for example, tend to generally avoid dealing with US securities law.
Mr Grobman’s warning has been most apt and brilliantly-timed. Amid discussions that cryptocurrencies are indeed a secure way of managing money around the world, one of the flagship wallets out there, storing Ether tokens, has been hacked. A DNS attack took hold of MyEtherWallet, resulting in the heist of $150,000 Ether tokens.
MyEtherWallet’s team made a statement on Reddit explaining the issue in detail. Bottom line, the service’s Domain Name System servers have been stolen and visitors were automatically redirected to a phishing website instead.
A Reddit user posted their account of what had happened before the attack was spotted:
Woke up today, Put my computer on, went on to myetherwallet and saw that myetherwallet had a invalid connection certificate in the corner. I thought this was odd. https://i.imgur.com/2x9d7bR.png . So I double checked the url address, tripple checked it, went on google, got the url . Used EAL to confirm it wasn’t a phisihing site. And even though every part of my body told me not to try and log in, I did. As soon as I logged in, there was a countdown for about 10 seconds and A tx was made sending the available money I had on the wallet to another wallet ” 0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29 “
I have no idea what happened. I barely download things and thought I was careful enough at least to avoid problems. I’m curious as to how this worked. Do they not have my private key? Why did it happen automatically as soon as I logged in.
I didn’t lose too much , .09eth , alot for me, but i’m more concerned with my dock.io tokens on the account and how I can get it out…
Myetherwallet still has that invalid connection error saying my connection might be intercepted. Ran a scan with avast and malwarebytes and found nothing. I’m lost …any guidance would be greatly appreciated. I have half a mind rn to reinstall windows and wipe my entire PC
In other words, it turns out that the security of crypto wallets is not solely and exclusively contingent on blockchain matters. Overall Internet security ought to be improved too for it to work.
With this in mind, nobody really expects that the servers of a company will be hijacked so that they may redirect to phising websites. Part of the solution is, of course, the tech savvy users who have themselves spotted the murky activities.
However, checking your browse URL eveyr time when visiting a trusted source is to say the least – annoying. The hunch of the user was spot on, but the happening highlights that security breaches may come through channels that are native to blockchain and native to the Internet as a whole.
In a user discussion, on Reddit, participants suspected that the attack was conducted by a Russia-based DNS. The whole Ethereum network has been targeted, however.
However, there are ways to fend off such incursions on your wallets even if the service you have been using has been compromised:
- Downloading a MEW and using it locally and independently from the website is what Ether users could do;
- A hardware wallet or MetaMask would ensure that the hackers do not steal your private keys, if they had successfully stolen your tokens;
- Warnings such as your browser’s innate ‘do not venture out there’ pop outs are there for a reason, but people may tend to overlook them readily.
With this being said, there is a whole lot more that needs to be done if blockchain is going to be completely secure at all. Introducing more laws and asking companies to invest more in their security is one way to do this.
However, in order for future such mishaps to be avoided, regulators, governments and crypto enthusiasts themselves will have to think of a way where they can co-exist and collaborate.