In the crypto space most people only consider wallet security, exchange security and safety, with little to no consideration for the behind-the-scenes security risks.
Security is paramount: even as you read this article some form of hacking is taking place, either against an individual or a corporate entity. The cryptocurrency space is the wild west, as you already know, and one needs to be a gunslinger to have some form of protection. We will be taking a look at password setup, multi-factor authentication (specifically 2FA), browser fingerprinting and cookie stealing as they pertain to an individual.
In the wake of the Poly Network hack I decided to look into individual security, as this is the space where most of us find ourselves. The loss of your assets can happen in an instant, and there would be little or nothing you could really do about it at that point. “Anything that is written and built can be hacked”, hence your password should work with you rather than against you. The decision not to harm yourself voluntarily is yours… utilise the smart security tools around you to an optimal point; after all, “Smart phones require smart people”.
In order to gain access, you would require what you know, what you have and in some cases what you are. Let’s start with password creation. A password or passcode is secret data, typically a string of characters, that confirms the user’s identity. It has to be memorised or stored in a password manager that encrypts it, depending on the complexity desired.
Password entropy (the amount of information held in a password) matters, as it reduces the probability of and increases the time needed for brute-forcing the password, whether by logical guesswork or by the use of super-fast computers. Note that as GPUs get faster these barriers go down or stop mattering at all: imagine 14 billion hashes per second; this would likely break a password that has 8 digits in seconds.
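To make the entropy and brute-force figures above concrete, here is an added example (my code, not from the article) that infers the alphabet a password draws from, computes its entropy in bits, and converts that into an expected cracking time at the article’s 14 billion guesses per second. The sample passwords and the Diceware list size of 7776 words are my own assumptions. Note that the character-based figure is an upper bound: a password built from dictionary words has far less real entropy than its length suggests, which is why the passphrase is also scored as four random words.

```python
import math
import string

# The 14 billion hashes/second figure from the article, used as the attacker's guess rate.
GUESSES_PER_SECOND = 14_000_000_000
DICEWARE_LIST_SIZE = 7776  # words in a standard Diceware list (6^5); assumed, not from the article


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the character classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def entropy_bits(password: str) -> float:
    """Entropy in bits, assuming each character is chosen uniformly from the inferred alphabet.
    This is an upper bound: dictionary words and patterns make the real search space smaller."""
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase built from num_words words drawn uniformly from a word list."""
    return num_words * math.log2(list_size)


def seconds_to_crack(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average the attacker searches half the keyspace."""
    return (2.0 ** bits) / 2 / rate


def human_time(seconds: float) -> str:
    """Render seconds as the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.4f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    samples = ["12345678", "Tr0ub4dor", "correct horse battery staple"]
    for pw in samples:
        bits = entropy_bits(pw)
        print(f"{pw!r:32} {bits:6.1f} bits  {human_time(seconds_to_crack(bits))}")
    # The same passphrase scored as 4 random Diceware words rather than 28 random characters:
    bits = passphrase_entropy_bits(4)
    print(f"{'4 Diceware words':32} {bits:6.1f} bits  {human_time(seconds_to_crack(bits))}")
```

Running it shows the 8-digit password falling in a few milliseconds, while six random Diceware words (about 78 bits) push the expected time into the hundreds of thousands of years at the same guess rate.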
The higher the password entropy, the more difficult it becomes to remember, hence the need for a password manager or the old handwritten notepad. A password properly set up with high entropy would take almost forever to hack into. See the charts below for a visual example.
Furthermore, passwords are not a very useful way to authenticate humans, as they may be hard for us to remember but easy for computers to guess. What! I know, I get it… unless you are protecting top secrets for a government facility you may not need this level of effort; that being said, as your crypto assets grow into thousands and millions of dollars this becomes a necessity, and unless you have developed the habit and rhythm it becomes tasking to follow through. A good example of a basic password is shown below, as shared by Edward Snowden.
Other threats that passwords are prone to include:
- Key logging – malware that tracks and copies a user’s password as they type, capturing every keystroke.
- Brute-force attacks – systematically trying candidate passwords against an account until the correct one is found, usually with a password dictionary, e.g. rockyou2021.txt.
- Phishing – email with clickable links to malicious websites designed either to infect the recipient’s device or to convince them to enter their password.
- Social engineering – using deception, manipulation and influence to trick a target into doing something or complying with a request. It can also take the form of preying on users’ curiosity and habits, or appealing to the user’s emotions to elicit an action, e.g. “your account has been compromised” (the intent here is to provoke an action!).
- Simple password theft.
This takes us to the popular two-factor authentication (2FA) system, a specific type of multi-factor authentication that reinforces access security by requiring two methods to verify your identity. The factors typically include something you know, like your password, and something you have, like a token or an app-generated code, in order to gain or verify access.
There are five factors of authentication predominantly used in the security space: the knowledge factor (user password), the possession factor (a security token, key or app the user must have on their person), the location factor (IP address), the inherence factor (biometrics) and the time factor (permitted access time range). There are a number of 2FA schemes based on combinations of the above; these include SMS 2FA, TOTP 2FA, U2F tokens and Web Authentication.
SMS 2FA – validates the identity of the user by texting a security code to their mobile device. 2FA done via SMS is the weakest and least secure of the three forms discussed in this article, mainly because the SMS protocol itself is not secure, e.g. a man-in-the-middle (MitM) attack using a Signalling System No. 7 (SS7) hack (simply put, a hacker intercepting the required information being sent by SMS over the SS7 network). Because of the need for anonymity and privacy, users also frown on and shy away from leaving their phone numbers with a third party, as it raises the exposure level a notch higher in the event of a data breach.
TOTP 2FA – Time-based One-Time Password authentication validates the user with a code generated locally on the user’s device from a shared secret (e.g. the passcode generated by Google Authenticator); the code expires after a set period of time and a fresh one is generated again in a loop.
This is prone to key or device loss and to time-synchronisation errors.
U2F token – Universal Second Factor tokens validate the user with a physical device plugged into a USB (Universal Serial Bus) port or communicating over Near Field Communication (NFC), based on security technology similar to that found in smart cards.
The only drawback is that it is needed physically; if it is lost, authenticating the user’s identity is impossible.
And finally, the Web Authentication API validates the user using public-key cryptography for registration and authentication, enabling passwordless authentication and/or secure second-factor authentication without SMS texts.
Elements of a browser fingerprint
The level of detail includes your browser plug-in details, the time zone of the browser with a specific location (continent/city), the screen size and the colour depth of the computer! You would agree with me that these are just generic identifiers, but a fingerprint also has individual identifiers such as the canvas fingerprint hash and the WebGL fingerprint hash; these hashes are specific to a user’s device and settings and allow the device owner to be pinpointed in the world wide web haystack.
You can test your browser here https://coveryourtracks.eff.org/ to see the result and consider whether you are satisfied with that level of anonymity. See the comparison between Chrome incognito mode and the Tor browser.
What are cookies? Computer cookies or HTTP cookies are essentially small pieces of data saved by websites onto the user’s web browser when a session is initiated, usually with the intent of managing the session in the form of tracking and user personalisation.
They are text files with small amounts of data, like a user name or password, that are stored on one’s computer and enable the server to identify your computer as you use the network. For example, if you visit a website, the website would ask for permission (the cookie notification required by the General Data Protection Regulation (GDPR)) to save its cookies on your browser before the session commences. When you revisit the website after a few days or weeks, the website would know it is the same user. This data can be sniffed out and used to gain the same access as the real owner, with the website authenticating the access without any input.
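Whether a stolen cookie is usable at all depends on the attributes the website sets on it, so a practical defensive check is to audit Set-Cookie headers for the flags that limit theft: Secure (never sent over plain HTTP, so it cannot be sniffed on the wire), HttpOnly (not readable by scripts in the page) and SameSite (not attached to cross-site requests). The following is an added example of such an audit, my own code rather than anything from the article; the name fragments used to recognise session cookies and the sample headers are constructed for illustration.

```python
# Name fragments that mark a cookie as session/auth-bearing (my own heuristic, not a standard).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed sample headers, not captured from any real site.
WEAK_COOKIE = "sessionid=3f9a1c7e; Path=/"
HARDENED_COOKIE = "__Host-sessionid=3f9a1c7e; Path=/; Secure; HttpOnly; SameSite=Strict"
TRACKER_COOKIE = "tracker=1; Expires=Wed, 21 Oct 2026 07:28:00 GMT"
BAD_PREFIX_COOKIE = "__Host-sid=1; Secure; HttpOnly; SameSite=Lax; Domain=example.com"


def parse_set_cookie(header: str):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags such as Secure map to ""
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list:
    """Return a list of findings for one Set-Cookie header; an empty list means nothing to report."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    session_like = any(hint in name.lower() for hint in SESSION_HINTS)

    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP, where it can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by any script running in the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    if session_like and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent session cookie: survives browser close, widening the theft window")
    if name.startswith("__Host-"):
        # Browsers only honour the prefix when these three conditions hold.
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain; browsers reject it otherwise")
    elif session_like:
        findings.append("consider the __Host- prefix so the cookie is bound to this exact host")
    return findings


if __name__ == "__main__":
    for label, header in [("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE),
                          ("tracker", TRACKER_COOKIE), ("bad prefix", BAD_PREFIX_COOKIE)]:
        print(f"[{label}] {header}")
        for finding in audit_set_cookie(header) or ["ok"]:
            print("   -", finding)
```

As a user you cannot set these flags yourself, but the check explains why a sniffed cookie from one site is a full account takeover while the same theft on another site yields nothing, and it is the first thing to look at in a browser’s developer tools when deciding how much to trust a service with your crypto accounts.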
A password with high entropy and a hardware-generated possession factor of authentication are the best basic security setup; the other risks, associated with social engineering, trusting devices or websites and the like, are sorted out by building the right habits when online.
Furthermore, set up breach alerts via email and make sure they are not delivered to the junk folder. All these steps are akin to walking in a dark alleyway and knowing how to handle yourself when push comes to shove.