MetaBlaze Talks Cryptocurrency Wallet Security: Multi-Factor Authentication
Head of Cybersecurity at MetaBlaze Raises Awareness on Crypto Wallet Safety.
How secure is your wallet? At this point, most people are aware of the benefits of owning cryptocurrency. However, crypto theft has become a stark reality.
Like anything connected to the internet, there will always exist methods of compromise. What we can do is make the process of exploiting our accounts as tedious, and thus as secure, as possible. The best way to ensure the security of crypto wallets, such as Trust Wallet, is through the use of secure Multi-Factor Authentication (MFA). However, not all MFA methods are as secure as others. For example, a website that requires a password and a PIN is not a true MFA method. Three factors make up MFA. In order to count as true MFA, rather than merely two steps that rely on the same factor, at least two of the following must be in place:
- Something you know
- Something you have
- Something you are
In the example above, the factor being used for both the password and the PIN is “something you know”. Something you know — would be a password or something that you need to remember. Something you have — would be something such as a smart card or security token, or perhaps a key fob with a new PIN generated every minute. Something you are — would be a biological/biometric check such as a fingerprint or facial recognition scan.
Surprisingly enough, biometrics (something you are) can be easily forged by an attacker, not to mention there is a much higher rate of false positive readings with biometrics than with any other form of authentication. Therefore, the two best factors for multi-factor authentication on crypto wallets would be “something you know”, a secure password, and “something you have”, for instance a token from an authenticator app on your phone.
In 2022, many people already have a secondary factor implemented for their accounts. When they attempt to log in to their wallet, an SMS verification code is sent to their phone, and they enter the verification code on the login page to complete the log in. Once this is done, they are granted a session cookie known as an Access Control Token (ACT). This token is what the website or wallet service uses to verify that the user has been authenticated, thus granting them access to the web pages.
The vulnerability in SMS verification codes is due to an attack called SIM swapping. A SIM swap attack is perpetrated when a bad actor switches the SIM card from the victim’s phone to one that the attacker is in possession of. In doing so, the phone in their possession is given the victim’s phone number, therefore forwarding the SMS message containing the verification code to the phone in the attacker’s possession.
SIM swapping is illegal and usually involves stealing a device from a cellular storefront, or socially engineering an employee at a cellular provider and using coercion to swap the SIM. SIM-swapping attacks are on the rise, and cyber-criminals are seeking access to your crypto wallets. As seen just last week, a person in Florida lost upwards of $18,000 from their crypto wallet due to a SIM-swapping attack.
Once the attacker has switched the SIM card to their device, they begin to receive the SMS codes. From here, they begin to launder the funds. This is usually done by exchanging one cryptocurrency for another multiple times and eventually using the funds to purchase anonymous prepaid debit or gift cards, to avoid depositing the funds into a bank account that can be linked back to themselves.
Several mobile apps are designed for exactly this purpose, such as Duo Mobile, LastPass, Google Authenticator, and Microsoft Authenticator. These apps generate their own verification codes and have their own login information that you create, thus mitigating the risk of a SIM swap.
To properly mitigate the risks associated with crypto-wallet takeover or theft attacks, starting with strong authentication is paramount. At times, utilizing MFA on such accounts can prove to be the last line of defense in both sophisticated and randomized attacks. If SMS-based two-factor authentication is available, this is certainly a step above simple username and password authentication.
However, wherever possible, seek to implement true multi-factor authentication via more secure applications.
MetaBlaze is a blockchain-based gaming company that uses $MBLZ to power its ecosystem. Built on the Binance Smart Chain, MetaBlaze merges popular elements of GameFi and DeFi to create a synergistic ecosystem of Web 3 technologies.