Ron Stoner is the Head of Security at US-based crypto security specialist Casa.
Operational security, or OPSEC, is the process of performing risk management by defining what information you are trying to secure, what is required to achieve that goal, and then taking the practical steps required.
The philosophy behind OPSEC primarily focuses on thinking like your attacker, understanding who that attacker may be, and what steps they may take to exploit you.
Performing good OPSEC is especially essential for cryptocurrency key-signing devices, such as hardware wallets. Hardware wallets are considered “cold wallets” because they have no direct internet functionality and must be attached to another device, such as a smartphone or PC, to bridge to the internet and perform a transaction.
These hardware devices and the bridge they connect via are the most crucial points of failure when performing cryptocurrency transactions.
With 2022 becoming the worst year on record for cryptocurrency hacks, with $3.8 billion stolen, OPSEC has never been more critical. As the digital asset space becomes more mainstream, attackers seek new ways to exploit users and platforms.
While the stakes and risk profile for every entity using digital assets will vary, all users should obey best practices for protecting their value.
Securing The Signing Environment
Before signing transactions, look at your environment to identify anything that could serve as an attack vector.
Assuming you are in an otherwise private setting, such as your home, this includes things like cameras or microphones, which are present on almost all modern laptops and mobile devices.
Don’t forget about various Internet of Things (IoT) products such as smart TVs, Alexa, etc. Any of these can be potentially used to spy on you while you perform a transaction.
As such, it’s essential to “clean” your working space of anything that could be potentially tapped into — powering down or even removing these devices from the area of operation altogether.
While this may come across as a little paranoid, if large, critical amounts of money are on the line, it is one important aspect of protecting you from attackers.
Signing transactions from any public space, such as an office, library, or cafe, is generally not recommended, but you may sometimes have no other alternative. If this is the case, several steps can be taken to maximize security.
Once again, you’ll want to account for any security cameras in the area. These days, CCTV, especially HD and 4K resolution cameras, can easily read what is displayed on a computer or mobile phone screen within the field of view.
Of course — and hopefully, this goes without saying — there shouldn’t be any other people in direct proximity. It is best to find the most secluded space possible, an empty workroom, for example.
Update All Involved Devices
Perhaps most importantly, you’ll want to update all software and firmware on any devices involved in the signing process.
If you aren’t using a computer or mobile device directly, then your hardware wallet will need to connect to one to transmit a transaction.
Theoretically, hardware wallets are designed so that it shouldn’t matter if the unit they connect to is compromised. All processes happen on the wallet itself; PCs or smartphones are only used to broadcast the transaction.
However, some forms of malware can alter various aspects of a transaction, including the amount and the recipient address. Even the change address — an address where the change from a transaction goes after the chosen amount has been sent to the recipient — can be manipulated, a field that is easy to overlook.
If you are using a phone or computer, you will want to update your operating system with the latest security patch. Your wallet’s firmware, too, should be regulatory updated.
Though unless the update involves a specific urgent security threat, it is often better to wait a few days after a new release to upgrade. This is because it’s common for there to be bugs present in the latest patches, which tend to be resolved quickly but can cause headaches. For this reason, giving non-critical updates a bit of room to be tested is a good idea.
One last thing to remember is to continually update all software and firmware only from official sources, like a website or repository.
Try to learn to use tools like GPG to check the file signatures against the officially documented ones to confirm all data matches what is supposed to be there.
Never trust any links, even those coming from within a given piece of software itself, as there are far too many ways they can be used as a means of attack.
As an example, the popular Bitcoin wallet Electrum suffered an attack in 2020 that allowed malicious actors to push a message to all users through the app itself, claiming the need for an update with a link provided.
As it turned out, the link was a phishing attack that installed a corrupt version of Electrum on the victim’s machine. This gave the attackers full control of the wallets of those who installed the malicious software, resulting in the loss of millions of dollars in user funds.
Easily Overlooked OPSEC Procedures
One of the most obvious attack vectors to address is human error. Even if you think you have good security, humans tend to develop a false sense of security when nothing goes wrong, leading to lax practices.
The worst failures happen when you let your guard down. Never rush a signing event; ensure you have plenty of uninterrupted time.
Hurrying or being distracted are great ways to overlook something like double-checking your transaction data before confirming a signature.
While we’ve mentioned several lines of defense, the latter should never be taken for granted. Double and triple-check the amounts and addresses involved in any transaction because it could save you from making a major mistake.
Also, be extremely wary of using public charging stations or even unknown, third-party USB cables. There are seemingly innocuous USB cables circulating with tiny chips inside the head that can intercept and inject data — hijacking a cryptocurrency transaction and wreaking havoc.
Combined with some issues around compatibility and device wear, it is always best to use the USB cables that are packaged with any external signing device.
Health Checks Can Provide Quick Confidence In Your Keys
Lastly, there’s a technique that some signing devices offer that can be invaluable in boosting security. Known as a “health check,” this technique provides an easy way to verify that your keys are available for signing transactions.
If you were to run a health check on a mobile phone, the check would first confirm that your key is available locally and that the device is working correctly. It will also ensure that the same valid key is backed up securely on the cloud.
This can all be automated with a simple click, and the user will be alerted if anything is wrong.
The same basic steps apply for hardware wallets, but the external device will need to be connected to a computer or mobile phone. Health checks can be done for multiple keys on multi-signature wallets as well.
Importantly, If these keys are stored across different devices, the health check should be run on every relevant unit.
While the world of OPSEC is complex and ever-changing, securing the environment, keeping all devices updated, and ensuring they’ve accounted for easily overlooked issues, are essential steps to staying ahead of attackers.
By combining these strategies with regular health checks every six months, users can significantly improve the security that protects their cryptocurrency funds.
– Trezor Issues a Security Warning
– This Popular Hardware Wallet was Hacked by a Cybersecurity Firm – Should You Be Concerned?
– Crypto Hackers & Fraudsters Stole $1.62 Billion in Q4 Alone
– Web3 Lost Nearly $4 Billion To Fraudsters Last Year – Will Things Improve in 2023
– Crypto Scammer Gets Away with $1.2M in ARB Tokens Through ‘Address Poisoning’ Attack – Here’s What Happened
– Crypto Wallet Maker Ledger Raises $109 Million in Latest Funding Round – Is the Bull Market Back?
– MetaMask Introduces More Payment Options for Buying Cryptocurrencies – Crypto Adoption on the Rise?
– Apple Approves Decentralized Exchange Uniswap iOS Wallet App – Here’s How it Works
– How to Choose a Bitcoin Wallet?
– 3 Ways to Set Up an Ethereum Wallet