Investing is a risky business. Who doesn’t know someone who knows someone who lost all their money in the stock market, or got scammed out of their savings? And that’s just traditional markets. ICOs have opened up the playing field to a new kind of investor and a different type of criminal: the cybercriminal, waiting to rob you blind with no weapons or warning.
Note that we’re not talking about ICO scams or inexperienced teams with poor money management skills here. We’re looking at the critical vulnerabilities in how ICOs accept your Ether. According to a survey by Positive.com, last year’s ICOs had an average of five security vulnerabilities each, making them easy prey for hackers.
These flaws ranged from mild to medium to downright critical; in fact, some 47 percent of all ICO vulnerabilities found were rated medium to high severity. Just one flaw in a smart contract is enough to cause unthinkable damage (think of the DAO hack).
There’s a Lot of Money on the Table
Cryptocurrency has become a magnet for criminal activity because exchanges, wallets, and secondary software are just so easy to hack. Considering that more than $12 billion in funds have been raised by ICOs so far (and the fact that over 10 percent of all 2017’s funds were lost or stolen), it’s like stealing candy from a baby.
Positive.com discovered that 71 percent of the ICOs it tested contained flaws in their smart contracts. And once the ICO begins, there’s no turning back.
What’s behind these flaws? In many cases, human error, a lack of programming expertise, or insufficient testing. Maybe a combination of these things. Think Parity Wallet at the end of last year. Other vulnerabilities included weak web applications, which can lead to the loss of millions of dollars in a few minutes.
The Top 5 ICO Security Vulnerabilities
5. Attacks on ICO Organizers
One in three ICOs tested had critical flaws that could enable attacks on the ICO organizers themselves. These include attack strategies such as email account hijacking, using information from social media profiles, purchasing data on the dark web, and using social engineering tactics to bypass 2FA. If an email account is hijacked, the ICO password can be reset, and the hacker can then replace the wallet address. Think Coindash.io, which lost $7 million.
4. Smart Contract Errors
We may have fallen victim to marketing hype, but smart contracts are not always secure. In fact, they’re only as good as the programmer who coded them. Positive.com found that most smart contract errors stemmed from non-compliance with the ERC20 standard (the token interface that crypto exchanges and digital wallets rely on) or from incorrect random number generation, mainly due to a lack of experience or testing.
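Non-compliance with ERC20 is something a team can check mechanically before the sale opens. The script below is an added example, not code from the article or from Positive.com: it compares a compiled contract's ABI (the JSON array that solc emits) against the six functions and two events that EIP-20 requires, and reports anything missing or declared with the wrong signature. The two ABIs it checks are constructed fixtures; the deviations they show (a `transfer` that returns nothing, and a missing `approve`/`Approval`) are the kind that break exchange and wallet integrations.

```python
import json

# Required ERC-20 surface (EIP-20): function name -> (input types, output types).
ERC20_FUNCTIONS = {
    "totalSupply":  ((), ("uint256",)),
    "balanceOf":    (("address",), ("uint256",)),
    "transfer":     (("address", "uint256"), ("bool",)),
    "transferFrom": (("address", "address", "uint256"), ("bool",)),
    "approve":      (("address", "uint256"), ("bool",)),
    "allowance":    (("address", "address"), ("uint256",)),
}
# Required events: event name -> input types.
ERC20_EVENTS = {
    "Transfer": ("address", "address", "uint256"),
    "Approval": ("address", "address", "uint256"),
}


def _types(params):
    """Type tuple of an ABI parameter list (empty when the key is absent)."""
    return tuple(p["type"] for p in (params or []))


def check_erc20(abi):
    """Compare a contract ABI (list of dicts, as emitted by solc) against the
    ERC-20 interface and return a list of human-readable findings.
    An empty list means every required function and event is present with
    the expected signature."""
    findings = []
    for name, (inputs, outputs) in ERC20_FUNCTIONS.items():
        candidates = [e for e in abi if e.get("type") == "function" and e.get("name") == name]
        if not candidates:
            findings.append(f"missing function {name}")
            continue
        # Overloads are allowed; the check passes if any overload matches exactly.
        if not any(_types(e.get("inputs")) == inputs and _types(e.get("outputs")) == outputs
                   for e in candidates):
            got = [(_types(e.get("inputs")), _types(e.get("outputs"))) for e in candidates]
            findings.append(f"{name}: expected {inputs} -> {outputs}, got {got}")
    for name, inputs in ERC20_EVENTS.items():
        candidates = [e for e in abi if e.get("type") == "event" and e.get("name") == name]
        if not candidates:
            findings.append(f"missing event {name}")
        elif not any(_types(e.get("inputs")) == inputs for e in candidates):
            findings.append(f"event {name}: expected {inputs}")
    return findings


def check_erc20_json(text):
    """Same check for ABI JSON text, e.g. the 'abi' array of a solc artifact."""
    return check_erc20(json.loads(text))


# Helpers to build constructed ABI entries for the fixtures below.
def _fn(name, inputs, outputs, mutability="nonpayable"):
    return {"type": "function", "name": name, "stateMutability": mutability,
            "inputs": [{"name": f"a{i}", "type": t} for i, t in enumerate(inputs)],
            "outputs": [{"name": "", "type": t} for t in outputs]}


def _ev(name, inputs):
    return {"type": "event", "name": name,
            "inputs": [{"name": f"a{i}", "type": t, "indexed": i < 2}
                       for i, t in enumerate(inputs)]}


# Constructed ABI of a token that deviates from the standard in two common ways:
# transfer() returns nothing, and approve()/Approval are missing altogether.
NONCOMPLIANT_ABI = [
    _fn("totalSupply", (), ("uint256",), "view"),
    _fn("balanceOf", ("address",), ("uint256",), "view"),
    _fn("transfer", ("address", "uint256"), ()),
    _fn("transferFrom", ("address", "address", "uint256"), ("bool",)),
    _fn("allowance", ("address", "address"), ("uint256",), "view"),
    _ev("Transfer", ("address", "address", "uint256")),
]

# The same token with both deviations fixed.
FIXED_ABI = [e for e in NONCOMPLIANT_ABI if e["name"] != "transfer"] + [
    _fn("transfer", ("address", "uint256"), ("bool",)),
    _fn("approve", ("address", "uint256"), ("bool",)),
    _ev("Approval", ("address", "address", "uint256")),
]

if __name__ == "__main__":
    for label, abi in (("non-compliant", NONCOMPLIANT_ABI), ("fixed", FIXED_ABI)):
        print(label + ":", check_erc20(abi) or "OK")
```

The check is deliberately strict about return types: a `transfer` that does not return `bool` compiles and even works when called directly, but callers written against the standard interface (exchanges, wallets, other contracts) may revert or misread the result. Running it against the real artifact is a one-liner with `check_erc20_json(open("Token.json").read()["abi"])` adapted to the artifact layout in use.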
3. Web Application Errors
Among the web application errors found were problems with web3.js (blockchain security and backend implementation), as well as general errors including web server disclosure of sensitive information, insecure data transfers, code injection, and arbitrary file reading.
2. Attacks on Investors
Positive.com found that 23 percent of the projects it assessed had some really sloppy, easily avoidable mistakes that could lead to attacks on investors, chiefly social engineering tactics that can result in phishing. These vulnerabilities can be mitigated by ensuring that all variants of the domain name are registered, including likely misspellings, and by registering the matching account names on social media.
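Registering "all variants" of a domain starts with enumerating them. The function below is an added example (not from the article or from Positive.com) that produces the lookalike list a team would hand to its registrar, or feed into a daily watchlist that checks whether someone else has registered one of them: single-character omissions, adjacent transpositions, doubled characters, inserted hyphens, and the same name under other common TLDs. The TLD list and the sample domain are assumptions for the demonstration.

```python
# Common alternative TLDs to cover; extend for the markets the project sells into.
COMMON_TLDS = ("com", "net", "org", "io", "co")


def lookalike_domains(domain, tlds=COMMON_TLDS):
    """Return a sorted list of lookalike domains derived from `domain`
    (label.tld) by the edits most often seen in phishing registrations:
    one character omitted, two adjacent characters swapped, one character
    doubled, a hyphen inserted, and the same label under other TLDs.
    The original domain itself is never included."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                 # omission
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])  # doubling
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        variants.add(swapped)                                   # transposition
    for i in range(1, len(label)):
        variants.add(label[:i] + "-" + label[i:])               # hyphenation
    variants.discard(label)   # edits on repeated letters can reproduce the original
    variants.discard("")
    result = {f"{v}.{tld}" for v in variants}
    result |= {f"{label}.{t}" for t in tlds if t != tld}        # other TLDs
    result.discard(domain.lower())
    return sorted(result)


if __name__ == "__main__":
    # "example.com" is a constructed sample, not a real project's domain.
    for candidate in lookalike_domains("example.com"):
        print(candidate)
```

The list is intentionally generous; the cheap decision is to register the handful of variants that look most convincing and put the rest on a monitoring list, since a newly registered lookalike appearing during the token sale is an early warning that investors are about to be phished.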
1. Mobile App Vulnerabilities
Ironically, some ICO teams go to greater lengths to boost investor confidence by launching mobile apps, but they end up shooting themselves in the foot. There were actually 2.5 times more flaws in ICO mobile apps than web applications. And here’s the kicker: Positive.com found vulnerabilities in 100 percent of all ICO mobile apps tested.
The most common problems included insecure data transfers, the way in which user data is stored in backups, and session ID disclosure. All these flaws make it easier for hackers to gather the ammunition they need to launch an attack.
Don’t invest in ICOs.
No, seriously. Invest in ICOs if you want to, but remember that the moment an ICO goes public, it’s not only potential investors who are alerted. Cybercriminals can immediately glean the potential value and start scouring for vulnerabilities. Since ICO teams are generally new kids on the block, they’re often an easy target for cybercrime.
What this means for ICO teams is that they need to take their cybersecurity very seriously if they want to instill investor confidence. Every last detail and line of code should be checked and tested to ensure the platform is as robust as possible.
And as for investors? There are a lot of people after your money. And they’ll go to great lengths to get it. Don’t get lax when it comes to your data and don’t invest in sketchy-looking ICOs. You may not always be able to prevent an attack, but you can certainly make it harder for hackers to meddle with your digital affairs.