Op Ed: Why is it dangerous to store private encryption keys in the cloud?




There are two main reasons why storing your private cryptographic keys in the cloud is a bad idea. First, your cloud provider is a centralized back end that can suffer security breaches, allowing cybercriminals to access your data. For example, in August 2018, a fourth man was jailed in the United States for hacking private Apple iCloud accounts and leaking photos of Jennifer Lawrence, Kirsten Dunst, Mary Elizabeth Winstead and others. So it happens, and it will probably happen again.

The second, and more likely, threat is users falling for a phishing scam. Phishing is a social engineering technique in which cybercriminals trick people into handing their personal information to a counterfeit website designed to look like a legitimate one.

Meet "Adrian"

Adrian uses a Mac computer and an iPhone for work and for personal use. He uses iCloud for file storage. He is a very cautious guy: he likes to make sure that all his files are backed up regularly in the cloud and synchronized between his computer and his mobile device. iCloud is safe – it has state-of-the-art security – and it is owned and maintained by Apple. This means that Adrian's data in the cloud will probably be safer than on his mobile device. After all, he could lose his phone at any time or drop it in water.

Adrian likes to trade crypto. He is a customer of a crypto company called Coinbase. He prefers Coinbase to similar services because it is easy to use – it is aimed at everyday customers. Like everyone else, Adrian loves convenience. So, while he cares about security, he cares more about convenience.

If you prefer security to convenience, set aside how you feel right now and trust me when I say you are in the minority. Adrian is in the majority.

On February 12, 2019, Coinbase announced that customers such as Adrian can now "back up their encrypted private keys on Google Drive and iCloud with Coinbase Wallet".

Coinbase tells customers that:

Starting today, you can back up an encrypted version of your Coinbase Wallet private keys to your personal cloud storage accounts, using Google Drive or iCloud.

This new feature provides protection for users, helping them avoid losing their funds if they lose their device or lose their private keys.

Adrian is a busy guy, so he does not have time to read Coinbase's Medium post to the end. He usually just skims. Here is what Adrian took away from reading the post:

You can now back up your Coinbase Wallet private keys to your personal cloud storage accounts using Google Drive or iCloud.

Did you spot the difference? Of course you did. You always read an article carefully. And you half expected me to be making a point. I'm pretty sure some people will actually have to re-read the two paragraphs to find the difference.

Adrian will now store his unencrypted private keys in his personal iCloud account. He missed the most important part of Coinbase's message: you can now back up an encrypted version of your Coinbase Wallet private keys.
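The whole difference between the two readings above is whether the file that lands in the cloud is the raw key or an encrypted blob that is useless without a passphrase. The following added example (my illustration, not code from Paul Walsh's post, from Coinbase or from Coinbase Wallet) shows that difference with a constructed sample key: a passphrase is stretched with scrypt, the key is encrypted and authenticated, and a helper checks what someone who steals the cloud file would actually see. The cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC so the example runs with the Python standard library alone; a real wallet should use an AEAD such as AES-GCM and, as the post argues, keep the decryption passphrase far away from the same cloud account.

```python
import hashlib
import hmac
import os

# Constructed sample standing in for a wallet private key (32 bytes). Not a real key.
SAMPLE_PRIVATE_KEY = bytes.fromhex("11" * 32)


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase with scrypt into separate encryption and MAC keys."""
    km = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256 over (nonce || counter). Illustrative; use an AEAD in production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_for_backup(private_key: bytes, passphrase: str) -> bytes:
    """Produce the blob that is safe to upload: salt || nonce || ciphertext || tag."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, nonce, len(private_key))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_backup(blob: bytes, passphrase: str) -> bytes:
    """Recover the key on a new device; a wrong passphrase or a tampered file is rejected."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered backup")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def key_is_exposed(cloud_file: bytes, private_key: bytes) -> bool:
    """What a thief of the cloud file sees: is the raw key sitting inside it?"""
    return private_key in cloud_file


if __name__ == "__main__":
    blob = encrypt_for_backup(SAMPLE_PRIVATE_KEY, "correct horse battery staple")
    print("raw key exposed in encrypted backup:", key_is_exposed(blob, SAMPLE_PRIVATE_KEY))
    print("raw key exposed in unencrypted backup:", key_is_exposed(SAMPLE_PRIVATE_KEY, SAMPLE_PRIVATE_KEY))
    print("round trip ok:", decrypt_backup(blob, "correct horse battery staple") == SAMPLE_PRIVATE_KEY)
```

The point the example makes is that the file in iCloud is only as strong as the passphrase and the key-stretching behind it: the "unencrypted" reading of the announcement hands the key to anyone who gets into the cloud account, while the encrypted backup forces them through the passphrase as well.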


More than 90% of all data breaches start with phishing


On a Sunday afternoon, Adrian receives an email from Apple offering him a special deal on a new iPhone. It is well designed, as you would expect from Apple, and there are no spelling or grammatical mistakes. Most people who have had anti-phishing training would still fall for this scam.

So why would Adrian question it? Actually, he did. He checked the email to make sure it was from Apple.


Awesome. Adrian has now confirmed that the email does indeed come from Apple.

When he opens the link, Adrian is prompted to log in to his account to confirm his eligibility for the special offer. So he logs in to the site. Or at least he tries. After entering his credentials, he is redirected to an error page. He gives up and thinks nothing of it; he cannot be bothered to check.

Adrian has just fallen for phishing. His iTunes login credentials are compromised. Adrian is no different from most people: he uses the same username and password for his iCloud account because it is convenient and easy for him to remember. How can we expect him to remember 134 different passwords?
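Adrian "checked the email" by looking at the sender's display name, which is exactly the part a phisher controls. The following added example (my own illustration, not part of Paul Walsh's post and not any mail client's real logic) runs the checks that would have caught the lure: it ignores the display name and looks at the actual sender domain, at where each link really points, at whether the link text shows a different host than the href, and at punycode hosts. The two messages are constructed samples modelled on the story, and the trusted domain is an assumption for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption for the example: the brand the mail claims to be from, and its real domain.
TRUSTED_DOMAIN = "apple.com"

# Constructed lure modelled on the story above; not a real message.
LURE_EMAIL = """\
From: Apple <offers@apple.com-promo.example>
To: adrian@example.com
Subject: A special offer on a new iPhone
Content-Type: text/html; charset=utf-8

<html><body>
<p>Confirm your eligibility: <a href="https://apple.com.login-check.example/verify">https://www.apple.com/offer</a></p>
</body></html>
"""

# Constructed legitimate-looking message for comparison; also not real.
CLEAN_EMAIL = """\
From: Apple <no_reply@email.apple.com>
To: adrian@example.com
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.apple.com/account">Manage your account</a></p></body></html>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain; 'apple.com.example' does not qualify."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_domain(raw: str) -> str:
    """Domain of the real address in From:, ignoring the display name a phisher can set freely."""
    msg = email.message_from_string(raw, policy=policy.default)
    addr = msg["From"].addresses[0].addr_spec
    return addr.rsplit("@", 1)[1].lower()


def links(raw: str) -> list[tuple[str, str]]:
    """(href, visible text) pairs from the HTML body."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    return [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in HREF_RE.findall(body)]


def phishing_findings(raw: str, trusted: str = TRUSTED_DOMAIN) -> list[str]:
    """Human-readable reasons to distrust the message; empty means nothing suspicious was found."""
    findings = []
    sd = sender_domain(raw)
    if not host_belongs_to(sd, trusted):
        findings.append(f"sender domain {sd!r} is not {trusted}")
    for href, text in links(raw):
        target = (urlparse(href).hostname or "").lower()
        if not host_belongs_to(target, trusted):
            findings.append(f"link points to {target!r}, not {trusted}")
        shown = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
        if shown and shown.lower() != target:
            findings.append(f"link text shows {shown!r} but goes to {target!r}")
        if target.startswith("xn--") or ".xn--" in target:
            findings.append(f"link host {target!r} uses punycode (possible homograph)")
    return findings


if __name__ == "__main__":
    for name, sample in (("lure", LURE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_findings(sample) or ["no findings"])
```

The design choice worth noting is `host_belongs_to`: a naive `"apple.com" in host` test would accept `apple.com.login-check.example`, which is precisely the pattern a lure uses, so the check only accepts the trusted domain or a suffix match on `.apple.com`.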

Meet "Vlad"

Vlad is a cybercriminal, and he is the one who sent Adrian the spear-phishing email. He now has access to Adrian's private key. And the rest, as they say, is history. It is a story that keeps repeating itself. This social engineering tactic is not the only one available to him, and it is still fairly easy for Vlad to gather whatever other information he needs to complete his theft.

I have been advising dozens of leaders, including founders of crypto companies, over the past two years. In advising them on cybersecurity best practices, I have learned that no matter how much an individual knows about cybersecurity, they can easily fall for sophisticated phishing.

Even I could not tell that the Apple-style email above was fake until I investigated it further. I am not the average consumer, so what hope do they have? Most people will not investigate to make sure it is a legitimate email. They will open the link, log in to what they think is an Apple website and BOOM: their identity information is stolen.

$1.8 million – the average cost of a phishing attack on a medium-sized business in the United States

6.4 billion – the number of spoofed emails sent every day

30% – the percentage of phishing emails opened by employees

136% – the increase in exposed losses between 2016 and 2018

Source: White Paper published by Osterman Research on August 8, 2018.

What else does Adrian store on iCloud? Everything!

Personally, I do not recommend storing data as sensitive as your private keys in the cloud, even if they are encrypted. But I would not call out an individual for doing it. It is probably safe enough – for them.

However, it is not appropriate for a company as important as Coinbase to make such a recommendation to its customers. I was extremely surprised by their decision to promote this level of convenience at the expense of security.

I would like to urge Coinbase to reconsider their recommendation. Can they be blamed if Adrian decides to store unencrypted keys in iCloud even though they recommended storing encrypted keys? Some would say it is irresponsible. I have received messages via Telegram, Twitter and email from members of our community who are infuriated by the recommendation.

The ripple effect

Since people tend to exaggerate or stretch what they have been told, it is very likely that some customers will now take Coinbase's advice further than it was meant to go. In that spirit, Megan asks Adrian for advice on how to store her passwords. Adrian remembers Coinbase recommending iCloud as a secure place for private keys, so passwords should be safe there too. He advises Megan to save her usernames and passwords in her iCloud account.

Unless cybersecurity becomes an integral part of blockchain and crypto, and stakeholders take it more seriously, it will take much longer for this amazing technology and currency to achieve the mass adoption it deserves.


This is a guest post from Paul Walsh. The opinions expressed are his own and do not necessarily reflect those of Bitcoin Magazine or BTC Inc.
