{"id":20523,"date":"2019-02-18T21:19:18","date_gmt":"2019-02-18T21:19:18","guid":{"rendered":"http:\/\/ci027cfe6f900026c3"},"modified":"2019-02-18T21:19:18","modified_gmt":"2019-02-18T21:19:18","slug":"op-ed-why-its-unsafe-to-store-private-crypto-keys-in-the-cloud","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/culture\/op-ed-why-its-unsafe-to-store-private-crypto-keys-in-the-cloud","title":{"rendered":"Op Ed: Why It\u2019s Unsafe to Store Private Crypto Keys in the Cloud"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/op-ed-why-its-unsafe-to-store-private-crypto-keys-in-the-cloud.jpg\" title=\"\"><\/figure>\n<p>There are two primary reasons why storing your private crypto keys in the cloud is a bad idea. First, your cloud provider represents a centralized honeypot that could experience a security breach, allowing cyber criminals to access your data. For example, in August 2018, a fourth <a href=\"https:\/\/www.computerweekly.com\/news\/252447812\/Fourth-man-jailed-for-iCloud-celebrity-hacking\" target=\"_blank\" rel=\"noopener\">man was jailed<\/a> in the U.S. for hacking into private Apple iCloud accounts and leaking nude photos of Jennifer Lawrence, Kirsten Dunst, Mary Elizabeth Winstead and others. So it does happen. And it will probably happen again in the future.<\/p>\n<p>The second and more likely threat is the threat of users <a href=\"http:\/\/medium.com\/@paul__walsh\" target=\"_blank\" rel=\"noopener\">falling for a phishing scam<\/a>. Phishing is a social engineering technique used by cyber criminals to trick people into handing their personal credentials over to a counterfeit website that is designed to look like the legitimate one.<\/p>\n<h3>Meet &#8220;Adrian&#8221;<\/h3>\n<p>Adrian uses a Mac computer and an iPhone for work and personal use. He uses iCloud for file storage. 
He\u2019s a pretty careful kind of guy \u2014 he likes to make sure all of his files are backed up regularly in the Cloud and synchronized across his computer and mobile device. iCloud is safe \u2014 it has state-of-the-art security \u2014 and it is owned and maintained by Apple. This means that Adrian\u2019s data in the Cloud is likely to be safer than on his mobile device. After all, he could lose his mobile at any time or drop it into water.<\/p>\n<p>Adrian likes to trade crypto. He\u2019s a customer of a crypto company called Coinbase. He prefers Coinbase over other similar solutions because their service is easy to use \u2014 they cater to mainstream customers. Like everyone else, Adrian loves convenience. So, while he cares about security, he cares more about convenience.<\/p>\n<p>If you prefer security over convenience, please disregard how you feel right now and take my word for it when I say that you are in the minority. Adrian is in the majority.<\/p>\n<p>On February 12, 2019, Coinbase announced that customers like Adrian can now \u201c<a href=\"https:\/\/blog.coinbase.com\/backup-your-private-keys-on-google-drive-and-icloud-with-coinbase-wallet-3c3f3fdc86dc\" target=\"_blank\" rel=\"noopener\">back up their encrypted private keys on Google Drive and iCloud with Coinbase Wallet<\/a>.\u201d<\/p>\n<p>Coinbase is telling customers that:<\/p>\n<blockquote>\n<p><em>Starting today, you can now backup an encrypted version of your Coinbase Wallet\u2019s private keys to your personal cloud storage accounts, using either Google Drive or iCloud.<\/em><\/p>\n<\/blockquote>\n<blockquote>\n<p><em>This new feature provides a safeguard for users, helping them avoid losing their funds if they lose their device or misplace their private keys.<\/em><\/p>\n<\/blockquote>\n<p>Adrian is a busy guy, so he doesn\u2019t have time to finish reading Coinbase\u2019s Medium post. And he generally likes to skim. 
Here are the basics of what Adrian took away from reading the post:<\/p>\n<p><em>You can now backup your Coinbase Wallet\u2019s private keys to your personal cloud storage accounts, using either Google Drive or iCloud.<\/em><\/p>\n<p>See the difference? Of course you did. You always pay attention when you read an article. And you were half-expecting me to prove a point. I\u2019m almost certain that some people will actually need to reread both paragraphs to spot the difference.<\/p>\n<p>Adrian now goes on to store his unencrypted private keys to his <em>personal iCloud account.<\/em> He overlooked the most important part of Coinbase\u2019s message \u2014 <em>you can now backup an <\/em><strong><em>ENCRYPTED<\/em><\/strong><em> version of your Coinbase Wallet\u2019s private keys.<\/em><\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/screen_shot_2019-02-13_at_90136_amoriginal.png\" title=\"\"><\/figure>\n<h3>Over 90 Percent of All Data Breaches Start With Phishing<\/h3>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/screen_shot_2019-02-18_at_111117_amoriginal.png\" title=\"\"><\/figure>\n<p>One Sunday afternoon, Adrian gets an email from Apple, offering him a special deal on a new iPhone. It\u2019s well-designed, as you would expect from Apple, and there are no spelling mistakes or grammatical errors. Most people who have gone through anti-phishing awareness training would fall for this scam.<\/p>\n<p>So why would Adrian question it? OK, he did question it. He checked the email to make sure it\u2019s actually from Apple.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/screen_shot_2019-02-13_at_91034_amoriginal.png\" title=\"\"><\/figure>\n<p>Great. 
Adrian has now confirmed that the email is really from Apple.<\/p>\n<p>When he opens the link, Adrian is asked to sign into his account to confirm he is eligible for the special offer. So, he signs into the website. Or at least he tries. After entering his credentials, he\u2019s redirected to an error page. He gives up and doesn\u2019t think anything of it \u2014 he can\u2019t be bothered to check.<\/p>\n<p>Adrian has just fallen for a phishing scam. His personal credentials to iTunes are compromised. Adrian is no different from most people: He uses the same username and password for his iCloud account because it\u2019s convenient and it\u2019s easy for him to remember. How can anyone expect him to remember 134 different passwords?<\/p>\n<h3>Meet &#8220;Vlad&#8221;<\/h3>\n<p>Vlad is a cyber criminal and he\u2019s the one who sent Adrian the spear-phishing email. He now has access to Adrian\u2019s private key. And the rest of the story, as they say, is history. It\u2019s history being repeated. There\u2019s more to this social engineering tactic, but it\u2019s still rather easy for Vlad to gather all of the other information that he needs to finish his heist.<\/p>\n<p>I have advised dozens of executives, including founders of crypto companies, over the past two years. When advising them on cybersecurity best practices, I learned that no matter how well informed a person is with regard to cybersecurity, they can easily fall for a sophisticated phishing scam.<\/p>\n<p>Even I couldn\u2019t tell that the Apple lookalike email above was a fake until I investigated further. I\u2019m not the average consumer \u2014 so what hope do they have? Most people will not investigate to make sure this is a legitimate email. 
They will open the link, sign into what they think is an Apple website and BOOM \u2014 their credentials are stolen.<\/p>\n<blockquote>\n<p>$1.8 million &#8211; the average cost of a phishing attack on a mid-size company in the U.S.<\/p>\n<\/blockquote>\n<blockquote>\n<p>6.4 billion &#8211; number of spoofed messages sent every day<\/p>\n<\/blockquote>\n<blockquote>\n<p>30 &#8211; the percentage of phishing emails that are opened by employees<\/p>\n<\/blockquote>\n<blockquote>\n<p>136 &#8211; the increase in exposed losses between 2016 and 2018<\/p>\n<\/blockquote>\n<p><a href=\"https:\/\/resources.malwarebytes.com\/files\/2018\/08\/GLOBAL-White-Hat-Black-Hat-and-the-Emergence-of-the-Gray-Hat-The-True-Costs-of-Cybercrime_Sponsored-by-Malwarebytes.pdf\" target=\"_blank\" rel=\"noopener\"><em>Source: An Osterman Research white paper published August 8, 2018<\/em><\/a><\/p>\n<p>What else does Adrian store on iCloud? Everything!<\/p>\n<p>I personally don\u2019t recommend storing anything that is as sensitive as your private keys in the Cloud, even if they are encrypted. But I wouldn\u2019t call out a person for doing it. It\u2019s probably safe \u2014 for them.<\/p>\n<p>It\u2019s not OK, however, for a prominent company such as Coinbase to make such a recommendation to customers. I was extremely surprised by their decision to promote this level of convenience over security.<\/p>\n<p>I would like to strongly urge Coinbase to reverse their recommendation. Can they be blamed if Adrian decides to store <em>unencrypted<\/em> keys in iCloud even though it was recommended that he store his <em>encrypted<\/em> keys? Some would say yes, it\u2019s irresponsible. I received messages across Telegram, Twitter and email from our community members who were exasperated by the recommendation.<\/p>\n<h3>The Ripple Effect<\/h3>\n<p>Given that people tend to exaggerate or extend what they have been told, it\u2019s very likely that some customers will now extend the advice given to them by Coinbase. 
In that context, Megan asks Adrian for some advice on how to store her passwords. Adrian recalls Coinbase advising iCloud as a secure place for private keys, so it must be safe for passwords. So he advises Megan to save her usernames and passwords in her iCloud account.<\/p>\n<p>Unless cybersecurity becomes part of the fabric of blockchain and crypto with stakeholders taking it more seriously, it will take much longer for this amazing technology and currency to get the mass adoption that it deserves.<\/p>\n<p><em>This is a guest post by Paul Walsh. Opinions expressed are his own and do not necessarily reflect those of Bitcoin Magazine or BTC Inc.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unless cybersecurity becomes part of the fabric of blockchain and crypto with stakeholders taking it more seriously, it will take much longer for this amazing technology and currency to get the mass adoption that it deserves.<\/p>\n","protected":false},"author":3475,"featured_media":20525,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[190,3253,330],"class_list":{"0":"post-20523","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-culture","8":"tag-coinbase","9":"tag-phishing","10":"tag-security"},"author_data":{"id":3475,"name":"Paul 
Walsh","nicename":"paul-walsh","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/cropped-bitcoin-schmitcoin-promo-image-1-2-96x96.png"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/op-ed-why-its-unsafe-to-store-private-crypto-keys-in-the-cloud.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/20523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/3475"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=20523"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/20523\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/20525"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=20523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=20523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=20523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}