How Can Businesses Prevent Money Losses and Stay Secure in the World of Crypto?

Written by adam-stieb | Published 2022/11/10

TL;DR: Hackers use various methods to get to your assets, including phishing emails and fake wallets. Keeping a hard copy of your private key is the most common solution to storing it on a device. For business owners, the most relevant solutions include the use of an HSM (hardware security module). In 2022, Trezor clients received an email from the trezor.us domain mimicking a message from trezor.io that asked them to update their wallet software by following a link; it appeared to be a scheme aimed at stealing assets.

For a business owner, a lack of security is not an option, especially when it comes to the safety of money. No matter how strong and forward-thinking the solutions implemented in the digital space are nowadays, the human factor remains the key to a successful theft of assets. If you have organized a company, raised investments and worry about protecting that money, it’s crucial to take a dive and assess all the possible threats to the crypto services that are used for the company's purposes.

This article addresses the current issue of digital security and proposes solutions to particular threats that a business owner might face in the near future.

Implementing a preemptive-thinking culture

They say “forewarned is forearmed”, and not without foundation. Generally, there are 2 things that must be protected like the apple of your eye: a private key and a seed phrase (or the mnemonic). It’s easy to guess that ill-wishers aim to steal one of them, but how exactly? Here are the main methods they use to get to your assets.

  1. Device hack

Whether it’s a laptop or a smartphone, storing your private key there is not a good idea. Losing such a key equals losing a credit or debit card along with the PIN code. The consequences are obvious and need no further explanation.

What to do?

Find another way of storing sensitive information. In fact, keeping a hard copy of your private keys is the most common solution to this issue. However, a piece of paper doesn’t always seem to be the most solid way of storing them, so using a more creative approach on top of this will definitely increase your chances of avoiding the loss. As for business owners, the most relevant solutions are Cryptosteel, Cryptoart and the use of an HSM (hardware security module).

  2. Email phishing

Emails are an inseparable part of doing business and hackers know this like nobody else. For this reason, they send emails that supposedly come from a service you are accustomed to and ask for data to perform certain actions.

Their emails may impersonate a company representative (if you’re using a wallet service, for instance) who may ask you to share some personal information, even though an official representative will never try to do so. This is where the human factor comes into play and some people tend to provide the information.

What to do?

When you get a message of this kind, ignore it and immediately get in touch with the official representative of the company/service you work with. As a little life hack, you can always remind yourself: do official bank representatives ask for PIN codes?

  3. Fake wallets

Unfortunately, hackers succeed in making apps that impersonate official companies (like Trezor, for example) and avoid getting banned within the Google App Store platform. They use similar names and masquerade as official wallets. In 2022, Trezor clients received an email from the trezor.us domain mimicking a message from trezor.io that asked them to update their wallet software by following a link; it appeared to be a scheme aimed at stealing assets.

What to do?

Make sure to download the app from the official website of the wallet service. Some of these wallets may even ask for your mobile phone number to send a safe link that gets you to the app store.
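The trezor.us email described above can be flagged mechanically before anyone follows the link. An added example, not part of the original article: a Python check that compares a sender's domain with the vendor's official one. The `OFFICIAL_DOMAINS` list, the function names and every sample header other than the two domains named in the article are assumptions.

```python
from email.utils import parseaddr

# Assumption: the only domain the wallet vendor really sends mail from.
OFFICIAL_DOMAINS = {"trezor.io"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, official=OFFICIAL_DOMAINS) -> str:
    """Classify the domain in a From: header as official, lookalike or unrelated."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unrelated"
    # Exact match, or a subdomain of an official domain.
    if any(domain == good or domain.endswith("." + good) for good in official):
        return "official"
    for good in official:
        brand = good.split(".")[0]
        # Brand name reused under another TLD or inside another label
        # (trezor.us, trezor.io.account-check.example).
        if any(brand in label for label in domain.split(".")):
            return "lookalike"
        # Near-miss spelling of the whole domain (trezar.io).
        if edit_distance(domain, good) <= 2:
            return "lookalike"
    return "unrelated"


# Constructed From: headers; only trezor.us and trezor.io come from the article.
SAMPLES = [
    '"Trezor" <noreply@trezor.us>',
    "support@trezor.io",
    "alerts@trezar.io",
    "billing@partner.example",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):10} {header}")
```

The From: header itself can be forged, so this check complements SPF, DKIM and DMARC enforcement on the mail gateway rather than replacing it.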

  4. Malware

Getting hold of your data is crucial to hackers. Keyloggers are malware that perfectly suits this goal: they record every password, PIN and mnemonic and pass them on to an interested person. There are 3 ways to get infected with a keylogger:

  • Email;
  • Running infected software from a particular website or torrent;
  • Inserting an infected USB.

There are also trojans that are similar to keyloggers and can monitor your behavior and steal anything that looks like a private key. When a trojan gets its job done, a hacker will quickly and easily destroy your crypto address without you even noticing.

Moreover, there's malware that tampers with your clipboard: you copy a wallet address to transfer money, and when you paste it, the address is a different one. A program under the name CryptoShuffler has stolen over $150,000 by doing exactly that.

What to do?

Make sure your antivirus system scans all the attachments that you download. Make sure to have a reliable antivirus system for corporate purposes so that you and your employees who work with crypto can detect malware in time. Also, don’t forget to double check the wallet address you are pasting.

  5. Impersonation

Pretending to be some company, crypto exchange or a particular person is very beneficial to hackers and remains one of the most common ways to achieve their intentions. This approach is fully based on the human factor and is generally a lot easier, because breaking into a computer system is a more complicated task. In this case, impersonators are interested in stealing your account, not hacking. They will ask you to make transactions to particular addresses. More cunning hackers create websites where you can see your “investments” and then ask you to share some data.

What to do?

The issue addressed here is tied to our personal qualities, so pay attention, double check everything, don’t make hasty decisions and convey this information to your employees.

  6. Browser extensions

Extensions that you install on your browser can make your life easier, but they are also a potential threat to your security. There have been many reports of extensions that, apart from delivering their services, monitor and copy data for hackers. In 2020 alone, Google removed 49 Chrome extensions caught stealing crypto-wallet keys.

What to do?

Before installing an extension, verify the company or developer behind it. Checking (and double checking) reviews online is also a good idea.

  7. Bypassing 2FA

Trusted wallet providers always use two-factor authentication to ensure real people are behind certain operations. While 2FA remains an effective way to protect customers from fraudulent activities, there have been cases when hackers found ways to bypass this layer of security.

For instance, attackers can intercept SMS messages due to vulnerabilities in the data sending protocol. Hackers may also infect a smartphone with malware in advance, clone cards of mobile operators, and hack into user accounts on a website. Their goal is to gain control over all the protections that a visitor uses. After that, hacking a crypto wallet is no longer necessary: the scammers already have access to the cryptocurrency.

What to do?

Keep an eye on the notifications you receive and keep in mind everything that is said here.


Going further. Considering multisig and cold wallets

Everything that is covered up to this point affects hot wallets (that are always connected to the internet) and single private keys used for them, but there is a lot more to consider when thinking about security. Let’s take a look at solutions that will boost your security level so you won’t ever worry this much about getting hacked or losing large amounts of money.

Hot and cold wallets

Striking the right balance between functionality and security is always a relevant issue that is now solved by using hot and cold wallets. On the one hand, hot wallets are very functional, but lack security. On the other hand there are cold wallets that are quite secure, but lack functionality. Now the question arises: what to choose?

Well, those who have been in crypto for a long time benefit from the hybrid experience by storing their funds on physical devices (such as Ledger or Trezor) and transferring them via internet-connected ones. Hardware wallets are less convenient than hot wallets because they have to be powered on and then connected to the internet. In addition, they can cost you between $50 and $200. Nevertheless, it’s a small price to pay to protect your business from losing all its funds, because such devices are designed to be immune to hacking.

However, hot wallets are also in demand for businesses due to their ease of use for receiving, storing, exchanging and sending payments. Because they are always online, there’s no need to transition between offline and online to make a cryptocurrency transaction. Such wallets are used to instantly pay and bill partners, as well as to make different crypto payouts to multiple addresses from one single wallet. For large amounts, some systems require at least 2 of the customer’s administrators to approve the transaction prior to it being signed.

That being said, if you are looking for a low-risk option, the hybrid strategy is the way to go.

Multisig wallets

A multisig (multi-signature) wallet can be one of the most precious tools for crypto businesses. But what is a multisig wallet, you might ask? Now it’s time to get to the best part.

A multisig wallet is a special type of crypto wallet that can be accessed only when 2 or more signatures are entered together. It is essentially the digital version of a multi-key secure deposit box that can only be opened when multiple keys are inserted into multiple locks.

Transactions in such wallets are also made when multiple users enter their own unique signatures or keys. A user can create a rule and determine the number of signatures needed to complete the operation/transaction: 1 of 2, 2 of 3, 5 of 8 etc. Such transactions don’t expire: they remain pending until all of the required keys sign the transaction. Multisig wallets don’t have a hierarchy, which means that no specific signature is needed to validate and complete the transaction.

A multisig wallet is a must-have for every business that doesn't want to depend on a single key holder who may be unable or unwilling to make transactions. The use of a multisig process facilitates access to funds and enables different employees to transact as required.

Apart from increased security, one of the main advantages of using a multisig wallet is decision-making, when a group of keyholders is able to control funds together. Everyone can see the budget and propose various changes, but no one can transfer money on their own. The wallet primarily acts as a form of voting, where a transaction does not pass through until a certain majority of users agree on it.
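The M-of-N rule and the voting behaviour described above, as an added Python example that is not from the original article or from any wallet's code. HMAC-SHA256 with per-signer secrets stands in for real public-key signatures so that it runs on the standard library; the signer names, keys and payment are constructed.

```python
import hashlib
import hmac
import json


def tx_digest(tx: dict) -> bytes:
    """Canonical hash of the transaction that every signer approves."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()


def sign(key: bytes, tx: dict) -> bytes:
    # Stand-in: HMAC-SHA256 with a per-signer secret replaces a real
    # public-key signature so the example needs no third-party library.
    return hmac.new(key, tx_digest(tx), hashlib.sha256).digest()


class PendingTx:
    """M-of-N approval record: pending until M distinct signers approve."""

    def __init__(self, tx: dict, signer_keys: dict, threshold: int):
        if not 1 <= threshold <= len(signer_keys):
            raise ValueError("threshold must be between 1 and the signer count")
        self.tx, self.signer_keys, self.threshold = tx, signer_keys, threshold
        self.approved = set()

    def add_signature(self, signer: str, sig: bytes) -> bool:
        key = self.signer_keys.get(signer)
        if key is None:
            return False  # not one of the N keyholders
        if not hmac.compare_digest(sign(key, self.tx), sig):
            return False  # signature is for a different transaction or key
        self.approved.add(signer)  # a set: signing twice counts once
        return True

    @property
    def status(self) -> str:
        return "ready" if len(self.approved) >= self.threshold else "pending"


# Constructed 2-of-3 setup; names, keys and the payment are sample values.
KEYS = {"ceo": b"k-ceo", "cfo": b"k-cfo", "ops": b"k-ops"}
PAYMENT = {"to": "supplier-address-placeholder", "amount": "1.5"}


def run_demo() -> list:
    tx = PendingTx(PAYMENT, KEYS, threshold=2)
    steps = [tx.add_signature("cfo", sign(KEYS["cfo"], PAYMENT)), tx.status]
    steps += [tx.add_signature("cfo", sign(KEYS["cfo"], PAYMENT)), tx.status]
    altered = dict(PAYMENT, to="other-address-placeholder")
    steps += [tx.add_signature("ops", sign(KEYS["ops"], altered)), tx.status]
    steps += [tx.add_signature("ops", sign(KEYS["ops"], PAYMENT)), tx.status]
    return steps
```

The same signer approving twice leaves the payment pending, and an approval made over an altered payment is rejected, so only two distinct keyholders agreeing on the same transaction release it.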

As for the disadvantages, use of such wallets affects transaction speed as it requires multiple signatures. But probably the most common obstacle here is technical knowledge that is necessary in order to set up a multisig wallet. Moreover, there are some legal nuances that haven’t yet caught up with the new technology. Luckily, there are third-party wallet providers and companies that help businesses in solving such issues (like Roketo, BitPay or Casa), especially when it comes to the use of multisig wallets.

Conclusion

As can be seen from the above, there are numerous ways to increase the security of your business that must be taken seriously into consideration. Among them, the use of a multisig wallet proves to be an excellent way to address security concerns and makes it easier for groups of people to fairly control funds. Having said that, when it comes to doing business with multiple parties, a multisig wallet is a must-have.


Published by HackerNoon on 2022/11/10