Unless you've been living under a rock for the past few weeks, you've probably heard a little something about a digital currency called Bitcoin. The price of this and other cryptocurrencies has been soaring, and it's driving a tulip mania-style frenzy on Wall Street.
There is so much hype about alt-coins lately that there are now reports of people even taking out second mortgages and home equity lines to buy them. The volatility is so great that the Chicago Board Options Exchange (CBOE) halted bitcoin trading twice on Dec. 10 and once again on Dec. 13, and Coinbase halted litecoin and ethereum trading on Dec. 12.
For years, financial analysts have warned people away from cryptocurrency by arguing that it was too volatile to be a safe investment. However, with prices going sky-high, it's hard for investors and entrepreneurs to sit on the sidelines while a major new asset class emerges.
Before taking the plunge, though, investors need to understand the risks. The cryptocurrency markets aren't just volatile, they are also extremely murky and riddled with fraud. Since the launch of bitcoin in 2009, these markets have been plagued with cyber attacks and scams that have cost investors millions of dollars. To make matters worse, cryptocurrency isn't protected by the FDIC, so losses due to theft may not be covered.
There are two main ways cryptocurrency investors can lose their shirts to scammers.
The first is when hackers attack the infrastructure underpinning these coin markets (e.g., exchanges, digital wallets, mining companies and web host services). Reuters estimates that 980,000 bitcoins have been stolen from cryptocurrency exchanges since 2011, the equivalent of $15 billion to $18 billion at current prices. Recent examples include the NiceHash hack in December, which lost $64 million in investors' money; the Tether hack in November, which cost $30 million; and the exploitation of a software bug in Parity, which froze $160 million in investors' accounts. And let's not forget the massive Mt. Gox hack in 2014 -- $460 million was lost as a result.
The second is when criminals target investors directly. There are a variety of these online scams, which often use "social engineering" tactics, but the primary ones to worry about are initial coin offering (ICO) fraud, phone-porting, fake wallets and malware.
While there is not much investors can do to protect themselves against attacks on the cryptocurrency system, they can take measures to lower their own risk of falling for a targeted attack.
Here is a breakdown of these four attacks and ways to reduce the threat:
Initial Coin Offering (ICO) fraud
An ICO is when a newly invented cryptocurrency is launched to investors. Needless to say, this is an unregulated and risky activity all by itself, but it is also plagued by scammers.
There are two ways ICO fraud happens. The first is when criminals create a fake ICO and steal any money that investors give them. This is what happened in December, when the SEC shut down the PlexCoin ICO, which it alleges was a $15 million fraud.
The second type of ICO fraud is when hackers "spoof," or impersonate, a legitimate ICO and trick investors into paying them instead of the real company. This happened recently with messaging giant Kik's ICO, which goes to show it can affect even well-established companies. Typically, cybercriminals will create a fake website or social media account and use phishing emails to promote a phony "pre-sale" offer or other trick. Chainalysis recently estimated that ICO spoofing has victimized 30,000 investors this year alone, to the tune of $225 million.
Security tip: Do sufficient research on an ICO before buying in. Check industry sites like CoinDesk to verify the legitimacy of a claimed ICO. Don't fall for hard sell tactics or too-good-to-be-true offers, especially when received over email or social media messaging, as these are likely phishing attempts. See the SEC's tips on ICO investments.
Phone-porting
Cell phone identity theft, also known as "phone-porting," is when criminals commandeer a person's phone number by tricking the mobile provider into giving them control of the account. Once they have the phone number, they can reset the password to a digital wallet and drain the account. Since these cryptocurrency transactions can't be reversed, the investor can lose everything. According to Federal Trade Commission statistics, phone-porting attacks in general rose by 256 percent between 2013 and 2016.
Security tip: Mobile providers usually recommend adding a unique PIN and verification question to the account to improve security. However, a better solution is to switch two-factor authentication from SMS to a third-party service like Google Authenticator.
Fake digital wallets
Cryptocurrency has to be stored somewhere, and investors often use virtual wallets. The problem is that fake wallets occasionally appear online or in mobile app stores, and they may steal investors' savings. This happened recently with the bitcoin gold wallet scam, which reportedly stole $3 million. On Dec. 10, the popular service MyEtherWallet warned customers about a fake MyEtherWallet digital wallet app, which had risen to No. 3 in the iOS App Store's finance category.
Security tip: Before selecting a digital wallet provider, do your homework. Only use services that have a solid track record. Another option is to use an offline hardware wallet.
Malware
It's estimated that nearly one-third of all home computers are infected with some type of malware. Recently, a new category of malware has emerged that specializes in one activity -- stealing bitcoins. It can do this in a few different ways, such as stealing log-in credentials or the wallet itself, or getting in the middle of a transaction. Dell SecureWorks estimates this malware increased 11-fold between 2012 and 2014.
Security tip: Use a robust antivirus program and an inbound/outbound firewall to protect your computer. Use two-factor authentication and a password manager to protect the log-in.
Cryptocurrency investors face a lot of risks, not the least of which is scamming. Since this market is largely unregulated and unprotected, it is up to individual investors to account for their own security. Follow the above tips, and also take additional measures, such as encrypting the internet connection with a VPN (virtual private network). It's also not a bad idea to consider using a dedicated computer (i.e., it does nothing else but log in to your bitcoin account) to be safer when performing these transactions.