Op Ed: Why It’s Unsafe to Store Private Crypto Keys in the Cloud
There are two primary reasons why storing your private crypto keys in the cloud is a bad idea. First, your cloud provider represents a centralized honeypot that could experience a security breach, allowing cyber criminals to access your data. For example, in August 2018, a fourth man was jailed in the U.S. for hacking into private Apple iCloud accounts and leaking nude photos of Jennifer Lawrence, Kirsten Dunst, Mary Elizabeth Winstead and others. So it does happen. And it will probably happen again in the future.
The second and more likely threat is the threat of users falling for a phishing scam. Phishing is a social engineering technique used by cyber criminals to trick people into handing their personal credentials over to a counterfeit website that is designed to look like the legitimate one.
Meet “Adrian”
Adrian uses a Mac computer and an iPhone for work and personal use. He uses iCloud for file storage. He’s a pretty careful kind of guy — he likes to make sure all of his files are backed up regularly in the Cloud and synchronized across his computer and mobile device. iCloud is safe — it has state-of-the-art security — and it is owned and maintained by Apple. This means that Adrian’s data in the Cloud is likely to be safer than on his mobile device. After all, he could lose his mobile at any time or drop it into water.
Adrian likes to trade crypto. He’s a customer of a crypto company called Coinbase. He prefers Coinbase over other similar solutions because their service is easy to use — they cater to mainstream customers. Like everyone else, Adrian loves convenience. So, while he cares about security, he cares more about convenience.
If you prefer security over convenience, please disregard how you feel right now and take my word for it when I say that you are in the minority. Adrian is in the majority.
On February 12, 2019, Coinbase announced that customers like Adrian can now “back up their encrypted private keys on Google Drive and iCloud with Coinbase Wallet.”
Coinbase is telling customers that:
Starting today, you can now backup an encrypted version of your Coinbase Wallet’s private keys to your personal cloud storage accounts, using either Google Drive or iCloud.
This new feature provides a safeguard for users, helping them avoid losing their funds if they lose their device or misplace their private keys.
Adrian is a busy guy, so he doesn’t have time to finish reading Coinbase’s Medium post. And he generally likes to skim. Here are the basics of what Adrian took away from reading the post:
You can now backup your Coinbase Wallet’s private keys to your personal cloud storage accounts, using either Google Drive or iCloud.
See the difference? Of course you did. You always pay attention when you read an article. And you were half-expecting me to prove a point. I’m almost certain that some people will actually need to reread both paragraphs to spot the difference.
Adrian now goes on to store his unencrypted private keys to his personal iCloud account. He overlooked the most important part of Coinbase’s message — you can now backup an ENCRYPTED version of your Coinbase Wallet’s private keys.
Over 90 Percent of All Data Breaches Start With Phishing
One Sunday afternoon, Adrian gets an email from Apple, offering him a special deal on a new iPhone. It’s well-designed as you would expect from Apple, and there are no spelling mistakes or grammatical errors. Most people who have gone through anti-phishing awareness training would fall for this scam.
So why would Adrian question it? OK, he did question it. He checked the email to make sure it’s actually from Apple.
Great. Adrian has now confirmed that the email is really from Apple.
When he opens the link, Adrian is asked to sign into his account to confirm he is eligible for the special offer. So, he signs into the website. Or at least he tries. After entering his credentials, he’s redirected to an error page. He gives up and doesn’t think anything of it — he can’t be bothered to check.
Adrian has just fallen for a phishing scam. His personal credentials to iTunes are compromised. Adrian is no different from most people: He uses the same username and password for his iCloud account because it’s convenient and it’s easy for him to remember. How can anyone expect him to remember 134 different passwords?
Meet “Vlad”
Vlad is a cyber criminal and he’s the one who sent Adrian the spear-phishing email. He now has access to Adrian’s private key. And the rest of the story, as they say, is history. It’s history being repeated. There’s more to this social engineering tactic but it’s still rather easy for Vlad to gather all of the other information that he needs to finish his heist.
I have advised dozens of executives, including founders of crypto companies, over the past two years. When advising them on cybersecurity best practices, I learned that no matter how well informed a person is with regard to cybersecurity, they can easily fall for a sophisticated phishing scam.
Even I couldn’t tell that the Apple lookalike email above was a fake until I investigated further. I’m not the average consumer — so what hope do they have? Most people will not investigate to make sure this is a legitimate email. They will open the link, sign into what they think is an Apple website and BOOM — their credentials are stolen.
$1.8 million – the average cost of a phishing attack on a mid-size company in the U.S.
6.4 billion – number of spoofed messages sent every day
30% – the percentage of phishing emails that are opened by employees
136% – the increase in exposed losses between 2016 and 2018
Source: An Osterman Research white paper published August 8, 2018
What else does Adrian store on iCloud? Everything!
I personally don’t recommend storing anything that is as sensitive as your private keys in the Cloud, even if they are encrypted. But I wouldn’t call out a person for doing it. It’s probably safe — for them.
It’s not OK, however, for a prominent company such as Coinbase to make such a recommendation to customers. I was extremely surprised by their decision to promote this level of convenience over security.
I would like to strongly urge Coinbase to reverse their recommendation. Can they be blamed if Adrian decides to store unencrypted keys in iCloud even though it was recommended that he store his encrypted keys? Some would say yes, it’s irresponsible. I received messages across Telegram, Twitter and email from our community members who were exasperated by the recommendation.
The Ripple Effect
Given that people tend to exaggerate or extend what they have been told, it’s very likely that some customers will now extend the advice given to them by Coinbase. In that context, Megan asks Adrian for some advice on how to store her passwords. Adrian recalls Coinbase advising iCloud as a secure place for private keys, so it must be safe for passwords. So he advises Megan to save her usernames and passwords in her iCloud account.
Unless cybersecurity becomes part of the fabric of blockchain and crypto with stakeholders taking it more seriously, it will take much longer for this amazing technology and currency to get the mass adoption that it deserves.
This is a guest post by Paul Walsh. Opinions expressed are his own and do not necessarily reflect those of Bitcoin Magazine or BTC Inc.
This article originally appeared on Bitcoin Magazine.