Australian Cryptocurrency Theft Highlights Security Mistakes
AU$450,000 of Ripple Lost After Email, Cryptocurrency Account Takeovers
Australian police have charged a 23-year-old woman in the theft of AU$450,000 (US$318,000) worth of the virtual currency XRP, also known as Ripple, in what is believed to be one of the largest cryptocurrency thefts from a single victim.
The details of the case highlight that despite the oft-repeated advice about how to protect cryptocurrency accounts, the most basic security messaging isn't being heeded.
The victim, a 56-year-old man, saw 100,000 units of XRP transferred out of his account with a Sydney-based exchange without his authorization. He noticed the loss following a two-day period in mid-January when he was locked out of his account with the exchange, New South Wales Police say.
The timing for the perpetrator couldn't have been better. Cryptocurrencies launched into a bull run in mid-December 2017, and XRP reached its peak on Jan. 8 at US$3.38, or in Australian dollars at the time, about AU$4.50.
The value of XRP, as of all cryptocurrencies, has fallen precipitously since then. But 100,000 XRP would still be worth around AU$65,000, according to the exchange rate on Friday.
On Thursday morning, police raided a home in the Sydney suburb of Epping to arrest a woman, who was not identified. She was charged with receiving the proceeds of crime. Police say they seized various electronic equipment, computers, mobile phones and documentation.
The suspect has been released on bail and will appear in court in Sydney on Nov. 19.
NSW Police are not releasing the precise details of how the attack was executed but have broadly outlined how the man's XRP was stolen.
The man's Hotmail email account was linked to the exchange where he held the XRP, says Detective Inspector Gordon Arbinja. The man believes his Hotmail account was compromised in December 2017. Then, in January, someone logged into his account with the cryptocurrency exchange and locked him out.
Neither the Hotmail account nor the exchange account had two-step verification enabled, which likely would have thwarted the account takeovers, Arbinja says. The 100,000 XRP were then transferred to an exchange in China, where they were used to buy bitcoin.
Use Two-Step Verification
There's an immediate lesson to learn from this case: Use two-step verification on all accounts - especially those that are linked with any cryptocurrency holdings.
Even then, advanced attack scenarios can undermine two-step verification, particularly if the two-step code is sent over SMS. Police and identity theft experts in Australia say there has been a sharp spike in SIM hijackings, where an attacker steals someone's phone number (see: Gone in 15 Minutes: Australia's Phone Number Theft Problem).
SIM hijackings are executed by taking advantage of the poor controls mobile operators have around number porting. A safer way to use two-step verification is to use an application, such as Google Authenticator or Authy, to generate a code that is not sent over the mobile channel.
Ironically, police allege that after the woman took over the victim's account, she enabled two-step verification on his account with a different phone number.
The man also made another unfortunate mistake: leaving cryptocurrency on an exchange. Cryptocurrency exchanges are among the most attractive targets for cybercriminals, and there is a long list of exchanges that have suffered attacks.
For users of a breached exchange, that means that even if their own login credentials were never compromised, they still lost their funds. There are risks, of course, with holding cryptocurrency on a computer. But those risks can be mitigated by creating "cold" wallets - printing the private keys and storing them in a safe place - or using secure hardware wallets.
Chance of Restitution?
Whether the man's funds will be recovered remains to be seen. That will depend, in part, on whether the bitcoin was transferred back from the exchange in China to any of the devices that have been seized by police.
Arbinja says police seized a hardware wallet. These wallets, such as the Ledger or Trezor, aim to make storing cryptocurrency safer by using a variety of cryptographic protections and other safeguards.
Those devices can be configured to erase their data. For example, Trezor users can set a PIN of up to nine digits to access the device. Each wrong guess then forces a longer wait before another attempt is allowed. A Trezor will automatically wipe itself after 16 incorrect passcode attempts. After that happens, the only way to recover the wallet is using the recovery seed.
If police seize such a device that holds stolen funds, it may be difficult or impossible to recover the cryptocurrency without either the passcode, PIN or seed phrase.
Some Australian states have laws that mandate a suspect must disclose passwords at the direction of a court, but New South Wales does not have such a provision, Arbinja says.
National legislation under consideration could change that. Australian lawmakers are debating legislation called the Assistance and Access Bill 2018 (see: Tech Companies Bristle at Australia's Crypto Legislation). The bill aims to enable the state to compel technology companies to enable access to encrypted content. It would also mandate a penalty of up to 10 years in prison for refusing to disclose information, such as a password, that's needed to access a device.
Australia predicts that virtually all communications between organized criminals and terrorist groups will be encrypted by 2020. And cryptocurrency is also playing a key role, both in the ability to quickly move funds and for money laundering.
"The use of cryptocurrency among criminal groups is advancing definitely," Arbinja says. "It's not going anywhere."