While crypto wallets may be considered to be at the sharp end of payments innovation, the security vulnerabilities they face are much the same as those that already exist in digital banking and payments, according to a recent report by Javelin Strategy and Research. Al Pascual, Javelin’s senior vice president and lead author of the research, discusses the report’s findings in an interview with Information Security Media Group.
Digital wallets are designed for storing cryptocurrencies safely online or offline. The research looks specifically at the security capabilities of these wallets and assesses whether they are sufficiently secure for their purpose.
“If you think about what fraud looks like for these, and if you think about custodial wallets, they’re very much like a bank account – you’re the one responsible for their failure,” Pascual says.
“These criminals have gotten really good; they cut their teeth on the banks and a lot of banks obviously have very good security. So with some of these wallets, their security isn’t at the same level and it’s pretty easy for them to manipulate users to potentially socially engineer to glean credentials and access accounts.”
Critical Security Features
Crypto wallets that rank highest in fraud prevention, detection and resolution, Pascual says, have good authentication as well as alerts and notification capabilities.
“Like with banks, fraudster are going to test, see how much they can move and a lot of this is immutable”, says Pascual. “If they leave with your crypto, that crypto is probably gone.”
In the interview (see audio link below photo), Pascual discusses:
The difference between custodial, noncustodial and multisignature crypto wallets and the threat profiles for each;
The types of fraud schemes targeting crypto wallets that are the most prevalent;
The similarities between crypto wallet security and digital banking and payment security.
Pascual is Javelin’s senior vice president of research and head of fraud and security. Previously, he held risk management roles at HSBC, Goldman Sachs and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators and the Federal Reserve Secure Payments Task Force.
Plan Your Security Transformation With Results from the ExpertsPresented by Tata Communications 60 minutes
Learn from our peers’ struggles in 2017 to plan your 2018 security transformation
Today’s most advanced threat actors – whether external or internal – are stealthier than ever and able to hide within one’s systems for days, weeks or even months as they gather intel and prepare to strike. Sixty-one percent of security leaders rate the strength of their organizations’ overall security posture as above average or superior, as compared to peers in their sectors.
Yet, 77 percent of these same leaders say advanced threats against their critical information systems have increased over the past 12 months. And 46 percent say that, when it comes to detecting and stopping these advanced threats, their organizations’ security postures are mostly or fully reactive.
These are among the results of the 2017 Security Transformation Study. Register for this webinar which examines the newly released survey results and learn more about:
The state of organizations’ security posture going into 2018;
Which factors most prevent organizations from enhancing their threat-hunting capabilities;
Which key investments organizations are looking to make in 2018 to create a more proactive security organization.
This survey was conducted online in the summer 2017, and it generated more than 260 responses from security leaders around the globe, with emphasis on North America, EMEA, India and APAC. Responses were consistent from organizations in all regions and sectors, with little statistical deviation. Forty percent of the respondent organizations have 10,000 or more employees.
US, UK and Canada Have Begun Probing Data Leak and Privacy RepercussionsJeremy Kirk (jeremy_kirk) • March 21, 2018
Regulators, attorneys general and lawmakers in the U.S., U.K. and Canada continue to spring into action to try and unravel the events that led to the personal information of as many as 60 million Facebook users leaking to a voter-profiling firm (see Probes Begin as Facebook Slammed by Data Leak Blowback).
The firm, London-based Cambridge Analytica, claims to be able to sway voters through careful profiling of online platforms and crafted social media messaging.
Since 2015, Facebook knew the firm had acquired the data by means that violated its own policies, and some particulars of the situation have featured in press reports for at least a year. But information disclosed by Chris Wylie, a former Cambridge Analytics data scientist turned whistleblower, featured in an
Observer report this past weekend, has turned what started as an apparent Facebook policy violation into a global privacy scandal.
Worries have been fueled following the U.K.’s Channel 4 broadcasting an undercover video of Cambridge Analytica’s CEO, Alexander Nix. In the video, first broadcast Monday, Nix describes a variety of ethically questionable techniques the firm, which was employed by President Donald Trump’s campaign, could use to swing elections. A second installment, broadcast Tuesday, raised further eyebrows owing to Cambridge Analytica executives claiming their firm ran “all” of President Trump’s 2016 digital campaign and that their efforts left “no paper trail.”
An investigation by Channel 4 News has revealed how Cambridge Analytica claims it ran “all” of President Trump’s digital campaign – and may have broken election law. Executives were secretly filmed saying they leave “no paper trail.”
As a result, Cambridge Analytica’s board suspended Nix, saying on Tuesday that his comments as captured by Channel 4 “do not represent the values or operations of the firm.” The board says it’s launched its own investigation into whether employees violated any laws.
Cambridge Analytica didn’t immediately respond to a request for comment about whether Nix continues to have any role with Cambridge Analytica’s parent company, SCL Group, where he worked as a director for 14 years before setting up the subsidiary in 2013.
FTC Launches Investigation
Meanwhile, Facebook is being called to account for how it manages and secures personal data, and it’s facing inquires from lawmakers as well as regulators both inside the U.S. and abroad.
On Tuesday, the Washington Post reported that the U.S. Federal Trade Commission has opened an investigation into the matter. The publication cites anonymous sources because the FTC does not confirm investigations.
Facebook has previously run afoul of the FTC over privacy-related concerns. In 2011, the agency accused Facebook of unfair and deceptive practices by assuring users their personal information could be kept private, but still sharing it with third parties. Facebook reached a settlement agreement with the regulator. If it’s since violated that agreement, however, it could face millions of dollars in fines.
The FTC’s settlement agreement appears to be highly relevant to the unfolding Cambridge Analytica scandal. In one section of the FTC’s 2011 complaint, the regulator contended that even if a user restricted access to their profile information to “only friends” or “friends of friends,” that setting didn’t necessarily restrict access to their information by third parties.
The FTC’s 2011 order against Facebook.
The FTC contended that if someone’s friend installed a particular app, that app could still pull their birthday, hometown, activities, interests, status updates, marital status, education, place of employment, photos and videos.
As part of the settlement agreement reached in November 2011, Facebook was supposed to stop that practice, among many others. But the transfer of that kind of information to third parties without a Facebook user’s consent is what has come to the forefront in the controversy with Cambridge Analytica.
As part of Facebook’s 2011 settlement with the FTC, the company is also required to obtain a third-party audit every two years that examines its privacy program and compliance with the FTC’s order.
Cambridge Analytica acquired the data in question from a University of Cambridge psychology lecturer, Aleksandr Kogan. Kogan deployed a Facebook app in 2014 called “thisisyourdigitallife,” which paid users to participate in a personality survey.
About 270,000 people installed the app. But the app also could pull profile data from anyone who was friends with someone who installed it, increasing its reach to as many as 60 million users. From a reading of Facebook’s settlement agreement with the FTC, it would appear that Kogan’s app shouldn’t have been able to do that.
Facebook contends Kogan lied to the company, presenting the app initially as an academic project, but then later passing the data to Cambridge Analytica for commercial use. Multiple reports have suggested that Cambridge Analytica is a shell company, and that the funding ultimately came from SCL Group.
Psychology Lecturer Says He’s a Scapegoat
Kogan told BBC Radio 4’s Today program on Wednesday that he’s been unfairly blamed for the debacle.
“My view is that I’m being basically used as a scapegoat by both Facebook and Cambridge Analytica,” he said. “Honestly we thought we were acting perfectly appropriately. We thought we were doing something that was really normal.”
Scientist Aleksandr Kogan, whose app was used to gather personal details from millions of Facebook users, now at the centre of the Facebook/Cambridge Analytica data controversy, says he is being “scapegoated” #r4todaypic.twitter.com/JpEEZ4u1eP
“Consumers have a right to know how their information is used – and companies like Facebook have a fundamental responsibility to protect their users’ personal information,” Schneiderman says. “New Yorkers deserve answers, and if any company or individual violated the law, we will hold them accountable.”
New Jersey Attorney General Gurbir S. Grewal on Tuesday said his office has also launched an investigation into how data for Facebook users ended up in Cambridge Analytica’s hands.
“I am particularly troubled by reports that Facebook may have allowed Cambridge to harvest and monetize its users’ private data, despite Facebook’s promises to keep that information secure,” Grewel says. “At this point we have many questions and few answers, and New Jersey’s residents deserve to know what happened.”
Facebook Goes to Washington
Facebook CEO Mark Zuckerberg has yet to comment publicly on the Cambridge Analytica scandal, although the company has issued several statements. Facebook largely blames Kogan, whom the company contends violated its rules by sharing the data with Cambridge Analytica (see Facebook Attempts to Explain Data Leak, Denies ‘Breach’).
“The entire company is outraged we were deceived,” Facebook says in a statement that attempts to paint the data leak as a policy-infringement matter (see Facebook: Day of Reckoning, or Back to Business as Usual?). “We are committed to vigorously enforcing our policies to protect people’s information and will take whatever steps are required to see that this happens.”
Facebook’s response to date hasn’t quelled critics, who question whether the technology giant realized the gravity of the situation when it first learned of the leak in 2015. Several U.S. senators, including Sen. Dianne Feinstein of California, the top Democrat on the Judiciary Committee, have called on Zuckerberg to testify before Congress.
Facebook is due to brief Senate and House aides on Wednesday. The company is expected to meet with Senate Commerce, Science and Transportation Committee staff, as well as staffers from the House and Senate Intelligence committees, the House Energy and Commerce Committee, the Senate Commerce Committee and the House and Senate Judiciary committees, The Hill reports.
The Senate Intelligence Committee, which is also investigating Russian interference in U.S. elections, will conduct its own investigation of the matter, an unnamed Congressional official with knowledge of the investigation tells Reuters.
Rep. Adam Schiff of California, the highest-ranking Democrat on the House Intelligence Committee, which has been investigating Russia’s use of social media to manipulate U.S. public opinion, has also called on Zuckerberg to testify. “I think it would be beneficial to have him come testify before the appropriate oversight committees,” he told the Washington Post. “And not just Mark but the other CEOs of the other major companies that operate in this space.”
Schiff said whistleblower Chris Wylie has agreed to testify before the House Intelligence Committee, and he says the panel request that Alexander Nix do the same. “The American people cannot rely solely on the investigative work of journalists; Congress also has an obligation to get the truth,” Schiff says.
Canada, UK Investigate
Meanwhile, several countries are probing Cambridge Analytica and Facebook.
The president of the European Parliament, Italian politician Antonio Tajani, says he’s “invited” Zuckerberg to address EU lawmakers. “Facebook needs to clarify before the representatives of 500 million Europeans that personal data is not being used to manipulate democracy,” he says.
In the U.K., the Information Commissioner’s Office, an independent authority set up to uphold information rights in the public interest, issued a “demand for access” to Cambridge Analytica for its records and data on March 7. The company did not reply, so the ICO says it is now seeking a warrant. Facebook had dispatched auditors to Cambridge Analytica’s London offices, but it withdrew the team after the ICO requested that they stand down.
On Tuesday, Canada’s privacy commissioner said his office has launched its own investigation and that it has already been in contact with the ICO.
“We have received a complaint against Facebook in relation to allegations involving Cambridge Analytica and have therefore opened a formal investigation,” says Privacy Commissioner Daniel Therrien. “The first step will be to confirm with the company whether the personal information of Facebook users in Canada was affected.”
The investigation will examine whether Facebook complied with PIPEDA – Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act.
“The allegations we’ve seen in media reports raise extremely important privacy questions,” Therrien says. “The digital world, and social media in particular, have become entrenched in our daily lives and people want their rights to be respected.”
Executive Editor Mathew Schwartz contributed to this article.
The flaws were first publicized on March 13 by CTS Labs, an Israeli cybersecurity startup that launched a website and released a white paper to announce the flaws. The company’s moves, and a statement saying that it may have an economic interest in the performance of AMD’s stock, had led some to dismiss the firm’s actions as a PR stunt (see AMD Chipset Flaws Are Real, But Experts Question Disclosure).
AMD, based in Santa Clara, California, says it first learned of the flaws less than 24 hours before CTS Labs publicly released the information. CTS said the 13 flaws fell into four sets, which it’s called Masterkey, Ryzenfall, Fallout and Chimera, the latter being an alleged backdoor.
Seven days after the vulnerabilities became public knowledge, AMD confirmed the flaws, which exist in the embedded security control processor – called AMD Secure Processor – built into some of its CPUs. Also at risk are the chipsets in two types of microprocessor socket platforms – the AM4 and TR4 – used by AMD’s CPUs. The AM4 is part of AMD’s Zen and Excavator microarchitectures, while the TR4 is part of its Zen-based Ryzen Threadripper desktop processors.
Fix development is underway. “AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations,” Mark Papermaster, AMD’s chief technology officer, says in a Tuesday blog post.
AMD says the flaws can be grouped into three major categories:
Masterkey and Platform Security Processor Privilege Escalation: An attacker could circumvent platform security controls – in a manner that survives rebooting – by flashing the firmware “to corrupt its contents,” which the AMD Secure Processor would not detect.
Ryzenfall and Fallout: An attacker could circumvent platform security controls – but not in a manner that survives across reboots – by abusing the PSP APIs to execute arbitrary code.
Chimera: An attacker could install a malicious driver in the “Promontory” chipset used in many socket AM4 desktop and socket TR4 high-end desktop platforms.
For the first two groups, AMD says it plans a “firmware patch release” for its PSP firmware, which will be installed via a BIOS update. For the third set of flaws, “AMD is working with the third-party provider that designed and manufactured the ‘Promontory’ chipset on appropriate mitigations,” it says.
AMD adds that it expects the fixes to have “no performance impact.”
Admin Access Required
An attacker would require administrative access to a system to exploit any of the flaws. Still, a successful attack would likely leave few traces, meaning that exploiting these flaws could be of great interest to intelligence agencies or sophisticated crime cartels.
Papermaster says that would-be attackers would face significant obstacles, including having to gain in-person or remote administrative access to a system. “All modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues,” he says.
“There is no immediate risk of exploitation of these vulnerabilities for most users.”
—Dan Guido, Trail of Bits
None of the flaws are connected in any way to the trio of speculative execution vulnerabilities known as Spectre and Meltdown that first came to light publicly in January, AMD says. Millions of processors built by Intel, AMD and ARM are vulnerable to variant 1 or variant 2 of the flaws, known as Spectre. Many Intel processors, as well as some built by ARM, are also vulnerable to variant 3, known as Meltdown (see Microsoft Offers Payouts for New Spectre, Meltdown Flaws).
13 Flaws: Little Immediate Risk
AMD has yet to release a timeline of when it expects to release fixes for the 13 flaws. But Papermaster says more technical analysis and mitigation plan information will be released “in the coming weeks.”
Dan Guido, CEO of Trail of Bits – an information security consultancy that says it was contacted and later paid by CTS Labs to review its research before it was publicly released – says the 13 flaws publicized by CTS Labs pose little immediate risk.
“There is no immediate risk of exploitation of these vulnerabilities for most users,” Guido says in a blog post. “Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers.”
Guido says these types of vulnerabilities are widespread and that chipmakers should be doing a better job of finding and fixing them before independent security researchers discover them.
“These types of vulnerabilities should not surprise any security researchers; similar flaws have been found in other embedded systems that have attempted to implement security features,” he says. “They are the result of simple programming flaws, unclear security boundaries and insufficient security testing. In contrast, the recent Meltdown and Spectre flaws required previously unknown techniques and novel research advances to discover and exploit.”
AMD describes the patches being “released in the coming weeks … through a BIOS update.” I deferred to AMD in our blog on the subject of mitigations, but the delivery method and that amount of time (April/May?) seem reasonable.
Many researchers and organizations, including Google, have chosen to pursue “coordinated disclosure” programs that give organizations up to 90 days to mitigate or warn of bugs in their products before publicly releasing bug information. Some organizations also run bug bounty programs that pay researchers for their efforts, often in exchange for their agreeing to certain terms and conditions. But otherwise, researchers have no legal obligation to provide 90 days’ notice (see Google’s Psychological Patch Warfare).
But in the case of the Spectre and Meltdown flaws, Google agreed to a seven-month delay before publicizing the flaws, owing both to the dangers they posed as well as the difficulty that chipmakers Intel, AMD and ARM would face when attempting to coordinate, distribute and see their microcode updates for mitigating the problems to be patched in part via operating system updates.