
How do you stop ICO heists? With machine learning and a lot of common sense

by John Biggs, September 17th, 2017

_Paul Walsh is the founder of MetaCert, a company that started out trying to stop fake news and suddenly discovered that its software was able to ensure that token sales were safe and secure by making sure that any link that appears in a Slack chat room is real. This has, at least for some ICOs, kept millions of dollars worth of tokens safe. Let’s see how he does it._

JB: Tell me about MetaCert. What does it do?

Paul: MetaCert is a security company that protects companies and communities of all sizes from malicious links when using messaging services such as Slack and HipChat. We have security products for other platforms such as Messenger and Skype but we are now laser focused on helping to protect cryptocurrency communities from phishing attacks inside Slack as that’s currently the number one problem faced by Token launches, ICOs and their investors.

JB: It seems like security exploits are everywhere today. What should consumers do to protect themselves? What should organizations be doing differently?

P: People are usually the weakest link when it comes to an exploit. Consumers need to stay vigilant at all times. I have three pieces of advice and if followed, many consumers will stay more safe.

First, never use SMS for the second level / backup password known as 2FA (2 factor authenticator). It’s easy for the bad guys to call your cell provider and get text messages redirected to their phone. They don’t even need to hack into your Gmail account — they simply do a password reset by sending it to your, no, their phone. Instead use a mobile app that acts as the second layer of authentication — it’s much safer.

If you like to invest in cryptocurrencies and you get a message about an ICO or Token discount that’s time sensitive and it sounds too good to be true, it is. Contact the company directly and ask them if it’s real. Crypto companies will not have time sensitive deals that make you act within minutes or even hours. So don’t get caught off guard — this is how very smart people get duped.

My third tip — when visiting websites that require a login, especially when they request a credit card, or crypto wallet key, it’s best to type the website domain name into the address bar instead of searching for it. And then bookmark it. Searching for a company name in Google or Bing will likely bring up the real site along with impersonations — and it’s almost impossible to know the difference unless you have a very experienced trained eye.

The bad guys now use SSL Certificates so their site puts a padlock in the browser toolbar. Anyone can do this because SSL Certs are free and they don’t require any company verification. This padlock does not indicate that the site is the real one. So, don’t rely on the padlock. If it has the company name in green inside the toolbar, that’s called an extended validation certificate and it can be trusted.

Organizations need to invest in security. They need to think about the new age where their staff are likely to use their own mobile device. This means they’re not connected to their organizations’ cloud-based security and they’re not likely using a secure VPN. This makes their device, and them as a person, vulnerable to a cyberattack. When using Slack or HipChat, organizations need to install MetaCert as it’s embedded inside the fabric of the service so it doesn’t matter what device a person uses or what network they are connected to. For other app-related security products I recommend Lookout and for Cloud-based Okta.

Banks need to stop emailing consumers asking them to click on a link so they can open a secure message inside the browser. This is the dumbest thing I’ve ever seen in my career — most banks do this and it does nothing to help educate consumers about the pitfalls of phishing links.

JB: Who should be using this kind of security?

P: Of the $225 million already stolen by crypto criminals in 2017, $115 million was via phishing. That makes phishing the number one problem within the cryptocurrency world. And almost all crypto communities are built inside Slack. So, that makes Slack the number one attack vector for phishing scams. MetaCert is the only company with products designed for this specific problem. We are currently laser focused on helping crypto companies and their investors stay more safe by reducing the risk of them falling for a scam.

Token launches and ICOs are our ideal customer and it takes less than 7 seconds for them to install our software at slacksecurity.metacert.com.

Of course, other companies that care about security should also install our integration for Slack and HipChat — especially if they have regulatory compliance to consider.

JB: How important is anti-phishing to ecommerce, trading, and ICO token sales?

P: Vital! The crypto world is full of first-time investors. That’s one of the main benefits of blockchain technology — it decentralizes power and the accessibility of investment opportunities in the next big thing. These are mostly non-sophisticated investors so as soon as they get their fingers burnt with a phishing scam, they’re less likely to invest in the future. Or at the very best, they will delay their investments and are likely to tell family and friends of their loss.

By keeping more people safe from phishing scams, we are likely to see more money invested in new Token launches and ICOs and therefore, more cryptocurrency circulated generally. They will also be more likely to buy and sell in crypto in the future. It’s therefore in everyone’s best interest to help combat this issue.

JB: What steps can they take to prevent being phished by their own employees, and what steps should their consumers take to prevent being phished?

P: Same as what I’ve described before. It doesn’t matter if it’s a community member or an employee. But it’s certainly a relevant question because most companies are more concerned about insider threats than they are about external hacks. Now with information flowing more freely inside collaboration tools like Slack, it’s important to install security products to make sure they’re not sharing or leaking sensitive information. This is more true now that Slack, for example, recently announced that companies will be able to share channels with other companies. That’s a massive security threat that hasn’t been addressed — aside from the fact that MetaCert will address it by default with the existing features.

JB: What’s the biggest security problem you see with ICOs? How should it be addressed?

P: Phishing. There have been over 30,000 victims according to Coin Analysis. You don’t hear about them in the media as often as a big hack. Hacks get the attention because they happen less frequently but the numbers are bigger. But as I said, phishing is the number one threat. As the crypto world gets more media attention with the ever increasing number of Token launches, ICOs and Government commentary regarding regulation, more cybercriminals are going to be attracted to this new type of scam. Without software like MetaCert it’s almost impossible to stop and they know it. I see phishing growing exponentially and not just in ratio to the number of new cryptocurrencies and solutions.

JB: What’s the one thing people don’t pay attention to at all that you wish they did? What are we all missing?

P: It’s the fact they pay attention to the padlock in the browser when they shouldn’t. Stop. Unless it has the company name in the address bar, before the domain name, ignore it. It’s meaningless. It can be a spoofed website.