The debate about internet privacy and the role of cryptography in protecting our communications has been raging for years. However, cryptography is only one step in a long chain of security measures meant to protect data from unauthorised access.
First Published 30th March 2016 | Latest Refresh 23rd November 2021
Brussels – eternally misunderstood.
3 min read | Reflare Research Team
History shows the challenge remains
In March 2106, the European city of Brussel experienced a terrorist attack where 32 civilians and three perpetrators died. At the time, this attack opened the debate on privacy once again. Privacy and cryptography were (and continue to be) at the forefront of the security debate as society and governments question the balance between what should be private and when this privacy should be violated to protect security interests.
Unfortunately, even all these years later, cryptography is still misunderstood by many of the players across governments and the wider society, making it difficult to predict what the debate's long-expected outcome will be.
Retention; simple-ish
At the centre of the debate are data retention policies. Data retention is relatively easy to understand for citizens and politicians and can be fluidly adjusted. For example, governments may decide to retain phone data for 90 days and web access data for 180 days and then increase or decrease both as needed.
We, therefore, expect a relatively reasonable outcome of the discussions surrounding data retention.
Cryptography; complex-ish
On the other hand, very few people understand cryptography on the level which is being discussed at the moment. Cryptography is either secure or it is not. Cryptographic keys are either long enough to take an incredible amount of time to crack, or they are so short that third-party entities can crack them with enough effort. The same is true for cryptographic algorithms, they are either secure or they are not. Naturally, governments want secure cryptography for their own activities but also desire the ability to crack the encrypted communications of others.
The ability to crack the encryption used by other governments or civilian actors ties into national security and surveillance issues. Cryptography is relatively difficult to understand, so having a debate between governments and the general population is difficult. In many cases, neither party fully understands the technical issues involved.
This makes the outcome of upcoming cryptography-related debates hard to predict. Governments claim to require backdoors for security purposes, and citizens do not understand the technology enough to form a complete opinion on the issue.
The Brussels attacks provided governments with more reasons to argue that cryptography must be controlled and backdoored. Providing a backdoor however, makes cryptography virtually useless.
Tools and algorithms providing strong cryptography are also in the public domain, so regulating them will prove difficult. Where governments and citizens decide to draw the line between privacy and security remains unpredictable.
Who needs 'regulation' when you're going to the moon?
Now let's look at society's recent behavioural evolution towards cryptocurrencies, and how this is a hacker's dream.
And in recent times, individual investors have poured significant amounts of cash into cryptocurrencies. This is all well and good, but the security awareness of the individual investor often leaves much to be desired.
Poor phone etiquette
Is fair to assert that the majority of smaller crypto investors have no understanding of the cyber security implications of how they conduct their investing activities. To support this, the volume of crypto trading happening on smartphones has continued to grow year-on-year. Furthermore, there has been a notable spike in funds being stolen from well-known crypto investors through hackers hijacking their phone numbers.
The opportunity for criminals to steal funds through SIM-swap fraud continues to grow. The United States Federal Communications Commission is currently proposing tighter restrictions on how customers switch numbers between devices, subsequently making it more difficult for SIM-swap fraud to take place. However, our service providers are pushing back, stating that such rules will impose unnecessary complications for their customers.
Good ol' social engineering
Wall Street Journal journalist David Uberti spoke with US Mobile CEO Mr. Ahmed Khattak, who reported that "a lot of these hackings I happening because of social engineering", referring to the employees of the wireless providers being tricked or co-opted into enabling the breach.
In David's story, he reports and of hackers hijacking phone numbers to then access multifactor authentication measures based on text messages, and then using this authentication to access the internal computer systems of crypto-infrastructure firms to then transfer funds from the victim's digital wallet.
How to defend
The Brussels attack was many years ago, yet we still haven't got a sufficient security and privacy mechanism when it comes to crypto. However, there has been some progress. A number of crypto exchanges are now using machine learning models to predict and analyse the risks associated with users who request password changes. When user behaviour is considered as high risk, the exchange will begin restricting trades until further verification of the user can be conducted.
But it's not all up to the exchange platforms or Government regulators. Consumers must also increase their security awareness and resilience in the face of an increasing number of hackers moving into the SIM-swap fraud space. If investors had a stronger understanding of the vulnerabilities which come from their behaviour with their hardware, more care would be taken to protect their investment.
SIM-swapping is just one technique used by criminals to successfully conduct theft. To learn more about the latest in cybersecurity defence and attack trends, subscribe to our research newsletter and explore the related topic below.