When you imagine a high-profile conference that caters to an industry with high-net-worth attendees who are (justifiably) paranoid about their personal and financial security, you’d expect a heavy security presence. But at the Blockchain Futurist Conference in Toronto—like many events of its kind—you’d be hard-pressed to find it.
Upon arriving for the first day of the two-day event in August, my all-access press pass stuck out from the pile at the check-in desk. After I picked up the badge and told the woman behind the desk “that’s me,” she simply said, “OK.” I asked if she wanted to see some identification, but she declined. On day two, I slid my wristband up my sleeve and kept my lanyard tucked inside a jacket pocket and breezed through the front door. The only time I was asked for credentials by a staff member was when I walked into the VIP lounge where the speakers and sponsors mingled and prepared before going onstage. (BREAKER requested an interview with conference organizers to talk about security measures, but it was cancelled due to scheduling conflicts.)
Over the course of the conference, I spoke with a number of security experts who outlined how organizers and attendees at blockchain events—which are increasingly targeted by those looking to steal digital assets—can best protect themselves.
“If you’re an executive in a blockchain company right now, you are absolutely a target, 100 percent,” says Jason Truppi, a partner at TLDR Capital and former supervisory special agent with the FBI’s cyber crimes unit. “There’s a pretty concerted and organized effort to target people in the crypto space—mostly executives and people who are known to have a large wallet—either based on social media posts or what they talk about at conferences.”
Truppi says attacks targeting cryptocurrency wallets have only gotten more brazen in recent years. Approximately $1.1 billion worth of digital currency was stolen in the first half of 2018 alone, and in June, South Korean exchange Bithumb suspended all transactions as it investigated the theft of $32 million. Last December, a man was arrested in New York for armed robbery and kidnapping in relation to the theft of $1.8 million worth of ether, around the same time that kidnappers in Ukraine released a Bitcoin analyst following a $1 million ransom payment.
At the Blockchain Futurist Conference, attendees still seemed anything but shy about sharing financial information related to themselves or their companies. Such conversations, according to Truppi, are often a starting point for malicious actors searching for their next target.
“How the criminals are getting this information can come from a conference,” he said, adding that it’s “really easy” to sneak into just about any industry event. “You might have been talking to a small group of people at a conference, telling people how much money you made in bitcoin, talking about some details of your business or your accounts, giving out business cards with your personal information.”
With this information, Truppi says malicious actors can begin to penetrate the user’s email account in search of passwords or information that might provide access to a digital wallet or bank account. One of the most popular forms of attack is SIM swapping, wherein a malicious actor calls a telecommunications provider with the information they’ve gathered in order to have the carrier issue a new SIM card attached to that account. That new SIM card in turn provides access to information and assets stored on their victim’s mobile device.
Once the attacker has full control over all the details in your phone, they start resetting the passwords on those accounts, and they can log in using their new passwords. By reading your email and account information, they start moving laterally to other accounts—or extorting friends in your network.
Truppi says that the simplest defense against SIM swapping is setting up a PIN with the mobile carrier to ensure nobody can access the account without it, even if they provide all the necessary personal information. Another simple defense tactic is decoupling work and personal email accounts and phones in order to protect personal assets from attacks against a business.
Beyond gathering information on potential targets through networking, Truppi says he’s often surprised by how many unattended bags he sees at industry events. “Those are easy targets for attackers to go steal those devices and use them to perpetrate crimes,” he said.
What makes the conference floor particularly enticing to would-be criminals, however, goes beyond unattended bags and personal information. Conferences provide both a pool of targets and reasons to connect devices to a wide range of external technologies.
“Some people will put out chargers for people to charge their phones, which is a great point of vulnerability; that could be a data cable,” said Yaron Vorona, the CEO of cybersecurity provider Deep Defence. Vorona adds that those attending conferences and plugging into public charging stations should consider using a “USB condom” that prevents any form of data transfer during charging. “The other major point of attack that people will use is USB keys; it’s a really easy way to infect somebody,” he said. “Take the risk of unknown USB keys very seriously.”
Vulnerable points of entry, however, are not limited to physical ports. Near field communication (NFC), cellular services, Bluetooth, and Wi-Fi are more easily penetrated in a public space, which is why conference attendees should always be wary of unverified connections.
“There are multiple antennas in your cellphone that connect—there’s Wi-Fi, there’s cell phone, there’s NFC—all of those are points of vulnerability where an attacker can capture information,” said Vorona. “People will bump into other people with a special NFC scanner in their pocket so they can capture information.”
Waseem Khan, the managing director of Dizruptiv.com who attended the Toronto conference, says he has developed a series of security protocols and precautions for attending industry events.
“My phone [case] has a magnetic strip on it that cuts off all the Wi-Fi and data communication on my phone; once you close it, it shuts off everything,” he said. “My biggest precaution is I don’t carry a lot of crypto on my portable wallets. I keep them external on my hard wallet.”
Khan adds that he regularly checks his records to ensure he recognizes all transactions on his account, just as he would a credit or debit account. Though he is cautious, he doesn’t take the level of physical security at blockchain and cryptocurrency conferences into consideration when deciding whether or not to attend, nor does he believe it should fall solely on organizers to protect attendees against theft.
“Whether you own a car, a home, or a large amount of cryptocurrency, it’s your responsibility as an individual to protect your assets,” he said. “When you come to these events do your risk management on protecting yourself from any theft or fraud.”