The Cryptocurrency Informer
Security & Encryption: AT&T, Blockstream, the LAED Act
This week is all about security and encryption! AT&T is being sued over its alleged role in a sim-swap scam, a potentially costly bug was discovered in Blockstream’s Liquid Network, and… Senator Lindsey Graham apparently wants to make encryption obsolete.
AT&T Sim-Swap Lawsuit
Blockstream’s Liquid Network Vulnerability
The Lawful Access to Encrypted Data Act
Reddit Thread: US Senators introduce bill to FORCE all device and software providers in the US to build backdoors into their products. Bill would make encryption ILLEGAL unless it had a backdoor for the US government. (Lawful Access to Encrypted Data act 2020, “LAED” act)
July 3rd, 2020: Security & Encryption: AT&T, Blockstream, the LAED Act
On Wednesday, it was reported that telecom giant AT&T is being sued again, this time for allegedly allowing a sim-swap attack on one of its customers, Seth Shapiro. This follows a $224 million lawsuit filed back in 2018 by Michael Terpin, who claims he lost millions of dollars’ worth of crypto to multiple sim-swap attacks. For those listening who are unfamiliar with sim-swap attacks, I’ll give a brief summary of what they are and then point you to documentation on how best to protect yourself from one on talk.bitcoin.tax.
Most people are familiar with 2FA, or two-factor authentication, an additional security measure offered by many websites that is meant to stop bad actors from getting into a user’s account even if they have the password. The same phone number is also commonly used for account recovery, letting a legitimate user back in when they cannot log in the normal way (for example, because they have forgotten their password). One very common form of 2FA is a text message containing a one-time code that confirms ownership of the account. This form has a major flaw: the code is sent to whoever currently controls the phone number, not to a specific device, so anyone who can intercept or redirect that text message can pass the check and gain access to the account.
That is apparently what happened to both Seth Shapiro and Michael Terpin. In both cases, the lawsuits allege that bad actors convinced AT&T employees that they owned the accounts, and the phone numbers were moved from the victims’ SIM cards to SIM cards the attackers controlled. This is what’s known as a sim swap, normally a legitimate procedure used when someone wants to move their phone number to a new phone (for example, because they lost or broke their old one, or simply want an upgraded model). After a fraudulent sim swap, the attacker receives the victim’s calls and texts, including 2FA codes and password-reset messages, and can use them to take over the victim’s accounts. In the world of crypto, where transfers cannot be reversed, this spells financial trouble.
Both cases are still ongoing, and there is more nuance to sim-swap attacks than we can cover here, but they certainly occur and can clearly cause a lot of financial damage. They are a legitimate cyber security threat, and if you rely on SMS-based 2FA to protect your accounts, you should check out the links we’ve provided on talk.bitcoin.tax to learn more about the attacks and how to protect yourself from them.
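To make the flaw concrete, here is an added example (not code from the episode, and not anything AT&T runs) that models a carrier, an account with both an SMS code and an authenticator-app (TOTP) second factor, and a sim swap. The carrier, account, phone number and attacker are constructed toy objects; the TOTP routine follows RFC 6238 (HOTP from RFC 4226 with HMAC-SHA1, 30-second steps, 6 digits), which is what authenticator apps implement, and the secret is the RFC test-vector key so the results are reproducible. The point it shows is the one practitioners act on: the SMS code follows the phone number, so it lands on the attacker’s SIM after the swap, while a TOTP secret stays on the victim’s device and is unaffected.

```python
"""Added example (not code from the episode or from AT&T): why a one-time code
sent by SMS follows the phone number, while a TOTP code from an authenticator app
is bound to a secret that stays on the user's device.

The carrier, account and attacker below are constructed toy objects. The TOTP
routine follows RFC 6238 (HOTP from RFC 4226: HMAC-SHA1, 30-second step, 6
digits); the secret used in the simulation is the RFC test-vector key.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class Carrier:
    """Toy mobile carrier: a number maps to whichever SIM currently holds it."""

    def __init__(self) -> None:
        self.number_to_sim: Dict[str, str] = {}

    def activate(self, number: str, sim_id: str) -> None:
        self.number_to_sim[number] = sim_id

    def sim_swap(self, number: str, new_sim_id: str) -> None:
        # The legitimate "move my number to a new SIM" procedure; in the lawsuits
        # this is the step attackers allegedly talked carrier staff into performing.
        self.number_to_sim[number] = new_sim_id

    def deliver_sms(self, number: str, text: str) -> Tuple[str, str]:
        """The SMS lands on whatever SIM holds the number right now."""
        return self.number_to_sim[number], text


class Account:
    """Toy service account offering SMS one-time codes and TOTP as second factors."""

    def __init__(self, carrier: Carrier, phone: str, totp_secret: bytes) -> None:
        self.carrier = carrier
        self.phone = phone
        self.totp_secret = totp_secret  # enrolled once, stored on the user's device
        self.pending_sms_code: Optional[str] = None

    def send_sms_code(self) -> Tuple[str, str]:
        self.pending_sms_code = f"{secrets.randbelow(10 ** 6):06d}"
        return self.carrier.deliver_sms(self.phone, self.pending_sms_code)

    def verify_sms(self, code: str) -> bool:
        ok = self.pending_sms_code is not None and hmac.compare_digest(code, self.pending_sms_code)
        self.pending_sms_code = None  # single use
        return ok

    def verify_totp(self, code: str, now: Optional[int] = None, skew: int = 1) -> bool:
        now = int(time.time()) if now is None else now
        # Accept the current 30-second step and +/- `skew` neighbours for clock drift.
        return any(hmac.compare_digest(code, totp(self.totp_secret, now + d * 30))
                   for d in range(-skew, skew + 1))


def simulate_sim_swap(now: int = 59) -> Dict[str, bool]:
    """Victim enrols both factors; the attacker gets the number moved to their SIM.
    Returns which factor the attacker can pass afterwards."""
    carrier = Carrier()
    carrier.activate("+15550100", "victim-sim")
    acct = Account(carrier, "+15550100", RFC_TEST_SECRET)

    carrier.sim_swap("+15550100", "attacker-sim")  # the fraudulent swap

    # SMS factor: the code is delivered to the attacker's SIM, so they can submit it.
    sim_id, code = acct.send_sms_code()
    sms_bypassed = sim_id == "attacker-sim" and acct.verify_sms(code)

    # TOTP factor: the attacker holds no secret, so all they can do is guess;
    # the victim's device still produces codes the service accepts.
    totp_bypassed = acct.verify_totp("123456", now)
    victim_totp_works = acct.verify_totp(totp(RFC_TEST_SECRET, now), now)

    return {"sms_bypassed": sms_bypassed,
            "totp_bypassed": totp_bypassed,
            "victim_totp_works": victim_totp_works}


if __name__ == "__main__":
    print(simulate_sim_swap())
```

Running it prints `sms_bypassed` True and `totp_bypassed` False: nothing about the SMS path checks which device asked for the code, so the carrier’s account-change process is the whole security boundary. The same lesson applies to password resets sent to the number.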
This week there were reports that Blockstream, a blockchain company, had a serious vulnerability in its Liquid Network. Liquid is a Bitcoin sidechain: it operates using LBTC, a token that is pegged 1 to 1 to BTC held on the Bitcoin chain. Coindesk provides a good TLDR of how this works:
“When bitcoin moves onto Liquid, it goes through a “peg-in” process where bitcoin is stored in a secure wallet moderated by the federation. LBTC is created and redeemed when bitcoin is deposited. The process reverses when bitcoin is withdrawn.
An emergency caveat does exist when bitcoins have not moved from a wallet for 30 days. In that case, a two-of-three multisig approval is activated in order to preserve the network.”
A blockchain developer named James Prestwich discovered on Twitter that, quote, “for just under an hour, the emergency 2-of-3 controlled 870 Bitcoin,” end quote. According to him, this emergency failsafe was activated when there was no emergency, which placed a large quantity of Bitcoin under the control of a much smaller group of signers than the federation as a whole and so exposed it to internal theft.
It’s an interesting situation, and we’ve provided links to the Twitter thread between James Prestwich and Adam Back, the CEO of Blockstream. In addition, we’ve linked to Blockstream’s official response.
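The failure mode here is an operational one: the federation has to re-spend (“rotate”) each peg-in coin before its timelock runs out, and any coin that reaches the timelock is, for as long as it sits there, spendable by the much smaller emergency quorum. As an added example (not Blockstream’s code, and not the actual Liquid script, which the episode does not detail), the monitor below models the two spending paths and reports which UTXOs are already exposed and which are due for rotation. The 11-of-15 federation, the 4320-block (30 days at ~10 minutes per block) relative timelock, the block height and the UTXO set are all assumptions and constructed sample data; the 870 BTC total is chosen to match the tweet quoted above.

```python
"""Added example (not Blockstream's code): a monitor for the failure mode described
above. The peg-in policy is modelled with two spending paths: the federation's
threshold multisig at any time, and the much smaller emergency quorum once a
coin has sat unspent past a timelock. The federation is expected to re-spend
("rotate") each peg-in UTXO before its timelock runs out; any UTXO that reaches
it is, for as long as it stays put, under the emergency quorum's control.

Assumptions for the example (the episode does not give the script details):
an 11-of-15 federation, a 2-of-3 emergency quorum, and a relative timelock of
30 days expressed as 4320 blocks at ~10 minutes per block. The UTXO set and
block height below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

SATS_PER_BTC = 100_000_000
BLOCKS_PER_DAY = 144
TIMELOCK_BLOCKS = 30 * BLOCKS_PER_DAY  # assumption: the "30 days" from the quoted summary


@dataclass(frozen=True)
class Utxo:
    txid: str
    amount_sat: int
    confirmed_height: int


@dataclass(frozen=True)
class PegPolicy:
    fed_threshold: int = 11        # assumption
    fed_keys: int = 15             # assumption
    emergency_threshold: int = 2
    emergency_keys: int = 3
    timelock_blocks: int = TIMELOCK_BLOCKS

    def blocks_until_emergency(self, utxo: Utxo, height: int) -> int:
        """Blocks left before the emergency path opens; <= 0 means it is open now.
        The timelock is relative (CSV-style): it counts from the UTXO's confirmation."""
        return utxo.confirmed_height + self.timelock_blocks - height

    def can_spend(self, utxo: Utxo, height: int, fed_sigs: int, emergency_sigs: int) -> bool:
        """True if the given signature counts satisfy either path at this height."""
        if fed_sigs >= self.fed_threshold:
            return True
        return (emergency_sigs >= self.emergency_threshold
                and self.blocks_until_emergency(utxo, height) <= 0)


def exposure_report(utxos: Sequence[Utxo], height: int, policy: PegPolicy,
                    warn_blocks: int = BLOCKS_PER_DAY) -> Dict[str, object]:
    """Which UTXOs the emergency quorum can already spend, and which are about to expire."""
    exposed = [u for u in utxos if policy.blocks_until_emergency(u, height) <= 0]
    due_soon = [u for u in utxos
                if 0 < policy.blocks_until_emergency(u, height) <= warn_blocks]
    return {
        "exposed_sat": sum(u.amount_sat for u in exposed),
        "exposed_txids": [u.txid for u in exposed],
        "due_soon_txids": [u.txid for u in due_soon],  # rotate these first
    }


# Constructed sample: two coins already past the timelock (500 + 370 = 870 BTC,
# the figure from the tweet quoted above), one due within a day, one fresh.
HEIGHT = 640_000
SAMPLE_UTXOS: List[Utxo] = [
    Utxo("aaaa", 500 * SATS_PER_BTC, HEIGHT - 4400),
    Utxo("bbbb", 120 * SATS_PER_BTC, HEIGHT - 4300),
    Utxo("cccc", 25 * SATS_PER_BTC, HEIGHT - 100),
    Utxo("dddd", 370 * SATS_PER_BTC, HEIGHT - 4350),
]


if __name__ == "__main__":
    report = exposure_report(SAMPLE_UTXOS, HEIGHT, PegPolicy())
    print(f"{report['exposed_sat'] / SATS_PER_BTC:.8f} BTC spendable by the emergency quorum:",
          report["exposed_txids"])
    print("rotate before expiry:", report["due_soon_txids"])
```

The check a federation operator (or an outside watcher, since peg-in UTXOs are visible on the Bitcoin chain) wants is that `exposed_sat` stays at zero and that anything in `due_soon_txids` is rotated well inside the warning window; the emergency path is meant to protect funds if the federation goes offline, not to be reachable during normal operation.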
Finally, this week saw the introduction of the Lawful Access to Encrypted Data Act. There’s a lot to unpack with this story, but we’ll keep it brief. The government has long wanted backdoor access to encrypted systems; a well-known example is the FBI’s 2016 demand that Apple help it unlock the San Bernardino shooter’s iPhone. We’ll provide a link to that story if you haven’t heard about it, but the FBI did not get its way.
Tim Cook, the CEO of Apple, refused, reasoning that building a backdoor would put all Apple users at risk and would be a slippery slope toward giving the government access to encrypted data whenever it asked. Fast forward to this week: the new Lawful Access to Encrypted Data Act, introduced by Senator Lindsey Graham, would force companies to do just that, giving the government access to encrypted data on request in criminal and national security cases.
Of course, cryptography is a key component of cryptocurrency (Bitcoin itself relies on digital signatures and hashes rather than encryption, but the wallets, exchanges and communications around it depend on encryption), so what does this mean for the world of crypto? It’s difficult to say. The real effects won’t be fully evident until the bill is passed, if that ever happens. As history has shown, there is a fine line between keeping people safe and overstepping the boundary of privacy. There are two sides to the coin: will this bill infringe on fundamental rights, or will it help make the world safer? Politicians generally are not known for being tech savvy, and many fear that a fundamental misunderstanding of encryption technology could spell trouble for the rights of many. Only time will tell, though; we’ll certainly stay on top of any important developments.