Is your business thinking about entering the crypto world with an Initial Coin Offering (ICO)? You may want to think again. ICO projects contain an average of five separate vulnerabilities, and 47% of those vulnerabilities are medium- to high-severity, potentially putting your company at risk for data and money loss, according to a Monday report from Positive.com.
Positive.com examined ICO project audits from 2017, and found that total investments in ICOs exceeded $5 billion that year, with more expected in 2018. With large amounts of money involved, ICOs are a prime target for cybercriminals: Of all funds raised last year, 7%—or $300 million—was stolen, the report found.
"In an ICO, time is of the essence, and short time frames mean that anticipating attacks well in advance is critical for avoiding financial losses," Leigh-Anne Galloway, cybersecurity resilience lead at Positive.com, said in a press release. "The latest figures have shown the rapidly increasing rate of crime and fraud on the cryptocurrency market, with cybercriminals recognizing the opportunity presented by the dramatic rise of the cryptocurrency market in recent months."
SEE: Security awareness and training policy (Tech Pro Research)
Here are the five different groups of vulnerabilities found in ICO projects, and what causes them, according to the report:
1. Vulnerabilities allowing attacks against ICO organizers
One in three ICOs studied had flaws that made it possible for hackers to attack the ICO organizers. Attacks could take the form of hijacking the email account of the ICO organizer, or gaining text message information from darknet merchants, or social engineering techniques to bypass two-factor authentication. Once the account has been hijacked, attackers can reset the password for the ICO domain or web host, and replace the wallet address.
2. Smart contract vulnerabilities
Smart contracts are a major weak link in the ICO chain, the report found: 71% of projects tested contained vulnerabilities in this area. These vulnerabilities are usually caused by a lack of programmer expertise and insufficient source code testing, the report noted.
3. Vulnerabilities in web applications
Half of the ICO projects studied contained vulnerabilities in ICO web applications, the report found. Some of these involved the security of the blockchain and its backend implementations, while others involved more general issues with code injection, web server disclosure of sensitive information, insecure data transfer, and arbitrary file reading.
SEE: IT leader's guide to the blockchain (Tech Pro Research)
4. Vulnerabilities enabling attacks against investors
Some 23% of projects examined in the report contained flaws that allowed attacks against investors. These risks can be mitigated with strong pre-planning by ICO teams, in terms of registering all possible versions of the project domain name, and registering names on social media accounts.
5. Vulnerabilities in mobile applications
Some ICO teams create mobile apps to make the projects more convenient for investors to access. However, 100% of ICO mobile apps studied contained vulnerabilities. These apps also contained 2.5 times more vulnerabilities than web apps, the report found. The most common flaws found included insecure data transfer, storage of user data in backups, and session ID disclosure.
"The second a company goes public with an intention to do an ICO, it's waving a huge flag to cyber criminals that it's both valuable and also in a very vulnerable phase of its company growth," Galloway said in the release. "ICO teams have a responsibility to ensure their security posture is as robust as possible, from the development of the smart contract and web applications, to monitoring load once the ICO has begun and helping investors avoid phishing attacks."
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- ICO projects contain an average of five separate vulnerabilities, and 47% of those vulnerabilities are medium- to high-severity. — Positive.com, 2018
- 100% of ICO mobile apps studied contained vulnerabilities. — Positive.com, 2018
- What is blockchain? Understanding the technology and the revolution (free PDF) (TechRepublic)
- SEC launches spoof cryptocurrency ICO scam website (ZDNet)
- Blockchain: A cheat sheet (TechRepublic)
- Headphones maker Monster files for $300 million ICO (CNET)
- 18 new IT jobs created by Bitcoin and blockchain (TechRepublic)
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.