Hackers, spammers, and other ICO security traps to watch out for

If investors know when your ICO is about to happen, then hackers do too.

It might sound alarmist, but it’s the truth. And how could it be otherwise—with millions of dollars of virtual money changing hands, sometimes in a short space of time, an Initial Coin Offering is a honeypot for cybercriminals.

But there’s no need to panic: There are many prior examples to learn from in terms of potential security risks and how to pre-emptively defend against them. So while you need to put serious time and thought into ensuring the security of your company and your investors’ money, you don’t need to fight the battle alone.

Communications

The most pressing security risks you will face when conducting an ICO are not necessarily the most sophisticated, and many common attacks will involve sending malicious communications to your potential investors to phish their login details or trick them into sending Ether to the wrong address.

One tactic that is often used against cryptocurrency start-ups of all kinds is to register a domain that closely resembles either your company’s website, or the domain of a wallet service through which investors will be sending you money, and send out links to it through Slack, Twitter, or other communications channels.

Since it is very difficult (if not impossible) to prevent attackers from sending these messages in the first place, the best way to defend against this attack is to clearly define your official communications channels and instruct users to disregard messages from any other source.

For example, rather than different members of your team posting updates in a Slack channel, send updates from a single company account, and make it clear that no other account should be considered a trusted source of information, particularly in the event of a security breach or other urgent situation.

Operational security

Besides clearly establishing your external communications channels, you must also make sure that all members of your team are clear about the operational procedures they must take in order to minimize risk.

Some of these steps can be easily outline—for example, using two-factor authentication for all email accounts and other web services associated with the company. Also, remember that the more people who have access to your critical services, the bigger the target for hackers to aim at. Admin accounts for the website should be restricted to only a few individuals, and those people should be told to be on high alert for phishing emails, tweets, Slack messages and other attacks.

If one of your team members sends you a message that seems suspicious, remember that their account might have been hacked! If you have any doubt about the veracity of a message,always use another channel of communication (like asking them face to face or calling their cellphone) to check that it’s real. It will only take minutes—and could save you milions.

Technical precautions

Of course, as well as operational and communications risks, many of the security threats you face will be technical. Not all of these involve stealing money: Some might involve a more conventional attempt to take your website offline, e.g. a DDoS attack from a botnet, which can be crippling if it hits your company at a crucial point during the ICO. (The best way to mitigate this risk is to use a content delivery service like Cloudflare, which should keep your site online through heavy user loads.)

There are too many technical attack vectors to list in detail, but there is one key practice that can reduce risk accross the board: Have your code independently audited before running launching the token sale or any other sensitive activities.

If you are publishing your code open source, bug bounty programmes can be a good way to indentify threats and crowdsource improvements from a community of programmers who are already interested in your product. Apart from this, it is absolutely critical that smart conctract code should be independently reviewed before the ICO: No matter how good your developers are, an outside opinion can still reveal flaws in the code that you did not know are there.

Though these guidelines should help you to understand some of the potential risks, it’s crucial to enlist the help of security professionals to make sure you have minimized the chance of being hacked. There are many cybersecurity companies specializing in the cryptocurrency market—so either research them independently, or let IBC connect you with the right team for the job.