Operational security (OPSEC) is the process used to optimize security and reduce the risks of your vital data getting into the wrong hands; it involves analyzing your everyday actions that could accidentally reveal critical or sensitive information. It goes beyond using a complex password, a strong VPN or observing good internet privacy practices. OPSEC is a lifestyle that demands conscious decision making. Operations security manager for Fort Jackson; Dwight Peter said – “OPSEC is a mindset, if it’s not on your mind, you won’t practice it”.
“Privacy is normal” is a common mantra in the crypto community, but we’ve come to realize that privacy isn’t given, it’s taken. The internet is literally bugged with data siphoning tools that it becomes a struggle concealing your data from a third party. There is a saying “If you have nothing to hide, you have nothing to fear” but the reality is that regardless of your moral standard (whether you use the internet for legal or illegal activities), nobody wishes for their personal information to be accessed by the public. When it relates to the crypto industry, maintaining a good OPSEC is also very critical because there are a lot of bad actors in this space and thus, the minutest weakness in your OPSEC could compromise your security and portfolio.
How Did OPSEC even exist?
The concept of OPSEC was first conceived by a U.S. multidisciplinary security team called Purple Dragon, which was assigned with the task of investigating the failure of combat operations during the Vietnam War. The counterintelligence team realized that its adversaries could anticipate the U.S’s strategies without having resources to build tools powerful enough to decrypt their communication or steal their data. The team concluded that the U.S. military forces were unknowingly revealing information to the enemy, and OPSEC was initiated. The initial definition of OPSEC was: “The ability to keep knowledge of our strengths and weaknesses away from hostile forces.”
Why is OPSEC important?
The amount of data we generate everyday builds a digital footprint that makes us easy preys to prying eyes. Consider how much information your phone knows about you, or the search engine you use every day, or even the posts you make on social platforms. All these provide breadcrumbs of information that when aggregated, could be used to identify and attack the victim. As a crypto user, it is important to understand that attackers are constantly profiling random data which can be used to commit numerous crimes including stealing your crypto assets. The best way to understand the importance of OPSEC especially in crypto is to observe how others have parted ways with their crypto assets due to poor OPSEC.
A significant example of the effect of poor OPSEC is the horror of SIM jacking Messari founder – Ryan Selkis had to experience. SIM jacking (also known as SIM splitting or swapping) is a technique used by hackers to gain control of your phone number. Phone numbers are usually linked to a lot of platforms, in crypto, your phone number can be linked to an exchange or your two-factor authenticator. In essence, once a hacker controls your phone number, they automatically gain access to these platforms.
Another notable attack in the crypto industry was the “BitPay Phishing Attack” which led to a painful give away of 5,000 $BTC to the hacker. The attack began when the hacker gained access to the email account of David Bailey – the founder of yBitcoin (a property of BTC Media Inc.) who has been in negotiation with BitPay over a Bitcoin-related magazine purchase. With Bailey’s email address; the hacker sent a mail to the CFO of BitPay – Bryan Krohn, which contained a link to a scam Google page that required Krohn to log in. Unsuspectingly, Krohn attempted to log in through the fake portal which provided the hacker with Krohn’s email account credential.
The hacker used the details given by Krohn to log in to his email account and monitor the operations of BitPay, gaining access to sensitive information like employees contact, executives’ interactions and most importantly, BitPay’s financial transactions. With Krohn’s email, the hacker was able to initiate a transaction that led to the loss of over $1.8 million.
Sometimes OPSEC doesn’t always need to be technical, it can also be done by reducing the amount of information we give out every day, especially on social platforms. In crypto, it’s normal for influencers to flaunt their crypto wealth and portfolio, but all these provide a chain of information sufficient for a hacker. Oversharing is a weak point in OPSEC that has caused many including Pavel Nyashin- a Russian Youtuber to kiss goodbye to their crypto wealth. After boasting about his crypto wealth in a YouTube video, Pavel was robbed of $425k just because he couldn’t keep his wealth to himself.
Process to OPSEC
1.) Identify what critical information an attacker might want to steal: Truth is, you can’t protect what you don’t know. Identifying information about you, what form it’s in and where it resides is the first step to performing OPSEC. The most effective way to achieve this is to carry out Open Source Intelligence (OSINT) on yourself as it would show you how much of your information is publicly available.
2.) Analyze threats: The next step after uncovering your digital foot print is to identify who would be interested in your information and how much you’ve unknowingly given to them. Questions you want to ask yourself may include; “Why is this information useful to an attacker?” “Why would an attacker want to compromise me?”
3.) Analyze vulnerabilities: Consider what your weak points in OPSEC are; for Pavel, oversharing on social platforms was a risk to his OPSEC. If you’re fond of oversharing, especially information relating to your crypto wealth, you might want to consider keeping more information to yourself.
4.) Analyze risks: Risk management is a common term in crypto, while most people relate it to crypto trading and investing; risk management is also a critical factor to your OPSEC. It’s important to always analyze the security risks related to your information. For example, if an attacker gained access to your SIM that is linked to a crypto exchange, it means your crypto assets could be stolen. Thus, you might want to prioritize the security of your SIM and maybe disconnect your phone number from any exchange platform.
5.) Apply necessary countermeasures: Now you know what information can be enticing to an attacker and their entry point. The next step is to take the necessary actions to keep your information safe. The basic step being reducing the amount of information you share online. It’s very important to understand which information should be given to the public and which should be kept private. To learn more about crypto OPSEC, check out this post on Security by the Decred community.