I was informed about a fresh research: "When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies".  In this post I give you a brief summary of the this paper. It presents a  new attack vector (at least new for me), that can be used to  deanonymize cryptocurrency users.

We  find that at least 53/130 of merchants leak payment information to a  total of at least 40 third parties, most frequently from shopping cart pages. This information can be used to link addresses together.

​Explain Me Like I'm Five

Imagine you are a cryptocurrency user and you would relish to buy a Magic Wand Vibrator at Newegg,  and order some groceries from your local super innovative, website  having, cryptocurrency accepting grocery shop. I suppose you are not  keen to connect those two purchases together, so you make sure there's  no connection between the coins you intend to use for each purchases on  the blockchain.

But you are not only communicating with the  blockchain, additionally you are communicating with your browser. And  that's what the research is about. If your browser tells the two  websites: "Hey, I'm John" and leaks it to third parties, then the third  parties will know that these two payments came from the same person:  John.

So far, this would apply to credit card purchases, too,  however the difference is: they have no public blockchain, thus data  mining stops at there, while in crypto, it's just where the blockchain  analysis fun starts.

Just How Real This Attack Is?

After digesting the research my initial thoughts are: this attack can be only utilized against "the idiots and the innocents".

The  main self-defense available to users today is to use  tracking-protection tools such as Ghostery or uBlock Origin, but we note  several limitations. […] even with tracking protection enabled, 25  merchants still leak sensitive information to third parties.

If  you can recall, the number without tracking protection was 53/130  leaks. With tracking protection it halved, but likely the "sensitive  leaks" became also less sensitive, than they initially was, so the  quantification of this data is slightly unfair.

However the research examined the "clean Bitcoin economy", the darknet is an entirely different story.
First:  the Tor Browser is in a different level, regarding tracking protection,  than the tools above. I'm sufficiently certain, even malicious darknet  markets find close to impossible establishing a connection between two  of their accounts simply based on metadata.
Second: deepweb does not  delegate payment processing to third parties (BitPay, CoinBase), which  was the main way merchants leaked sensitive information and why the  results of the research were so frightening. All of them have their own  implementations.

Nevertheless, the rest of us, are vulnerable.

How To Defend?

Depending on your level of paranoia I'll share what I think the most effective ways to defend this attack:

  1. Apply tracking protection on your regular browsing activities. AdBlock, Ghostery, uBlock, Origin, etc…
  2. Use Tor Browser every time you pay with cryptocurrencies.
  3. Try not to pay with cryptocurrencies if your payment goes through BitPay, CoinBase or similar third party payment processors.
  4. Only buy stuff from the darknet.
  5. Stop using cryptocurrencies altogether.

via medium by ​@nopara73

Share this post