I Got Hacked

TLDR: Web3 holds tremendous potential for Healthcare, but developing solutions that protect and store Private Health Information securely in a Web3 world will take time. 


I’m taking a slight detour with this week’s essay, but I assure you, there will be a healthcare angle. Let me tell you the story about getting hacked. 

Setting the Stage

It was relatively early on a Saturday morning when I rolled over to do what most of us do first thing in the morning – check Twitter. That’s when it all started to go wrong. Still groggy from a great night’s sleep, I started scrolling through Web3 news and updates on the latest NFT drop. That’s when I came across the tweet that would ultimately cause me much heartache. The actual tweet has since been deleted and the account banned, but I managed to find the screenshot below.

[Screenshot of the Mutant Ape scam tweet: “The Trojan Tweet”]

My sleepy, groggy self could not believe my eyes. I had a new follower — and not just any follower. It was none other than a co-founder of the blue-chip NFT and cultural phenomenon Bored Ape Yacht Club. Not only was I the lucky one she followed, but I was also being granted the opportunity to mint a one-of-a-kind Mutant Ape. A dream.

I looked at the name of the person who had just so graciously followed me and saw that they were verified. That makes this legit, right? Look at that follower count, 60k+ followers – this has got to be real!

So, I clicked on the tweet to view the comments. Wow, more validation! These people who minted the impossible are over the moon with their decision. The NFT gods had smiled on me.

Let’s assess the situation so far – your half-awake Deductible writer has just stumbled on an unbelievable offer from a co-founder of an NFT giant. The Twitter account looks legit, the comments are above-board, and it all adds up. 

So, I click the link. And…

It takes me to a legitimate-looking website. It looks exactly like boredapeyachtclub.com. I continue to read and it all seems to make sense. The website, the follower count, the verification checkmark – we’re off to the races!

So, I click “mint”. And that’s where it all went wrong. So very wrong.

A prompt appeared for me to connect the website to my Metamask wallet. So I did.

Another prompt asked me to enter the number of ETH I wanted to send. Wait, that’s unusual. This is when the alarm bells should have been blaring in my head. Hmm, this is strange, I thought, having minted a few NFTs in the past. That’s not how these transactions typically work. Ignoring that thought, I proceeded anyway. So, I input the mint amount of 0.33 ETH, a relative bargain for a Mutant Ape that trades at a floor price of 24.8 ETH (yes, I know I’m an idiot). 

I push “confirm” and the transaction goes through. I am now the proud owner of a MAYC NFT!  

Or not. That’s when it all hit me. I had been scammed.

I definitely did not become an owner of the prized NFT. Over the next few days, I would come to realize the scale of what a mistake I had made. 

Painful Transparency

The beauty of the blockchain is that it’s there for all to see. Each transaction is clearly displayed in its entirety as an unalterable record of the past. 

As you can see by the transaction ledger on Etherscan, I hadn’t minted anything. All I had done was send a decent amount of ETH to a scammer that had cleverly lured me in with a too-good-to-be-true opportunity. The scammer packaged it in a way that not only spoke to my desire to own the prized NFT, but to that innate sense of making a quick buck.

In the blockchain transaction below, you can clearly see the .33 ETH simply move from my wallet to one that has since been labeled as “Fake_Phishing 5397” by the kind folks over at Etherscan. 

[Etherscan screenshot: the 0.33 ETH transfer]

The pain unfortunately did not end there. Over the course of the next few days, the scammer drained my wallet of all my NFTs, including my favorite LinksDAO NFT which I have written about so often here. 

Take a look at the carnage below. Three of my more valuable NFTs were moved to that same “Fake_Phishing” wallet. A clean, simple transfer out of my wallet, into another. It’s elegant, really. 

[Etherscan screenshot: the NFT transfers]

When all was said and done, the scammers took home a total of 145 ETH, or $420k, from unsuspecting folks like me. 

Besides my obvious lapse in judgment, how did this all happen? To fully understand this scam, we first need a basic understanding of how crypto wallets work.

How Digital Wallets Work

There are two types of crypto wallets – digital and hardware wallets. For the purposes of this essay, we will focus on digital wallets. 

Digital wallets are similar to your physical wallet. Physical wallets store valuables, such as your credit cards, paper money, insurance cards, and other items that you want to keep close and safe. When you purchase something, you provide a credit card or cash that is then used to facilitate the transaction. 

A digital wallet works much the same, but with a few more features. A digital wallet is made of three key components – an address, a public key, and a private key.

An address is the “name” of your digital wallet. Just like many of us have chosen a specific design or added embossed initials, a wallet’s address is how we know the wallet belongs to you. If an entity or person wants to send you cryptocurrency, they first need to know your wallet’s address. Your address makes your wallet visible on the blockchain to send and receive crypto, tokens, or NFTs.

Public keys are the way for you to receive transactions within your digital wallet. Think of a public key as similar to the routing and account number combination of a traditional bank account, but with one major difference. With digital wallets, in order for a transaction to process and be verified on the blockchain, the transaction must match the wallet’s private key, which allows the transaction to proceed.

The private keys in a crypto digital wallet are analogous to passwords that are needed to confirm or sign a transaction. A private key is a way to “prove” that you are the owner of the wallet. Once matched to the public key, the private key decrypts the transaction and places it in your wallet. It’s important to note that your private keys are never visible on the blockchain.

In order for a transaction to process successfully and be placed on the blockchain, it needs to be signed. That is where the interaction of the public and private keys takes place. The way a transaction is signed is as follows:

  1. A transaction is encrypted with a public key 
  2. The transaction is then signed by the private key, which proves that the transaction is legitimate and hasn’t been modified
  3. A private key is then used to decrypt the transaction 
  4. A digital signature is then created with a combination of the private key and the data associated with the transaction
  5. The transaction is then verified by nodes on the blockchain network, whose job is to verify the transaction and all others like it 
  6. Once a transaction is verified and authenticated, it is then stored on the blockchain and is irreversible

Here’s what that looks like visually.

Here’s a great video that explains this concept further.
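To make the signing and verification steps in the list above concrete, here is a small, self-contained example of the private key signing a transaction and the public key verifying it. This is an added illustration written for this essay, not code from the author or from any wallet: it implements ECDSA over secp256k1 (the curve Ethereum uses) in plain Python, and it hashes with sha3_256 as a stand-in for keccak-256, which the standard library does not provide (an assumption, so the derived address will not match a real Ethereum address). The transaction fields and the field order used for hashing are also constructed for the example.

```python
"""Toy ECDSA sign/verify over secp256k1. Added example; not the essay's or any wallet's code."""
import hashlib
import secrets

# secp256k1 domain parameters (public constants of the curve Ethereum uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Point addition on y^2 = x^3 + 7 (mod P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def keygen(priv=None):
    """Private key: a random integer in [1, N-1]. Public key: priv * G. The private key never leaves here."""
    priv = priv or secrets.randbelow(N - 1) + 1
    return priv, _mul(priv, G)


def address(pub):
    """Address derived from the public key (sha3_256 used as a stand-in for keccak-256; assumption)."""
    raw = pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return "0x" + hashlib.sha3_256(raw).digest()[-20:].hex()


def tx_hash(tx):
    """Hash of the transaction fields; the field layout is constructed for this example."""
    msg = f"{tx['to']}|{tx['value_wei']}|{tx['nonce']}|{tx['data']}".encode()
    return int.from_bytes(hashlib.sha3_256(msg).digest(), "big")


def sign(priv, tx):
    """Step 2/4 of the essay's list: the private key produces a signature (r, s) over the tx hash."""
    z = tx_hash(tx)
    while True:
        k = secrets.randbelow(N - 1) + 1  # per-signature nonce; reusing it leaks the private key
        r = _mul(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s == 0:
            continue
        return (r, s)


def verify(pub, tx, sig):
    """Step 5: anyone holding only the public key checks that the signature matches this exact tx."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = tx_hash(tx)
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def demo():
    """Sign a constructed transfer, then show that any edit to the signed fields breaks the signature."""
    priv, pub = keygen()
    tx = {"to": "0x" + "ab" * 20, "value_wei": 330_000_000_000_000_000, "nonce": 7, "data": ""}
    sig = sign(priv, tx)
    tampered = dict(tx, value_wei=tx["value_wei"] * 10)  # attacker bumps the amount after signing
    _, other_pub = keygen()                               # a different wallet's public key
    return {
        "valid": verify(pub, tx, sig),
        "tampered_rejected": not verify(pub, tampered, sig),
        "wrong_key_rejected": not verify(other_pub, tx, sig),
        "address": address(pub),
    }


if __name__ == "__main__":
    print(demo())
```

The point the essay's list is making is visible in `demo()`: the signature is bound to the exact bytes that were signed, so nodes can reject a transaction whose amount or recipient was altered after signing, and only the holder of the private key can produce a signature that the public key accepts. Note that the private key is only ever used inside `sign()`; nothing in the verification path needs it, which is why it never has to appear on the blockchain.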

Lessons Learned

So, how did I get hacked? It’s simple.

By connecting my wallet to that fake minting site, I gave full access to my wallet, including my public and private keys. The scammers had access to do whatever they wanted with the contents of my wallet. 

What are the lessons here?

First, there is absolutely no one to blame but me for what happened. I fell for a scam that appealed to my interests. It seemed to pass the initial sniff test, albeit a very brief sniff, and looked legitimate. I took the bait, hook, line, and sinker. A two-second Google search would have revealed that this was a scam – but I wanted it to be true. I acted recklessly and connected my wallet to a website whose validity I did not triple-check – the cardinal sin in crypto. 

Second, with any nascent and new technology, there will be bad actors. We saw this at the dawn of the internet with email scams, and it still continues today with phishing hacks and the like. Bad actors will exploit those that fall for their scam, but that shouldn’t taint progress. These scams will happen from time to time and are part of the technology landscape. Web3 is no different. 

So, how does my mistake relate to healthcare and Web3?

Healthcare Data Security in a Web3 World 

This experience is a perfect illustration of the seamless nature of Web3, its speed, and transparency, but also the gaps that exist in securing wallets and the assets that reside in them. 

If Web3 is going to have an impact on healthcare where data security is paramount, we’ve got a lot of room for improvement ahead of us. 

So, how do we bridge the current reality of easily hacked Web3 wallets to one that supports the complexities of storing private health information?

The answer is, unfortunately, not as elegant or exciting as you may want to hear. The answer is time.

As with all new technologies, at the early stages, there is a tradeoff between adoption, usability, and security. That doesn’t mean that today’s digital wallets are flawed. It’s just early. There will be better security protocols that will allow us to secure wallets that hold our private health information much better than we currently can in a Web3 world. 

Similar to a “real-world” wallet, I think the digital wallet of the future will have various slots for different types of transactions. In the “real-world”, we use different credit cards for different types of purchases (e.g., groceries, travel) to maximize the points we earn. We may use an HSA card to pay for our health-related expenses. 

In the Web3 world, we also make a decision on which “card” to “connect” to a third party. I see a world where each slot or card will have a purpose. Our digital wallets must include the ability to connect only the “healthcare” portion of our wallets to a set of whitelisted wallets, pharmacies, providers, etc. that we’ve verified. 
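Here is one way the “slots” idea above could be expressed as a wallet-side policy. This is an added sketch written for this essay, not code from the author or from any real wallet (MetaMask exposes no such feature): the compartment names, the allowlisted origins, the spend limits, and the connection-request format are all constructed for illustration. It denies by default, so a lookalike domain never reaches the healthcare slot, and it refuses a “mint” that is really a bare ETH transfer to an address, which is what the transaction in the essay turned out to be.

```python
"""Compartmented wallet connection policy. Added example; not the essay's or any wallet's code."""
from dataclasses import dataclass, field


@dataclass
class Compartment:
    """One 'slot' of the wallet, with its own verified counterparties and spend ceiling."""
    name: str
    allowed_origins: set = field(default_factory=set)  # only counterparties we have verified
    max_value_wei: int = 0                              # 0 means this slot never sends value


@dataclass
class ConnectRequest:
    """What a site asks for when it prompts 'connect wallet' (constructed request shape)."""
    origin: str          # hostname the site is served from
    compartment: str     # which slot the site wants
    value_wei: int = 0   # value the site wants to move in its first transaction
    calldata: str = ""   # hex-encoded contract call; empty means a plain ETH transfer


class WalletPolicy:
    """Evaluates a connection request against the compartment it targets. Deny by default."""

    def __init__(self, compartments):
        self.compartments = {c.name: c for c in compartments}

    def decide(self, req):
        comp = self.compartments.get(req.compartment)
        if comp is None:
            return False, f"unknown compartment {req.compartment!r}"
        # Exact-match allowlist: a convincing copy of a site on a different domain fails here.
        if req.origin not in comp.allowed_origins:
            return False, f"{req.origin} is not on the allowlist for {comp.name!r}"
        if req.value_wei > comp.max_value_wei:
            return False, f"{req.value_wei} wei exceeds the {comp.name!r} spend limit"
        # A mint calls a contract; the scam in the essay was a value transfer with no call at all.
        if req.value_wei > 0 and req.calldata == "":
            return False, "value transfer with no contract call is not a mint"
        return True, f"connected {comp.name!r} to {req.origin}"


def build_example_policy():
    """Constructed policy with a healthcare slot (no spending) and a collectibles slot."""
    return WalletPolicy([
        Compartment("healthcare", {"portal.example-pharmacy.invalid", "records.example-clinic.invalid"}),
        Compartment("collectibles", {"boredapeyachtclub.com"}, max_value_wei=500_000_000_000_000_000),
    ])


def demo():
    """Run constructed requests through the policy and return the allow/deny outcomes."""
    policy = build_example_policy()
    requests = {
        "pharmacy_ok": ConnectRequest("portal.example-pharmacy.invalid", "healthcare"),
        "lookalike_denied": ConnectRequest("boredapeyachtclub-mint.example", "collectibles",
                                           value_wei=330_000_000_000_000_000),
        "bare_transfer_denied": ConnectRequest("boredapeyachtclub.com", "collectibles",
                                               value_wei=330_000_000_000_000_000),
        "contract_mint_ok": ConnectRequest("boredapeyachtclub.com", "collectibles",
                                           value_wei=330_000_000_000_000_000, calldata="0xa0712d68"),
        "healthcare_never_pays": ConnectRequest("portal.example-pharmacy.invalid", "healthcare",
                                                value_wei=1, calldata="0x1234"),
        "wrong_slot_denied": ConnectRequest("boredapeyachtclub.com", "healthcare"),
    }
    return {name: policy.decide(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The design choice worth noticing is that the healthcare slot has no spend limit to misconfigure: its ceiling is zero, so a site that is on the allowlist for records can still never move value, and a site that is not on the list gets nothing at all, no matter how legitimate it looks. The calldata value in the `contract_mint_ok` request is a placeholder for “some contract call”, not a specific function.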

The solution to a more secure Web3 experience that can store private health information is a combination of time, technological advances, and common sense. 

Bringing it home

I eventually did that two-second Google search (after my wallet was emptied). Turns out that the Twitter account was in fact verified and Ally was a real person. However, she was definitely not a co-founder of Yuga Labs, the creator of the Mutant and Bored Ape NFT franchises. She is an accomplished paratriathlete, whose Twitter account had been hacked. All of her recent tweets had been deleted and replaced with NFT and Bored Ape-related content. The perfect scam. 

Yes, it was a painful and expensive experience, but one that I learned from.

Often in life, experience is the best, but also the most expensive, teacher. 

Yes, the world of crypto and Web3 has a lot to improve on when it comes to security and data protection. But, it’s not worth discounting the massive upside potential of the technology based on the seemingly frequent occurrence of hacks. It’s part of the maturation cycle of the technology. 

The current speed of Web3 adoption and technological advances mean that we will solve the data security and hacking issues relatively quickly. In the meantime, with a bit more common sense, diligence, and without losing our appetite for risk, we will continue to push forward into the brave new world full of promise that is Web3.