To purloin crypto, hackers are importing successful—and very familiar—methods from the world of fiat money. Here’s what experts say needs to be done.
Security has always been a big selling point for Bitcoin and other cryptocurrencies. The crux of the security argument is twofold. Unlike cash, cryptocurrencies are encrypted in a digital wallet that can only be unlocked with a private key so mathematically complex that it’s considered hacker-proof.
Plus, every cryptocurrency transaction is recorded in the blockchain, an up-to-the-minute ledger that requires verification for each transaction from multiple parties.
This double layer of security, cryptocurrency evangelists say, makes cryptocurrency incorruptible and as fraud-resistant as money gets.
In theory, cryptocurrency security is tighter than that of Fort Knox. But theory is not always reality. Criminals, as they so often do, find weaknesses in crypto defenses. Instead of directly attacking the blockchain or the cryptography that protects private keys, fraudsters are relying on the same social-engineering techniques they use to hack the databases of financial institutions and corporations.
These techniques include phishing and malware attacks that target employees of cryptocurrency exchanges or individual users. These attacks often occur via email.
Domain-name system (DNS) hijacking is another familiar scam. This ploy exploits weaknesses in the DNS so a criminal can replace a legitimate Web-site address with a phony address that redirects the exchange’s traffic to a phony Web site that looks just like the exchange site but is controlled by the criminal. When cryptocurrency users enter their private key on the phony site, the data goes straight to the criminal.
Social-engineering scams are intended to produce the same result: Trick cryptocurrency users into unwittingly giving up their private keys. Once in possession of the private key, criminals can empty a cryptocurrency user’s wallet.
Since cryptocurrency, unlike cash deposits held in U.S. banks, for example, is not insured by a government, crypto users have no way to recoup all or part of their losses due to theft.
Compounding the problem is that cryptocurrency ensures anonymity. While the blockchain requires multiple parties to validate a transaction, it does not provide a record of who actually makes a transaction.
That means criminals who trick an unwitting consumer into handing over his key won’t leave a paper trail after absconding with the victim’s funds. That’s because all the keepers of the blockchain see is that the private key was used to unlock the wallet.
Bottom line, cybercriminals are simply importing tried-and-true methods from the world of fiat money.
“Cryptocurrency hackings today have nothing to do with the math behind the private keys; the issues are with the security around protecting the keys themselves,” says Ahmet Tuncay, chief executive of Sepior, an Aarhus, Denmark-based provider of security solutions for cryptocurrency and blockchain applications.
Cryptocurrency’s vulnerability to social engineering has produced some eye-popping losses. In 2018, cyberthieves made off with $1.7 billion in cryptocurrency, according to Menlo Park, Calif.-based CipherTrace Inc., a provider of cryptocurrency and blockchain security solutions.
Criminals have kept up their torrid pace in 2019, pocketing $150 million in cryptocurrency in January alone, and show no signs of slowing down, even though the prices of cryptocurrency have dropped, CipherTrace says.
Of the losses incurred in 2018, $950 million was heisted from cryptocurrency exchanges that allow consumers to buy, sell, and store digital currencies. That amount was three times more than what was stolen from exchanges in 2017, CipherTrace says.
The huge jump in losses incurred by exchanges is an indication that with each successful theft, criminals become emboldened to pull off bigger heists, security experts say.
That makes exchanges prime targets, as they house the largest caches of cryptocurrency. Indeed, two Japanese exchanges were hit for $600 million in combined losses in 2018, according to CipherTrace. The first heist, which occurred in January 2018 against the Coincheck exchange, totaled $530 million and affected a reported 260,000 investors.
That amount shattered the previous record of $400 million in Bitcoin stolen from Mt. Gox in 2014. Nine months later, cryptocurrency firm Tech Bureau Corp.’s exchange was hit for $70 million in losses by cyberthieves.
The balance of crypto thefts occurs in one of two ways. One way is for criminals to gain access to consumer wallets stored outside an exchange. For example, they might take over a consumer’s Internet-enabled device to steal his private key.
Or they might deploy cons in which investors are approached to use cryptocurrency to purchase shares in a new exchange or company developing new blockchain technology, only to see the criminals vanish with their funds. These cons are often referred to as ICO scams, since an initial coin offering (ICO) uses cryptocurrency as the funding mechanism for raising investment capital.
Smaller-scale scams include creating fake sites that purportedly sell secure cryptocurrency wallets to consumers wishing to manage their wallets on their own. More often than not, these wallets appear to be legitimate, but have been compromised and are being resold. Consequently, any money deposited into the wallet is rerouted to the criminal marketing the wallet.
“If a consumer wants to manage [his] own keys in a cryptocurrency wallet, he needs to be certain he is buying the wallet direct from the manufacturer,” says David Jevans, chief executive of CipherTrace. “Criminals targeting cryptocurrency usually have degrees in technology and understand the world cryptocurrency trades in, so they’ve developed a lot of ways to get people to part with their private keys.”
That insight is why criminals targeting cryptocurrency have about a six-month lead on market security practices, Jevans says.
Wallets Hot And Cold
Closing the gap will require exchanges and consumers to recognize the need for better security hygiene. “Exchanges are getting hacked for the same reasons banks, credit bureaus, and companies do—failure to properly enforce security practices,” says Gideon Samid, chief technology officer for McLean, Va.-based BitMint, a digital currency. Samid also is this magazine’s security columnist (page 12).
Best practices start with educating employees of exchanges about the risk of opening emails from someone other than a trusted sender. Criminals can disguise phishing emails with legitimate corporate logos or email addresses similar to a trusted sender.
“There are emails that can be made to look like a memo to all employees from the CEO,” says Kim Grauer, a senior economist for Chainalysis Inc., a New York City-based provider of blockchain security and compliance applications.
Opening a suspicious email can launch malware into the system that captures passwords and other vital data needed for unlocking wallets. “That’s why employees need to be trained that if they click on a suspicious email or link, they need to report it immediately,” Grauer says.
Vigilance against phishing attacks, however, is not enough to keep hackers completely out, as a few are bound to slip through this line of defense. That’s why storing cryptocurrency in a cold wallet can be an effective solution for preventing losses.
Unlike hot wallets, which are continuously connected to the Internet to allow around-the-clock access to funds stored in them, cold wallets store cryptocurrency offline, making them immune to an attack via an Internet connection.
Keeping the majority of cryptocurrency holdings in cold wallets can prevent huge losses. “Exchanges should be breaking up storage of cryptocurrency between hot and cold wallets,” Jevans says. “If an exchange has $500 million in cryptocurrency, it may really only need $30 to $40 million live at any one time.”
Keeping cold wallets on servers that have never been connected to the Internet and transferring the funds to a hot wallet via a single-use flash drive can provide an even stronger layer of security.
To move funds in this environment, which is sometimes referred to as deep cold storage, funds are downloaded to a flash drive that has never been connected to an Internet-enabled device. Wallets in cold storage are opened by entering the private key.
After the funds are downloaded, the flash drive is connected to a server containing the hot wallet into which the funds are transferred. The flash drive is then destroyed or disposed of as a precaution against any contamination from malware.
“Consumers managing their own wallet can benefit from cold-wallet storage too,” Jevans says. “It requires an [offline] computer dedicated to managing the account.”
‘Step Up And Lead’
Security experts also recommend cryptocurrency users never store their private keys on a computer connected to the Internet, a smart phone, or in an email sent to themselves.
“Write the code out on paper and put it in a safe place,” Jevans says. “If a consumer elects to have an exchange store their wallet, be sure to perform due diligence on the exchange’s security measures and make use of all the security tools it provides.”
Consumers and exchanges should also be sure to keep their anti-virus and anti-malware software up to date.
Performing due diligence on an exchange that offers wallet-management service is critical, because many of them are startups with little or no track record when it comes to security. And like many businesses, exchanges also must contend with a shortage of skilled security technicians, says Rick McElroy, head of security at Carbon Black Inc., a Waltham, Mass.-based cybersecurity company.
“A lot of new exchanges are more focused on getting up and running first, as opposed to security,” McElroy says. “Someone has to step up and lead on cryptocurrency-security management, and exchanges can be the ones to spark the charge.”
One step exchanges can take to lead the charge on security is to require multiple signatures before a transaction is verified and recorded. Many cryptocurrencies, including Bitcoin, record either a single signature or a composite of multiple signatures, because this is a simple, low-cost solution to implement. Single signatures are only secure, however, if the single private key is secure.
A more secure signature-authentication method is to require multiple different parties to approve a transaction. This option is quite costly and can raise transaction fees, which means it has limited implementation, says Sepior’s Tuncay.
An alternative to multi-signature technology is ThresholdSig, which allows multiple different parties to collectively approve a transaction, but record it on the blockchain as a single signature.
“Rather than generating entire keys, ThresholdSig uses a technique called Multiparty Computation to generate shares of a single key on the device used by each approver,” Tuncay says. “An entire key is never produced or stored on any device at any time. These attributes dramatically reduce the potential for key theft and cost less to implement, which holds down transaction costs.”
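To make the threshold-signature idea Tuncay describes concrete, here is an added example (not Sepior’s code or a production protocol) of a toy t-of-n threshold Schnorr signature in Python: distributed key generation leaves each approver holding only a share, signing combines partial signatures, and the result is one ordinary signature, so the full key is never assembled on any device. The group parameters (p=1019, q=509, g=4) and the message are constructed for illustration; a real deployment would use a 256-bit curve and a vetted library.

```python
# Toy t-of-n threshold Schnorr: the key x exists only as Shamir shares and is
# never assembled; signers combine partial signatures into one plain signature.
# Constructed toy group (p=1019, q=509, g=4); real systems use a 256-bit curve.
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # G generates the prime-order-Q subgroup of Z_P*
def lagrange_at_zero(i, signers):  # makes sum(lambda_i * share_i) == x mod Q
    num = den = 1
    for j in signers:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def eval_poly(coeffs, i):
    return sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q

def keygen(n, t):
    """Distributed key generation: each party deals a degree-(t-1) polynomial;
    share i is the sum dealt to point i. Nobody ever holds x; only G^x is computed."""
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    shares = {i: sum(eval_poly(pl, i) for pl in polys) % Q
              for i in range(1, n + 1)}
    pk = 1
    for pl in polys:                  # product of each dealer's G^{a_0}
        pk = pk * pow(G, pl[0], P) % P
    return pk, shares

def challenge(r, pk, msg):
    data = f"{r}|{pk}|{msg}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def threshold_sign(pk, shares, signers, msg, t):
    if len(signers) < t:
        raise ValueError("not enough signers to meet the threshold")
    # round 1: fresh per-signer nonces; their commitments multiply into one R
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in signers}
    r = 1
    for i in signers:
        r = r * pow(G, nonces[i], P) % P
    c = challenge(r, pk, msg)
    # round 2: each z_i uses only that signer's own share and nonce
    z = sum(nonces[i] + c * lagrange_at_zero(i, signers) * shares[i]
            for i in signers) % Q
    return r, z                       # one Schnorr signature (R, z)

def verify(pk, msg, r, z):
    return pow(G, z, P) == r * pow(pk, challenge(r, pk, msg), P) % P
```

Any three of the five share holders can produce a signature that verifies against the single public key, while two cannot, and the verifier sees nothing that distinguishes it from a single-signer Schnorr signature.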
Not all thefts are the result of email tricks and other established tactics. Above all, cryptocurrency users need to guard against overconfidence about the strength of the cryptography used to secure private keys. While there are no known incidents of criminals cracking these codes, some cryptography experts argue it can be done.
One potential weakness lies in the assembly of cryptographic protocols. “The mathematics behind the algorithms may be solid, but if the protocols are pieced together incorrectly, it can produce a weakness in the security system through which the private key can be leaked,” says Nicko van Someren, chief security officer for Nanopay, a Toronto-based payment platform for real-time multi-currency payment solutions.
History has also shown that any mathematical equation can be solved either by a smarter mathematician, someone with the computing power to crack the code, or both. “Few people delve into the math behind cryptography to determine how strong it really is,” says Samid. “I’ve seen predictions that the cryptography behind Bitcoin will be cracked in 10 years.”
It’s an ominous prediction that, if proven true, could rock the cryptocurrency world to its core. “Security is something that a lot of crypto users don’t want to learn or think about, but it’s not a given,” Samid says. “There are a lot of threats and they can’t be ignored.”