The skyrocketing value of cryptocurrencies has ushered in a new wave of financial cybercrime. These blockchain exploits and mining schemes are growing more sophisticated and more effective every day as investors flock to buy up digital funds. Users should closely monitor their cryptocurrency wallets and implement robust endpoint security measures to protect their increasingly valuable digital funds from this burgeoning threat, warns IBM Security.
“Is the Bitcoin craze another in a series of history’s most infamous bubbles, or is it a genuine harbinger of a new global financial architecture?”. This question asked by economist Marshall Auerback, published on the Alternate web portal illustratively frames the dilemma that many of us have about Bitcoin and other cryptocurrencies. Auerback goes on to say that: “in spite of recent market turbulence, its champions see bitcoin (and its cryptocurrency peers) as an ideal market-generated solution as questions arise about the future viability of paper currencies in a global economy characterised by sky-high indebtedness and bloated government/central bank balance sheets. The enthusiasts behind cryptocurrencies produce debt clocks that relentlessly tick over to get us to believe that a Weimar–style hyperinflation is imminent. By creating an alternative store of value outside the control of easy-money-peddling central banks, and their corrupt Wall Street handmaidens, they assert that bitcoin offers a way out of this looming destruction of our savings”.
Thus, our dilemma is should we embrace them or cautiously wait and see if it would be just another bubble set out to imminently burst? There are numerous published article on the topic and as many divided opinions on usefulness or irrationality of these currencies. Many newcomers are, unfortunately, unaware of the risks and security holes in the still hardly known but lucrative world of cryptocurrency. This makes them an easy prey for cybercriminals.
Cryptocurrency and enabling technology
Cryptocurrencies and its underlying blockchain technologies are becoming an emerging global phenomenon. However, beyond noise through the media and guesses, the majority of us, including scientists, developers and bankers do not have much knowledge about this novelty concept.
Cryptocurrencies or digital currencies do not have material form and can be issued by an unlimited number of anonymous sources. The origin of these currencies goes back to 2008 when (still anonymous) Satoshi Nakamoto unintentionally invented Bitcoin while working on the ‘A Peer-to-Peer Electronic Cash System’ project. The most important part of this project was the invention of the way of building decentralised digital cash system. This ‘distributed ledger’ is based on limited entries in a database that nobody can change without meeting specific conditions.
The main characteristics of the cryptocurrency transactions are irreversibility, pseudonymous nature, speed and global reach, permissionless and (supposed) security. Irreversibility means that after confirmation, a transaction cannot be reversed while pseudonymous nature denotes that neither transactions nor accounts are connected to real-world identities. The transactions of cryptocurrencies can be performed instantaneously and are not constrained by global locations. Being performed by free-of-charge software, the users do not have to ask for permission to use cryptocurrencies or transact them. Lastly, the cryptocurrency transactions are deemed as secure as they are using a public key cryptographic system.
Many worldwide central banks have treated the phenomenon with caution, although some have started exploring the possibilities that it offers – and even developing their own cryptocurrency. The list of countries that have introduced or are introducing cryptocurrencies includes Tunisia, Ecuador, Sweden, Senegal, Estonia, China, Russia, Japan, Venezuela, and Israel.
However, despite the proclaimed advantages of cryptocurrencies, the news outlets bring an increasing number of cautionary stories. For example, the Capital Economics research consultancy warns that Bitcoin, the most known cryptocurrency, is a bubble that has already begun to burst. They specified that most people do not buy bitcoin because of a belief in its future but because of an expected rise in price.
The latest fluctuation of major cryptocurrency (Bitcoin, Ripple and Ethereum) prices might suggest that there are some reasons for concern. Just a week or so back, cryptocurrencies lost USD 200 billion of their market capitalisation in just one day. The total market capitalisation of these currencies fell from USD 653.8 billion to USD 450.5 billion. Hence some experts believe that cryptocurrencies will not be trusted due its instability. How, for example, can these currencies be used for paying salaries if they can lose 25% of its value in a single day?
There are also some emerging concerns, not only on financial but on digital (in)security of these currencies. All financial benefits potentially gained through the use of cryptocurrencies might instantly disappear through a successful hacking attack.
Last month, Coincheck Inc., a leading Japanese cryptocurrency platform, announced a loss of USD 530 million in customer assets due to hacking. The cryptocurrency called NEM suddenly disappeared from the virtual exchange! This was, according to Coincheck operators, attributed to an unauthorised access outside the system. In other words, this platform for the cryptocurrency exchange was hacked!
As a consequence, all transactions of this and other currencies were halted after the company became aware of the situation – which happened more than 8 hours after the incident! The Coincheck exchange incurred not only financial losses caused by the hack but also by the compensations paid to the customers.
However, there were opposite views of the event. Some Twitter users have accused the Coinbase exchange of spamming the blockchain system, thus making the pending period longer and commission higher. The user @CivEkonom pointed out that, after the platform had stopped Bitcoin withdrawal, the volume of the total number of all transactions awaiting verification began to decrease. The platform was accused of conducting transactions separately instead of packing them together, which made the pending period longer and commission higher.
This was, unfortunately, not an isolated cryptocurrency hiccup incident. According to the Autonomous Research LLP, in the last 10 years, hackers have stolen USD 1.2 billion worth of various cryptocurrencies. The same source estimates that crypto-hacking could be a USD 200 million annual revenue industry. Ernst & Young predicts that about 10% of funds, accumulated through the 372 initial coin offerings (ICOs) between 2015 and 2017, have been stolen through hacks.
Bloomberg has reported that cybercriminals have stolen more than 14% of the cryptocurrencies supply over the last decade, while the WinterGreen Research pointed out that cryptocurrency hacks have cost companies and governments USD 11.3 billion worth of potential tax revenue from cryptocurrency sales. Mt. Gox, a Japan-based Bitcoin exchange, lost a fortune in 2014 and was forced to file bankruptcy. And the stories go on. Boffins predict the cryptocurrency losses could continue to increase dramatically as more companies and investors join the cryptocurrency tide.
How are cryptocurrency platforms attacked?
‘Cryptocurrency rush’, an urge to quickly attract investors, coupled with still not well-tested blockchain platforms, are among main enablers for successful hacks. The Ernst & Young report found that about 10% of USD 3.7 billion generated by the initial coin offerings (ICOs) has been stolen so far. This happened due to the project founders focusing on attracting investors and not prioritising security. It seems that hackers are successfully taking advantage of the more hyped and large-scale ICOs.
Although seemingly secure, blockchain records, which are kept by the digitised, decentralised, public ledger of cryptocurrency transactions to allow all investors to keep track of digital currency transactions, are not that much safer than any other software, concludes the same report.
“Since there are thousands of blockchains with their own bugs, securing them all is tricky as such implementation is going to have its own problems” – Matt Suiche, from blockchain security company Comae Technologies told Bloomberg.
Blockchains start as forks that diverge from existing crypto ledgers, i.e. databases where every cryptocurrency transaction is recorded. These forks, which occur during cryptocurrency ‘mining’ process, represent transaction changes with a common history that are responsible for the creation of two different coins. The significance of this process for our story lies in the possibility for hackers to manipulate the data at every fork. This is what the Taiwanese Institute of Electrical and Electronics Engineers (IEEE) announced in December 2017.
More worrying is the finding of the IEEE report that hackers can theoretically spend the same Bitcoins twice through what is called a ‘balance attack’. In this kind of attack, hackers can purposefully delay network communications between Bitcoin miners to prevent their computers from validating blockchain transactions.
Somewhat comforting is the fact that there is not yet evidence that such attacks have already been performed on Bitcoin or other cryptocurrencies but the Taiwanese researchers believe that some of the important characteristics of Bitcoin make these attacks practical and potentially highly disruptive.
Similar reports prompted some governments and corporations around the world to voice their concerns over cryptocurrency transactions, amid fears that criminals might take advantage of both: vulnerabilities of the cryptocurrency platforms and the anonymity of the transactions.
Phone-porting and other possible attacks
One common crime that is performed on the cryptocurrency investors is the phone-porting attack, reports CNBC. Hackers snoop around social media, looking for cryptocurrency conversations in which investors post their phone and email for easy contact. Then, posing as the victim, they call up the phone provider in an attempt to fool the customer service representative into transferring the phone number to a device they control.
Once the hackers take over the phone number, they can go into the victim’s cryptocurrency exchange account by resetting the password, ultimately stealing cryptocurrencies from the account. CNBC reported that Cody Brown, a virtual reality developer, blogged about how he lost around USD 8,000 worth of cryptocurrencies on Coinbase in 15 minutes, triggered by a phone porting attack.
Another example comes from IBM Security. Criminals replaced the Ethereum address on the Enigma cryptocurrency investment platform with their own address and collected USD 500,000 in investment funding for the start-up – before anyone from the company noticed the change! The replacement was the result of a simple password attack that helped the attackers to gain access to the Enigma website. Although the money was eventually returned, the cryptocurrency and security communities should expect more of these attacks in 2018.
Mobile phones are not the only points of weakness, according to Adam Dachis, a former writer for Lifehacker. He admitted that his Coinbase account was looted in May 2017 by hackers who took control of his home computer. That attack left him without USD 10,000 worth of cryptocurrencies.
Jonathan Levin, co-founder of Chainalysis, an intelligence software firm that specializes in tracking and solving cryptocurrency crimes, points out that computer hacks, phishing attacks and cryptocurrency Ponzi schemes are all common types of cryptocurrency theft. IBM security confirms that fraudsters have written specialised phishing lures to penetrate the cryptocurrency systems in recent months.
IBM security also warns that perhaps the most devastating incidents have been the distributed denial-of-service (DDoS) attacks, either on the blockchain-based exchanges or other sources of cryptocurrency. The first such attack targeted the DAO joint Ethereum investment fund back in 2016, but security researchers have reported numerous other DDoS exploits since then.
Fraudsters have also been known to take over unsuspecting endpoint computers and use them to mine or create new crypto coins, cautions IBM Security. For example, the Neptune exploit kit enables cybercriminals to hide their mining payloads in seemingly innocuous hiking advertisements. These tools register the attacker’s email address as the source of the mining operation before infecting the victim’s PC with malware. The Slovenian bitcoin trading marketplace NiceHash, which enables customers to mine for cryptocurrencies by leveraging unused CPU cycles, reported the loss about USD 64 million worth of bitcoin during this type of attack on its systems in December 2017.
Protecting your cryptocurrency investment
The solution to the cryptocurrency security threats is not a simple one. While electronic trading platforms require technical expertise for fixing current security vulnerabilities, the investors should learn about their role in protecting their investment. The security incidents, that occurred thus far, have taught us a lesson that digital trading platforms cannot be a sole protection of our investment. Since our participation is inevitable, here are some advice, recently shared by investors and technical experts with CNBC.
The simplest precaution should be not to talk publically about cryptocurrency investments, especially avoiding that on social media.
Before opening up an account on the cryptocurrency trading platform, it is advisable to set up a unique email account specifically for that purpose. That account should be accessed only by you and should have a very strong password.In case of having an investment with different exchanges, unique passwords are desirable for each of them.
Furthermore, ask your cell phone provider to provide you with every possible level of security. Also, ask them to add a “do not port” SIM card to your account as a phone port attack can still lead to an email compromise.
It is also advisable not to keep all cryptocurrencies in one place. Diversification among the exchange platforms will lower possibilities of loss as it is unlikely that all platforms would be hacked at the same time.
Moreover, the investors should keep the bulk of their cryptocurrencies in so-called ‘cold wallet’. Most people who hold digital assets have both ‘cold’ and ‘hot’ digital wallets because they are designed for different purposes: ‘hot wallets’ are connected to the Internet while ‘cold wallets’ (‘hardware wallet’), are not. Usually, investors keep a few cryptocurrencies in ‘hot wallet’ and use it for purchasing purposes. The rest of digital assets are typically kept in a ‘cold wallet’ as savings. From the cybersecurity viewpoint, ‘cold wallet’ is safer as cybercriminals cannot access it via the Internet. The security of ‘hot wallets’ is largely dependent on the security habits of users but also of the third parties involved.
Interested readers can definitely find more security tips published elsewhere but it suffices to say that the aim of this article is not to promote or oppose cryptocurrencies. That should always be a personal or organisational choice. We have only provided related information that might help our readers to make informed decisions regarding the digital security of their cryptocurrency investment.