Cryptocurrencies were the talk of 2017. Everyone from bank chairs to soccer moms, from investors to entrepreneurs, from hi-tech professionals to politicians were talking about it nonstop. The number of people worldwide who entered the field and started investing in crypto also skyrocketed. Unlike many other articles, I am not going to talk about whether it is wise to invest in crypto from a financial point of view. Nor am I going to foresee whether crypto will change the world or if it is just another bubble. Instead, I intend to talk about what most people do not, and that is the cybersecurity risks for the nonprofessionals who are dealing with crypto at present.
Blockchain, considered by some to be the most exciting technology since the Internet, holds the promise for a completely secure and reliable means of transferring assets, making deals, and keeping records (of one's bitcoins for example). The theory and mathematics at the base of blockchain are probably as secure and reliable as promised. But like in many other cases of encryption methods, the implementation is usually much less perfect than the mathematics. Almost any encryption method in the last 20 years or so is theoretically unbreakable. However, in practice, many systems using these methods have been hacked and the encryption overcome by indirect measures. From simple means like making use of the fact that too many people still use PASSWORD1 as their password (password guessing is too easy and once guessed, the encryption's strength is irrelevant), to more sophisticated attacks such as stealing certificates, like in the case where hackers stole certificates from Foxconn and used them to hack into Kaspersky Labs or the hack into DigiNotar which used to create and sign certificates. Going after the "manufacturer" of the encryption system or the device using an encryption are some of the ways hackers overcome unbreakable encryptions.
Going back to blockchain and cryptocurrencies, over the last few months we have witnessed many hacks into cryptocurrency exchanges. The South Korean Bitcoin exchange Youbit, for example, quit its operation and filed for bankruptcy due to two cyber-attacks in the last eight months. In the first one hackers stole 3816.2028 Bitcoin (US$5 million at that time) which was 37% of user funds. In their latest announcement, the Bitcoin exchange said that despite taking security measures the company suffered another data breach in which 17% of total assets were stolen. As a result, all coins and cash withdrawals were suspended. In a different case, Bithumb, one of the largest Bitcoin and Ether exchange platforms, was hacked resulting in a loss of billions of South Korean Won, with many user accounts compromised.
Not only crypto exchanges are being hacked. Any subsystem somehow connected to the crypto world is a target for hackers these days. Cryptocurrency mining market NiceHash was hacked, and around $67 million were stolen from its Bitcoin wallet. Consequently, NiceHash urged users to change their online passwords. CoinDash (ISO), an Israeli cryptocurrency social trading startup announced that it suffered a massive security breach in which the company’s crowdfunding page was hacked during its Token Sale event. As a result, unknown hackers stole Ethereum worth $7 million. The company then announced that no one who sent transactions after the CoinDash’s site was shut down would be compensated. Tether, a startup firm known for offering dollar-backed cryptocurrency, was hacked and $30 million were stolen from its main digital wallet.
Another angle to approach this from is the digital wallets themselves. Hackers are targeting them in many ways, for example, by uploading Fake Bitcoin Wallet Apps to the Google Play Store. The whole concept of digital wallets is very immature, and the technology is not for ignorant users or people who are not tech savvy. The need to somehow secure a large number of random words, for example, in a way not easily accessible to hackers but nonetheless easily accessible to the user is not trivial.
Blockchain is still a new technology, unripe and as yet unstable. The technology around cryptocurrency is even younger and much less stable. The entities behind many exchanges, miners and wallets are early-stage companies and even individuals who never dealt before with building a robust and secure IT infrastructure. The rush for gold makes companies and individuals scramble to deploy technologies that have not been sufficiently tested and what is more, have not been reviewed by any official entity. Regulation is still considering what Bitcoin means, so no regulatory and compliance requirements exist for someone who decides to open a new crypto exchange.
Another aspect that is different in the crypto world from traditional banking is the lack of accountability and assurance. Regular banks are hacked as well, but when it occurs, it is the bank's problem and not its customers'. Customers will get their money back. Traditional stock exchanges are very heavily secured and regulated. It is a much tougher challenge to hack into NASDAQ than today's crypto exchanges. Even though Blockchain and Bitcoin are completely secure in theory, the IT in which they are rooted is far from being so.
In this realm, anyone who wishes to join the party is at severe risk of losing their money due to cybersecurity issues. No one promises to give you your money back if stolen from the exchange or some other service provider. No one will reimburse you if your own wallet is hacked and emptied (as opposed to your bank account).
This article does not attempt to provide any buy, sell or hold analysis of any crypto investment. However, I do think that, at present, crypto investing involves more than just the traditional financial risk inherent in the early stage of this business. I believe that common people who seek to get involved in the rush for cryptos are far from being aware of the nature of the risks facing them, so my goal is to help them become somewhat more aware. At present, dealing with cryptos is not only not for dummies but also hardly for ordinary investors.
Zohar Rosenberg is VP Cyber Investments at Elron. In the past, he had served as Head of the IDF Cyber Department