In December of 2017, Bitcoin hit $19,343 and was creating a feeding frenzy worldwide. The frenzy was far and wide and was impacting even the most mature of social investment groups. Doctors, lawyers, cops, fire personnel, even sanitation workers were buying into cryptocurrency, and in unprecedented volume. It wasn’t just Bitcoin; it was the whole cryptocurrency market: Ethereum, Ripple and Litecoin, to name a few. Did you know that there are over 1200 cryptocurrencies? CoinMarketCap alone lists 876 cryptocurrencies, and there are more that aren’t listed on exchanges at all. Within a month the value had fallen to under $7,700, and weeks later to $6,700, causing large amounts of wealth to change hands.
The volatility of cryptocurrency is one thing, and the loss of value through speculation is expected, but loss through theft and trickery is shocking and important to understand and guard against. Large amounts of wealth have changed hands illegally and dishonestly since crypto’s inception. The inner workings of this new currency is left to the code writers, as this article isn’t necessarily about how crypto works mathematically, but instead about how social behavior plays into this new form of currency.
Code is Law
Bitcoin is built upon blockchain technology, as are all cryptocurrencies. Blockchain is described as a distributed and decentralized ledger where all members of the blockchain are aware of all the previous blocks as well as any new blocks. This is the main attraction to blockchain, because technically no single entity or member can change a block without every other member knowing. As blockchain technology evolves, mainstream business players like Walmart, ADP and Kronos, along with major universities and even governments, are either using or experimenting with blockchain technology. Walmart is already using blockchain for inventory management. The global payroll and HR vendor ADP has developed a team working on a blockchain payroll system. The major HR player Kronos is heavily considering blockchain for payroll and other HR applications. The use of blockchain for cross-border payments holds a lot of promise, and a few start-ups are already doing business in this area. Blockchain technology holds potential for so many other socially centered areas: education; federal, state and municipal record keeping of everything from birth, death and marriage records to motor vehicles, licensing and insurance. The uses are vast.
The fact that once a block in the blockchain is generated it can’t be changed or altered is what makes it so desirable. If you ask someone well-informed about the characteristics of blockchain, the word ‘immutable’ will invariably appear in the response. In plain English, this word immutable is used to denote something which can never be modified or changed. In a blockchain, it refers to the global log of transactions, which is created by a consensus between the chain’s participants. The basic notion is this: once a blockchain transaction has received a sufficient level of validation, some cryptography ensures that it can never be replaced or reversed.
But Is It Immutable?
Nonetheless, the mere possibility of a powerful enough participant interfering with the chain puts the cryptocurrency immutability doctrine in its place. The bitcoin blockchain and its ilk are not immutable in any perfect or absolute sense. Rather, they are immutable so long as nobody big enough and rich enough decides to destroy them. Basically, if some entity has enough computational power, including the electricity to drive a subversion attack, it is possible to fork the blockchain or roll back transactions, erasing recent transactions that have not yet been deeply validated. The requirements to disrupt public blockchain currencies like Bitcoin are enormous, but it is possible.
Still, by relying on the economic cost of subverting the network, cryptocurrency immutability satisfies the specific needs of people who don’t want to trust governments, companies and banks.
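A toy proof-of-work chain, added here as an illustration (it is not code from the article), showing both halves of the argument above: editing a block without re-mining breaks every later link, which is the everyday sense of "immutable", while a participant who can out-mine everyone else from a fork point produces a longer valid chain that the longest-chain rule accepts, rolling back whatever transactions it leaves out. The Block layout, DIFFICULTY and the transaction strings are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass

DIFFICULTY = 2  # leading hex zeros a block hash must have; tiny so the demo runs in a second


@dataclass(frozen=True)
class Block:
    height: int
    prev_hash: str  # commitment to the previous block: this link is the "chain"
    tx: str         # one constructed transaction string per block
    nonce: int

    def digest(self) -> str:
        raw = f"{self.height}|{self.prev_hash}|{self.tx}|{self.nonce}".encode()
        return hashlib.sha256(raw).hexdigest()


def mine(height: int, prev_hash: str, tx: str) -> Block:
    """Brute-force a nonce until the hash meets DIFFICULTY (toy proof of work)."""
    nonce = 0
    while True:
        blk = Block(height, prev_hash, tx, nonce)
        if blk.digest().startswith("0" * DIFFICULTY):
            return blk
        nonce += 1


def extend(chain: list, txs: list) -> list:
    """Return a copy of chain with one freshly mined block per transaction appended."""
    out = list(chain)
    for tx in txs:
        out.append(mine(len(out), out[-1].digest(), tx))
    return out


def is_valid(chain: list) -> bool:
    """Every block must carry valid work and point at the hash of its predecessor."""
    for i, blk in enumerate(chain):
        if blk.height != i or not blk.digest().startswith("0" * DIFFICULTY):
            return False
        if i and blk.prev_hash != chain[i - 1].digest():
            return False
    return True


def tamper(chain: list, height: int, new_tx: str) -> list:
    """Edit a historical block in place without re-mining it or anything after it."""
    out = list(chain)
    old = out[height]
    out[height] = Block(old.height, old.prev_hash, new_tx, old.nonce)
    return out


def select_chain(candidates: list) -> list:
    """Simplified Nakamoto rule: the longest valid chain wins (every block costs equal work)."""
    return max((c for c in candidates if is_valid(c)), key=len)


GENESIS = [mine(0, "0" * 64, "genesis")]
```

Re-mining from `chain[:k]` with `extend` is the rollback the paragraph describes; on a real network the rewriter must also outpace every honest miner for the whole time, which is the economic cost the section relies on.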
Can I Have a Fork Please?
“Forking” happens when consensus peers disagree over the laws pertaining to the blockchain strain. A case in point happened with the Ethereum blockchain, which suffered a devastating exploit in June 2016. Someone found a coding loophole in a smart contract called The DAO, in which almost $250m had been invested, and began draining its funds at speed. While this clearly violated the intentions of the contract’s creators and investors, its terms and conditions relied on the mantra that ‘code is law’. Law or not, less than a month later, the Ethereum software was updated to prevent the hacker from withdrawing the cryptocurrency “earned”.
This update could not be enforced, since every Ethereum user controls their own computer. Nonetheless, it was publicly supported by Vitalik Buterin, Ethereum’s creator, as well as many other community leaders. As a result, most users complied, and the blockchain with the new rules kept the name Ethereum.
A minority disagreed with the change and continued the blockchain according to its original rules, earning the title “Ethereum Classic”. A more accurate choice of names might be “Ethereum the Compromised”, and “Ethereum the Pure”. Either way, democracy is democracy, and the pragmatic and popular Ethereum is now worth over 800x the idealistic, but sidelined, Ethereum Classic.
The downside of the fork split is that the value of classic ether is much lower than the new ether. So, two potential vulnerabilities in Ethereum, volatility and code flaws, increase its risk profile.
Trust Is King
Even among cryptocurrency exchanges, trust is an issue, in what is referred to as a trustless system. Forbes states that “Florida-based Weiss Ratings released a report that assigned grades to dozens of cryptocurrencies based on a number of metrics, like risk, technological innovation, and other fundamentals”. Can blockchain provide integrity? If it’s a GIGO system of accounting with no checks on input, then garbage in means garbage out. Walmart is now using blockchain to manage its fruit and vegetable produce inventory, but how does it qualify whether the produce is fresh and what grade of quality it is? To date, a human must qualify the condition of the produce. If they accidentally input organic for a pesticide-treated peach, then blockchain cannot guarantee the accuracy and integrity of the record for the peach in question. The same goes for a student’s GPA or transcript. Many colleges and universities are exploring the possibility of using blockchain to control and maintain students’ transcripts, and this offers an array of advantages in using this information, from employers verifying a job applicant’s representation to transferring CEUs. But what if the student cheated on their exams? The blockchain ledger would report exactly what was entered. The integrity of the transcript is only as good as the trust in the system that grades the student.
Bots are Stealing the Show
In October of 2010 the stock market lost trillions of dollars in value momentarily. Not because of theft but due to high frequency traders. Traders with a technological advantage were beating slower systems to the draw. Along with the high frequency traders, there are bots to contend with. Trading bots listen for media buzzwords that can indicate whether a stock is going to rise or fall and then act on the information with a trade. It’s important to remember that a small fraction of the trades on stock markets these days — maybe 10 percent — are made by real-life human beings deciding to buy or sell shares in this or that company. Another 40 percent or so reflect decisions to invest in the entire stock market, or an entire industry, or an entire class of companies — index funds, exchange-traded funds (ETFs) or other kinds of passive investments.
That leaves half the trading that is done automatically by computers, according to complex algorithms that focus on changes in market prices or indices caused by the trading done by other computers. In this kind of robots v. robots trading with its circular logic, fundamentals are irrelevant, the volumes are enormous and the holding periods are often a matter of minutes, or even seconds.
The same goes with cryptocurrency markets as it turns out bots may account for a large part of short-term holdings in crypto markets. Worse yet, bot trading could be freely manipulating the market, artificially inflating prices and causing individual investors to overpay on their executed trades.
Case in point: Neo. With Ethereum’s 5,800 percent rise in 2017, investors piled into Neo, which is touted as the Chinese equivalent of Ethereum. And Neo quickly became prime territory for a trading bot to operate and take advantage of overly optimistic and inexperienced investors. On November 29th, advanced crypto trading platforms began detecting abnormal signals that indicated multiple bots trading on Neo. The extreme volatility of the market coupled with dozens of bots trading simultaneously caused the price to crash within minutes of the first detected signals. Neo went from $34 to $3.74 in a matter of seconds, before returning to $34. Investors who bet big lost almost everything within a few blinks of an eye. This kind of flash crash has happened more than once and will likely happen again.
Horror Stories of Theft
When it comes to holding on to your crypto-money there are plenty of horror stories of loss. Some lost money because they misplaced the keys to their crypto wallet others because they lost the passwords to their online exchange. There are plenty of dumb ways to lose your cryptocurrency and you can’t fix stupid. What you can fix is bad habits and apply best practice to how you handle your crypto-money. Before we do this let’s take a stroll along memory lane and examine some of the bigger theft events.
Mt Gox, based in Japan, was the world’s biggest cryptocurrency exchange when hackers broke in and stole an estimated $400 million worth of bitcoin almost four years ago. Mt Gox went bankrupt shortly afterward and affected users still haven’t been compensated.
Seoul-based Youbit said it was filing for bankruptcy after cyber-thieves stole nearly a fifth of its clients’ holdings in an attack recently. It’s the second time that Youbit, which allows customers to trade Bitcoin and other digital currencies, has been hit by hackers. Last time, thieves made off with 38 billion won ($35 million) in digital currencies. The company didn’t say how much was taken in the latest heist or how exactly it happened.
Earlier, hackers stole more than $70 million worth of bitcoins from digital currency platform NiceHash. Last year, Hong Kong-based exchange Bitfinex was briefly shut down after hackers stole more than $60 million in bitcoins.
NEW DELHI, April 13, 2018 (Reuters) – Coinsecure, an Indian cryptocurrency exchange, said nearly $3 million was stolen from its bitcoin wallet, the biggest theft reported so far in the country’s fledgling virtual currency market. The theft is expected to further weaken trade in cryptocurrencies, which the government has likened to “Ponzi schemes” that offer unusually high returns to early investors. Coinsecure, which has over 200,000 users trading on its platform daily, said that around 438 bitcoins, which were stored in a password-protected virtual wallet, were siphoned off to an unknown destination on the internet after the details were leaked online. “We regret to inform you that our bitcoin funds have been exposed and seem to have been siphoned out to an address that is outside our control,” the company said in a statement posted on its website.
On April 17, 2018, Japan’s Financial Services Agency (FSA) punished seven digital currency exchanges, demanding that two of them halt operations. The suspension order against Bit Station came after FSA investigators found one of its senior employees using a customer’s Bitcoin for personal purposes. As a result, the exchange has pulled out its application for authorization.
In May 2018, hackers were able to redirect traffic for MyEtherWallet.com via a BGP routing hijack, sending users on the affected networks to a fake website. The tactic only lasted for a few hours but allowed $330,000 to be siphoned from interested buyers. This is not the only time crypto traders have fallen for spoofed websites. As seen in the cryptocurrency subreddit, scammers have found a way to make their website addresses (URLs) look just like the authentic URLs of some popular cryptocurrency exchange sites, like Binance and Bittrex. Unfortunately for the unsuspecting crypto trader, using your login credentials on a scam site can lead to theft of your cryptocurrency or even your standard government-minted money.
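A small lookalike-domain check of the kind a wallet, browser extension or proxy could run before submitting credentials, added here as an example (not the article's or any exchange's code). It folds a hostname to how it looks (punycode decoded, accents stripped, a hand-picked set of confusable characters mapped to Latin letters) and compares it with an allowlist of bookmarked exchange domains; the allowlist and the confusables table are constructed assumptions, not a complete list.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the exchange domains the article names, as a user would bookmark them.
KNOWN_EXCHANGES = {"binance.com", "bittrex.com", "myetherwallet.com"}

# Hand-picked confusables (assumption: a small subset, not the full Unicode confusables table).
# Each key renders like the Latin letter it maps to.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0456": "i", "\u0455": "s", "\u0445": "x",          # Cyrillic look-alikes
    "0": "o", "1": "l", "rn": "m", "vv": "w",              # ASCII tricks
}


def skeleton(host: str) -> str:
    """Reduce a hostname to how it looks: punycode decoded, accents stripped, confusables folded."""
    if any(label.startswith("xn--") for label in host.split(".")):
        host = host.encode("ascii").decode("idna")
    decomposed = unicodedata.normalize("NFKD", host)           # í -> i + combining acute
    host = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for lookalike, letter in CONFUSABLES.items():
        host = host.replace(lookalike, letter)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer) for catching one-character swaps and drops."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'known'     exact match with an allowlisted exchange
       'lookalike' matches only after folding, is within one edit, or hides a real domain as a subdomain
       'unknown'   nothing resembling a known exchange (not necessarily safe, just not impersonating)"""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in KNOWN_EXCHANGES:
        return "known"
    folded = skeleton(host)
    for good in KNOWN_EXCHANGES:
        if folded == good or edit_distance(folded, good) <= 1:
            return "lookalike"
        if host.startswith(good + ".") or folded.startswith(good + "."):
            return "lookalike"
    return "unknown"
```

A hijack like the MyEtherWallet one leaves the hostname intact, so this check catches the spoofed-URL cases in the paragraph, not BGP attacks; for those, the browser's certificate warning is the signal that must not be clicked through.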
The list goes on and on. A simple Google lookup of cryptocurrency theft will take you on a scary journey.
It’s bad enough that money is being stolen but cryptocurrency hackers are stealing your power too. By leveraging crypto-mining malware criminals are infecting computers and mobile devices with malware that uses the computer’s processing power and electricity to mine for cryptocurrency. Bitcoin-mining malware has a long history in Google Play, with the first family, Andr/LepriCon-A, appearing in 2014.
What Can I Do to Protect My Money?
So, we see that cryptocurrency can be lost in a number of interesting ways. It can be by mistake, for instance by losing your crypto key. It can be stolen while in an exchange, or even in your computer-based wallet. You can send money to a spoofed website pretending to be an exchange. You can lose your fiat money if your computer or mobile device has been compromised and used as a criminal crypto-miner, where you don’t get the financial benefit… just the electric bill. All of these exploits can be neutralized with an understanding of the dangers of working with cryptocurrency.
Phone SIM Cards
What type of device are your cryptocurrency accounts managed with? If it’s a mobile device you need to be careful with letting your device out of your view. There are cases where the SIM card has been stolen or cloned. For that matter, keep your mobile device locked with the highest security including protection from theft.
As email is one of the main factors for compromising a device, whether it’s a laptop, desktop or mobile device, it’s best practice to use a separate device and email for financial transactions. Or, better yet, use a virtual machine for anything related to securing your currency.
Prevent the “Phone Number Port”
There are reported cases of phone numbers being “ported” by hackers to gain control of SMS messages. A good block for this tactic is to keep alerts on from your phone provider, and to use authenticator apps like Google Authenticator rather than SMS. Using multifactor authentication is a smart move because it can protect your accounts from brute-force password attacks, but if you do, use a token device rather than SMS or email for the second factor (2FA). There are reported cases where the second factor was intercepted through “Man in the Browser” attacks, where whatever is typed into the browser is mirrored to the hacker’s screen.
As we saw above, many crypto exchanges have been hacked and untold amounts of currency have evaporated. The full extent of these vulnerabilities is not understood completely. In most cases, they’ve been software vulnerabilities, and for some it’s thought to be insider greed. Let’s face it…at some point, we need to trust someone in what is a trustless system. We can transfer the trust we have in our fiat banking systems to the cryptocurrency systems, but they don’t have the same controls as FDIC and banking regulatory laws. If your cryptocurrency holding rises above your risk threshold, then take it out of the exchange wallet and store it in an offline hardware wallet (cold storage). Then store the hardware wallet in a secure physical place, like a safe deposit box. There are several hardware wallet devices available like the Ledger Nano S and Trezor, with prices ranging from $100-$200.
Safe Keeping Keys
Key safekeeping (often discussed as key escrow) has always been a problem for encryption safety. If you lose your encryption key you lose your data. In the case of cryptocurrency, you lose your money. Enter “Cryptosteel”, an indestructible backup tool for optimal offline storage of private keys, passwords and wallet recovery seeds without any third-party involvement. Keeping your keys, passwords and cryptocurrency recovery seeds in this safe keeper will protect them. It can withstand temperatures up to 1200°C (2100°F) and it’s waterproof as well, in case you run into any icebergs while pleasure boating.
Cryptocurrency was designed as a peer-to-peer financial medium where transactions occur between peers and without a third party to make that transaction. Cryptocurrency exchanges were created to enhance the convenience of money exchanges, whether it’s exchanging one cryptocurrency for another or for fiat currency. If you are going to keep money in an exchange, perhaps consider not putting all of your eggs in one basket and use multiple exchanges.
As we saw above, your web browser can be compromised to allow unauthorized crypto-mining. Good endpoint protection, IDS and SIEM, help to prevent this, but the simplest way to protect yourself from cryptojacking is to install a cryptojacking blocker.
Be Careful Where You Do Business
You need to do your due diligence when working with cryptocurrency. Do your research and evaluate the trust levels of the exchanges you are working with. As cryptocurrency systems mature, better metrics will evolve that can give us more reliable rating systems of trust. Think of it as Yelp for cryptocurrency. Let’s face it: it’s your money and you’d better understand the system, including the danger of loss as well as the best practices for safekeeping.
Be Careful Where You Send Your Coins
It’s possible to send your cryptocurrency to the wrong party. This has happened and is a problem when dealing with large transaction amounts. It’s important to be careful. As the master carpenter said to the apprentice, “measure twice and cut once”. There are even QR code approaches to simplify the handling of transaction codes (the destination addresses), but depending on the level of trust in the source of the QR code, this can complicate the checking of those codes.
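One concrete form of "measure twice" for legacy Bitcoin addresses, added here as an example and not part of the article: every Base58Check address carries a four-byte checksum, so a wallet or script can reject a mistyped, truncated or corrupted address before any coins move. The encoding below is the real Bitcoin Base58Check scheme; the known-good address used in the test is the widely published genesis coinbase address, and the other test address is constructed from a made-up hash.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l

# Version bytes for the common legacy address types (real Bitcoin constants).
VERSIONS = {0x00: "P2PKH mainnet", 0x05: "P2SH mainnet", 0x6F: "P2PKH testnet", 0xC4: "P2SH testnet"}


def checksum(payload: bytes) -> bytes:
    """First four bytes of SHA-256(SHA-256(payload)), as Bitcoin defines it."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    leading_zero_bytes = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + digits  # each leading zero byte becomes a '1'


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not valid Base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def encode_address(version: int, hash160: bytes) -> str:
    """Build an address from a version byte and a 20-byte hash (used here for a constructed test case)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def check_destination(address: str) -> tuple:
    """Return (ok, description). ok is False for anything the checksum or alphabet rejects."""
    try:
        raw = b58decode(address.strip())
    except ValueError as exc:
        return False, str(exc)
    if len(raw) != 25:
        return False, f"decoded to {len(raw)} bytes, expected 25"
    payload, given = raw[:21], raw[21:]
    if given != checksum(payload):
        return False, "checksum mismatch: address was mistyped or corrupted"
    kind = VERSIONS.get(payload[0], f"unknown version byte {payload[0]:#04x}")
    return True, kind
```

The checksum catches typos and corruption, not a perfectly valid address that belongs to the wrong party, so the second look at who you are paying still matters.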
Ponzi Schemes for Cryptocurrency
With upwards of 1200 cryptocurrencies out there, the task of separating the good from the bad and the ugly is challenging. While the popular high-trust currencies like Bitcoin, Ethereum, Ripple, Litecoin, Zcash and Dash are your “safer bet”, newer or less trusted currencies might have the potential to provide higher returns but with a higher risk of being scammed. Let’s just say “buyer beware”: do your research before investing in what might seem like a safe bet but is a Ponzi scheme.
For instance, last month the technology developer Gnosis sold $12.5 million worth of GNO, its in-house digital currency, in 12 minutes. The April 24th sale, intended to fund development of an advanced prediction market, got admiring coverage from Forbes and The Wall Street Journal. On the same day, in an exurb of Mumbai, a company called OneCoin was in the midst of a sales pitch for its own digital currency, when financial enforcement officers raided the meeting, jailing 18 OneCoin representatives and ultimately seizing more than $2 million in investor funds. Multiple national authorities have now described OneCoin, which pitched itself as the next Bitcoin, as a Ponzi scheme; by the time of the Mumbai bust, it had already moved at least $350 million in allegedly scammed funds through a payment processor in Germany.
It’s Mostly “Social Engineering 101”
In the beginning of this article I said that most theft of cryptocurrency was due to social behavior and manipulation. As we have seen, other than serious software errors, most of the problems with the theft of cryptocurrency stem from human error or from social engineering. The cautious position would be to avoid the crypto market if you don’t understand it… but the high probability that this is the future of money and trade means that you’d better understand it, and learn how to keep your money in your wallet.
About the Author:
Tom Updegrove is the CEO of InterNetwork Service, an information security services company, and the CTO of CIAsecure. Tom regularly maintains back office support for firewalls, VPNs, IDS, malware protection, secure email, IP-based CCTV, VOIP, cloud computing and many other of today’s cutting-edge technologies, including conducting regular penetration tests as part of patch management services. Tom is also a Certified EC-Council Instructor (CEI) with over 20 years of experience providing technical and security services.
Disclaimer: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of EC-Council.