Your crypto exchange may be less secure than your email account
NEW ORLEANS — Cryptocurrency exchanges and apps aren’t just among the most valuable targets for hackers, they also remain among the most vulnerable.
That’s the warning Chris Wysopal, chief technology officer at the security-tools firm Veracode, offered during a talk at the Collision conference here on May 1. It’s something that should be at the top of concerns for people looking to trade or invest in cryptocurrencies such as bitcoin, which are generated through increasingly complex mathematical “mining” and allow pseudonymous transactions online and across international borders — and have increased in value wildly, even after recent plunges.
“When we talk about cryptocurrency, we’re not talking about just stealing someone’s data that we then have to monetize,” he said. “We’re actually talking about stealing money. It’s a very, very attractive target for attackers.”
Mistakes were made
Wysopal recounted a series of embarrassing but preventable hacks of cryptocurrency exchanges and apps. A partial selection:
In 2016, a bug in the smart-contacts code meant to allow automatic execution of transactions at a network called the Distributed Autonomous Organization allowed a hacker to siphon out $50 million worth of the cryptocurrency Ethereum.
(Onstage, Wysopal said this happened in 2014; in an email Thursday, he said he mixed up that date with that of another cryptocurrency hack, the theft of some $460 million from the Mt. Gox exchange in 2014.)In August of 2016, the cryptocurrency exchange Bitfinex got hacked to the tune of $73 million. A key cause: That Hong Kong-based site kept all of its security keys online instead of putting one in offline “cold storage.”
In January, attackers broke into another exchange, Coincheck, and stole $534 million in cryptocurrency. Their work was eased by that Tokyo-based firm keeping all of its customers’ funds in a single “hot wallet.” Observed Wysopal: “That seems really, really dumb. This isn’t how banks work, right? They don’t have all the money in the tellers’ drawers all the time.”
In February, the Ukrainian hacking group Coinhoarder stole $50 million from users of the Blockchain.info digital wallet by running Google (GOOG, GOOGL) ads that conned victims into thinking they were logging into the real site. Since then, Google, Facebook (FB) and Twitter (TWTR) have banned cryptocurrency ads.
What you can do
Wysopal — who began his information-security career as one of the first members of the L0pht hacking collective and then co-founded Veracode, now owned by CA Technologies (CA), in 2006 — offered some specific tips to his audience.
Enabling “two-step verification” — in which you confirm a login with a one-time password sent to your phone or computed by an application on it — topped that list. “You definitely want to use two-factor,” Wysopal said. (Note that two-step systems that rely on text messages to deliver those codes can be defeated if an attacker can take over your mobile number.)
He also advised complicating the efforts of would-be phishers by not logging in with a publicly-known email or number. “Don’t use an email address or a phone number that’s associated with that account that you’re then going to publish somewhere,” he said. “They need that identifier to then go try to impersonate you, either through SMS or just through email.”
For local cryptocurrency storage, Wysopal endorsed using hardware wallets (see my colleague Daniel Roberts’ how-to post) instead of mobile apps, saying “they’re not too expensive.”
Finally, he advised a little social-media modesty. “Don’t brag about your crypto fortune online,” Wysopal said, noting a January home-invasion bitcoin robbery in the U.K. “If you’re bragging about it, you’re just making yourself a target.”
What you can’t do
Wysopal closed his talk on a semi-optimistic note: “I think in the future we’ll have services that will help people understand the security behind an exchange, behind a wallet, behind a smart contract; we’re just not there yet.”
(See, for example, Consumer Reports’ initiative to test and grade the security of internet-of-things connected gadgets.)
In a phone interview, though, he noted a structural obstacle to digital money attaining the same security as government-issued money in a bank: We don’t have regulations holding cryptocurrency firms responsible for losses due to hacking like those that hold banks accountable today.
“We’re so used to doing transactions and storing our money in places where there’s regulation and you have some liability by your provider,” he said. “That’s totally not there with cryptocurrency.”
Instead, it’s up to individuals in cryptocurrency markets to insist on better security. Wysopal is among them, although he said he only holds “a small amount” of digital currency.
“The thing that has to happen is, investors or customers need to demand some evidence that things are built securely,” he said.
The upside, as he noted in the talk, is that building a secure system for cryptocurrency should make other “infosec” problems look easy: “If you can make it here, you can make it anywhere.”
More from Rob:
Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.
