Digital cryptocurrency bitcoin has been touted by many venture capitalists, merchants and cybersecurity professionals as the next big thing in Internet technology. It is free from all the rules that govern traditional currencies – it isn’t printed by a central bank, regulated by a government or issued as paper bills or metal coins. All transactions are person-to-person and protected by digital signatures. There are no international exchange rates to worry about, banks to visit or accounts to be frozen.
Unfortunately, the same things that make bitcoin an appealing alternative to dollars, yen and sterling have also put it in the sights of cybercriminals. Due to its unregulated, decentralized nature and the way that it rewards technical computing prowess, bitcoin has opened up a new frontier in cybercrime.
For the cybersecurity community, the question is whether bitcoin’s design – its status as a cryptocurrency – is intrinsically flawed or if its handlers simply have not instituted enough safeguards to protect users and exchanges. Having already crossed the $1 billion threshold in total market value, bitcoin may well be on the way to revolutionizing international finance, but professionals should take a long look at some of the recent bitcoin robberies and assess if and how the cryptocurrency can become a safe way to pay.
An overview of bitcoin and what separates it from other cryptocurrencies
Bitcoin isn’t new technology. Plans for online cryptocurrencies date to at least the 1990s, but any early attempts at creating cryptographically protected virtual money (each bitcoin is essentially a private cryptographic key) failed to overcome technical issues.
Bitcoin entered the spotlight in 2008, featuring a novel approach to preventing double-spending, or the reuse of the same digital unit in different transactions. As Wired’s Benjamin Wallace explained, bitcoin creator Satoshi Nakamoto broke with cryptocurrency tradition and made the ledger – the global clearinghouse of all bitcoin transactions – publicly available.
Users originally devoted CPU resources to running software that maintained the ledger, tracked users’ digital signatures and generated new currency. Other cryptocurrencies had shied away from using a public ledger out of the belief that only a trusted party could oversee transactions.
Nakamoto’s solution ensured that bitcoin was much more user-friendly than its predecessors. Users maintaining the ledger could solve difficult, CPU-intensive cryptographic puzzles to “mine” bitcoins. However, the public availability of the ledger and the competitive nature of bitcoin mining have made bitcoin an ideal target for abuse and attack.
Bitcoin exchanges hacked in Hong Kong, Czech Republic
A key weakness in bitcoin security is the series of unregulated exchanges that store the cryptocurrency. Writing for Wired, Robert McMillan chronicled the hack of inputs.io, a handling service that issued bitcoin wallets and facilitated quick, fee-free payments. It was hacked twice in late October and the attackers made off with 4,100 bitcoin, or about $1.2 million.
The attackers utilized social engineering tactics to infiltrate the network. Ultimately, they compromised the cloud servers that hosted inputs.io’s infrastructure.
“The attack was done through compromising a chain of email accounts which eventually allowed the attacker to reset the password for the Linode server,” stated an inputs.io official known only as TradeFortress.
Inputs.io is hardly the only victim of bitcoin exchange hacking. Czech website bitcash.cz reported that its security systems had been compromised November 11, 2013, although the amount of stolen bitcoin was unknown at the time. An exchange in Hong Kong belonging to Global Bond Limited mysteriously went offline in October after an unspecified attack. Up to $5 million may have disappeared.
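The inputs.io account of a chain of email accounts ending in a hosting password reset can be audited for in one's own environment. The following is an added example, not part of the original article or any inputs.io code: it walks password-reset relationships backwards from a critical account and lists every mailbox whose takeover alone leads to it. All account names and the `reset_via` / `reset_needs_2fa` fields are constructed assumptions.

```python
from collections import deque
import copy

# Constructed inventory: for each account, the mailboxes that receive its
# password-reset mail, and whether a reset also demands a second factor.
ACCOUNTS = {
    "hosting-panel":           {"reset_via": ["ops@example.org"], "reset_needs_2fa": False},
    "ops@example.org":         {"reset_via": ["founder@example.net"], "reset_needs_2fa": False},
    "founder@example.net":     {"reset_via": ["old-webmail@example.com"], "reset_needs_2fa": False},
    "old-webmail@example.com": {"reset_via": [], "reset_needs_2fa": False},
    "billing@example.org":     {"reset_via": ["ops@example.org"], "reset_needs_2fa": True},
}

def exposure(accounts, target):
    """Map each account whose takeover alone reaches `target` to its reset chain."""
    paths = {}
    queue = deque([(target, [target])])
    while queue:
        acct, path = queue.popleft()
        info = accounts.get(acct)
        # Stop at accounts outside the inventory, and at accounts whose reset
        # is gated by a second factor: mailbox access alone cannot reset them.
        if info is None or info["reset_needs_2fa"]:
            continue
        for mailbox in info["reset_via"]:
            if mailbox == target or mailbox in paths:
                continue  # already recorded, or a recovery loop
            paths[mailbox] = [mailbox] + path
            queue.append((mailbox, paths[mailbox]))
    return paths

def with_2fa(accounts, name):
    """Return a copy of the inventory in which resets of `name` require 2FA."""
    hardened = copy.deepcopy(accounts)
    hardened[name]["reset_needs_2fa"] = True
    return hardened

if __name__ == "__main__":
    for label, inv in (("current", ACCOUNTS),
                       ("2FA on hosting-panel resets", with_2fa(ACCOUNTS, "hosting-panel"))):
        print(label)
        for chain in exposure(inv, "hosting-panel").values():
            print("   " + " -> ".join(chain))
```

The longest chain in the output identifies the least obvious mailbox that still controls the server; requiring a second factor on resets of the critical account itself removes every chain at once.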
The broader impact of bitcoin on cybersecurity and commerce
The string of attacks on bitcoin exchanges isn’t remarkable for its specific tactics or sophistication. Rather, the cybersecurity community should be taking note of how the very structure of bitcoin, with its emphasis on intensive CPU operations, encourages a culture of hacking that can quickly lead to malicious incidents.
Moreover, bitcoin transactions are irreversible and buyers cannot receive refunds, making theft particularly damaging. For most users, the only safe way to store bitcoins is to keep them offline, given the considerable amount of cybercriminal pressure on online exchanges.
“This [design of bitcoin] attracts some serious criminal talent,” stated CORE Security technical support engineer Tommy Chin. “If you use [b]itcoins, be prepared to get robbed no matter how much security you implement. By design, this system gives smart people easy methods to take someone else’s money.”
Cybercriminals’ interest in bitcoin would be concerning enough if it simply exposed major flaws in Web security and cryptography. However, the promising commercial prospects of bitcoin further complicate the issue.
According to Forbes, prominent bitcoin investors Cameron and Tyler Winklevoss believe that the bitcoin market could eventually be worth $400 billion. Growth could surge as buyers and sellers realize how bitcoin seems to facilitate simpler, faster transactions than traditional currencies.
Consumers are already getting a taste of bitcoin online, and traditional retailers may be under pressure to follow suit. One coffee shop in Vancouver recently reported that its bitcoin ATM, the first of its kind anywhere, had processed more than $95,000 in transactions in its first week of operation.
“Right now, bitcoin is accepted on thousands of online shops. But it’s difficult to get brick-and-mortar shops to accept it,” said Anthony Di Iorio, executive director at Toronto nonprofit Bitcoin Alliance of Canada, according to The Toronto Star. “As bitcoin gets more and more accepted, there’s going to be more and more people demanding to use it.”
Bitcoin still has some hurdles to clear, not least of which are its security vulnerabilities. It is also under scrutiny from U.S. government bodies such as the Drug Enforcement Agency, which seized bitcoin from a South Carolina man in April after he attempted to buy controlled substances with it.
While bitcoin has attracted much interest from the cybercriminal and drug trafficking sectors, it could be a boon to legitimate merchants and consumers if it ever becomes safer. Given its increasing prominence, bitcoin merits ongoing attention from the cybersecurity community, which should think about what can be done to overcome bitcoin’s flaws and protect it from hacking.