After A $65m Hack, Is Bitcoin Really Safe & Secure?

It seemed bitcoin exchange Bitfinex was doing all the right things. In the end, that didn’t stop hackers from stealing $65 million.

The latest in a long list of attacks on the digital currency since its birth in 2009 has been particularly vexing for the bitcoin community. Not only was Bitfinex the largest exchange for US dollar transactions, but the hack highlights that the industry hasn’t figured out critical security, despite years of learning from mistakes and making improvements to its infrastructure.

Even as the incident has triggered calls for audits in certain parts of the industry, experts don’t anticipate the investigations will unearth new ways of radically strengthening protection. What’s more telling, they say, is that the community’s willingness to vilify targets while shrugging off the need for industry-wide solutions is a sign it’s doomed to happen again.

“There is a long tradition of blaming the victim in the bitcoin community,” said Emin Gun Sirer, a Cornell University computer science professor who researches the currency. “But when you have a six-year long history of near-continuous key theft, at some point, we have to stop shirking off the responsibility.”

The fallout has been widespread. Bitfinex imposed a levy on customers to cover the lost $65 million, taking 36 percent of everyone’s assets whether they had been hit by the hackers or not.

The price of bitcoin also plunged on news of the hack, slashing the value of the digital currency well beyond Bitfinex. Collectively, investors have lost about $1.2 billion since the attack, according data from Coindesk.

That’s not to say bitcoin security hasn’t come far, through the efforts of thousands who work and volunteer to improve the digital currency. Since Mt. Gox, at one time the world’s largest exchange, was hacked for $450 million in early 2014, most venues have adopted tough security measures, including segregated client accounts, external audits of systems and two-factor authentication for securing logins.

Another step forward has been multi-signature security, which essentially splits the private keys attached to every bitcoin into several copies and hides them in multiple locations. The technology requires a sign-off from a majority of the copies (for example, two out of three) before the bitcoin can be moved again. That forces hackers to breach multiple systems before they can get access to funds.

Bitfinex made use of the technology and, as suggested by security experts, stored copies offline and with a third party, its security partner BitGo Inc. When it was implemented in June 2015, confidence was so high that BitGo’s chief executive officer boasted the system made “breaches such as those of Mt. Gox impossible.”

Bitfinex hasn't disclosed details of how hackers managed to compromise that system, saying the investigation is still pending. It did suspend its use of BitGo's technology and said hackers had increased withdrawal limits without BitGo realizing it.

BitGo has said its software functioned properly and denied its systems were breached. “Securing tiny electronic files from leaking - keys - pushes the bounds of known computer science,” Jeff Garzik, one of bitcoin’s earliest developers and founder of blockchain startup Bloq Inc., wrote in an e-mail. “Multi-sig raises that bar considerably, but nothing is perfect.”

After a hack thought ‘impossible’ just a year ago, bitcoin proponents are scrambling for solutions. Some argue that existing technology is strong enough to keep out hackers, but implementation has to be better. Individuals, for example, can protect themselves by storing bitcoin in individual wallets rather than at exchanges, which remain targets for attack.

“When users choose to store their bitcoin in a custodial wallet or exchange, they are giving the provider control over their bitcoins,” said Peter Smith, chief executive officer of Blockchain, which provides bitcoin wallets to individuals. “As a result, customers are not only subjected to the possibility that they will lose their funds via cybertheft but also that the provider can impose a tax to cover the loss of other clients, as Bitfinex is doing here.”

A more radical solution is to use technology to punish thieves. This summer, hackers siphoned off about $60 millions of Ethereum, the world’s second most-popular digital currency behind bitcoin. The community reacted by adopting a so-called hard fork, which effectively migrated users to a new version of Ethereum in which the theft never occurred.

The decision triggered a rebellion from a significant chunk of the community, who argued that nullifying the theft was a violation of Ethereum’s free market ethos. Given such extreme steps, some say the time has come for the bitcoin community to consider a form of regulation, either self-imposed or with the assistance of governments. The key, they say, will be educating regulators so that they don’t slow down innovation in the name of protecting consumers.

Some, including BitGo, have begun work with auditors like Deloitte LLP to standardize security requirements for the industry, although how and who would enforce the guidelines is unclear.

“Even bitcoin enthusiasts are slowly realizing that regulation is necessary,” said Trond Undheim, a former senior lecturer at Massachusetts Institute of Technology’s Sloan School of Management. “That’s the only way it will survive. That’s also the key to its wider adoption.”

Investors want solutions. Kay Van-Petersen, a strategist at Saxo Capital Markets, avoided Bitfinex but still saw a tenth of his bitcoin investment wiped out as prices dropped after the attack. “Every time an exchange gets hacked, it just looks bad on everybody,” he said.

Information-Management:

 

« Snowden: NSA Hacking Tools Leak Is ‘a warning’
The 3 Biggest Mistakes in Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Zimperium

Zimperium

Zimperium offers enterprise class protection for mobile devices against the next generation of advanced mobile attacks.

ACI Solutions

ACI Solutions

ACI Solutions is a managed IT services and network security provider working with diverse global commercial, government and public sector clients.

CyberGuarded

CyberGuarded

CyberGuarded are an accredited vendor independent information security testing and auditing company.

Bird & Bird

Bird & Bird

Bird & Bird is an international law firm with a focus on helping organisations being changed by technology and the digital world. Areas of expertise include cyber security.

Wipe-Global

Wipe-Global

Wipe-Global is specialized in data erasure with an international established service partner network.

Ensighten

Ensighten

Ensighten is a leader in Website Security & Privacy Compliance. Protect your website from malicious attacks, monitor & detect vulnerabilities, protect consumer data.

C3i Hub

C3i Hub

C3i Hub aims to address the issue of cyber security of cyber physical systems in its entirety, from analysing security vulnerabilities to developing tools and technologies.

Alacrinet

Alacrinet

Alacrinet is an IT and cyber security consultancy. From penetration testing to fully managed MSSP, our team is focused on knowing the latest threats, preventing vulnerabilities, and providing value.

Patriot Consulting Technology Group

Patriot Consulting Technology Group

Patriot Consulting's mission is to help our clients manage cybersecurity risk through secure deployments of Microsoft 365.

Menaya

Menaya

Menaya provide Ethical Hackers for leading companies while also providing cyber security solutions to help major infrastructures protect against cyber crime.

Ruptura InfoSecurity

Ruptura InfoSecurity

Ruptura InfoSecurity provide CREST Accredited Penetration Testing & Offensive Security Services. We secure your critical assets through targeted and research driven penetration testing.

DeXpose

DeXpose

DeXpose is a hybrid dark/deep web monitoring and attack surface mapping platform to help you find compromised data or exposed assets related to your organization way before threat actors.

ZoobeTek

ZoobeTek

ZoobeTek are a company focused on preventing leaks related to the security of business information3.

ReachOut Technology

ReachOut Technology

ReachOut is a transformative approach to IT Security, Support, and Guidance. But we’re more than that. We’re passionate IT experts driven to make solutions to your problems.

Eclypses

Eclypses

Eclypses has a disrupting cyber technology, offering organizations an advanced data security solution called MicroToken Exchange (MTE).

SECTA5

SECTA5

SECTA5 is a cybersecurity company building a next-generation Continuous Threat and Exposure Management platform, leveraging the expertise of offensively trained cyber defenders.