Blockchain vulnerabilities and crypto robberies

Cryptocurrencies have brought robbers into the digital world. Today’s cyber-robberies are characterized by their advanced and complicated plans of action, which disrupt both the users and providers of this new world finance system. 

Security in the financial world has been built up through trial and error. All too often, when a bank or other financial entity updates its security infrastructure, it is too late. These updates usually mean that something bad has already happened, and changes were made in response.

Although security is a key component for a banking system to be trustworthy and accessible, there have always been bad actors intending to test the security of their vaults, physically and technologically. 

The blockchain is the invention that makes cryptocurrencies work: it is the database containing the time-stamped records of every transaction that has ever occurred in the network. However, despite the properties that its cryptographic techniques offer, such as privacy, transparency, integrity and consistency, the blockchain is still vulnerable to attacks, some of which are intrinsic to the programming language and some of which are caused by external factors. The purpose of this article is to make the reader aware that no wallet is secure from a maliciously crafted stream of bits coming from mischievous and yet very smart actors. 

The Ethereum Blockchain 

One of the most important and widely used blockchain platforms is Ethereum. It allows the creation of digital tokens and sensitive decentralized applications (DApps), which use smart contracts to provide specific services. A digital token represents a specific good or utility that can be exchanged for other similar assets. Tokens fuel DApps, which let users take advantage of blockchain-powered decentralized services that cryptographically secure data and information in the network. Ethereum is based on a scripting language called Solidity. 

Financial experts and software developers have grouped together to produce their own smart contracts to allow people to exchange digital assets and enjoy decentralized services. Smart contracts are the protocol used to interact with the blockchain’s ledgers, acting as a middleman when tokens are exchanged. They allow entrepreneurs and software engineers to create their own tokens and decentralized applications. 

Attack Vectors 

Although claimed to be unhackable, the Ethereum platform presents vulnerabilities that may be exploited by attackers to maliciously control the blockchain, targeting the very core of a cryptocurrency. It is also important to consider that digital currency today is coded by developers who may have left bugs or used third-party software that may be vulnerable to attacks. 

Hackers have challenged the Solidity language by performing a type of attack called a “re-entrancy attack”, which exploits a call to an external function capable of running code remotely. Such an attack introduces bugs into the smart contracts, leading to financial loss for some and profit for others. A re-entrancy attack allowed attackers to have Ethereum returned in exchange for DAO tokens. The attack was performed against the DAO organization in June 2016, resulting in a loss of $70 million. It consisted of returning the right value of Ethereum to the DAO token holder, then taking that amount in DAO tokens to register a new transaction on the blockchain and update the balance with the same amount in DAO tokens. 

Re-entrancy attacks can be prevented with a technology called eventual-send, developed to solve this kind of “interleaving hazard”. The agreement among multiple nodes about a given transaction is established through a consensus algorithm. PoW (Proof-of-Work) and PoS (Proof-of-Stake) are among the most used consensus algorithms and are also susceptible to some powerful kinds of attacks. The consensus is based upon the fact that although many nodes are involved in running the distributed network, only one node at a time can add a new block of data to the chain. 
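
The re-entrancy hazard and the eventual-send mitigation described above can be seen in a small Python model. This is an added example, not code from the DAO contract or from any project named here: the Vault class, its modes and the amounts are constructed for illustration, and the "eventual_send" mode is a simplified stand-in that queues the outgoing call for a later turn.

```python
class Vault:
    """Toy ledger (constructed); mode selects how withdraw() orders its steps."""
    def __init__(self, mode):
        self.mode = mode        # "vulnerable", "effects_first" or "eventual_send"
        self.balances = {}      # per-account credit
        self.reserve = 0        # funds actually held
        self.queue = []         # sends deferred to a later turn

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def _pay(self, amount, on_receive):
        self.reserve -= amount
        on_receive(amount)      # external call: recipient code runs here

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.reserve < amount:
            return False
        if self.mode == "vulnerable":
            self._pay(amount, on_receive)   # recipient runs before the update
            self.balances[who] = 0
        elif self.mode == "effects_first":
            self.balances[who] = 0          # update state, then call out
            self._pay(amount, on_receive)
        else:
            self.queue.append((amount, on_receive))  # queued, not yet run
            self.balances[who] = 0          # completes before recipient runs
        return True

    def run_turns(self):
        while self.queue:                   # deliver deferred sends in order
            self._pay(*self.queue.pop(0))

def simulate(mode, max_reentries=5):
    """Return (total paid to the caller, reserve left) for a 10-unit balance."""
    vault = Vault(mode)
    vault.deposit("honest", 30)
    vault.deposit("caller", 10)
    received = []
    def on_receive(amount):
        received.append(amount)
        if len(received) <= max_reentries:
            vault.withdraw("caller", on_receive)    # re-enters withdraw()
    vault.withdraw("caller", on_receive)
    vault.run_turns()
    return sum(received), vault.reserve
```

In the vulnerable ordering the caller's 10-unit balance drains the whole 40-unit reserve; with the state update first, or with the send deferred to a later turn, exactly 10 is paid and the other 30 stays in place.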

An interesting type of attack based on manipulating the consensus is called a “double-spending attack”, which consists of duplicating or falsifying a digital token to spend it more than once. This is possible by acquiring more than half of the hashing power of the network on which the token is based, which allows the attacker to monopolize the blockchain: to control and revert transactions, earn the entire reward for any newly mined block, and gain practically full control over the blockchain. In May 2018, Bitcoin Gold was hit by a double-spending attack, allowing a malicious miner to steal $18 million worth of BTG. 

Hacking and breaching the very code of a blockchain like this requires an enormous amount of technical skill as well as computing power. Attackers therefore often target individuals’ crypto wallets hosted on unprotected machines connected to the internet, which may fall victim to malware in the wild, or they simply target crypto trading platforms. 

Roughly one year after the double-spending attack on Bitcoin Gold, one of the biggest online exchange platforms suffered a silent data breach. A massive amount of user data was collected and used to steal $40 million worth of bitcoins from the Binance exchange. 

While this attack was not perpetrated directly against the blockchain, hackers were able to obtain a large number of user API keys, 2FA codes, and other sensitive information, undermining the credibility and reliability of the cryptographic technology used by the platforms: they used the information to withdraw funds without triggering any alarm on the exchange platform. Investigations report that most of the loot was then laundered through Chipmixer (a renowned crypto-mixing service), together with some of the proceeds of a previous hack that had happened one month earlier at a Japan-based exchange platform called Bitpoint. Bitpoint lost roughly $32 million worth of different cryptocurrencies stored in the company’s hot wallet, causing the company to close its trading activity until August 2019. 

Preventing Crypto Hacks 

At this point, it is clear that the personal and sensitive data of customers, as well as the anonymity that users rely on, is at stake. The same information that was stolen from crypto exchanges could have been used to perform other types of attacks in the wild, and compromise systems that are not based on the blockchain, posing an enormous threat to people’s privacy. 

While some people are affected by this misuse of the blockchain to transform transactions and rob crypto wallets, developers and researchers are coming up with constant upgrades to protect people’s assets, studying new cryptographic models and inventing new protocols to implement into their code and improve security. 

On the other hand, some organizations may not be “security oriented” and become a target when they allow digital assets to be stored and exchanged without proper security measures deployed. The previously mentioned companies have handled the breaches and the money loss with great professionalism with regard to their customers, by promptly alerting and refunding the affected parties, while others have claimed it was impossible to refund the robbed users, then declared bankruptcy before disappearing. 

Nonetheless, common vulnerabilities and exposures for bitcoin and altcoins are widely disclosed, so that security researchers can keep up with the ever-growing database of bugs that can be found in the protocol code or in a web app. It is possible to experiment with some of the described attacks by setting up a personal blockchain environment, to use for testing smart contracts, and where multiple nodes communicate just as they would do in reality. 

In general, there is a lack of knowledge and preparation about cryptocurrency hacks and attack cases targeting the technology beneath the crypto world. Nonetheless, it is possible to reduce the chances of becoming a victim of a hack by strictly following some best practices.

For example, it is important to keep funds in separate wallets, one online used for spending, called a “hot wallet”, and another one, where most of the savings are kept, that will not be accessible from the internet and is always kept offline, called a “cold wallet”. When using trading platforms it is important to always read up about the company and determine their transparency, researching information about the partners and their reputation. 

Conclusions 

Nowadays, serious crypto exchange platforms have introduced continuity plans as well as advanced prevention and mitigation techniques, well developed to contain losses and security failures. Still, it is in the user’s best interest to do their own research before choosing a trading platform.

In conclusion, “crypto robberies” are a widespread type of crime in the cyber world, and hacks against digital currency are widely exploited in the wild to disrupt businesses and people’s digital savings. All in all, the world is living through a new kind of shift since the creation of “currency” to pay for goods and services, and it is not without issues that the “cryptocurrency” is claiming its place beside it. However, this new medium should not be stopped, as it still provides a form of freedom, in both the digital and the real world, that people are seeking, frustrated by the monopoly that centralized payment systems have established over the course of centuries. 

