Another Bad Week for the Security of Cryptocurrencies
posted Saturday Jan 27, 2018 by Scott Ertz
Over the past year, the value of cryptocurrencies has fluctuated up and down, with Bitcoin reaching unimaginable highs. While value has been variable, there has been one constant: insecurity. Despite the idea that these coins are based on encryption, somehow the way the coins are stored, in digital wallets, is far from it. In fact, it seems that stealing these coins might be the easiest way to make a quick buck. This week, two more exchanges suffered breaches, in one form or another.
First, and most damaging, was the Japanese exchange Coincheck. The company ceased operations on Friday, after 500 million XEM coins, created by the NEM foundation, were stolen. At noon local time, all deposits of XEM were suspended. By 4PM, all deposits were suspended, and by 6PM all transactions of any kind were suspended. Shortly after, police were spotted at the offices of Coincheck.
Of course, there is plenty of blame to go around, though some of the organizations involved are looking for ways to be uninvolved. The president of the NEM foundation, Lon Wong, was quoted as saying,
This is the biggest theft in the history of the world.
In reality, the value of the loss was around $400 million. The 2014 hack of Mt. Gox resulted in just shy of $492 million being stolen, bankrupting the company and likely singlehandedly delaying the overall acceptance of cryptocurrency until this past year. But, size and scale not withstanding, Wong also claims that the reason for the hack was because Coincheck did not implement an important part of the transfer contract.
Alos this week, around $4 million worth of IOTA coins was stolen. This was a far less high-tech method, involving poor planning on the part of IOTA themselves and a creative phishing site. Because IOTA requires a generated seed to begin and to secure the wallet, someone created a website that masqueraded as the official seed generator and bought their way to the top of Google's search results for the term. Founder David Sønstebø, described it saying,
What actually happened was a lot of unfortunate users were generating their unique seed (which is what you derive your password from) from a false website, a phishing website. It was meticulously crafted in such a way that it ended up being at the top of a Google search for IOTA seed generator, it was the first thing listed in the ads…So, this malicious actor essentially had people go there, and he/she created a website that looked very legitimate to new users. Therefore, they trusted it, and generated a seed there. That essentially means that they gave away their private key to a thief. It's equivalent to giving your keys to someone as you go into a store, and then coming back out to find that your car is gone.
So, in this case, the blame falls squarely on the shoulders of the organization that allowed their security structure to be dependent on an outside tool, which was easily duplicated. There are bound to be more technological and security-related blunders as this new industry tries to find its footing. Investing now could bring in large rewards, but could also lead to major failures, such as in these cases.