Following a cyber-attack on South Korean bitcoin exchange Coinrail over the weekend, the cryptocurrency suffered yet another massive sell-off, destroying a whopping $42 billion of its market value. Coinrail announced the hack in a tweet, triggering a $500 (£372) drop in the space of just one hour; overall, the cryptocurrency suffered a 10 percent drop to a two-month low, dragging down many other virtual currencies as well.
But how can a relatively small attack on a fairly niche virtual currency exchange in just one country cause such a plunge in crypto value? Why are bitcoin and cryptocurrencies in general so volatile?
Cryptocurrencies were always positioned by their fans as ultra-secure stores of value, as every transaction was verified by blockchain, a form of distributed ledger. In real life, though, storing your cryptocurrency in private wallets online – so that it’s actually easy to use – seems to be about as safe as putting it behind a bench in a public park.
So is digital money unsafe?
Don’t panic - the problem is not the bitcoin blockchain itself, which is still much more secure than today’s banking networks – the problem is elsewhere. “The security problem is with the user access to the bitcoin and other crypto blockchains,” says Gartner security expert Avivah Litan. The Achilles heel is the security protocols of the cryptocurrency exchanges that store users' private wallets.
Most exchanges – such as, in this case, Coinrail - simply haven’t invested enough in strong and smart security, including fraud analytics and continuous strong and risk-based user authentication. “My guess is that they are too greedy and don’t want to spend the money. But they will get burned for this attitude as has been the case,” says Litan.
That’s because cryptocurrency exchanges are usually nothing like the exchanges and banks in the real world. “By and large these exchanges are small businesses and they are most often in permanent startup mode, facilitating transactions,” says Rik Ferguson, an analyst at cyber security firm Trend Micro. “These organisations have small security teams, if they have one at all, little to no experience in securing a financial institution and generally a very large, attractive pile of money.” Some are run by just two or three people. No wonder then that they might not know much about how to protect themselves against hackers.
That is combined with the fact that many advanced hacker groups have migrated from attacking banks to attacking crypto exchanges because they are more lucrative targets, says Litan.
Beyond Coinrail: 51 per cent attacks
And it’s not just crypto exchanges. There has recently been a surge in a different kind of cyber-attack, called a 51 percent attack. It becomes possible when more than half (more than 50 percent, hence the name) of the validation of transactions (or computing power) is controlled by one party, so that validation is not trustworthy because there are no checks and balances on that party’s power. Hackers get enough computing power to compromise smaller networks and prevent new transactions from getting confirmed, thus halting payments between users, and steal large sums of digital money.
At least five virtual currencies - monacoin, bitcoin gold, zencash, verge and litecoin cash – have recently been hacked.
Such attacks were developed specifically to overcome the safeguards of blockchain – similar to the old school “smash and grab” attacks on banks, says Ferguson. “Online crime already has a mature ‘as a service’ model, where individual aspects of crime can be outsourced at low cost, and attacks against digital currencies are rapidly becoming a part of this ecosystem,” he adds. There are even websites that estimate the cost of and even provide the processing power required to carry out such an attack, says Ferguson.
“The 51 percent attack is a real threat, which is why users should only trade in crypto that has substantial hashpower,” says Litan. Hash power refers to the number of computer nodes (servers) that validate the transactions - so the more validation nodes (also known as miners), the more hash power in the network, and the less likely the validation of transactions can ever be manipulated since there is no ‘majority’ owner.
For now, bitcoin meets that test. It’s ironic, says Litan, that it’s hash power that has grown exponentially since the crypto bubble price of $19,000 that started crashing last year. Bitcoin has never been more secure because of that, she says – in other words, more and more nodes are needed to achieve consensus, or to validate or cross-validate the deals.
Users should stay away from centralised crypto blockchains as these types of attacks are real and prone to happen, she says. “Small numbers of nodes means you have to trust those that exist. I certainly wouldn’t.”
As for extreme volatility, Litan thinks that it’s possible the large traders are shorting bitcoin and other crypto currencies to drive prices down - so they can buy in at low prices. “Welcome to the world of crypto manipulation - it’s not that different to non-crypto securities manipulation, but over time it should stabilise, especially as the system gets regulated,” she says.
Graham Cluley, a security expert, says that the plunge might also be due to panic-selling. “Outside of South Korea, hardly anyone will have heard of Coinrail,” he says. But “people hear of yet another cryptocurrency exchange being hacked and they sell their cryptocurrency, believing it might also be at risk. That selling then causes more media stories. The media stories ignite yet more selling. The circle goes on and on...”
So what can bitcoin owners do to secure their digital riches? Using a “cold wallet” – one that is not connected to the internet – is a good idea to enhance security. Most crypto exchanges got hacked because the currency was kept in an online hot wallet, says Simon Choi, an ICO lawyer and blockchain expert at Acme Ardent in Hong Kong, China.
But there is a trade-off - in usability and convenience. “If you want to maintain your ability to trade rapidly, then the extra steps introduced by offline storage may not be so attractive to you,” says Ferguson.
One option is to opt for a hardware-based private cold wallet like Trezor. The usability of such wallets is improving, says Litan – and if a user can’t manage that, then he or she should use well-known established exchanges that are open to regulations, for example Coinbase. “But none of the exchanges will refund stolen money as far as I know, so a hardware wallet is best,” she says.
Another option for consumers is to invest in crypto funds managed by regulated financial institutions, but that’s costly because of fees, and liability rules are still unclear.
Cryptocurrencies may have gained in popularity during the past few years, but investors should not forget that they are an immature financial asset – although the arrival of large financial institutions like Fidelity and Goldman Sachs, who have set up , may change that quickly, says Litan.
Despite the high-profile hacks, cryptocurrencies are no more vulnerable to theft and fraud than cash and even mature banking systems, says Ferguson. The difference is that any raid on a cryptocurrency exchange triggers much more volatile trading than a cyberattack on a traditional bank – simply because the traditional financial system is much larger than all cyber currencies taken together. To stem the volatility, he says, “security in cryptocurrency trading needs to become a differentiator upon which exchanges compete to win business.”