Cryptocurrencies: Understanding their Cyber Security Risks

Cryptocurrencies have captivated the international financial services industry. 2018 has seen cryptocurrencies such as Bitcoin, Ethereum and Litecoin experience outlandish appreciation in value, recording approximately 2000%, 5600% and 4500% gains respectively. However, the cryptocurrency industry is still very much in its infancy and it remains unclear whether cryptocurrencies are vehicles for short- to long-term capital gains or genuine financial instruments that can transform the future of global finance. Regardless of how the industry may evolve, successfully combating the cyber security risks and challenges now attached to cryptocurrencies is essential.

Who Is In the Cryptocurrency Market?

Bitcoin became a cryptocurrency pioneer in 2009, using a then-revolutionary distributed ledger technology called Blockchain. Bitcoin acted as a medium of exchange, using the cryptography to secure transactions, eliminate government control and exchange rate issues, and create and control a new global currency. Following Bitcoin, it was not long before other alternative currencies or ‘Altcoins’ came to market, most prominently Ethereum, Ripple and Bitcoin Cash.

Litecoin released a far simpler cryptographic algorithm in 2011, acting as a ‘silver’ to Bitcoins ‘gold.’ Users with regular computers were now able to participate in the cryptocurrency industry.

Like Bitcoin and Litecoin, Ethereum possesses an active decentralized currency, but its fundamental purpose is quite different. Ethereum is a decentralized software platform that enables SmartContracts and Distributed Applications (ĐApps) to be built and run without any downtime, fraud, control or interference from a third party. Ethereum is not just a platform, but also a programming language (Turing complete) running on a blockchain, helping developers to build and publish distributed applications.[1] Bitcoin Cash is a close relative of Bitcoin. On August 1^st 2017, Bitcoin miners and developers initiated a ‘hard fork,’ diverging from the previous version of blockchain and effectively creating a new, upgraded blockchain as well as a new currency: Bitcoin Cash.[2] Bitcoin Cash aims to increase the number of transactions that can be processed compared to the classic Bitcoin, and supporters hope that this change will allow Bitcoin Cash to compete with the volume of transactions that PayPal and Visa can handle by increasing the size of blocks.[3]

The idea behind Ripple was to create a global settlement network for other currencies such as Bitcoin or the USD. When settlements are made, a small fee needs to be paid in Ripple XRP (Ripples tokens or currency), which can then be traded on the cryptocurrency markets.

Ransomware, Hacking and Cyber-Extortion:

The introduction of cryptocurrency and its features of anonymity has been a breakthrough for cybercriminals as governments and regulators have yet to determine appropriate legal structures and financial and governance norms. Amid concerns that criminals are using cryptocurrencies as a vehicle to launder money and avoid taxes, the British government has been looking to increase the regulation of Bitcoin, seeking to regulate it under EU anti-money laundering rules, forcing traders in the cryptocurrency industry to disclose their identities and any suspicious activity. Changes to new EU-wide rules on Bitcoin are expected to come into effect by the end of December or early next year. [4] However, even if these controls and regulations are implemented, they will not necessarily prevent all criminal acts as other altcoins are readily available for use.

Hacking, cyber-extortion and the use of ransomware has increased since the inception of Bitcoin and other digital currencies and the anonymity they provide. Ransomware is a form of malicious software or malware that, once on the targeted computer, threatens the user with harm, usually by denying access to data. The attacker demands a ransom from the victim, promising — not always truthfully — to restore access to the data upon payment. Users are shown instructions on how to pay a fee, which can range from a few hundred dollars to thousands, largely payable to Bitcoin, to get a decryption key.[5] The ease and availability of such cryptocurrencies have made the use of ransomware a very viable and profitable method for cyber criminals.

The ransomware industry is currently so ripe for attack that, according to research by cyber security firm Malwarebytes, 40% of companies surveyed have been targeted, and 54% of UK-based companies. In May 2017, WannaCry Ransomware launched a worldwide assault, targeting organizations in approximately 150 countries and demanding $300 in bitcoin per computer affected in exchange for unlocking the treacherous encryption[6]. Remarkably, in June 2017, South Korean web hosting firm Nayana had to fork out approximately $1 million as more than 150 servers were hit, affecting around 3,400 customers.

As a precaution, organisations are looking to stockpile Bitcoins to pay off cyber-extortionists who threaten to take down their critical systems. When telecoms provider TalkTalk suffered a cyber attack in 2016, they lost 101,000 customers and suffered losses of £60m. [7] The cost of paying off cybercriminals can be seen as a rational option, but more sophisticated ransomware and higher demands may be on the horizon. A possible solution may be tougher sanctions against companies with insufficient data protection, hopefully incentivising them to find better ways of prevention. But technology is only part of the answer. Employees need to improve resilience through better training and organisational awareness, and until those areas improve, Bitcoin and ransomware will continue to be a cyber security risk.

The likelihood of an individual cryptocurrency investor falling victim to theft is uncomfortably high. Crypto platforms (exchanges, wallets, mining farms are attacked more frequently than fiat money institutions, making individual investors easy targets for hackers. These platforms are mostly FinTech start-ups that do not and sometimes cannot invest the proper amount of time and other resources into security best practices. In January 2018, $543m worth of Bitcoin alternative ‘NEM’ was stolen by hackers from the Japanese Coincheck exchange.[8] These cases are becoming a regular occurrence, which further highlights the vulnerabilities in trading an asset that global policymakers are struggling to regulate.

Financial institutions, in contrast, invest heavily in cyber security resources and sturdy infrastructure, in some cases with entire divisions dedicated to cyber defence. For users on these platforms, risk of theft comes from the compromising of unique private keys, which provide the sole permission to an individual’s funds and cryptocurrency ownership. Secure private key storage is imperative to curb the risk of theft through hacking; best practices include avoiding cloud storage, storing keys offline or locally and even simply storing private keys manually, implementing a sufficiently secure authentication mechanism and adopting basic web application security controls. Furthermore, cryptocurrency exchanges and other service providers should adopt vigorous security training of all employees and regularly perform basic security audits of their software and hardware infrastructure.[9]

A Threat to Consider for the Future

Since the recent discovery that quantum computers could potentially undermine and even exploit Bitcoin’s security protocols, they have emerged as the most pressing new threat to cryptocurrencies.[10] Quantum computing could someday surpass the processing power of classical ‘supercomputers’ and could potentially have the capability of breaking RSA encryption, a tool used to secure data transmission on the Internet as well as digital signatures used in Bitcoin and other cryptocurrencies. “That would mean you could forge transactions, and steal coins,” explained Bernardo David, a cryptographer at Tokyo Institute of Technology.[11] With usable quantum computers still a decade or two away, it gives cryptocurrency platforms ample time to reconsider their encryption methods.[12]

As cryptocurrency is becoming further integrated into the world of finance and technology, the risks accompanying it are becoming more clearly apparent. For governments and global financial institutions, curbing illicit criminal activity such as money laundering and implementing regulatory controls will be the main challenges. Businesses, particularly cryptocurrency platforms, will now have to invest heavily in strong software and hardware infrastructures, improve internal data protection protocols, raise training standards and implement stern organisational awareness of the risks of hacking, ransomware and cyber-extortion. For individual investors, exercising best practices for secure private key storage will be a deciding factor in the safety of their cryptocurrency investments. It would be naïve to assume that the responsibility of the security of their investments lies solely with the cryptocurrency platforms they use.

[1] Investopedia, 2016. Ethereum. Investopedia [online]. Available at: <https://www.investopedia.com/terms/e/ethereum.asp>

[2]  Investopedia, 2016. Bitcoin vs Bitcoin Cash: What’s the Difference? Investopedia [online]. Available at:
<https://www.investopedia.com/tech/bitcoin-vs-bitcoin-cash-whats-difference/>

[3]  Investopedia, 2016. Bitcoin Cash. Investopedia [online]. Available at: <https://www.investopedia.com/terms/b/bitcoin-cash.asp>

[4] Musaddique, S., 2017. UK Government Plans Bitcoin crackdown amid money laundering concerns. The Independent [online].
Available at: <http://www.independent.co.uk/news/business/news/uk-bitcoin-regulation-money-laundering-crytocurrency-european-union-eu-a8090791.html>

[5] Fruhlinger, J., 2017. What is ransomware? How it works and how to remove it. CSO Online [online].
Available at: <https://www.csoonline.com/article/3236183/ransomware/what-is-ransomware-how-it-works-and-how-to-remove-it.html>

[6] BBC Technology, 2017. WannaCry ransomware cyber-attacks slow but fears remain. BBC [online].
Available at: <http://www.bbc.co.uk/news/technology-39920141>

[7] Farrell, S., 2016. TalkTalk count costs of cyber-attack. The Guardian [online].
Available at: <https://www.theguardian.com/business/2016/feb/02/talktalk-cyberattack-costs-customers-leave>

[8] Sulleyman, A., 2018. Coincheck Hack: Bitcoin Exchange Security Under Scrutiny After $34M Cryptocurrency Theft. The Independent [online].
Available at: <http://www.independent.co.uk/life-style/gadgets-and-tech/news/coincheck-hack-nem-latest-updates-japan-bitcoin-theft-cryptocurrency-inspect-exchanges-south-korea-a8183281.html>

[9] Pearl, M., 2017. The Crypto Industry Does Not Meet the Minimal Security Standard. Finance Magnates [online].
Available at: <https://www.financemagnates.com/cryptocurrency/interview/crypto-industry-not-meet-minimal-security-standard>

[10]  Galeon, D., 2017. The Future of Bitcoin is Threatened by Quantum Computers. Futurism [online].
Available at: <https://futurism.com/bitcoins-security-quantum-computers/>

[11] Castor, A., 2017. Why Quantum Computing’s Threat To Bitcoin And Blockchain is A Long Way Off. Forbes [online].
Available at: <https://www.forbes.com/sites/amycastor/2017/08/25/why-quantum-computings-threat-to-bitcoin-and-blockchain-is-a-long-way-off/#5a959a6e2882>

[12] Galeon, D., 2017. The Future of Bitcoin is Threatened by Quantum Computers. Futurism [online].
Available at: <https://futurism.com/bitcoins-security-quantum-computers/>