Hacks of cryptocurrency exchanges in the first half of 2018 led to losses of over $770 million (£594 million), highlighting the continued vulnerability of these platforms, which must find ways to establish trust with their customers and in the future of the technology.
Despite the underlying security of many of the currencies themselves, investors are learning painful lessons when it comes to the stability and security of exchanges and the associated tools and services.
Exchanges and digital wallets for the storage and transfer of cryptocurrencies quickly sprang up following the release of Bitcoin in 2009, but users were faced with three significant challenges from the outset: malicious attacks, technical shortfalls and fraud.
As Bitcoin approaches its 10th birthday, recent losses highlight that these three issues remain unresolved, starkly underlined by Japanese exchange Coincheck's $535 million loss in January 2018.
2018 echoes 2014
January’s hack of the Coincheck exchange was the biggest exchange loss since the $450 million hack of the Mt. Gox exchange in 2014.
Despite the intervening years, Coincheck and other significant losses in 2018 highlight how fundamental weaknesses in exchanges and wallets have yet to be overcome. By July 2018, major cryptocurrency losses from exchanges exceeded $770 million.
- Coincheck set a bad precedent for 2018 when initial reports of $400 million in NEM tokens being stolen surfaced in January. The company eventually estimated that tokens valued at $535 million had been illicitly transferred from the system, leading the platform to eventually suspend trading for all currencies apart from Bitcoin.
- In February, Italian exchange BitGrail was forced to halt trading when over $170 million in Nano tokens were removed from the exchange. Relations between Nano and BitGrail were strained and quickly became mired in legal actions, making it difficult to ascertain much of what had happened. In June, an Italian judge ordered that wallets with BitGrail’s bitcoin holdings should be seized and used to compensate victims of the February hack.
- Two hacks in South Korea rounded out the first half of the year when the Bithumb and Coinrail exchanges were both hacked in June, with total losses of $72 million (£54m).
But these figures are only part of the picture: smaller losses, like the $3.3 million lost from Indian exchange Coinsecure, push actual losses significantly higher than the estimated $770 million highlighted.
And this trend looks set to continue in the second half of the year. In July, Israeli exchange Bancor reported a loss of $24 million, so losses for 2018 could easily top $1 billion by year’s end.
However, with Bitcoin’s 10th anniversary approaching, it is reasonable to wonder why, after a relatively long time in digital years, exchanges and associated technologies like digital wallets appear to remain so vulnerable.
In many ways, the technical, decentralised nature of cryptocurrencies may explain why overcoming these challenges is and will be difficult. While improved security and better regulation may have helped avoid or limit many of the hacks outlined above, these concepts are largely anathema to the libertarian philosophy underpinning cryptocurrencies.
Improve exchange security
Blockchain, the foundation of this protection, has since transformed into its own ‘hot’ tech sector, even drawing in unlikely players like the Long Island Iced Tea Corporation.
However, despite the security precautions baked into the more reputable currencies themselves, exchanges and digital wallets remain vulnerable due to a range of lax security measures.
These weaknesses range from poorly constructed codebases to single points of failure which thwart other security measures that are in place. For example, the Mt. Gox exchange was riddled with security weaknesses, from a poorly constructed and loosely managed codebase to loopholes in transaction management, the flaw which allowed hackers to make off with $450 million.
Meanwhile, attempts to improve the security of exchanges have been at best sloppy or, at worst, deliberately misleading. The Bitfinex exchange was reportedly secured by multi-signature wallets, similar to a physical safe which requires two of three different keys to open.
However, this system was easily circumvented by hackers who discovered that instead of three separate keys in different locations, two keys were stored in a ‘hot wallet’ on the Bitfinex servers. With access to a hot wallet – one accessible via the internet unlike an offline ‘cold’ wallet – hackers easily accessed two keys via a single exploitation. After this, triggering illegal withdrawals was relatively straightforward.
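The co-location failure described above can be checked mechanically from a key custody inventory. The following is an added example, not part of the original article or any exchange's code; the function names, location labels and inventories are hypothetical and constructed for illustration. It computes how few storage locations must be compromised to reach the signing threshold and flags wallets where that number is lower than the threshold itself.

```python
from collections import Counter

def min_locations_for_quorum(threshold, key_locations):
    """Fewest storage locations whose compromise yields `threshold` keys.

    key_locations maps a key id to the location that stores it.
    Returns None when fewer than `threshold` keys are inventoried.
    """
    collected = 0
    # Taking the most heavily loaded locations first is optimal here.
    ranked = Counter(key_locations.values()).most_common()
    for breaches, (_location, count) in enumerate(ranked, start=1):
        collected += count
        if collected >= threshold:
            return breaches
    return None

def audit_wallet(name, threshold, key_locations, online_locations):
    """Return findings for one M-of-N wallet custody record."""
    total = len(key_locations)
    breaches = min_locations_for_quorum(threshold, key_locations)
    if breaches is None:
        return [f"{name}: only {total} keys inventoried, policy needs {threshold}"]
    findings = []
    if breaches < threshold:
        findings.append(
            f"{name}: {threshold}-of-{total} policy, but compromising "
            f"{breaches} location(s) exposes {threshold} keys")
    online = sum(loc in online_locations for loc in key_locations.values())
    if online >= threshold:
        findings.append(
            f"{name}: {online} keys on internet-reachable hosts, "
            f"enough to sign without any offline key")
    return findings

# Constructed inventories (hypothetical names, not real custody data).
ONLINE = {"exchange-server"}
COLOCATED = {"key-1": "exchange-server", "key-2": "exchange-server",
             "key-3": "offline-vault"}
SEPARATED = {"key-1": "exchange-server", "key-2": "offline-vault",
             "key-3": "third-party-cosigner"}

if __name__ == "__main__":
    for label, inv in (("colocated", COLOCATED), ("separated", SEPARATED)):
        print(label, audit_wallet(label, 2, inv, ONLINE) or "no findings")
```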
While there may well be outright fraud in the system, security weaknesses generally seem to stem from two issues. The first is the Wild West approach to cryptocurrencies, which are grounded in a mistrust of central regulators.
While the reputable currencies themselves adhere to strict rules and controls, other currencies, exchanges and tools like digital wallets attract groups and individuals looking to make a quick buck: groups for whom security is almost an afterthought.
This is starkly illustrated by the lax approach many exchanges have to basic IT security measures.
Of the 35 organizations surveyed by Dashlane recently, 70% were found to have basic security flaws in their password management systems. Some allowed passwords as basic as ‘1234’ or simply ‘a’, leaving users’ accounts “perilously exposed”, according to the report.
Passwords are only one facet of online security, but Dashlane’s report noted that:
“For an industry that prides itself in its cybersecurity innovations, the cryptocurrency exchanges are much weaker when it comes to password security than the average mainstream website.”
Dashlane’s Cryptocurrency Exchange Password Power™ Rankings 2018
Given how frequently password vulnerabilities are the root cause of hacks, this weakness is alarming. Moreover, this lax attitude to passwords likely reflects the overall attitude to security.
The second issue is the complexity of cryptocurrencies and the associated technologies.
Cryptocurrencies owe more to cryptography and advanced math than basic computer science. Layered onto this is the added difficulty posed when conducting financial transactions, meaning that cryptocurrencies are significantly more challenging than other start-up sectors.
While the Bitcoin white paper is elegant in its simplicity, the application of these concepts in practice throws up a series of wicked problems which are hard to solve. This complexity is exacerbated by the shortage of engineers able to tackle these issues, meaning that even if there is a willingness to tighten security, exchanges may lack the necessary skills and abilities.
This freewheeling, libertarian mindset and technical complexity are also apparent when it comes to regulating these exchanges.
Faster government regulatory response
Born from a distrust of central regulation and fiat currencies, cryptocurrencies are libertarian at heart, posing an immediate challenge to the idea of regulation. Moreover, like any online business, moving location is often a relatively straightforward matter of switching servers to a more permissive jurisdiction.
This has meant that attempts to regulate or license cryptocurrency firms by states like New York have met significant opposition and, in some cases, led to the departure of firms.
Compared to the relaxed atmosphere of other locations, such as Switzerland’s canton of Zug, jurisdictions with any form of regulation will find it difficult to compete as a home for these firms.
However, this opposition to regulation is compounded by the sluggishness on the part of governments to regulate these currencies and exchanges.
Japan’s Financial Services Authority (JFSA) released a report after an assessment of 23 firms, finding an overall climate of loose business practices and glaring security flaws. But the JFSA has been looking at the stability and reliability of crypto exchanges since the Mt. Gox hack in 2014.
This makes the Coincheck hack in January all the more startling, particularly when Japan possibly accounts for as much as 65% of the major losses identified between 2014 and 2018.
However, Japan is not alone in its inaction, nor are financial regulators necessarily lagging behind their counterparts.
Governments worldwide are struggling to adapt and respond to the disruption caused to traditional industries such as transportation and hotels. When regulation of scooters is a challenge, it is not surprising that dealing with something as complex as cryptocurrencies is time-consuming and slow.
Industry-led improvements present an opportunity
Failures on many other disruptive platforms – a shoddy cab ride, bad rental experience or the inconvenience of abandoned scooters – only affect individuals or small groups at a time. Meanwhile, cryptocurrency exchanges service thousands of consumers and hold billions of dollars in tokens, making the repercussions of failure much more widespread.
Moreover, lax exchanges with poor security and anonymity also lend themselves to illicit transactions and money laundering.
These twin issues of consumer protection and the darker side of crypto exchanges servicing illegal online activities would suggest that authorities have a pressing responsibility to rein in and regulate this space.
As with all regulation, many will complain about the burden and cost, and some may vote with their feet and substitute New York for Zug. But despite their libertarian tendencies, reputable operators who already act responsibly should welcome some forms of regulation and improved security standards.
Self-regulation and cooperation with authorities would reward conscientious firms and close out competition from less reputable actors, improving the space for consumers, exchanges and the currencies themselves.
This presents an opportunity for reputable actors to become leaders and dominate the space to the advantage of both themselves and consumers.