Crypto Currency Hacking Is Not About The Coin

Crypto Currency Hacking Is Not About The Coin.jpg

By Doug Barbin

Two weekends ago the South Korean cryptocurrency exchange Coinrail announced a hacking attempt on its website. With no more detail than a statement that said there was activity of a “cyber intrusion” and that it had managed to “freeze” certain coins with others being kept in a cold wallet. The exchange is now offline (hence no link to the website and its announcement). 

At the time, this news was believed to be the culprit of the drop in Bitcoin value along with commensurate drops for some of the other major currencies. 

I am not an economist nor a financial analyst. I am an amateur follower of cryptocurrency at best. What I am, though, is a 20+ year security professional who has spent a lot of time investigating and helping companies prevent security breaches and fraud. 

I am struggling to understand why something that happens daily in other areas of cyberspace has such an effect on the value of these currencies. Why would the alleged hack of a South Korean exchange site (the 98th largest) that no one knows anything about or has not provided any details indicate that there is any sort of fundamental problem with the currency? 

A TechCrunch article went as far as to state the following: “In all the cases, the companies issuing the tokens themselves were not hacked, the tokens that were nabbed belong to Coinrail users."

As the details of the compromise have still not be shared, the best I can do is provide a comparison to historical compromises. As such consider the following:

  • The potential for a security flaw in the web application programming that was detected by an external hacker
  • The potential for weak transport encryption (SSL/TLS) enabling a man-in-the-middle attack
  • The potential for weak authentication controls (e.g. weak passwords and no multi-factor authentication)
  • The potential for the use of cloud services that themselves are not adequately locked down by the tenant
  • The potential for an infected PC to gain unauthorized access to an account
  • The potential for a malicious insider to access customer accounts

Every one of the above relates to the security of the environment or application. These are all items that enable the exchange, but not one has anything to do with the currency itself.

Spend an hour looking at some of the hundreds of exchanges around the world and you will see that not all are created equal. Some are impressive with multi-factor authentication and one I observed scans the browser for malware prior to logging in.  Others are basically frightening. 

By and large, security threats exist at the ingress and egress points of a system. In the cryptocurrency world, those are the exchanges. Coin traders, perhaps you could question using an exchange with those super attractive fees. 

For the exchanges, if you’re one of the good ones pouring money into your security with controls like multi-factor authentication, strong encryption, secure coding, and advanced malware and threat detection, market that as a completive differentiator. Also consider third-party audits to help you share that with the marketplace.

No one has “hacked” Bitcoin, although the headlines would lead you to believe that. This is nothing new. “Hacks” were previously reported on applications hosted at major cloud providers like Amazon, only to be determined that the company hosting the application did not, indeed, secure it. That should be the story here. 

Whether your position on the matter is regulation or just tightening of the security controls, exchanges and the applications that allow trading should be where we put our focus. 

About Doug Barbin

Doug Barbin is a principal at Schellman where he leads the firm's cybersecurity practices.  He has more than 20 years of experience working with large enterprise, government agencies, and many of the world’s most innovative startups. Today he leads assessments of advanced technologies from cloud computing to AI and Blockchain, allowing companies to communicate their security posture to their regulators and stakeholders.  Doug’s previous roles have included managing the product lines for a major managed security service provider and leading global indecent response and forensic teams. 

More About Doug