Posted by Steve Giguere on February 5, 2018
In Part 1 of our article on blockchain security and cryptocurrency, we took a hard look at the core components that make up a successful cryptocurrency like Bitcoin. From the distributed network itself to the individuals who wish to own and use a cryptocurrency wallet to transfer or spend Bitcoin, security is key (pun intended) and very much a consideration at every stage. We ended our last article talking about the types of wallets available for conducting transactions on the network. This is where both choice and the potential for user or developer error come into play, especially when we discuss the types of wallets and, more importantly, the storage each type provides.
Defending your wallet is probably where security is the weakest when it comes to cryptocurrency investing. As discussed, the wallet itself is merely digital. It’s just an unguessably big numeric key used to “sign” each transaction to demonstrate that the sender is you without revealing the key itself. It also enables the generation of a public key, or an address associated with your private key, so that people can send money to you.
The decentralization of currency is a popular concept within the ranks of the crypto-hard-core. Crypto-users like the idea of sticking it to the man and often make grand claims about Bitcoin replacing banks. But once you strip away the bonuses, the bailouts, the bad service, the fees, and the general feeling that Darth Vader (other Sith Lords are available) is somehow involved in your bank, there is one major advantage of banks that is overlooked: They keep your money safe!
It may be hard for the crypto-warriors to admit, but it’s true. Banks, for the most part, are pretty good at keeping large quantities of your money safe. What a “large quantity of money” represents is down to the beholder, of course. To work that out, ask yourself how much money you would feel comfortable carrying around in your wallet. I think the most I’ve ever carried was $5,000, when I purchased a motorcycle with cash. It didn’t fit very well, and although I felt a bit gangsta, it was a nervous experience. I was happy once it was gone and I could go back to using my card.
With cryptocurrency, you need to think early about how you are going to store your coin. There is no cryptocurrency equivalent of a bank account. If you can imagine a completely cryptocurrency world, your life savings would be held in your wallet. Scary. As we said, it’s not physical money but instead just a complex numeric key that sits on your computer, your phone, a USB drive, a piece of paper, an online service, or a dedicated piece of purpose-built technology.
Cold storage is often recommended for Bitcoin addresses with a significant balance, so let’s start there.
I’m not good with paper, so that idea is out for me, but some people do just create QR codes of their keys and pop them in a safe. You can, however, keep a public key available as a soft copy to deposit money into your cold wallet for safekeeping. Nice and secure.
The hardware wallet is a personal favorite. One example is Ledger Nano S, although Trezor is another good brand of hardware wallet. A hardware wallet stores your private key on a separate hardware device and allows the sending of cryptocurrency only when the device is connected to a computer. Frankly, if you are sending coin frequently, it would be a better idea to keep a hot wallet as a rough equivalent of your normal wallet for cryptocurrency exchanging or spending. To fund it, just send a small amount from your hardware wallet only to yourself.
Let’s move over to hot wallet security. There are, of course, several desktop applications. The problem with having all your eggs on one computer is that computers fail, and sometimes we forget what is on our hard drives till it’s too late. There are already well-known stories of people digging through dumpsters, trying to find hard disks containing Bitcoin wallets worth billions. Additionally, a growing number of email phishing and social engineering campaigns are designed to get malware, such as the Cerber strain, to hunt for crypto-wallets and send those away to malicious parties. It’s getting harder and harder to defend ourselves and our computers.
I’ve also already mentioned that some mobile wallets with sloppily written code have all but given people’s money away through poor ECDSA implementation. Anybody can submit a wallet application to the Google Play store, and there have already been reports of fake wallet applications accepting the WIF of your private key and disappearing with your Bitcoin. Blockchain.info and Breadwallet are trusted applications for mobile hot wallets, but do be careful when choosing one, and ideally, use the hot wallet only for currency that is active.
For newbies looking to dive into crypto, using an online service takes a lot of the pain away. Online services do charge fees for services, but they also remove much of the complexity. But do your research—and use a little common sense—when choosing a service. One of the largest original online services was called Mt. Gox. The early days of cryptocurrency trading were rather rocky, and inexperienced players made a royal mess of it, losing over half a million Bitcoin before Mt. Gox went bankrupt and the CEO went to prison. If you choose an exchange to handle your coin, maybe don’t go with one called Magic: The Gathering Online eXchange (aka Mt. Gox).
Since then, many new coin exchanges have appeared, and many have suffered. Just in the past few years, we have seen several exchanges hit by cyber attacks ranging from phishing campaigns to denial of service:
Bitfinex (Hong Kong): lost $70 million in 2016 and suffered a DDoS in 2017
NiceHash crowdsourced mining (Slovenia): lost $60 million
Youbit (South Korea): was hacked twice and is now bankrupt
Yapizon (South Korea): lost $5 million+
Bithumb (South Korea): lost $1 million+
Hint: Maybe stay away from South Korean exchanges, which North Koreans seems to be hacking to fund their own country.
Coinbase is often referred to as the idiot’s platform for crypto-investment. They don’t offer a lot of different options, it’s simple, the interface is easy—and they take security extremely seriously (check out this podcast for a reassuring chat).
But even Coinbase isn’t without scars, as they suffered a minor scandal back in December when they were accused of insider trading during the addition of Bitcoin Cash to their exchange. Nothing official has been announced, and there are alternative theories about trading bots pushing up the price.
There are three more potential dangers of using online wallet or exchange services.
The first is spoof websites. If you are using a service like Coinbase, bookmark the link to your site, and use that bookmark. Many people just go to Google and type “Coinbase,” assuming that the real Coinbase will be the first website listed. I had a friend who did this with Mt. Gox and found himself logging into a Mt. Gox look-alike site. It took him only a few seconds to realize his mistake, but by then, his Mt. Gox Bitcoin had already been stolen.
A second danger is malicious browser extensions. These often mask themselves as simple conveniences. One such Chrome extension advertised itself as a cryptocurrency ticker that would show current prices. But after you logged into your online service, if you were sending Bitcoin to a remote address, just as you clicked the send button, it would change the destination address and send your Bitcoin to the bad guys. When you are sending cryptocurrency, it’s a good idea to do it from a secure browser or one with only thoroughly trusted extensions.
Blockchain technologies are growing at an unprecedented rate and powering new concepts for everything from shared storage to social networks. Cryptocurrency isn’t going away anytime soon, and the fact that it has exploded certainly demonstrates that from a security perspective, we are breaking new ground. For users and investors, using both cold wallets for major storage and hot wallets for real-time trading is a good idea. Always be careful when using online services or mobile apps, as they may be fake or hijacked by browser malware or just so poorly implemented that they give away your private key and your money.
With the total market cap of all cryptocurrency at $757,890,628,246 (when this article was written), you can see why developers are incentivized to create blockchain applications. However, they should have equal incentive to follow the gold standard when it comes to securing applications and services surrounding cryptocurrency trading and blockchain application development. The technology is a deadly combination of high value, high stakes, and low maturity. Assessing risk, creating threat models, and doing some of the basics of application security, such as static code analysis, are a no-brainer. Taking every possible precaution to build security in from the start is critical to ensuring a successful, secure, and potentially quite profitable result for all involved.
Get the latest Software Integrity news, thought leadership, and more.