I had been holding back from giving it a try. Mark’s story was in my mind and I feared my money would disappear. I finally became initiated into virtual currencies and I developed some thoughts on their cyber security.
Mt. Gox, where are our bitcoins?
Mark Karpeles bowed in front of the Japanese press with his eyes closed. He looked deeply humbled and uncomfortable. He was apologising to his clients for having lost 750,000 of their bitcoins, and an extra 100,000 bitcoins owned by his company. Karpeles was the CEO of Mt. Gox, a bitcoin exchange based in Tokyo, Japan. By 2013, Mt. Gox was the biggest bitcoin exchange in the world, handling 70% of global bitcoin trading. At a press conference on February 28, 2014, Karpeles referred to some “weakness in the system” and blamed hackers for the loss. At the time, the lost 850,000 bitcoins were worth $473M USD. By mid-October 2017, those bitcoins would have been worth $3.9B USD. The Mt. Gox clients impacted by the loss have been denied a substantial profit from their early investment in the cryptocurrency.
Hackers allegedly exploited a business logic vulnerability in the exchange’s trading web application. Tokyo security company WizSec investigated the case and concluded that most or all of the missing bitcoins were stolen straight out of the Mt. Gox hot wallet over time, beginning in late 2011. When the theft was discovered and reported in February 2014, it became a disaster overnight. The exchange shut down. Mt. Gox filed for bankruptcy and left many of its clients short of their valuable bitcoins.
There is more to the story of Karpeles and Mt. Gox. 100,000 client bitcoins were eventually recovered. Karpeles was also found guilty of fraud, embezzlement and financial mismanagement in a charge unrelated to the missing client bitcoins. He ended up in prison. The case of Mt. Gox shook the cryptocurrency ecosystem and set a strong precedent for the risks of cryptocurrencies.
Cryptocurrency security risks
Bitcoin and other cryptocurrencies are fast growing in popularity, and not only with high-risk investors. They are a valid payment option with the likes of Microsoft, Dell, Expedia and a growing number of businesses, including in Australia. Cryptocurrency exchanges are becoming mainstream. Bitcoin ATMs are also appearing in more places. Christine Lagarde, the Head of the International Monetary Fund (IMF), suggested that virtual currencies could offer better value, better payment services and would present a fresh idea to central bankers.
However, cryptocurrencies are virtual assets managed in an unregulated financial system. They are high risk. They can disappear very quickly when their security is compromised and a humble apology from a CEO may be all there is to get as a consolation.
The security risks I associate with cryptocurrencies include:
- Failure of the blockchain – Unlikely. This risk is very unlikely due to the blockchain architecture, especially with common cryptocurrency blockchains with large groups of participating nodes.
- Failure of the exchange – Possible. This risk is clearly possible. There are precedents of exchanges being hacked, such as Mt. Gox. Exchange hot wallets have been compromised.
- Failure of the wallet – Likely. This risk is likely. Hot wallets with no backups are simply lost. Unsecured wallets can be compromised through vulnerabilities affecting the endpoint (e.g. mobile phone), the wallet software and of course the user and how they protect their wallet private keys.
Michel Sassano recently published an amazing article reporting on how his team managed to recover a wallet private key from a screenshot image of a live TV program broadcast by France 2. The image of a bitcoin wallet private key QR code and string had been purposely obfuscated. However, the picture was not obfuscated well enough, which led to the private key being recovered through an 8-step process and a bit of luck. The wallet contained a value of $1,000. This report clearly highlights the risk of wallet protection failure through private key compromise.
My initiation to cryptocurrencies
I strongly associate Karpeles’ apology picture with the risks of cryptocurrencies. Being cyber security conscious, and without an ounce of a gambler in me, I had never been tempted to risk my money with any virtual currencies until recently. I finally resolved to give it a shot and to reflect on the experience. The plan was simple. I had to procure some bitcoins and buy something with them.
Choosing an exchange
Before entrusting my money to a cryptocurrency exchange, I did some research and down-selected two exchanges. My selection was based on online reviews, some articles and forum discussions that I read. I paid attention to the volumes the exchanges trade and their lack of mentions in hacking news. I also considered their transaction fees, but it wasn’t a critical factor in my selection.
The first exchange I selected is based in Australia and the second one in the USA. I then proceeded to register with the 2 exchanges.
The process was similar between the 2 exchanges and included the following steps:
- Register basic account details. Set username (email address) and password, and verify the email address.
- Set up two-factor authentication. Exchange #1 uses SMS OTP. Exchange #2 uses Google Authenticator.
- Verify identity. The process was similar in approach and involved submitting some pictures of identity documents that are subject to verification.
  - Exchange #1 required 3 documents: a driver’s license, a photo of myself holding an A4 piece of paper with a handwritten note stating my identity and including a secret code I was provided on the document upload page, and a recent utility bill. The verification process took about 1 week to complete. It finished with a phone call with an operator asking further questions including: Was the account for me or somebody else? And did I intend to invest my superannuation (pension) fund in cryptocurrencies?
  - Exchange #2 required 1 document only: either a passport, a driver’s license or a photo ID. The verification process took about 2 minutes to complete. It seems the process was fully automated. I was actually curious to test the upload of a wrong picture (not an identity document) and it was not accepted. I then provided a correct ID document and it worked. There was no phone call.
Exchange #1 had called me as part of the identity verification process. I answered their questions and I then took the opportunity to ask them some questions about the security of their exchange. I simply couldn’t resist the opportunity to enquire. The operator who had called me was new to the company and she didn’t know much about how they handled security. She offered me the option to get a call from her manager, which I accepted. The manager called me soon after and she very kindly indulged me in a 30-minute discussion, taking all my questions and answering them clearly and directly. She was very transparent on what they did and didn’t do at a high level. At the end of the call, I was left with the following thoughts:
- The exchange was transparent on security. I felt they were honest with me. I was also very thankful for the opportunity to discuss the subject with them openly. That was great customer service.
- I didn’t find comfort in their security story. I understood that they took the matter seriously. They had reportedly never been hacked. However, I didn’t get a sense of any robust security risk management. There was no dedicated team or function focusing on security. They also had no security certifications such as ISO 27001. I don’t value security certifications very highly, in the sense that they don’t provide any guarantees, but in this case it would have been something at least and an element of comfort. The key recommendation I was provided with was not to leave too much credit online, in their hot wallets, but to move it to cold storage instead (i.e. don’t leave too much money with us). It is indeed good advice. However, overall, I wonder whether she was the right person to communicate with on security. She may have undersold it to me and I was left with a persistent feeling of doubt.
Aside from the phone call I got, exchange #1 does not have much information on their website about security at all.
With exchange #2, I didn’t get the opportunity of a phone call. However, their website Q&A did provide some valuable information, covering:
- Insurance cover in case of a hack, and very importantly
- 98% cold storage. They would only store up to 2% of customer funds online and they would keep the rest in cold storage. Exchange #1 would not have such a practice – I had asked them the question.
The exchanges I registered with support the following methods to procure cryptocurrencies:
- Exchange #1: POLi payments, BPAY and cash deposit,
- Exchange #2: credit/debit card only (at least for Australia).
I went with exchange #2 (USA) for 2 reasons:
- I was ready to transact within minutes of registration, because the identity verification process was automated (1 week process with exchange #1); and
- Their security story gave me more confidence.
I registered a debit card and quickly procured a small amount of litecoins (LTC) and bitcoins (BTC).
I paid for my monthly private VPN fee with bitcoins, which also happens to be discounted when compared to using other currencies. It was very easy to do. The only inconvenience I experienced was a 35-minute delay for the transaction to be confirmed by 1 node, which the recipient depended on to acknowledge payment.
Cryptocurrency security thoughts
I am still a novice cryptocurrency user, but my initiation left me with the following thoughts.
For novice cryptocurrency users like me, I would suggest:
- Select the exchange thoughtfully. Do your research. Consider large, reputable exchanges. Check the regulations applying to them. Check their security information (e.g. 2FA supported). It is valuable for them to hold cyber security insurance and, very importantly, to store the majority of their clients’ virtual funds in cold storage;
- Set a strong password for your account;
- Set up two-factor authentication;
- Don’t leave too many virtual funds on the exchange. Store your cryptocurrencies in cold storage (aka offline wallet);
- When using your own wallets (e.g. on your mobile phone or desktop as opposed to on an exchange’s wallet):
  - Encrypt your wallet with a strong password (that you don’t forget!);
  - Back up your wallet regularly; and
  - Consider offline transaction signing (requires a computer disconnected from the network) or hardware wallets (e.g. Trezor) for higher security. Check Bitcoin.org or other sources for further advice on securing your wallet; and very importantly
- Do not share your private key. Keep it strictly confidential and safe.
If you are a new exchange, a startup perhaps, you may find it beneficial to consider:
- Taking security seriously. Dedicate some resources to the subject. Implement an ISMS;
- Not storing all your clients’ virtual funds in hot wallets (think Mt. Gox);
- Subscribing to cybersecurity insurance;
- Attaining a security certification (e.g. ISO 27001);
- Implementing an efficient and automated identity verification process, which is also good for customer experience;
- Providing a good Q&A on key security questions on your website; and
- Seeking advice from professional cyber security advisors.