More

    Bitcoin’s Security Challenges

    The crypto-currency known as Bitcoin was first introduced in 2009 in a paper published by Satoshi Nakamoto. As Kaspersky Lab described the e-currency:

    Named “Bitcoin: A Peer-to-Peer Electronic Cash System,” the paper defined the foundations for a distributed, de-centralized financial payment system, with no transaction fees. The Bitcoin system was implemented and people started using it. What kind of people? In the beginning, they were mostly hobbyists and mathematicians. Soon, they were joined by others – mostly ordinary people, but also cyber criminals and terrorists.

    Since the introduction of Bitcoins in 2009, they have received a lot of attention: some of it good, some of it bad. Just like any other crypto-currency, they’ve been associated with numerous scams, hacks/thefts, defunct “stock exchanges,” and reported losses of wallets containing massive amounts.

    Kaspersky Lab’s experts explained that Bitcoin really began to hit its stride in 2013, in part because they are a secure, anonymous, way of paying for law-abiding citizens, especially for those who want to fly underneath the NSA’s surveillance radar.

    Bitcoin as a currency, itself, seems to function as-advertised, according to Andrew Brandt, director of threat research at Blue Coat. The math surrounding the creation and transmission of value through the currency exchange network is scientifically sound.

    As global commerce will only increase, e-currency in general, and in particular Bitcoin, could play a major role in how consumers and enterprises alike pay for goods and services. But first, it has to solve its security issues.

    Bitcoin’s Security Challenges - slide 1

    Click through for a closer look at Bitcoin and its associated security challenges.

    Bitcoin’s Security Challenges - slide 2

    The Bitcoin (BTC) wallet is a commonly targeted threat vector in the Bitcoin market, said Mark Vankempen, senior advanced R&D engineer at LogRhythm, adding:

    A BTC wallet is like a real wallet filled with cash. You should never keep all your eggs in one basket and the BTC wallet is no different from this age old idiom. So far there is no air tight solution to keeping your BTC safe and secured.

    According to Vankempen, one of the most notable BTC losses is the Bitomat.pl Loss. During a routine maintenance restart, the server that hosted their Bitcoin wallet was unknowingly configured to be irretrievable upon shutdown. This resulted in the loss of 17,000 BTC (about 14.5 Million USD at today’s value). This unfortunate disaster could have been easily prevented. He added:

    I’ve put together the following action items that can help protect your BTC investment: Backup and encrypt your wallet, make multiple copies of your backup, store them in more than one secure location and finally, don’t keep all your BTCs in one wallet.

    Bitcoin’s Security Challenges - slide 3

    In 2013, Bitcoin soared in worth in part because it is popular among cyber criminals. As Sergey Lozhkin, senior security researcher with Kaspersky Lab, stated in an email interview:

    Cyber criminals follow the money. Bitcoins are valuable and their value continues to grow.  Everything valuable on the Internet attracts cyber criminals of different types searching for security breaches and vulnerabilities.

    The ability to avoid surveillance means cyber criminals are more easily able to avoid law enforcement when using Bitcoin. In fact, it was the cyber criminal underworld that put Bitcoin into the public eye. First, the website known as Silk Road, a place to purchase drugs and other illegal items using Bitcoins, was shut down by federal agents. Second, the developers of the ransomware CryptoLocker wanted a ransom paid in Bitcoin to release computer files. (And since many victims either didn’t know what Bitcoin was or didn’t have immediate access to the e-currency, the CryptoLocker developers had to change their tactics in order to make money.)

    Beyond those two high-profile situations, 2013 saw a number of huge Bitcoin heists from exchanges, including the thefts at the Sheep Marketplace (96,000 bitcoins), GBL and Tradefortress. With the cash value of Bitcoin skyrocketing, these may turn out to be among the most financially costly thefts of the year, Brandt pointed out.

    Bitcoin’s Security Challenges - slide 4

    According to Lozhkin, the main threat surrounding Bitcoins is theft. Cyber criminals can steal Bitcoins by using malware to target Bitcoin wallets stored on a machine that’s connected to the Internet. They can also hack into Bitcoin exchanges and other third-party platforms, which are lucrative, high-value targets with mostly unproven security track records.

    The biggest concerns have appeared in the operation of various Bitcoin exchanges and/or storage facilities. Brandt added:

    All the largest thefts of coins have taken place in these “banks” of sorts, where people keep their bitcoins until they’re ready to spend them. Unfortunately, in this unregulated, kind of Wild West marketplace, there’s nobody to certify that security procedures are sound for the storage and management of coins and accounts.

    In a Business Insider article, Jim Edwards pointed out what makes a Bitcoin theft different from theft of traditional currency and how the security of Bitcoin also adds to the risk. It is the permanence of the transaction. Edwards wrote:

    Once a Bitcoin transaction has been approved by both sides, it cannot be reversed without the permission of the recipient. So when hackers engineer the transaction, the cash is gone forever.

    Bitcoin’s Security Challenges - slide 5

    The tactics used in Bitcoin thefts are fairly bold. According to a CSO article, E-Sports Entertainment admitted to “secretly installing Bitcoin mining software” on thousands of computers and has agreed to a $1 million settlement.

    The anti-malware company Malwarebytes has released a warning about software that uses computers to mine Bitcoins. As The Guardian reported:

    The program “installs a Bitcoin minter on the user system, not just for a quick buck but actually written into the software’s EULA [End User License Agreement]. This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash.”

    The majority of computer users have no idea that their computer has been turned into a Bitcoin-mining zombie – after all, how many people read the EULA for software? However, a good anti-malware program should be able to find the malware and get rid of it.

    On the positive side, The Guardian article added, developers may have outwitted themselves:

    The amount of processing power now being used to try to mine Bitcoins have increased exponentially in the past year, so that it now requires dedicated ASIC processing rigs to generate Bitcoins in any reasonable period. It’s now almost impossible to mine Bitcoins using a standard PC CPU – and even “botnets” of CPUs aren’t able to compete against the dedicated rigs in terms of computing power.

    Bitcoin’s Security Challenges - slide 6

    One notable scam that Vankempen thought was worth mentioning is the Ubitex scam. He explained:

    Ubitex was the first company to be listed on the now defunct Global Bitcoin Stock Exchange (GLBSE). The business model was simple – provide a service which allows anyone to buy and sell BTCs for cash while charging a small transaction fee. Sounds like a good idea. Ultimately you’re going to want to exchange your BTCs for cash and buy basic things like food, gas, etc. The service ended up raising around 1,100 BTCs before the founder disappeared with the Bitcoins.

    The Ubitex scam has done its damage regarding the future of Bitcoin exchanges. In an interview with GLBSE’s founder James McCarthy, Wired wrote:

    There have been a number of bitcoin exchanges to emerge in the UK, but they are at risk of being shut down by banks. Even if you manage to open a bank account to receive currency, if banks see lots of money shifting through an account they will investigate. “Banks are really worried about money laundering,” McCarthy explains. “You may launch a service and it may become successful but if you are not following the rules you will have to either shut down or face prosecution.”

    Bitcoin’s Security Challenges - slide 7

    Bitcoin wallets need to be kept safe and secured, and encrypted. Huge amounts of Bitcoin should not be stored in clouds, stocks and markets. Do not keep a backup copy of your wallet unsecured. Having good and updated antivirus software on a PC with a Bitcoin client and fully updated OS and third-party software is essential. Or, as Brandt said:

    Bitcoin needs its own version of the Pinkerton men, bonded and certified professionals whose job is specifically to safeguard the storage and transfer of bitcoins, and ensure that exchanges are performed fairly. I guess it would have to be something akin to the Nevada Gaming Commission, with the rights to waltz into a bitcoin exchange data center and take a look under the hood at any time. I guess it still kind of feels like funny money, but at a little over $1000 per bitcoin in today’s prices, I personally would need more assurances than just a promise to do no evil, and a handshake.

    Government, too, needs to step up to the plate. The Senate Committee on Homeland Security and Governmental Affairs has been alerted of the emerging threat and criminal exploitation of virtual currency systems and has held hearings with experts to discuss the concerns, particularly involving regulation, surrounding crypto-currencies.

    Bitcoin’s Security Challenges - slide 8

    Like any type of data, when it is not actively used, it is most at risk. Bitcoin is no different, according to Reza Rahimi, product manager with WinMagic, who points out that no matter where your wallet is stored, it still counts as data at rest, which makes it an easier target. Rahimi recommended using strong encryption, as this will prevent unauthorized access and theft of your Bitcoins. He also suggested using reliable and trusted third-party vendors for all forms of wallets, adding:

    But remember it is not good practice to keep large amounts of Bitcoins in an easily accessible manner such as a mobile wallet. Instead, keep small amounts on a computer, mobile or online for everyday use and the remaining part on physical media, encrypted and locked away safely. In addition to encrypting your wallet, create redundant backups of it in order to avoid data loss.

    Lozhkin and his fellow Kaspersky Lab expert Stefan Tanase wrote in a SecureList blog post that Bitcoins should never be kept in online stock exchanges. Unknown and untrustworthy banks should also be avoided. It is important to remember that the transfer of Bitcoin is anonymous and the transactions are done under nicknames or pseudonyms. While there is no 100 percent guaranteed safe storage or transaction – and that is true in traditional monetary storage and transactions – the better the reputation of the bank or service, the more secure the Bitcoin will be.

    Bitcoin’s Security Challenges - slide 9

    What is the future of Bitcoin, specifically, and crypto-currency in general? Brandt believes we will continue to see a growth of Bitcoin mining tools being added to software. Lozhkin said attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year, adding:

    As for Bitcoin users, in 2014 we expect considerable growth in the number of attacks targeting their wallets. Previously, criminals infected victim computers and went on to use them for mining. However, this method is now far less effective than before while the theft of Bitcoins promises cyber criminals huge profits and complete anonymity.  There is also strong evidence to suggest that in 2014 Bitcoin will collapse and those in possession of the crypto-currency will face financial losses.

    Vankempen agreed, stating that with an unregulated, decentralized new currency like this, where each single coin is worth such a significant monetary amount, you can rest assured that bad actors are going to be looking to exploit it in any way possible for their own personal gain.

    Sue Poremba
    Sue Poremba is freelance writer based on Central PA. She's been writing about cybersecurity and technology trends since 2008.

    Latest Articles