Demystifying Security Flaws with Cryptocurrency

When you hear “Bitcoin”, or “Cryptocurrency”, what’s the first thing that comes to mind? Perhaps you think of people that made millions from buying them early. Or perhaps you may also think of it as currencies criminals use to fund their operations. In any case, there is no doubt that there has been an explosive rise in popularity of cryptocurrencies due to the increased value of Bitcoin and Ethereum as well as the adoption of these cryptocurrencies from mainstream companies such as Paypal and Tesla. While many sell and purchase cryptocurrency for investment and profit, few understand its underlying algorithms that ensure security and transparency. As these currencies are not backed up by any physical assets or government, some have voiced concerns about their potential flaws, saying that they can cause attackers to steal assets in a way that is almost to track. However, in this flood of media coverage, it becomes overwhelming to distinguish legitimate vulnerabilities and unnecessary fears. Today, we demystify some of these issues by categorizing and analyzing common security issues concerning cryptocurrencies, coming to a conclusion that many of them are not directly a result of flaws in cryptocurrency blockchain technology.

Type 1: Vulnerabilities in Blockchain Technology

This classifies vulnerabilities in the cryptocurrency algorithm itself. This includes the 51% Attack and quantum attack. 

Many cryptocurrencies, including Bitcoin, use proof-of-work to prevent double spending. In short, this method makes it impractical to make any attempts to double spend or reverse transactions, as doing so would cost incredible amounts of computational power. A 51% attack occurs when a single party is able to control over half of the mining power. This allows a wide range of malicious attacks, from stopping a requested transaction to allowing double spending. Although these facts are concerning, acquiring the necessary computational power to attack well known cryptocurrencies is incredibly difficult, considering that in Bitcoin, the largest out of them all, miners spend more energy than the United Arab Emirates and Argentina. This problem mainly exists in some 8,000 Altcoins created after the cryptocurrency boom, with much fewer total miners than established cryptocurrencies. In recent years, researchers, such as ones at MIT, have developed methods to detect and prevent such attacks. However, the fight is far from over, as hackers have successfully manipulated blockchain from Ethereum Classic, listed in Coinbase, a popular crypto exchange platform. 

Other sets of vulnerabilities rise from continuous technological development in quantum computing, which has been known to break many asymmetric cryptographic algorithms. Recent research showed quantum computers may break RSA2048 by 2035. Although quantum computers are in infancy, they will inevitably break current forms of cryptocurrency, posing a grave threat to them in the future. However, computer scientists already understand this threat, with the National Institute of Science and Technology, Microsoft, Google, and many others working on “Quantum-Proof” encryption. It is difficult to make speculations on what will happen, but with the development of quantum-proof cryptocurrency, “mass migration” from established cryptocurrencies such as Bitcoin and Ethereum (which are highly vulnerable to quantum attacks) is likely to happen. Only time will tell. 

This information may seem frightening, but let us compare the relative risks against traditional banking institutions. Unlike cryptocurrencies, traditional financial institutions have a centralized entity controlling and monitoring every transaction. This requires enormous trust from the users, and in general, putting all responsibility to one entity can lead to serious problems with security and integrity of the system. Take for example the banks in Australia, where they collected hidden fees without the customer’s realization. Wells Fargo, one of the largest banks in America, paid 3 billion dollars after creating multiple accounts without users’ consent. The list of scandals is growing each year, with users increasingly distrusting large banks and financial institutions. Cryptocurrency does not face the same problem, as its decentralization means no single entity makes any significant decisions on transactions. 

Type 2: Vulnerabilities Outside of Blockchain Technology

This type of vulnerability is really a generalization of all vulnerabilities that do not directly involve algorithms in the cryptocurrency. Here are two of the most prominent exploits that hackers use to gain unwanted access to people’s wallets.

Although cryptocurrencies are decentralized, many people, especially beginners, rely on centralized companies such as Coinbase to store their wallets. In 2020, Ledger, a hardware Bitcoin wallet company from France, was struck by a massive data breach impacting over 270,000 users. In another case, hackers stole 5.7 million dollars from Rolls as a result of a security breach. Even if people steal their wallets digitally, it is still vulnerable to any malware inserted on the computer, as the private key is usually the only information required to steal all assets on a cryptocurrency wallet. Some even run subscriptions to steal money from innocent people’s wallets, claiming to be undetectable by antivirus.  

Social engineering continues as one of the most effective tactics hackers use to extract cryptocurrency wallets from innocent users. With the explosive rise of cryptocurrency, attempts to scam users, and their success rates, are exponentially increasing as well. In less than a year over 80 million dollars have been lost to these scammers, who use tactics such as fake wallet recovery tools. Commonly called phishing, the scams are not unique to cryptocurrencies, and in fact exist in a wide range of areas from credit cards to personal identity. Other human errors, such as a weak password and a lack of a two-factor authentication also contribute significantly to vulnerabilities. In one case, an estimated 54 million dollars were stolen from hackers guessing passwords in 2019.

Conclusion and what you can do:

Based on the provided information, in the current state of cryptocurrency, traditional methods of hacking such as malware and social engineering pose a much higher threat to cryptocurrency wallets than exploitation of the blockchain in the cryptocurrency itself. Furthermore, traditional financial institutions present vulnerabilities that blockchain technologies were designed to prevent. Contrary to popular belief, owning cryptocurrency is not dangerous if the end user follows steps to ensure their digital assets are secure. Bitcoin, and many other cryptocurrency platforms, also have provided ways to keep them secure. These include having complex passwords, backing up wallets, keeping large assets offline, having softwares up to date, and arguably most important, choosing the right online platform to store wallets, as improper security procedures from centralized companies may create further security risks. 

The world of computers and the internet is a constant battle between malicious hackers attempting to exploit vulnerabilities and intelligent developers working to create more robust algorithms to patch those exploits. Although this applies to cryptocurrencies, by separating the difference between security flaws in and out of blockchain technology, it becomes clear that most prominent issues originate from threats such as malware and social engineering, not technology involving cryptocurrency. However, a successful blockchain system still relies on the work of  programmers to constantly update and maintain it. While this happens, end users can take advantage of current security measures such as robust encryption algorithms and two-factor authentication. If these sound plausible to you, and you can tolerate the volatility of the cryptocurrency (a story for another time), it is certainly a great resource for you.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You don't have permission to register