Cryptocurrencies aren’t the problem in recent hacks, user error is
As bitcoin gallops to new heights, any number of warnings have been issued by a mainstream press struggling to keep up. One of the most dire is that cryptocurrencies are vulnerable to digital attack.
When Tether, the company behind a cryptocurrency of the same name, announced in late November that an attacker had stolen $31 million worth of tokens from its digital wallet, the mainstream press sounded more alarms. A Bloomberg story was typical, declaring the theft had "renewed concern about the security of digital coins." (Whose concern it was, the article didn't say.)
Such scrutiny will only intensify if the value of digital assets keeps climbing. Now cryptocurrency veterans are speaking up, arguing that the Tether hack and incidents like it mean little for the health of the blockchain ecosystem and even less for the security of decentralized cryptocurrencies such as bitcoin.
The problem with such articles — and the root of misperception on the subject generally — is that "they equate the theft of the coin to a security problem of the coin," said Erik Voorhees, founder and CEO of the digital-asset exchange service ShapeShift. "In reality, it's almost always a security problem of the company that lost the coin."
An analogy is helpful. If a bank leaves its vault door open, and someone waltzes right in and makes off with the cash or gold inside, "it doesn't throw into question the security of dollars or the security of gold," said Voorhees, whose company processed $600 million worth of cryptocurrency trades in November. "It just means the bank f----- up."
While the Tether incident is another in a long string of hacks targeting bitcoin exchanges, digital-currency companies and individual users, the actual blockchains that undergird bitcoin and other major cryptocurrencies have never been compromised.
Digital assets are extremely secure if you handle them correctly, experts say. Mishandled, they are easy to lose.
Paul Puey, co-founder of the blockchain-based cybersecurity platform Edge, said it's "playing with fire" to try to secure cryptocurrency the way that banks store regular money, in a central vault or server. Because deposits of bitcoin and other digital currencies are generally uninsured and the coins themselves are mostly anonymous, with transactions every bit as irreversible as cash exchanges, "cryptocurrency is even worse to centralize than fiat money," Puey said.
That's what Tether did. But asking users to safeguard their own digital assets has historically been a dicey proposition. Puey calls himself "one of the guilty ones," relating how he lost "a Tesla's worth of litecoins" on an old hard drive that now appears to be corrupted.
His company, Edge, formerly known as Airbitz, offers a solution. Its digital wallet allows users to secure for themselves the private keys that grant access to their funds. The wallet syncs between multiple devices and even offers a form of account recovery, should the user need it.
Edge, for its part, can't access any users' wallets or even sneak a peek at how much digital money they have, meaning an attacker would find it fruitless to break into the company's system.
"Our platform is fully private. We don't collect any emails. No phone numbers, no addresses, no names," Puey said. "So it's incredibly difficult to associate any random blobs of encrypted data on our system with actual people."
Even the questions and answers people can use to recover their account in the event that they lose their mobile device are encrypted. Edge itself can't see what they are, says Puey. The company is thus able to provide users with a fail-safe without making their data more vulnerable.
The account-recovery process relies on something called split-key security. A key that encrypts the user's account data is split in half, with one half stored by the user in an email account and the other half stored by Edge. Once a user supplies the correct answers to the security questions, the other half of the key is provided and the user regains access to his account.
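A minimal sketch of the split-key recovery described above, added here as an illustration and not Edge's own code. It assumes a 2-of-2 XOR split rather than literally cutting the key in half, and it assumes the service's share is sealed under a key stretched from the recovery answers with PBKDF2, so the service stores neither the answers nor a usable share. All function names and the sample answers are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 32  # bytes; size of the account-data key in this sketch


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(account_key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: either share alone is uniformly random noise."""
    if len(account_key) != KEY_LEN:
        raise ValueError("account key must be 32 bytes")
    user_share = secrets.token_bytes(KEY_LEN)  # e.g. kept in the user's email
    return user_share, xor(account_key, user_share)


def _answer_keys(answers: list[str], salt: bytes) -> tuple[bytes, bytes]:
    # Normalise so "Rex " and "rex" match, then stretch the low-entropy answers.
    material = "\x1f".join(a.strip().lower() for a in answers).encode()
    okm = hashlib.pbkdf2_hmac("sha256", material, salt, 200_000, dklen=64)
    return okm[:32], okm[32:]  # (one-time pad, MAC key)


def seal_server_share(server_share: bytes, answers: list[str]) -> dict:
    """Build the record the service stores: no answers, no plaintext share."""
    salt = secrets.token_bytes(16)  # fresh salt, so the pad is used only once
    pad, mac_key = _answer_keys(answers, salt)
    sealed = xor(server_share, pad)
    tag = hmac.new(mac_key, sealed, hashlib.sha256).digest()
    return {"salt": salt, "sealed": sealed, "tag": tag}


def recover(user_share: bytes, record: dict, answers: list[str]) -> Optional[bytes]:
    """Rebuild the account key, or return None if the answers are wrong."""
    pad, mac_key = _answer_keys(answers, record["salt"])
    expected = hmac.new(mac_key, record["sealed"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return xor(xor(record["sealed"], pad), user_share)


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)
    mine, theirs = split_key(key)
    rec = seal_server_share(theirs, ["Rex", "Lisbon"])  # constructed answers
    print(recover(mine, rec, ["rex", " lisbon "]) == key)  # True
```

Security-question answers carry little entropy, so the sealed record can be guessed offline by whoever holds it; the design still holds because the guessed share is useless without the user's share, which is why that share has to live somewhere the service cannot read.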
Edge's CEO sees these security advances as signaling a revolution not only in the storage of cryptocurrency but in data storage generally.
"The tools have all been there for us to properly secure data against attack, via encryption, and secure it against ourselves, via backups, it's just that we haven't had a strong enough motivation to put it all together," Puey said. "Crypto gives [us] that motivation."
Even Tether, despite making itself a target, managed to handle the recent hack better than a bank could have.
Unlike bitcoin and other decentralized cryptocurrencies, Tether's token is backed by dollars and fully controlled by the company. Users hand over dollars and receive tokens in exchange. The token's value is pegged to the dollar and redeemable at any time for cash, just as the U.S. dollar was once redeemable for a certain quantity of gold.
"Tethers are basically digital dollar receipts issued on the blockchain," said John Light, a blockchain industry veteran who has worked with a number of startups.
The idea is that Tether gives digital-asset exchanges and individual traders a token that is as stable as fiat currency but which moves around the globe as easily as any cryptocurrency.
It took some doing, but after the hack Tether was able to freeze the stolen tokens, preventing the attacker from spending them. "This is what prevents these 'marked bills' from ending up in the hands of innocent people who might accidentally accept them" only to find out they can't be redeemed, said Light.
None of Tether's executives have spoken publicly since the November attack. In a statement recently emailed to reporters, Ronn Torossian, an outside spokesman, said the company is "working closely with law enforcement" to investigate the hack.
"It does not appear that the hacker was able to do much with the coins that were stolen. The company was able to respond pretty quickly to the hack with this technical fix," Light added.
When a bank is robbed, by contrast, the Federal Reserve simply prints more money to make the hapless institution whole. What the Federal Deposit Insurance Corp. provides is merely "security by virtue of inflation," Puey said.
Thanks to inflation, he said, "you're not not losing money; you're just losing a small amount every year. And it's distributing that cost across everybody, even those who were not victims of those losses."
Such insurance will likely never be the norm for cryptocurrencies, insiders say.
"If your cash gets stolen from you, the FDIC does not give you your cash back. If your cash gets stolen from you, you can't reverse the cash back to you. It's gone," Voorhees said. "So crypto is more like cash than it is like a bank transfer."
But reversible transactions may be possible. Banks rely on chargebacks to fight identity theft, and cryptocurrency researchers have come up with the idea of "covenants," special accounts which, if any money is withdrawn, give their owner a window of time in which to reverse the transaction.
"You can imagine a bitcoin exchange putting all of their funds in an account like this, and then, if they get hacked, they have 48 hours — or something like that — to undo the theft," Light said.
Covenants are not yet possible. To make them a reality would require bitcoin's core developers to update the code and a majority of bitcoin miners, who secure transactions on the network, to agree to run the new version of the software.
For now, anyone holding cryptocurrency should take care. Yet the risks have done little in recent days to dampen the enthusiasm of bitcoin bulls, especially in Japan and South Korea. On Thursday, bitcoin reached a new all-time high above $16,000, according to CoinMarketCap.
One of the advantages of cryptocurrency over mainstream finance, says Voorhees, is that it allows everyone to choose the type of security relationship they want.
"You can choose to hold everything yourself and be completely responsible for your funds, or you can choose to let someone else do it, or anything in between. So you have that freedom to choose how you want to secure your wealth," Voorhees said. "With traditional finance, you're always having to trust a bank."