How safe are cryptocurrencies?
Their use of blockchain and anonymity of transactions may make digital currencies seem safe, but hidden weaknesses lurk below the surface
The adoption of cryptocurrencies has surged in recent years. Unlike traditional monetary systems, they offer a more decentralised and secure approach for managing financial transactions. But with research showing that hackers profited from cryptocurrency-related crimes to the tune of more than $4 billion in 2019 alone, there’s clearly a significant security risk here. Which raises the question, are cryptocurrencies really that safe?
While cryptocurrencies are based on highly secure blockchain technology and use strong cryptographic techniques to ensure financial transactions can’t be hacked, other aspects of this ecosystem may not be as secure. Jake Moore, cyber security specialist at ESET, believes exchanges, wallets and human error all increase the threat of hacking.
“Cryptocurrencies have regularly been overshadowed by risk, whether it’s a story about their volatility or the possibility of being hacked. Not being policed in the same ways as banks leaves the users far more vulnerable to this risk but in my opinion that suffices. I believe people should only invest in something they know about and fully understand the risks,” Moore says.
As cryptocurrencies have become more popular over the past few years, the hacking threat has grown significantly. He adds: “There have been several high profile cryptocurrency attacks over the last couple of years in which cryptocurrency owners have lost their coins and been unable to get their currency back.”
Structural weaknesses
More recently, researchers at Kraken Security Labs discovered that hackers can take control of KeepKey cryptocurrency wallets within fifteen minutes by using "voltage glitching". This enables attackers to extract encrypted seeds that are protected by a 1-9 digit PIN. They claim that this PIN is “trivial to brute force”.
But this type of attack isn’t easy, requiring specialised hardware and knowledge. Moore continues: “The complexity of this particular attack mentioned by Kraken Security Labs, however, means it cannot be done remotely as it requires physical access to the device making it far more difficult for the attacker.”
However, Moore points out that there are specific circumstances where this is possible, so it shouldn’t be completely ignored. He adds: “KeepKey wallet owners can enable the KeepKey client’s passphrase functionality, which adds an additional layer of protection. It encrypts the seed words and creates a new wallet for every possible passphrase.”
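The sketch below is an added example, not code from the article, Kraken Security Labs or KeepKey. It assumes the wallet derives its seed the way the public BIP39 standard specifies (PBKDF2-HMAC-SHA512, 2,048 iterations, salt `"mnemonic"` plus the passphrase) and uses the public BIP39 test mnemonic as constructed sample input; the function names are hypothetical. It shows why a 1-9 digit PIN is a small search space and why each passphrase opens a separate wallet.

```python
import hashlib
import unicodedata

# Constructed sample input: the public BIP39 test mnemonic, never a real wallet.
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed as specified by BIP39 (assumed scheme)."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s)
    salt = ("mnemonic" + nfkd(passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", nfkd(mnemonic).encode("utf-8"), salt, 2048, dklen=64
    )


def pin_keyspace(min_digits: int = 1, max_digits: int = 9) -> int:
    """Count every numeric PIN between min_digits and max_digits long."""
    return sum(10 ** n for n in range(min_digits, max_digits + 1))


def passphrase_keyspace(alphabet_size: int, length: int) -> int:
    """Count passphrases of a fixed length over a given alphabet."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Same seed words, different passphrases: unrelated seeds, so unrelated wallets.
    for phrase in ("", "correct horse", "correct horse "):
        print(repr(phrase), bip39_seed(SAMPLE_MNEMONIC, phrase).hex()[:16])

    # The PIN space from the article versus a 12-character lowercase passphrase.
    print("PIN candidates:       ", pin_keyspace())
    print("passphrase candidates:", passphrase_keyspace(26, 12))
```

Under this scheme every passphrase, including a mistyped one, derives a valid but different wallet, so there is no "wrong passphrase" error and the passphrase needs a backup as carefully kept as the seed words.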
Just like cryptocurrency wallets, exchanges play an important role in this industry but these too aren’t impenetrable to cyber criminals. Tyler Moffitt, senior threat research analyst at Webroot, goes as far as to advise people against storing their cryptocurrency in them due to a number of security vulnerabilities.
Moffitt explains: “Crypto enthusiasts store large amounts of money in their crypto holdings, and like to know that the option they've chosen to store their crypto is secure. Storing crypto in exchanges is a terrible idea because you are at the mercy of the exchange to keep your private keys safe. Plenty of people have been burned by hacked exchanges, and there is nothing that can be done to get that money back.”
Securing crypto wallets
With cryptocurrency wallets and exchanges both clearly vulnerable to attacks, what can users do to protect themselves?
Moffitt suggests hardware may be the answer. “Many people who have large amounts of crypto, totaling billions, store in hardware wallets like Trezor or Ledger. They are renowned for being the most secure way to store crypto,” he says.
Professor Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University, also believes hardware could hold the answer, although according to him second factor authentication devices are the way forward.
“These devices can dramatically lower the risk of phishing attacks, as hackers would also need to gain physical access to the hardware as well,” he tells IT Pro. “Examples of such devices include YubiKey and Titan Security Keys.”
The downsides of these devices, according to Curran, are that they often involve additional costs and require users to carry the device with them.
He adds: “Biometric, authenticator apps or hardware token solutions may not provide us with the complete authentication solution we need right now, to more fully secure our accounts and systems, but they will play an increasingly important role in the future. It is likely that, until some superior mechanism is created, proper multi-factor authentication via hardware security keys is the gold standard.”
Pascal Geenens, security evangelist at Radware, strikes a similar tone to Moffitt, advising never to put online what can be stored offline. “That advice is not limited to crypto keys, it goes for all sensitive data - think about scans of passports, which are still requested as proof of identity for banking products for example, and also with crypto exchanges for that matter,” he says.
“You have to remember that whatever is stored online is subject to being remotely snatched. I'm not saying it is easy to do, but the attack surface online is much larger and the threshold for trying is much lower for 'bad guys' than having to physically break into your home at the risk of being caught and exposing themselves to harm.”
Despite their volatility and shady reputation, interest in cryptocurrencies continues to grow. But anyone investing in or developing this technology needs to be aware of not just the inherent financial risks, but security threats too. Cryptocurrencies may be secure by design thanks to the blockchain technology that underpins them, but with hackers finding sophisticated ways to attack wallets and exchanges, taking mitigatory steps to stop criminals in their tracks is paramount.
Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, the Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan. You can follow Nicholas on Twitter.