Howard Altman_resized
Howard Altman Dec 8, 2017

Bitcoin’s potential underbelly: Is blockchain hackable?

When it comes to keeping your money safe, even the much-vaunted blockchain is no panacea, says Moran Cerf, a guy who knows a thing or two about cracking security.

“Nothing is safe in our world,” says Cerf, who used to be a hacker.

Cerf, who’s since hung up his black hat, is now a professor of neuroscience and business at the Kellogg School of Management. Among other things, he keeps tabs on the latest innovations in cybersecurity and advancements in technology such as blockchain.

That’s right: Blockchain. Expert after expert has praised the digital ledger system as 100 percent ironclad. Impossible to attack. But those might as well be fighting words to malevolent hackers, who in the past have treated such assertions as the equivalent of waving a red cape in front of cyber-bull.  

“If a hacker wants to get your money,” Cerf says, “they will succeed. It’s just as true if it is in the blockchain or in the Bank of America. Blockchain isn’t less unsafe, it’s just unsafe in a different way.”

Cerf is talking about the financial blockchain, created in 2008 by an individual or collective known as Satoshi Nakamoto—the same “person” responsible for bitcoin and supposedly worth more than $6 billion. It blockchain serves as a conduit for exchanging cryptocurrencies and promises a high level of security because it acts as an anonymous ledger that rests not in a central location like a bank that can be hacked, but distributed across a multitude of computers.

Once a transaction is verified, it is assigned a random “hash,” or cryptographic, time-stamped signature by a computation known as a “miner” thus “forming a record that cannot be changed without redoing the proof of work,” Nakamoto noted in the seminal 2008 white paper on the subject.

The bitcoin blockchain is currently the largest, decentralized blockchain with more nodes and miners connecting to and verifying transactions on the protocol, said Luke McNamara , a senior analyst with the cybersecurity firm FireEye. “The more miners verifying transactions, the stronger the integrity and security of transactions on the network.”

51 percent: the big hack attack

But even that can be vulnerable, notes Cerf, pointing to what is known as a “51 percent attack.” In this scenario, the potential for a massing of computer power can overtake the “miners,” thus altering the verification of the transactions in a way that won’t affect how the blockchain itself works—creating individual blocks, that, once verified, will be rejected by the chain if altered.

In the blockchain, “the entire system relies on everyone having the same amount of computing power,” says Cerf.

But if someone applies supercomputing or other methods of amassing computer power to do calculations much faster than anyone else, they will, in effect, be able to “print their own money,” says Cerf—because they could alter the transactions meant to be registered via the miners.

Such an attack took place in August 2016, on the blockchain of a newer cryptocurrency called Krypton, according to BTCManager.com, a cryptocurrency industry website.

The exploit was two-pronged in its execution, according to the website; first, a 51 percent attack allowed attackers to send Kryptons to Bittrex and sell them for bitcoin before rolling back the blockchain to reverse the transaction. In addition, network nodes experienced a distributed denial-of-service (DDoS) attack, allowing for the multiplication of network power.

“The Suprnova mining pool and Krypton stats servers were also impacted by the attack, providing the intruders with a massive advantage over the network,” according to the website, which said that about $3,000 worth of Kryptons were stolen as a result..

It was a breach, the website said, “that some believe to be a prelude for potential future attacks.” That could mean, in theory not just via blockchain but on blockchain itself. And with hackers adapting the methods and tools of artificial intelligence, machine learning could be just the ticket.

A key vulnerability

In essence, blockchain—created just a year after the first iPhone—displays a key vulnerability, says Steve Wilson, vice president and principal analyst at Constellation Research, a cybersecurity firm focusing on digital identity and privacy.

“Nakamoto's assumption that the network would always remain heavily distributed, such that no bad actor could ever take over a majority, turns out to be utopian,” Wilson says. 

“Some say cryptocurrency is ‘math-based money’ but it is really assumption based, ironically just like conventional economics,” says Wilson.  “If the cryptocurrency libertarians say it's a terrible thing for a reserve bank to control the money system, I say it's worse for an opaque unaccountable assortment of unknown self-interested programmers to control bitcoin.

Bitcoin’s ultra-volatile nature—slammed by the likes of JPMorgan Chase CEO Jamie Dimon. who has called its investors “stupid”—points to one salient fact: Crypotcurrencies are a bit like the wild west in that the lacks any real governance. Some defenders contend it’s not in the miners' interests to affect a 51 Percent attack, “because that would kill confidence in the network and the currency,” Wilson says. “But it's a hell of an assumption that these miners' self-interests can be counted in the long run.” 

Blockchain confidence, crypto cautions

FireEye’s McNamara has more confidence in the blockchain system.

“While in some cases adversaries may exploit aspects of ‘smart contracts’ encoded on a blockchain, there haven’t been any observances of actors successfully compromising the underlying protocol of a major, open-source blockchain,” he says.

But bad actors don’t have to worry about breaking into the blockchain. Classic cyber vulnerabilities exist when it comes to storing or transferring cryptocurrency, say several experts contacted by BAI.

And this remains a great concern considering that about $200,000 worth of bitcoin is transferred every day. And with the growing popularity of blockchain, Goldman Sachs believes the technology holds great potential—especially to optimize clearing and settlements. It could generate global savings of up to $6 billion per year, according to BlockGeeks.com.

It’s even becoming an issue in North Korea’s nuclear and ballistic missile efforts, notes McNamara.

“Recently, we have observed targeting of cryptocurrency exchanges in South Korea by North Korean cyber espionage actors,” he says. “These actors targeted employees of these exchanges by deploying malware via spear-phishing onto employees’ computers as an intrusion vector into their organizations. As cryptocurrencies continue to appreciate in value, it is likely this type of activity will persist.”

The first major intrusion into the cryptocurrency ecosystem took place in 2011. Known as the Mt. Gox attack, it was the first major bitcoin disaster, according to a report released in February by Konstantinos Karagiannis, Chief Technology Officer for the security consulting firm BT Americas.

In June, 2011, $8 million was stolen. Three years later, another $460 million was stolen.

But in that case (as well as another attack against a cryptocurrency exchange called DAO) the thefts were not the result of a blockchain hack, but exploitations of vulnerabilities in the rest of the system, says Wilson, the Constellation Research vice president.

“Mt Gox was theft of balance from managed accounts,” said Wilson. “And The DAO was a bug that was exploited.”

It is worth repeating, Wilson notes, “that the weak links in any of these ledgers will be at the edges. Users’ keys can be stolen. Ledger entries can be manipulated before being committed to the system.”

McNamara, the FireEye analyst, concurs.

“While in some cases adversaries may exploit aspects of ‘smart contracts’ encoded on a blockchain, there have not been any observances of actors successfully compromising the underlying protocol of a major, open-source blockchain,” he says. “Where we typically observe compromises within the bitcoin ecosystem, or other cryptocurrencies, are at the endpoints. These endpoints are typically either cryptocurrency exchanges—where individuals can buy, sell, and trade cryptocurrencies—or within digital, web-connected wallets where the coins or tokens are stored.”

McNamara says that by using such attacks as credential collection malware, “malicious actors can infect a victim's computer and steal their password, potentially allowing them access to their wallet or exchange account.”

 Other tactics, he says, include social engineering through the creation of websites designed to mimic the real website of a blockchain project or exchange.

“Criminals can register a fraudulent website that looks exactly the same, but uses different characters or a different top-level domain, and then harvest usernames and passwords inputted by unwitting victims,” McNamara says.

McNamara offers several steps to take to increase your cryptocurrency security:

  • Make sure you enter 100 percent accurate information onto blockchain. “Since transactions on blockchains are irreversible, it heightens the importance of security,” he says.
  • Store cryptoassets (such as coins or tokens) offline through a variety of means is typically one of most advisable ways to secure the private keys needed for transactions.
  • Use multi-factor authentication to secure login credentials for online wallets and accounts as a best practice.
  • Finally, ensure that you visit the correct domain and input your credentials into a legitimate website can prevent individuals from disclosing their information to criminals.




Want more Banking Strategies? Sign up for our free newsletter!

Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.

BAI Banking Strategies

Thank you for visiting BAI Banking Strategies. To view more, please Subscribe or Login.

Dismiss