How cyberthieves found blockchain’s weak link
Once upon a time, blockchain was hailed as an unbreachable means of transmitting wealth. But as BAI Banking Strategies pointed out in 2017, blockchain isn’t as foolproof as once touted. Yes, this was about as minority a view as they come. But as experts noted, telling a hacker something absolutely can’t be hacked is like waving a red crypto-cape in front of a raging cyber-bull. After all, some hackers do it almost as much for blood sport as for the loot.
“If a hacker wants to get your money, they will succeed,” said Moran Cerf, a former hacker turned neuroscience and business professor at Northwestern University’s Kellogg School of Management. “It’s just as true if it’s in the blockchain or in the Bank of America. Blockchain isn’t less unsafe, it’s just unsafe in a different way.”
In the BAI article, Cerf pointed to what’s known as a “51 percent attack.” In this scenario, a potential massing of computer power can overtake the system and allow bad actors to essentially “print” their own cryptocurrency.
Fast forward to 2019: Cerf’s warning has come to pass.
An attacker somehow gained control of more than half of the Coinbase network’s computing power and used it to rewrite transaction history, according to a February article in the MIT Technology Review.
The lesson here—aside from “never dangle the word ‘unhackable’ in front of a seasoned cyber-thug”—is that today’s hackers, for all their digital dark magic, are the spiritual spawn of old-school bank robber Willie Sutton. He went after banks “because that’s where the money is.” (Speaking of unhackable, he also escaped from prison. Three times.)
The Coinbase caper made it possible to spend the same cryptocurrency more than once. The attacker was spotted pulling this off to the tune of $1.1 million. Coinbase claims that no currency was actually stolen from any of its accounts. But a second popular exchange, Gate.io, has admitted it wasn’t so lucky, losing around $200,000 to an attacker (who, strangely, returned half of it days later).
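The “51 percent attack” above and the double-spend that followed from it can be put in numbers. Nakamoto’s original Bitcoin whitepaper (section 11) gives the probability that an attacker holding a fraction q of the network’s hash power ever overtakes the honest chain from z blocks behind; once q passes one half that probability is 1, which is exactly why control of “more than half” of the computing power lets transaction history be rewritten. The script below is an added example written for this article, not code from the article or from any exchange; it implements that formula and derives how many confirmations a receiver should wait for before treating a payment as final. The 0.1 percent risk ceiling is an assumption chosen for illustration.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q ever catches up
    from z blocks behind the honest chain (Nakamoto whitepaper, section 11).

    q: attacker's share of total hash power, 0 <= q < 1
    z: number of confirmations the honest chain is ahead
    """
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("q must be in [0, 1) and z must be >= 0")
    p = 1.0 - q  # honest share
    if q >= p:
        # At or above half the hash power the attacker's private chain
        # eventually outgrows the honest one with certainty: any depth of
        # confirmations can be reorganised away.
        return 1.0
    lam = z * (q / p)  # expected attacker blocks while honest chain mines z
    prob = 1.0
    for k in range(z + 1):
        # Poisson probability that the attacker mined exactly k blocks in
        # the time the honest network produced z, times the chance the
        # attacker still catches up from the remaining deficit z - k.
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return max(prob, 0.0)  # guard against tiny negative rounding noise


def confirmations_needed(q: float, max_risk: float = 0.001, limit: int = 10000):
    """Smallest confirmation depth z at which the reorg risk drops below
    max_risk, or None when no depth is safe (q >= 0.5)."""
    if q >= 0.5:
        return None
    z = 0
    while attacker_success_probability(q, z) >= max_risk:
        z += 1
        if z > limit:
            return None
    return z


def main() -> None:
    # Constructed illustration: same table the whitepaper prints, plus the
    # majority case that the Coinbase/Gate.io incidents correspond to.
    for q in (0.10, 0.30, 0.45, 0.51):
        row = [f"{attacker_success_probability(q, z):.7f}" for z in (0, 5, 10, 25)]
        print(f"q={q:.2f}  P(z=0,5,10,25)={row}  "
              f"confirmations for <0.1% risk: {confirmations_needed(q)}")


if __name__ == "__main__":
    main()
```

For a payment processor the operational takeaway is the `None` in the last row: when one party holds a majority, no confirmation policy helps, so the only defences are monitoring for deep chain reorganisations and halting deposits for that asset while they occur.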
So if the vaunted blockchain is no longer foolproof, which other technologies once considered unassailable are now vulnerable? Here are four examples of security measures that, to the dismay of many experts, no longer look as ironclad as once thought.
1. “Very secure” passwords
Remember how you breathed a sigh of relief when the little green bar indicated that you had just created a “very secure” password on your smartphone banking app? Well, take a deep breath and ask yourself if you shouldn’t see red instead. Even if the password is a seeming chain of gobbledygook that looks like a cartoon version of a clown cursing, it’s no longer good enough.
“Passwords alone are extremely weak as a control, and the old thinking of eight characters as a strong password is out of date,” says Tyler Leet, director of risk and compliance services for Computer Services, Inc., a core bank processing and regulatory/compliance firm.
One reason, Leet says, mirrors the vulnerabilities of blockchain to computer power.
“With modern hardware, large character sets can be cracked in a matter of hours or even minutes,” says Leet, adding that bank customers should consider passwords of at least 12 characters.
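Leet’s two claims, that eight characters is out of date and that a full character set can be exhausted in hours, follow from simple keyspace arithmetic: the number of candidate passwords is the character-set size raised to the length, and an attacker’s time to try them all is that count divided by the guess rate. The following is an added example, not code from the article or from Computer Services, Inc.; it estimates the keyspace and worst-case cracking time for a given password and applies the 12-character floor Leet recommends. The default guess rate of 10^11 per second and the 33-symbol punctuation set are assumptions for illustration; real rates depend on the hash algorithm and the hardware.

```python
import math
import string

# Character classes and their sizes. The symbol count (33) is the printable
# ASCII punctuation set; it is an assumption of this example.
_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), 33),
)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from which
    character classes the password actually uses. Characters outside the
    four classes (spaces, non-ASCII) each add one to the alphabet."""
    size = sum(n for chars, n in _CLASSES if any(c in chars for c in password))
    extra = {c for c in password if not any(c in chars for chars, _ in _CLASSES)}
    return size + len(extra)


def entropy_bits(password: str) -> float:
    """Bits of brute-force entropy, assuming characters are chosen uniformly
    from the inferred alphabet (an upper bound; dictionary words have less)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def brute_force_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole keyspace for an attacker who
    knows the length and character classes."""
    return charset_size(password) ** len(password) / guesses_per_second


def assess(password: str, guesses_per_second: float = 1e11, min_length: int = 12) -> dict:
    """Summarise a password against a length floor and a crack-time budget.
    guesses_per_second is an assumed attacker rate, not a measurement."""
    secs = brute_force_seconds(password, guesses_per_second)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(entropy_bits(password), 1),
        "seconds_to_exhaust": secs,
        "too_short": len(password) < min_length,
        "cracked_within_a_day": secs < 86400,
    }


def main() -> None:
    # Constructed sample passwords; none are real credentials.
    for pw in ("abcdefgh", "Abcdef1!", "Tr0ub4dor&3", "Abcdefghij1!"):
        r = assess(pw)
        hours = r["seconds_to_exhaust"] / 3600
        print(f"{pw!r:16} len={r['length']:2} charset={r['charset']:3} "
              f"bits={r['bits']:5} exhaust={hours:.3g} h "
              f"too_short={r['too_short']} day={r['cracked_within_a_day']}")


if __name__ == "__main__":
    main()
```

Run as written, an eight-character password drawn from all 95 printable ASCII characters exhausts in roughly 18 hours at the assumed rate, which is the “matter of hours” Leet describes, while adding four characters pushes the same calculation to tens of thousands of years. The estimate is an upper bound: a password built from dictionary words or keyboard patterns falls far faster than its length suggests.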
2. Multifactor authentication
Like many financial industry security professionals, Leet recommends “solid multifactor authentication” (MFA), a security enhancement that requires you to present two pieces of evidence—your credentials or unique physical traits—when logging in to an account. But even this method has been compromised, says Scott Hennon, chief information security officer for the Cetera Financial Group.
“MFA is essential for security but it can in some cases be bypassed if a bad actor ‘social engineers’ a bank customer via email or phone to use their valid credentials to login to the bank site and complete fake transactions,” Hennon says.
“Security questions that include family and location-based info [i.e., street lived on or high school mascot] could be answered through online searches and the threat actor could establish access, unless out-of-band authentication from text/app is implemented,” says Quach, a former IT examiner for the Federal Reserve Bank of Philadelphia.
3. Firewalls and anti-virus software
Yes, they’re getting stronger. But as the bad guys flex their tech muscles, “these traditional devices have failed to provide the adequate security,” says Ratan Jyoti, chief information security officer at India’s Ujjivan Small Finance Bank.
Jyoti points out that because so many people use smart phones, tablets and other devices to bank, those endpoints have become the new perimeter between bad guys and the booty.
“By compromising an endpoint, a hacker can gain access to your entire network,” Jyoti says. He recommends financial institutions deploy new systems such as Security Information and Event Management and Endpoint Detection and Response, which monitor endpoint and network events and record the information in a central database. There, IT staff can facilitate further analysis, detection, investigation, reporting and alerting.
4. Biometrics
You feel pretty safe logging into your bank account with your fingerprint, right? After all, fingerprints are unique, thus a seemingly foolproof security measure.
Maybe not so much. A study released late last year by researchers from New York University posited that “DeepMasterPrints,” which are real or synthetic fingerprints, “can fortuitously match with a large number of fingerprints, thereby undermining the security afforded by fingerprint systems.”
“This news of potential synthetic biometrics is alarming and could eventually turn out to be a new permutation in credential stuffing, as hackers are able to access parts of fingerprints, reproduce them, then use them in large scale attacks,” says Bimal Gandhi, CEO of the connectivity security firm Uniken.
Institutions seeking to thwart the threat of these attacks need to move beyond relying solely on biometrics, says Gandhi. Instead, he recommends “invisible multifactor authentication solutions” that cannot be replicated by third parties, such as cryptographic key-based ones that confirm a customer’s identity by using asymmetric cryptography algorithms with public and private keys.
The description may sound complicated. But, “By their very nature they are easy to use, issued and leveraged invisibly to the user,” says Gandhi, “defying credential stuffing and the threat of synthetic biometrics.”
Meanwhile, those who think facial recognition is bulletproof couldn’t be more wrong—in fact, you don’t even have to be particularly crafty to pull it off. As ZDNet reported earlier this year, printed photos of a smartphone user were sufficient to unlock 42 out of 110 devices (38 percent) with facial recognition, in a test by Dutch non-profit Consumentenbond.
All in all, not so comforting—on its face, anyway.
Howard Altman oversees coverage of issues affecting troops and their families as managing editor of Military Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and the Tampa Bay Times.