Recent NEM theft again raises the issue of security in cryptocurrency infrastructure
For anyone who has followed cryptocurrencies for longer than five minutes, the news at the end of January that about $500 million in XEM had been stolen from the Japanese exchange Coincheck was shocking but not unexpected: large-scale hacker attacks like this have long been a frequent phenomenon in the cryptocurrency world.
What is really shocking is the fact that they still happen. From Mt Gox to Poloniex and Bitstamp, we have all seen it before, and more than once.
What makes the NEM attack so galling is that it could have been prevented with ease. Many probably had to pick their jaws up off the floor when, at a press conference, the Coincheck management said that the stolen XEM, worth half a billion dollars, had been stored in a hot wallet. Coincheck rubbed more salt into the wound by admitting that this hot wallet was not even protected by multiple signatures.
It is an appalling example of negligence by exchange services.
First, the NEM token is unfairly tarnished; after the attack, many think that the currency itself is not really reliable.
Secondly, the Japanese government's enthusiasm for cryptocurrencies is no secret, but now the authorities will undoubtedly take a more cautious approach (the only consolation is that Coincheck was not one of the 11 exchanges that obtained a license from Japan's Financial Services Agency in October of last year).
And finally, a large-scale theft certainly did nothing to build confidence among institutional investors sitting on the other side of the barricades. They are unlikely to believe now that the cryptocurrency sphere has left its Wild West era behind, or to want to put a couple of pension funds into bitcoin.
It is therefore quite reasonable to ask whether cryptocurrency infrastructure is secure enough and what can be done to prevent further large thefts.
Stephen Macaskill, executive director of the New Zealand exchange Dasset, says that the threat from cybercriminals is continuous; it is the norm, not the exception. He adds that thefts committed by employees are not so rare:
“Many exchanges have been attacked from within, by their own workers. It is therefore extremely important to guarantee that no single employee has complete control over funds. Control over clients' money should be distributed between several parties, both internal and external”.
The colder, the better
The majority of attacks, including the attack on Coincheck and the loss of about 120 000 BTC from Bitfinex in August 2016, were aimed at users' hot wallets. Because of the vulnerability of such wallets, most exchanges use cold storage. For example, Coinbase stores up to 98% of cryptocurrency offline and insures the rest.
There is a whole industry of companies offering tailored security solutions for blockchain-based businesses. Xapo, for example, has since 2014 offered “bank-like” vaults for cryptocurrency private keys. The company has several vaults with the highest level of security in different countries, including a decommissioned military bunker near Lake Lucerne in the Swiss Alps, where users' private keys are stored.
Such facilities work like good old bank vaults, which must be physically penetrated to get a key. The vaults have several layers of security, from traps and huge steel doors to bulletproof walls and resistance to the electromagnetic pulses produced by a nuclear explosion.
But what if an experienced criminal manages to bypass the traps and get access to your key? Even then he will come away with nothing if you have adopted the Winklevoss method. The famous bitcoin holders split their private keys into parts and store them in different boxes across the country. Even if you open one box, you do not get the whole key. This really is a distributed ledger.
Although cold storage makes theft of a user's private key impossible, its shortcoming is that it also slows access to wallets (the Xapo website says that users can get access to private keys from the mountain vault within 48 hours). This is a big drawback of cold storage: cryptocurrency traders usually need access much faster.
Doctor Julian Hosp, a blockchain expert and the founder of TenX, recommends a combined system of “hot, warm and cold storage”. Most companies use this method, which makes wallets easily accessible and at the same time secure.
Hot storage: data can be accessed instantly, as in cloud computing.
Warm storage: a compromise between hot and cold storage, in which data access is somewhat delayed, but not for as long as with cold storage.
Cold storage: data access takes time, up to several days.
Hosp believes that wallets and their owners will always be the weakest link:
“The tokens themselves are protected from hackers. It is in storing them that problems can arise. Tokens are protected only if you store the private keys in a reliable place. If private keys are lost, they can no longer be recovered”.
Indeed, “improper storage” of tokens and private keys is becoming a serious problem: according to an estimate by Chainalysis, from 17 to 23% of bitcoins may already be lost forever.
The example of traditional banks
Given such statistics, it is difficult to overestimate the importance of a system for safe storage of private keys that is protected against misuse. It is ironic that cold storage, now considered the gold standard of security for cryptocurrency assets, paradoxically copies the security methods of the traditional banks that blockchain technology hoped to displace through decentralization. Dasset's director Macaskill admits that his company took the security arrangements of ordinary banks as its example.
“Banking methods are still relevant, and for an important reason: they have been applied and improved over many decades. Many exchanges have learned the lesson: it is impossible to create whatever one wants, it is impossible to make quick decisions or to put problems off for later, hoping that they will resolve themselves. It is very important to have the right security measures. Many of them are borrowed from traditional banks, so it is amusing how we use these ancient systems to protect our newest world”.