I’m not a hacker – except on the golf course! But I do know a bit about digital security. And lately, I’ve been wondering: Why are the cryptocurrency exchanges getting hacked…for Tens and Hundreds of $Millions?!
When I review exactly how I would participate in cryptocurrency investing, it doesn’t seem possible – after all, I’ve only got some small portion of a coin or two, and all of my digital wallet’s transactions are each supposed to be a single entity in a secure blockchain, right? I haven’t been hacked…and since the actual digital security structure of a cryptocurrency blockchain isn’t supposed to be hackable, where are these $Millions coming from, exactly? As Mr. Shakespeare said, Something’s rotten in Denmark!
In order to actually exchange a cryptocurrency coin, I can buy directly from you. This is the ‘landmark’ trust model of decentralized currency. From Fortune.com “What is the blockchain, you ask? Think of it like a digital version of a public ledger, in which all transactions are recorded for everyone to see. It serves as the primary mechanism for trust in this financial system.” But…$Millions are stolen in these exchange hacks. If you’re thinking like me, trust and $Million hacks don’t go together!
Obviously – unless the actual blockchain public/private key mechanism is being hacked – the exchanges are doing something wrong. And I’m pretty sure I know what it is: there are too many ways to get in. Because smash ‘n grab jobs don’t result in $Millions – that takes planning…and planning requires ‘casing the joint’…and that, requires unfettered digital access.
Whether or not some of these have been ‘inside jobs’ is irrelevant: a cryptocurrency exchange is an extra layer of ‘authority’ – and that, exactly, is what is being defeated, hacked, targeted. The blockchain is a wonderful concept, this decentralized public trust. But people – especially when it comes to their money – don’t work that way: they want to be sure you are you, and the way they do that is to ask someone about you – a trusted 3rd party. In cryptocurrencies, this is an exchange. They’ve become a bank, of sorts, a place you conduct financial transactions because you can trust them.
They are being hacked because of their position in the transaction chain; such a wonderful place to watch all of the decentralized transactions becoming…well…centralized. In order to accommodate your trust, they don’t want to alienate you with ‘too much security stuff’ because, first, you don’t have that expectation like you do from the cultural conditioning you’ve received from a real bank; and second, they don’t want to raise the convenience bar too high or you’ll take your business elsewhere. Because, after all, cryptocurrency transactions don’t require a bank – or them!
So let’s review all of the ways hackers can gain that necessary unfettered access:
- Through employee connections
- Through Internet connectivity
- Through wallet software, hot and cold
- Through…IoT devices, mobile networks, telephony wires, oh my!
Too many places, too many protocols, too much easy access. Then planning, then execution.
How do they do it? Too many ways. The real question is: Why doesn’t this happen to stock trading exchanges every other month? And the answer is simple: They limit the places, the methods, the access. They don’t appear any different from the customer’s perspective – you get an account, use their app, same login framework, and you trade. It’s just that your $Millions are safer.
So however these hackers are gaining access, you would think (and hope!) that the security investigators would tell us exactly how, right? Otherwise, it would be irresponsible…and since we’ve not been told anything other than ‘let’s all be careful out there’ (remember Hill Street Blues?!) – is it because they don’t know? Now that is scary.
Bottom line? It’s in the access – either the connectivity, the records storage of the exchange (which isn’t supposed to exist in blockchain transactions), the wallets (poor software development, leaving holes and data accessible)…or…our worst nightmare is actually taking place: From Coindesk: “This is what makes Bitcoin virtually tamper-proof. I say virtually because it's not impossible, just very, very, very, very, very difficult and therefore unlikely.”
Somewhere in the blockchain of all those ‘verys’, it isn’t that difficult after all.
Paul McGough, Founder and CTO of Qwyit, LLC, a leading cryptosecurity technology firm, is a telecommunications expert with over 35 years of progressively responsible experience managing IT technology teams for the development, integration, implementation and support of financial, project management, database applications and security systems.