Your crypto exchange may be less secure than your email account

Rob Pegoraro
Contributing Editor
Bitcoin mining computer servers are seen in Bitminer Factory in Florence, Italy, April 6, 2018. (Image: Reuters/Alessandro Bianchi)

NEW ORLEANS — Cryptocurrency exchanges and apps aren’t just among the most valuable targets for hackers, they also remain among the most vulnerable.

That’s the warning Chris Wysopal, chief technology officer at the security-tools firm Veracode, offered during a talk at the Collision conference here on May 1. It’s something that should be at the top of concerns for people looking to trade or invest in cryptocurrencies such as bitcoin, which are generated through increasingly complex mathematical “mining” and allow pseudonymous transactions online and across international borders — and have increased in value wildly, even after recent plunges.

“When we talk about cryptocurrency, we’re not talking about just stealing someone’s data that we then have to monetize,” he said. “We’re actually talking about stealing money. It’s a very, very attractive target for attackers.”

Mistakes were made

Wysopal recounted a series of embarrassing but preventable hacks of cryptocurrency exchanges and apps. A partial selection:

What you can do

Wysopal — who began his information-security career as one of the first members of the L0pht hacking collective and then co-founded Veracode, now owned by CA Technologies (CA), in 2006 — offered some specific tips to his audience.

Enabling “two-step verification” — in which you confirm a login with a one-time password sent to your phone or computed by an application on it — topped that list. “You definitely want to use two-factor,” Wysopal said. (Note that two-step systems that rely on text messages to deliver those codes can be defeated if an attacker can take over your mobile number.)

He also advised complicating the efforts of would-be phishers by not logging in with a publicly-known email or number. “Don’t use an email address or a phone number that’s associated with that account that you’re then going to publish somewhere,” he said. “They need that identifier to then go try to impersonate you, either through SMS or just through email.”

For local cryptocurrency storage, Wysopal endorsed using hardware wallets (see my colleague Daniel Roberts’ how-to post) instead of mobile apps, saying “they’re not too expensive.”

Finally, he advised a little social-media modesty. “Don’t brag about your crypto fortune online,” Wysopal said, noting a January home-invasion bitcoin robbery in the U.K. “If you’re bragging about it, you’re just making yourself a target.”

What you can’t do

Wysopal closed his talk on a semi-optimistic note: “I think in the future we’ll have services that will help people understand the security behind an exchange, behind a wallet, behind a smart contract; we’re just not there yet.”

(See, for example, Consumer Reports’ initiative to test and grade the security of internet-of-things connected gadgets.)

In a phone interview, though, he noted a structural obstacle to digital money attaining the same security as government-issued money in a bank: We don’t have regulations holding cryptocurrency firms responsible for losses due to hacking like those that hold banks accountable today.

“We’re so used to doing transactions and storing our money in places where there’s regulation and you have some liability by your provider,” he said. “That’s totally not there with cryptocurrency.”

Instead, it’s up to individuals in cryptocurrency markets to insist on better security. Wysopal is among them, although he said he only holds “a small amount” of digital currency.

“The thing that has to happen is, investors or customers need to demand some evidence that things are built securely,” he said.

The upside, as he noted in the talk, is that building a secure system for cryptocurrency should make other “infosec” problems look easy: “If you can make it here, you can make it anywhere.”

More from Rob:

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.