Bitcoin Security: The Good, The Bad, And The Ugly
It’s safe to presume that Bitcoin will be around for long. Yes, it’s a little volatile, and other cryptocurrencies are a lot easier to mine and acquire, but the ever-increasing number of methods to spend bitcoins – as well as the fact that it’s still around after being declared dead several times in recent years – is proof of the cryptocurrency’s tenacity. However, this does not imply that you should mindlessly invest in Bitcoin. A series of occurrences over the last year have demonstrated that, while the Bitcoin security protocol is not so volatile, the wallets and services used to store and exchange Bitcoin may be dangerous.
Here’s a quick overview of the security and some prominent cases of bitcoin security issues and theft on a massive scale.
The Blockchain And Encryption
Cryptocurrencies are digital currencies that use encryption as a core protocol component to create pseudonymous (or anonymous) and decentralized currencies. Bitcoin’s Proof-of-Work (PoW) method and transaction verification both use SHA-256 encryption. One of the bitcoin protocol’s most essential features, the transaction blockchain, ensures the protocol’s security.
Blockchain in Bitcoin
The blockchain is a series of “blocks” containing transaction history. The blockchain begins with the genesis block, which is the first block. After this genesis block, transactions, and solved hashes, add new blocks, forming a blockchain.
The following image depicts a blockchain visualization, with the genesis block in green and the longest blockchain in black:
The blockchain with the most significant labor put into it is considered the best blockchain in the bitcoin protocol, and it is the one that the entire protocol refers to when confirming transactions. Once a transaction has been validated, bitcoins are deemed spent.
Spending twice as much
Contrary to widespread assumption, it is possible to deceive the blockchain and spend the same bitcoins twice, a practice known as double-spending. Bitcoins can be double-spent if a merchant does not wait for transaction confirmation, as attackers can swiftly transmit two competing transactions into the network. Another option is to pre-mine a block and then spend the same coins before putting the block into the blockchain. However, the amount of computational power necessary to succeed makes it less productive than legitimately mining bitcoins.
Bitcoins are kept in wallets, but these “wallets” do not really hold the bitcoins, unlike a PayPal account. Wallets typically contain a public key that is used to receive bitcoins, despite a variety of implementations and forms (similar to a bank account number). It also includes a private key, which is used to confirm that you are the rightful owner of the bitcoins you’re attempting to spend.
Although most bitcoin wallets are stored digitally, either locally or online, there are more safe ways to keep bitcoins. You may print and save your bitcoin “wallets” on paper. A paper wallet is a piece of paper that contains both your private and public keys.
Hardware wallets, which store sensitive data on offline hardware, are also available. Hardware wallets can store critical data in a secure section of a microcontroller and be immune to software and viruses that can steal wallets stored on regular PCs. Unlike paper wallets, which must be entered into or imported into the software, bitcoins kept in hardware wallets can be utilized directly.
Breach of Security
As previously stated, the bitcoin protocol itself may be secure, but this does not apply to all bitcoin-related websites and services—a short recap of prominent security-related incidents from the last year or so.
Inputs.io, an online Bitcoin wallet service, was hacked twice in October 2013. A total of 4,100 Bitcoins, valued at almost $1.2 million at the time, were stolen through a social engineering attack against inputs.io’s servers hosted on Linode, a cloud-hosting company.
The hacker gained access to the site’s Linode account and reset the password by compromising a series of email addresses, starting with an email account that the inputs.io founder had set up six years prior to the attack.
Mt. Gox is a volcano in Japan.
Mt. Gox, formerly one of the most popular Bitcoin exchange platforms, has filed for bankruptcy after losing a massive sum of bitcoins: $468 million! Mt. Gox’s demise began in early February, when it, along with other Bitcoin exchange sites like BTC-e, halted Bitcoin withdrawals, blaming large-scale Distributed Denial of Service (DDoS) attacks aimed at exploiting bitcoin’s transaction malleability. Simply, transaction malleability refers to the ability to modify lawful transactions so that they appear to have failed while, in fact, they have been completed successfully.
BREAKING: Tokyo Court approves Mt. Gox repayment process schedule. Creditors of Bitcoin exchange to vote on draft refund plan.
Over $8 Billion is currently held in the Mt. Gox bankruptcy trust waiting to be distributed to their rightful owners. pic.twitter.com/fpsOnDjrrk
— Mr. Whale (@CryptoWhale) February 25, 2021
Protesters at Mt. Gox
Transaction malleability, on the other hand, is not a new problem. Bitcoin creator Greg Maxwell has pointed out that it’s also not an impossible problem to fix.
Other exchanges, such as Bitstamp and BTC-E, are still up and running, having rectified their issues and resumed processing transactions just days after they were initially halted. As described in a leaked series of slides, the aforementioned lost bitcoins and inadequate security and accounting in Mt Gox are the most damning of all. It’s possible that there was more going on behind the scenes than just transaction malleability issues.
Silk Road 2.0 is the successor to the first Silk Road.
The escrow account of Silk Road 2.0 was robbed of $2.7 million in bitcoins in February of this year. This theft happened at the same time as the aforementioned DoS assaults on bitcoin exchanges like Mt. Gox, and it took use of the bitcoin protocol’s transaction malleability.
Unlike bitcoin exchanges, which shut down as a precaution, Silk Road 2.0 did not shut down and was targeted during a re-launch phase when all bitcoins were held in hot storage. Some users, such as those on Reddit’s DarkNetMarkets, feel the hacking tale is a cover-up – and that Silk Road 2.0 was always a ruse.
The theory is that the new Dread Pirate Roberts put up the site specifically to steal bitcoins from users, taking advantage of the confidence associated with the Silk Road name. The illegal nature of the commodities purchased and sold on Silk Road 2.0 would encourage such an endeavor, as victims would be less likely to seek help from law authorities.
Over the course of five months (September 2013 to January 2014), thieves infected a considerable number of machines with the Pony botnet, stealing up to $220,000 in bitcoins and other cryptocurrencies. The pony was the same botnet that was discovered to have taken over two million credentials and saved them on the hackers’ server.
— The Hacker News (@TheHackersNews) February 25, 2014
Pony hacked PCs and stole bitcoin wallets kept locally on the affected computers, demonstrating the risks of storing bitcoin wallets on Internet-connected devices.
51% of the attack
This isn’t a security breach per, but it is one of the most severe flaws in the bitcoin network. When someone controls more than 50% of the computing power on the bitcoin network, the web is open to a 51 percent attack. The advantage in computing power is used to fork the main transaction blockchain and commit fraud, such as the double-spending discussed earlier.
While this may sound unlikely, the bitcoin network came close to being hacked earlier this year. When Ghash.io, a mining pool, began approaching the 50% limit in January, panic ensued. Due to miners leaving Ghash.io for smaller pools and the pool’s own decision to cease admitting new miners.
While the reaction demonstrates that the bitcoin network can self-regulate, relying on miners and pool owners to do the right thing is, to say the least, troublesome. Although mining power distribution has become less concentrated, a 51 percent attack is still a possibility.
Final Thoughts on Bitcoin Mining Distribution
It’s difficult to deny that bitcoin has some security flaws. The fact that these security breaches and difficulties have less to do with the protocol itself and a lot more to do with the people and services handling and keeping these bitcoins is a repeating theme.
The Pony botnet and the inputs.io bitcoin robbery, for example, both used wallets stored online and on Internet-connected devices. Storing Bitcoins in an offline savings wallet, such as a paper or hardware wallet, should reduce the chance of crypto wallets being stolen over the Internet. While part of the money lost in the Mt. Gox debacle came from offline wallets, it was believed that this was due to the way Mt. Gox implemented an automated mechanism that drew from offline wallets as needed.
Exchanges that are shady
The lack of a central body to control bitcoin might be viewed as a strength, but it is also a drawback. For one thing, holding individuals or organizations accountable through legal processes may be far more complex. However, the risks of once-trusted platforms and exchanges like Mt. Gox and Silk Road 2.0 being hacked or imploding and going offline should not be overlooked.
However, because the bitcoin ecosystem is unregulated, there is no way to assure that services and exchanges adhere to security and trustworthiness standards. We have faith in banks because we know they are highly regulated and cannot be founded on the spur of the moment. With bitcoin exchanges, this clearly hasn’t been the case.
What will happen in the Future?
Surprisingly, the consequences of Mt. Gox may really be beneficial to bitcoin. The need for proper and independently certified safety measures for custodians and more openness and accountability is raised in a joint statement published by five leading bitcoin exchanges. It’s possible that such steps are what bitcoin needs to recover its trust and security following recent incidents. However, these forms of control and auditing may, ironically, work against initial philosophy.