With the recent heightened interest in blockchain and cryptocurrencies, there has been an increased emphasis on the question of security, both for blockchains themselves and for holders of cryptocurrency, whether they be individuals or companies, as well as for the cryptocurrency exchanges that store large amounts of funds.
This article aims to give an overview of relevant issues, as well as advice regarding best practices and an explanation as to why Cognosec is well-positioned to provide assistance to concerned companies and individuals.
Blockchains themselves are generally secure in comparison with traditional databases. Due to their distributed nature, any attempt to compromise a public blockchain is far more difficult than it would be with a centralised database: there is no central target for attack; rather, the nodes across the entire network are all custodians of the blockchain record.
To take the example of the Bitcoin blockchain: bitcoins are created via a process called mining, whereby the Bitcoin blockchain authenticates and records Bitcoin transactions.
The consensus method underpinning this blockchain is called Proof-of-Work, wherein a computer must solve an algorithmic puzzle that increases in difficulty (i.e. the ‘work’) as more Bitcoins are mined. Solving these puzzles requires very powerful machines and great energy resources, with ever greater resources required as mining becomes more and more difficult.
To launch a double-spend attack (where the same Bitcoin is spent twice) and thereby compromise the blockchain, a fraudster would have to spend a prohibitive amount of money (the cost of mining Bitcoins) in order to record the fraudulent transaction, because of the number of nodes participating in the blockchain: with so many nodes, this would be very difficult to do.
The economic argument against compromising a blockchain, coupled with the decentralisation element, would make a robust, well-populated blockchain difficult for hackers to compromise.
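To make the cost argument concrete, here is a toy proof-of-work chain added to this article (it is not Cognosec's code; the difficulty, block format and sample transactions are constructed for illustration). It shows that altering one historical transaction breaks the hash chain and is rejected by validation, and that making the forged chain valid again means re-mining the altered block and every block after it, which is where the attacker's cost comes from.

```python
import hashlib
import itertools
import json

DIFFICULTY = 4  # toy target: hash must start with 4 hex zeros (Bitcoin's real target is vastly harder)
GENESIS_PREV = "0" * 64
SAMPLE_TXS = ["alice pays bob 1", "bob pays carol 1", "carol pays dave 1"]  # constructed sample data

def block_hash(index, prev_hash, tx, nonce):
    """Hash of the block fields; changing tx by one character changes the whole hash."""
    header = json.dumps([index, prev_hash, tx, nonce], separators=(",", ":"))
    return hashlib.sha256(header.encode()).hexdigest()

def mine(index, prev_hash, tx):
    """Proof-of-Work: try nonces until the hash meets the target. Returns (block, attempts)."""
    for nonce in itertools.count():
        h = block_hash(index, prev_hash, tx, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"index": index, "prev_hash": prev_hash, "tx": tx, "nonce": nonce, "hash": h}, nonce + 1

def build_chain(txs):
    """Honest chain: every block commits to the hash of the block before it."""
    chain = []
    for i, tx in enumerate(txs):
        chain.append(mine(i, chain[-1]["hash"] if chain else GENESIS_PREV, tx)[0])
    return chain

def validate(chain):
    """What each node checks: hash recomputes, meets difficulty, and links to its predecessor."""
    prev = GENESIS_PREV
    for blk in chain:
        h = block_hash(blk["index"], blk["prev_hash"], blk["tx"], blk["nonce"])
        if h != blk["hash"] or not h.startswith("0" * DIFFICULTY) or blk["prev_hash"] != prev:
            return False
        prev = h
    return True

def tamper(chain, index, new_tx):
    """Edit a past transaction without redoing the work: honest nodes reject the result."""
    forged = [dict(b) for b in chain]
    forged[index]["tx"] = new_tx
    return forged

def rewrite(chain, index, new_tx):
    """Re-mine the altered block and every later block; returns (valid forged chain, hash attempts)."""
    forged, attempts = chain[:index], 0
    for blk in chain[index:]:
        prev = forged[-1]["hash"] if forged else GENESIS_PREV
        new_blk, n = mine(blk["index"], prev, new_tx if blk["index"] == index else blk["tx"])
        forged.append(new_blk)
        attempts += n
    return forged, attempts
```

The `attempts` figure returned by `rewrite` grows with the number of blocks that follow the altered one, which is the toy analogue of the mining cost the article describes; on the real network the honest majority keeps extending the genuine chain while the attacker is still catching up.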
Therefore, the danger posed to a blockchain itself is relatively minimal and would require sophisticated and large-scale attackers. The greater risk lies in the wallets of individual users or in attacks on exchanges where many cryptocurrency holders store their funds, because, unlike a blockchain itself, these present a central point of attack.
Many users hold at least a proportion of their cryptocurrency funds on an exchange, such as Kraken, Poloniex or Binance, to facilitate trading these cryptocurrencies. These exchanges are for the most part secure (though large-scale hacks have occurred), but they are nevertheless a target for attackers, being frequently subject to Distributed Denial-of-Service (DDoS) attacks. In addition, individual users of such exchanges can have their login information stolen, either through malware on their devices or through social engineering methods, where they unwittingly give up their login information to a malicious party.
It can be argued that users holding their cryptocurrency funds on such exchanges are to a large extent at the mercy of the relevant exchange’s technical team’s competence.
As explained above, blockchains are themselves generally secure: far less secure are individuals and companies who are in possession of cryptocurrencies, the transfer of which is recorded on the blockchain.
Many people store their funds in cryptocurrency wallets, which can take many forms: mobile wallets, desktop wallets and cold storage wallets, where funds are held offline on a secure device.
There are many ways for cyber criminals to misappropriate funds from digital wallets. A user’s private key acts as proof of ownership of the funds in a wallet, and if a criminal obtains this, for example by gaining access to a user’s computer and finding that the user has saved a password in an obvious place (e.g. a marked folder or even the desktop), the criminal can access the wallet and send any cryptocurrency contained therein to a wallet of their choosing. The blockchain would only act to confirm the transaction, and once this happens, it is not easily possible to reverse it.
There are significant risks to funds that individuals hold in wallets: cybercriminals can, for example, use phishing software to infect mobile wallets, and even take over network endpoints (such as laptops) and obtain vital security information.
As another example, the use of steganography is a growing threat in this arena: this is the practice of concealing a file within another file, which means that information can effectively be hidden in plain sight. Steganography can be used to hide embedded mining tools which criminals can then run on the host computer: cybercriminals simply have to get users to open images within which the mining tool is hidden. This method allows cybercriminals to take over network endpoints such as laptops and use them to mine or even create cryptocurrencies.
There is also the danger posed by more traditional means: a browser-based malware script can run in the background even after a user ends their browsing session. If sufficient endpoint detection tools are not in place, a user’s system can be compromised, their passwords stolen, and with these, their funds.
For companies who either participate in the blockchain space and hold cryptocurrencies, or who accept cryptocurrency assets as payment, the same applies. Furthermore, it is a generally accepted principle of cybersecurity that the weakest link in a security chain is not the technology used to protect a company, but a person, who in this case would be an employee.
Many security breaches in a company result from an employee who is not sufficiently aware of the dangers posed by a malicious link or an email that appears to come from a trusted source. Were such an event to occur, the company’s funds may be at risk, as well as its other assets (e.g. sensitive employee personal data).
For individuals and companies alike, the key is to take the same approach as blockchains themselves and not store funds in one location, particularly if that location has a network connection.
- With regard to cryptocurrency exchanges, it is recommended to spread funds across a variety of established exchanges with no history of major security breaches.
- You should never provide your exchange login information to anyone claiming to be an admin for the exchange.
- If storing funds in a digital wallet, a mobile wallet is not recommended, nor is storing funds on any device that is used to access public wi-fi connections, as these can be used by criminals to gain remote access to your device. A cold storage wallet would be the best choice, with the private key safely stored (cf. below).
- Private keys or seed phrases should be saved to a file, the file encrypted and stored on an external hard drive, preferably more than one, with one stored onsite (i.e. at home) and one offsite in a secure location (e.g. a safe deposit box at a bank). The key or seed should also be written down on paper and securely stored. Under no circumstances should you store any security information on a device with an internet connection.
How Cognosec Can Help
As evinced above, the danger posed to individuals and companies in the cryptocurrency space is acute and it is for this reason that Cognosec has expanded its operations into the field of cryptocurrency security, building on our extensive knowledge and experience in traditional cybersecurity.
Cognosec are cybersecurity experts with significant knowledge of blockchain technology and its security implications. If your organisation is concerned with the security aspects of operating blockchain technology, be it for a project such as an Initial Coin Offering (ICO) or for holding and accepting cryptocurrency as payment or as an asset, Cognosec possesses a suite of security products and protocols, as well as qualified personnel who can provide specialist cryptocurrency and blockchain security and training services.
We are confident that with our assistance, organisations and other actors in this fast-growing but uncertain space can ensure maximum security both for their funds and for their businesses.