Why it’s easier to rob bitcoins than banks
August 12, 2014
Why it’s easier to rob bitcoins than banks.
By Quentin Fottrell.
“The CFPB advises consumers to be aware of potential issues with virtual currencies such as unclear costs, volatile exchange rates, the threat of hacking and scams, and that companies may not offer help or refunds for lost or stolen funds,” the government agency announced in an advisory on Monday. Consumers who’ve experienced problems with the virtual currency can also submit a complaint with the bureau, the CFPB said. “Virtual currencies are not backed by any government or central bank, and at this point consumers are stepping into the Wild West when they engage in the market,” it warned.
Given that the currency can easily, and anonymously, be moved online, “there are almost an infinite number of ways you can screw up and lose your bitcoins,” says Jesse Powell, CEO of Kraken, a trading platform for Bitcoin in San Francisco.
The virtual currency bitcoin has had some rocky times over the past year. But more companies are beginning to accept the so-called cryptocurrency.
Most trading exchanges have rules to ensure that the company’s accounts match what’s in the customers’ online wallets. Even so, there are still things that could go wrong, Powell says. “It’s still possible we could be hacked, all the employees could be taken for ransom and asked for our bitcoins, or we could screw up and send the bitcoin to the wrong address or lose the key,” Powell adds. “But we double and triple check to make sure that doesn’t happen.”
Bitcoin does have one thing in common with other currencies: The exchange rates of both bitcoins and the US dollar are set on the open market. In its short life, as the CFPB pointed out, bitcoin has proved to be volatile. It’s currently valued at around $585—around half what it was worth in December 2013 ($1,151), two months before Mt. Gox trading exchange declared bankruptcy.
To ensure they don’t have a limitless supply, there are built-in limitations to prevent more than 21 million bitcoins from being in circulation by the year 2140. Since there are over 13 million bitcoins already, bitcoins are collectively valued at around $7.6 billion at current market rates.
Earlier this year, the now bankrupt Mt. Gox trading exchange announced that hundreds of thousands of bitcoins disappeared, and bitcoin bank Flexcoin announced that it was robbed of all of its coins, making clear the potential vulnerabilities of investing in digital cryptocurrencies and trading them online.
Details of the losses at Mt. Gox, a trading exchange based in Tokyo, and Canadian-based online wallet Flexcoin are sketchy and industry players can only guess at how the trading exchange’s bitcoins were wiped out. At Mt. Gox, 750,000 customer bitcoins and 100,000 company bitcoins were lost or stolen, representing a loss at current market prices of around $556 million; it later found over 200,000 lost bitcoins in an old bitcoin wallet. Mt. Gox blamed what it called a “transaction malleability” hack for the losses.
Flexcoin put a notice on its website saying it had been “attacked and robbed” of 896 bitcoins (worth around $586,000).
Why these sites failed to prevent these cyberattacks remains unknown, says Rob Banagale, founder of Gliph, a secure messaging tool that allows Bitcoin transfers. He welcomes the CFPB’s statement. “For bitcoin to go mainstream in the US, we need to educate everyone on the basics.”
Bitcoin doesn’t act like other currencies
For investors, there’s an advantage to limiting the supply of bitcoin, experts say. In any other, normal currency system, the central authority that manages and produces the currency would generate more units of the currency to accommodate expansion of demand and temper the wild price swings, says Alan C. Reiner, CEO of Armory Technologies, an open source Bitcoin wallet based in Fulton, Md.
But since the supply of bitcoin is limited, “the price has to increase instead,” he says. “In this sense, it behaves very much like gold. If someone develops an amazing new technology that everyone in the world wants but it requires lots of gold in the manufacturing process, then the price of gold has to increase since no one can create more.”
Bitcoins themselves have been around for less time than even Facebook. Founded in 2009 by a developer (or group) using the name Satoshi Nakamoto, bitcoins are a form of electronic currency generated by a computer code and overseen by a community of “miners” and computer algorithms. Bitcoin is a peer-to-peer currency that doesn’t require a bank or oversight from the Treasury Department. For the most part, people trade bitcoins for other actual currencies like the US dollar, yen or euro. But there are also limited places—mostly online—where consumers can spend them.
Transactions are made using a private key—a secret code that allows bitcoins to be spent—and a public key that can be shared with the world. Bitcoin can be stored in “wallets”—encrypted, online storage systems where the bitcoins are kept. The golden rule: If you lose your private key to a thief—even if you maintain a copy of it—you lose your bitcoins. Buying and selling bitcoins creates a “transaction” that is recorded, time-stamped and displayed in one “block” of the block chain—a database of all bitcoin transactions. Public-key cryptography ensures that all computers in the bitcoin network can access a real-time, verified record of all transactions. They are (in theory) unalterable, which prevents double-spending and fraud.
Theories on how exchanges melted down
The biggest theft—at Mt. Gox—remains a mystery. But Reiner gives one theory as to what happened there: A malicious user logs into his account and requests a 10-bitcoin withdrawal, and Mt. Gox sends 10 bitcoins from its wallet to his wallet, with the transaction ID “ABCD.” The malicious user tweaks the transaction ID to become “EFGH.” There are now 10 fewer bitcoins in Mt. Gox’s wallet and 10 more bitcoins in his wallet, but the hacker nonetheless contacts Mt. Gox and says, “I never received my 10 bitcoins.” Mt. Gox doesn’t recognize that “EFGH” is the same transaction, so it sends another 10 bitcoins to the user. “Rinse and repeat,” Reiner says.
This “transaction malleability” flaw was known in 2011, but it wasn’t until last February that one developer from within the community that manages the bitcoin standard came up with an official solution, says Alex Daley, chief technology investment strategist for Casey Research, a global independent finance research company based in Stowe, Vt. To be fair, some experts say companies were taking their own security measures. “It would be incredibly incompetent for any company not to know that they were slowly being bled of most of their funds,” says Jerry Brito, a senior research fellow at the Mercatus Center at George Mason University and director of its Technology Policy Program.
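The withdrawal scenario Reiner describes above, as an added example that is not part of the original article: it shows why an exchange that looks up a withdrawal only by its transaction ID would decide to pay again, while one that checks which coins were spent and who was paid would not. The `Tx` model, the function names and the signature byte strings are hypothetical and constructed for illustration; this is not Bitcoin's real wire format.

```python
import hashlib
from dataclasses import dataclass

def dsha(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin uses for transaction IDs."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

@dataclass(frozen=True)
class Tx:  # hypothetical, simplified stand-in for a transaction
    inputs: tuple   # coins being spent
    outputs: tuple  # (recipient, amount in BTC) pairs
    sig: bytes      # signature bytes (constructed placeholder)

    def body(self) -> bytes:
        return repr((self.inputs, self.outputs)).encode()

    def txid(self) -> str:
        # The ID covers the signature bytes, so re-encoding them changes it.
        return dsha(self.body() + self.sig)

    def payment_id(self) -> str:
        # Covers only which coins were spent and who was paid.
        return dsha(self.body())

def naive_confirmed(chain, sent: Tx) -> bool:
    # Looks only for the exact ID the exchange broadcast.
    return any(tx.txid() == sent.txid() for tx in chain)

def robust_confirmed(chain, sent: Tx) -> bool:
    # Matches on inputs and outputs; a re-encoded copy still counts as paid.
    return any(tx.payment_id() == sent.payment_id() for tx in chain)

def handle_claim(chain, sent: Tx, confirmed) -> str:
    """Decide what to do when a customer says a withdrawal never arrived."""
    return "already paid" if confirmed(chain, sent) else "resend"

def demo() -> dict:
    # Constructed sample: same payment, two different signature encodings.
    sent = Tx(("exchange-coin:0",), (("customer-wallet", 10),), b"sig-encoding-A")
    on_chain = Tx(sent.inputs, sent.outputs, b"sig-encoding-B")
    chain = [on_chain]
    return {
        "ids_differ": sent.txid() != on_chain.txid(),
        "naive": handle_claim(chain, sent, naive_confirmed),
        "robust": handle_claim(chain, sent, robust_confirmed),
    }

if __name__ == "__main__":
    print(demo())
```
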
Last March, Flexcoin closed its doors after all its bitcoins stored online were stolen. Flexcoin users who had put their coins in cold storage—kept offline in a safe or bank vault for a 0.5% fee—weren’t in reach of the cyberattack and will get their bitcoins back. (Also read: To secure your bitcoins, print them out.)
For a hacker to access the “hot wallet,” he or she only needs to control the system in which it resides, Daley says. “So any successful hack attack is likely not of the wallet itself, but of the computer that houses it,” he says. “Once you control that computer, including the private key used to open the wallet, you simply instruct the wallet to do what it does best: Transfer the coins.”
How to protect your bitcoin
The good news: There are protective measures bitcoin owners can take.
Only invest what you can afford to lose and use more than one trading exchange, experts say. “Bitcoin fulfills every definition of a highly speculative investment,” Daley says. “It’s thinly traded and it has no value beyond the trust of other users. Let Mt. Gox be a lesson.” There’s obviously no Federal Deposit Insurance Corporation—the government agency that preserves and promotes public confidence in the US financial system—for bitcoin, Daley says, “so put your money in a real bank if you can’t afford to lose it.” Given recent high-profile thefts, he advises against using an online wallet. Again, “If you must, then use more than one,” he says.
There are other options for those who don’t want to use cold storage. One example: two-factor authentication. It basically means that a digital wallet like Coinbase or Blockchain will send a text message with a code to your phone to access your digital wallet. “This way, someone needs to be in control of your phone in addition to knowing your password to break in,” Banagale says. Also, hybrid wallets like Armory allow you to maintain an encrypted wallet on an offline computer to keep it safe from online attackers.
Bitcoin will get more secure with each flaw they find, Daley adds, “but it’s naive to think that any software this complex doesn’t have any flaws in it. Mt. Gox has proved that it’s not 100% secure.”
Source: Market Watch – The Wall Street Journal, 11/08/14.
Feds to bitcoin users: You’re on your own.
By Priya Anand.
In a consumer advisory released on Monday, the Consumer Financial Protection Bureau (CFPB) outlined four major risks: hackers, a lack of protections, cost and scams. This comes after a year of industry, state and federal regulators waving warning signs about bitcoin.
The Securities and Exchange Commission issued its first alert last year, calling bitcoin a vehicle for Ponzi schemes. It issued another notice this May, citing bitcoin’s “potential to give rise both to frauds and high-risk investment opportunities.” Wall Street’s self-regulator, the Financial Industry Regulatory Authority, called bitcoin “more than a bit risky.” (Read: Regulators line up to crack down on bitcoin.)
“Virtual currencies are not backed by any government or central bank, and at this point consumers are stepping into the Wild West when they engage in the market,” CFPB Director Richard Cordray said in a release.
Bitcoin users are very, very susceptible to hacks: The advisory includes four separate hacking warnings. Using bitcoin makes your computer and phone data an attractive target. Thieves will try to pry into your virtual currency “wallet.” “Even if you use best practices, anything that connects to the Internet—even big companies—can be hacked.” And by the way, this also puts your traditional bank account at risk, if you link it to the digital wallet. Bottom line: The CFPB really wants you to know that more Internet money means a lot more Internet problems.
Watch out for huge price fluctuations: To call bitcoin’s value unstable is putting it mildly. Bitcoin was trading at about $585 midday Monday, according to CoinDesk, which tracks digital currency prices and news. In early December, it reached a record $1,147.
Bitcoin ‘ATMs’ are not ATMs at all: They may charge high fees and, like bitcoin generally, they lack the safeguards associated with normal ATMs that connect to your checking and savings accounts.
Virtual currencies are still experimental: The agency thinks that the unregulated “elements” that run bitcoin computer networks “could abuse the power” that comes with maintaining them.
You are on your own if something goes wrong: “There is no other party to help you,” the advisory says, also noting that there’s no government deposit insurance for virtual currency accounts, so “if an exchange or wallet company fails—and many have failed—the government won’t cover your losses.” And…
If you lose your private keys, you’re out of luck: Your bitcoin private key is like a password. “If you lose your private keys, you have lost all access to your funds. No one can help you with password reminders and no one will refund your loss.”
If you are still brave enough to venture into the land of virtual currencies, the agency warned—twice—that you should read your agreement with your wallet provider carefully. Would the company reimburse you for fraudulent transactions (read: a fifth hacking warning), and who benefits from changes in exchange rates? Does the wallet provider offer insurance? Without firm answers to these questions, venture no further.
Source: Market Watch – The Wall Street Journal, 11/08/14.