The cryptocurrency hack is a reality of the modern age. Despite this, there’s a lot we still don’t know. Consider this the answer to any questions you may have.
Having been asked the above question forever (it seems) and being asked again recently, I’ve decided to turn my response into a reference article.
So why do hacks keep happening?
Before we answer that, we need to better understand a few key fundamentals around hacking (particularly in this space).
By the end of this article, you’ll know exactly what to do, and what not to do.
What do you mean by “being hacked”?
Being “hacked” is such a poorly understood concept. When the average person thinks about hacking, they imagine a Hollywood scene where some guy in a dark room gets access to your computer with a few strokes of the keyboard.
This could not be further from the truth.
In real life, most “hacking” comes in the form of social engineering, which is defined as:
…the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
This has nothing to do with a hacker getting “access” to something, and more to do with people who are great communicators and master manipulators.
Let’s illustrate via an example: the hacker wants to get access to your personal information, so they decide to hijack your phone and/or email.
The process usually takes the form of:
Hacker walks into a phone shop.
Oops, I lost my wallet and phone yesterday, I just need to grab a new SIM card to re-activate it.
Sure, I just need to check some personal details.
Yep, here’s my (your) address, DOB, mother’s maiden name.
(All of this information is easily gleaned from Facebook, Google or your physical mailbox.)
Great. Here you go, sir/ma’am. A new SIM.
From there, access to your emails is a mere SIM setup away.
• Step 1: Forgot password
• Step 2: Input recover phone/Mother’s maiden name
• Step 3: Reset password
And there you have it.
Now, you might ask, “Why would someone go into the shop and do all that? Can’t they just call up your phone provider and pretend they’re you?”
Well, yes – and to be honest, that’s what they do most of the time. The above illustrates how easy it is in person; over the phone, it’s even easier.
Another very common, and even more “scalable” way, (also a form of social engineering,) is phishing. This is by far the most common form, especially when it comes to cryptocurrencies, because it’s just so easy and so scalable.
Phishing comes in many forms. One method is where you get an email from a “trusted” company, like PayPal, or eBay, or your bank, asking you to “log into your account” to check a balance or rectify some personal information. The branding of the email looks legit, the link even looks legit, and after you click on it, the landing page also looks legit.
So, you log in as you normally would – only to find that you can’t. Most people then think, “Stupid Paypal. Ask me to log in and then I can’t even log in,” so they leave it for later. What they don’t realise is that they’ve just input their username and password into some hacker’s database, who proceeds to input those details into your real PayPal (or Netbank, or email, or whatever) account, changes the password, locks you out, then clears out all your money/funds/crypto/whatever.
The problem is compounded when the average person uses the same password across every service.
Now, Mr or Mrs Hacker have access to everything. And unless you realise it quickly, you’re screwed.
Modern phishing scams are quite advanced and can impact even the most security-conscious of us. I personally lost about 20 bitcoin in the early days when I clicked on the link to an exchange after I searched for it in Google (I was using a friend’s laptop because I didn’t have mine on me).
I Googled the exchange I wanted to log into to quickly place a trade. The top result in Google (I think it was a Google Adwords Ad) took me to the page I recognised as the trading platform, so I input my username and password and – voila – it didn’t log in. So I refreshed the page, went back to Google, clicked on the top link again (this time, unbeknownst to me, I actually went to the correct site) logged in, everything worked, I placed my trades and left for the day.
I had no clue that I’d just given up my username and password.
Two weeks later when I tried to log in, I couldn’t.
I reached out to support, they verified it was me, they helped me reset my password, but it was all too late – the funds were gone.
Back then it wasn’t worth too much, but looking at today’s price and writing this, it’s about $200k out the window, which leaves a slightly sour taste in my mouth.
It was 100% my fault.
Every industry has risks. If you want to play with money or sensitive information online, you should probably learn some basic information security (infosec). This is the same as how you’d want to understand the risks associated with building a house, before you build it; how if you were to transport one tonne of gold, you wouldn’t do that in a wheelbarrow for everyone to see but rather an armoured truck with four guards; the same way you don’t go to the bank, withdraw a bunch of cash and walk down the street waving it around.
Understanding what you’re doing before you do it is important.
Something like 2FA (2-factor-authentication) would’ve saved me, and after having learned it the hard way, I hope my war story can serve a purpose to teach other people not to do the same.
Moving along. Now that we understand how actual hacking works, let’s take a moment to understand what’s going in Crypto Land, and why there’s such a prevalence of so-called “hacking” going on (hint, it’s overexaggerated).
“Lost Bitcoin” is not “lost”
Neither should it be labelled as “hacked”. The following article talks about how “20% of all Bitcoin is lost”:
This is just poorly articulated and designed to freak people out.
First of all, you don’t just “lose” Bitcoin.
All of the Bitcoin that the Bitcoin network has ever produced are still on the network. It’s the “access” to some of that Bitcoin that’s been lost. This access is what’s known as “private keys”.
A private key is like a password, and is the actual thing that decrypts the encrypted information.
Public and private key cryptography, and the standards of encryption in basically all cryptocurrencies today, are exactly the same as what secures VISA, MasterCard, every credit card, Internet Banking and personal or sensitive information databases – anywhere.
It’s not the encryption that’s being broken, but the management of the keys to access the encrypted data that’s being mismanaged. You can think of your data as being stored in a letterbox. The only way to access and view what’s inside is with the private key.
Passwords are generally a useful “abstraction” of a private key, so instead of you needing to know how to use a private key to sign a transaction or perform a function to access data, a program you’re using generates you a password, or you create a password which the program assigns to that private key (which is easier for you to remember) so that when you do input that password, the application performs functions (for example: “view data”, or “send Bitcoin” etc) with your authority (because you logged in).
The private key is the magic word.
Once data is encrypted, it’s basically unreadable.
If passwords, usernames and personal information are stored on encrypted databases, which most are these days, it’s basically impossible (or highly improbable) that the data is going to be viewable by way of the encryption being broken.
If something gets leaked or “hacked” it’s because the private key was leaked, or the password that represents the private key was leaked.
Security is less about encryption, and more about the protocols used which ensure the access codes, passwords and/or private keys are not leaked.
Now that we understand that, let’s have a look at how these so-called “hacks” actually happen.
Exchange hacks – the crypto honeypots
A honeypot is basically a metaphor for something that stores a whole lot of valuable information, data, money, etc. It’s termed that way, because if a hacker gets “in”, they get the gold (or the honey).
Cryptocurrency Exchanges are major honeypots. And to make matters worse, most of these exchanges have bad information security protocols. The majority of crypto exchanges built over the last few years were built by people who just don’t get infosec. They’re not security experts, they generally come from finance, which has 100 years’ worth of custodianship protocols built around it (with no requirement for infosec), and simply don’t realise how easy it is for data to be leaked.
When you hear about exchanges being “hacked”, it’s generally because the master password or access codes were somehow leaked, or were poorly protected in the first place.
Now. When you hold your “crypto” on an exchange, what you’re doing is entrusting the security/storage of the private keys that are associated with your funds, to the owners/operators of the exchange. This is where the risk is. They are holding everyone’s private keys, and although most of the time they’re stored in encrypted databases, the issues are around the management of said passwords and keys.
- What happens when the password or private key that encrypts all that data is generally known by one or two people?
- What if something happens to that person?
- What if their personal stuff is hacked (like in the social engineering examples above)?
- What if they’re phished?
- What if, like most people, they use the same password for the company database that they use for Facebook?
- What if a key employee, who has access to that password or private key, decides to go rogue?
- Or even if he doesn’t but is fired or quits and knows enough about the boss to perform a social engineering type takeover of the boss’s accounts..
All of the data that’s protected by their private key (or password) is now compromised. And herein the problem lies.
The reality is this happens all the time. Equifax, the world’s largest holder of private data, leaked hundreds of millions of people’s personal data. Not once, not twice, but…well, we don’t know how many times.
The difference between Equifax (or a traditonal business) and crypto exchanges is:
- the Equifax leak meant hackers got access to peoples’ personal data. They could then go and hijack their identity and get access to a whole lot of other things (including their crypto exchange accounts) if the person wasn’t aware of the breach;
- with a crypto exchange, the data breach involves access directly to cryptocurrency private keys, which in this case means direct access to funds, which are natively digital, which can be moved across the Internet instantaneously and which, once associated with a new set of private keys, cannot be returned.
Data breaches, in centralised systems, are almost inevitable. And that’s because most people have bad information security protocols. Most people have no idea how to store their passwords, where to store their passwords, they slap their personal information all over the web. They have no idea what hacking actually entails and they think phishing is when you go out on the boat for a weekend:
In the crypto world, the 35-year-olds are actually the grannies above, getting taken for a ride because this space is so new, and they just don’t have the knowledge or understanding to compete with their 18-year-old digital native counterparts.
The digital world is similar to the real world. Losing your password, or accidentally leaking it somewhere means you have physically given the “keys” to your house to someone, who’s intent it is to take what’s in your home, but because it’s digital, they can do it from anywhere, at any time.
You might say, “This is ridiculous, it can’t happen with a bank, they’d give me my money back!”
And whilst this is mostly true, because the money is traceable, note the following:
- giving away your password negates their terms and conditions, so if they don’t want to, they won’t help you;
- if they do, it has a huge cost in terms of resources etc, in the banking world – which we all end up paying for in the end.
This is a new technology and just like we needed to build roads for automobiles, we’ll need to build new (better) infrastructure for the new digital world. Every new technology has its pros and cons and the same arguments were made for the original automobiles: “They were dangerous”, they would “kill people” – and the British (for example) mandated laws which stifled the development of the automobile in England.
The Red Flag Act mandated three operators to legally drive a car:
- one at the wheel,
- one in the passenger seat, to refuel the car,
- one to run 150m ahead of the car and wave a red flag to notify that a car was on the way.
The automobile was basically invented in Britain, but it’s no wonder that the innovation moved to the USA, and with Ford, led the world in the industrial revolution and creation of the middle class.
Regulation has long stifled innovation. Moving toward a world where value is natively digital, always on, open, instantaneous, and accessible by anyone anywhere at anytime, having to learn some basic infosec is a small ask.
Bitcoin and cryptocurrency hacks
Cryptocurrencies are never really “hacked”. Their core protocol or their consensus mechanism can be compromised, especially if they’ve not been thought through properly or if the game theory is not sound, in which case the rules of the network can be changed and the data (funds) associated with certain private keys can be changed (funds re-appropriated).
But this is different to a “hack”, as described above, and is generally the result of:
- a poorly designed consensus protocol;
- no understanding of game theory
- and a very non-decentralised (i.e., centralised) system that can be controlled (network rules changed) by a majority. That’s not hard to achieve (the more decentralised, the harder it is to get a majority, therefor the more secure).
Bitcoin is the only digital network that we’ve ever created (as humans) that has had 99.9999% uptime. It’s basically never been compromised. Other than the 0.0001% downtime due to a bug from the early days, where Bitcoin was still worth only cents, it’s the most secure digital network in history.
It’s not because of some fancy, incredible encryption that nobody else has. It’s because of the rules of the network, that the participants of the network adhere to. It’s a mix of economics, game theory, incentives and dis-incentives, cryptography, encryption and more.
Bitcoin is a technological solution, to a social problem, with far-reaching political impact. Bitcoin represents a new form of social “agreement” or “trust” that’s been applied to solve (or improve) the oldest form of “shared fiction” our species (Homo sapiens) has ever built societies on top of: money.
To learn more about how money has evolved over the years, and how we’ve come to bitcoin and digital currencies, go here.
And to understand how all the economics, cryptography, game theory etc, comes together, read this.
Now, I can hear you saying it: “If Bitcoin is so hacker-proof, then why do I hear about hacks all the time, people losing their funds, their wallets being hacked, huh, huh?”
There is an answer…well, a few actually:
1. You lost your private keys.
This has nothing to do with Bitcoin. This is a PEBKAC problem (look it up).
In the early days, when Bitcoin was purely experimental, nobody gave a real crap (including me). We had no concept of private key hygiene and why storing things securely back then would be so important.
Fast forward six years and with that $1,000 now worth $10m, you’ve got people who had that private key stored on a hard drive on an old computer, which ended up in a dumpster, now going out, digging up a dumpster, looking for that computer, hoping they can somehow salvage the data on there, hoping that they can get that magical private key.
I’ve lost my fair share of private keys from the early days because I buy a new computer every two years. I wouldn’t even know where to begin looking.
The above article (linked earlier) talks about people going to hypnotists in the hopes of remembering that private key by bringing it from the subconscious to the conscious mind. It talks about people with corrupted or broken hard drives looking for data retrieval experts to get it back.
They’re doing this because, as I mentioned earlier, all of that Bitcoin is still there, on the network, associated with a set of private keys. He who controls the keys, controls the Bitcoin associated with them. Perhaps a hypnotist or some other wallet recovery service might be able to help. I wouldn’t hold my breath, but either way, best of luck!
2. Your wallet was hacked/corrupted.
There are two types of wallets. Hosted and client side.
Client side means you control the private keys, and they’re not stored with the wallet provider. If this kind of wallet is corrupted, etc, you take the private keys and just set up a new wallet, and restore the funds with the private key. Nothing is lost.
Hosted wallets, on the other hand, store your private key. This is no different from an exchange, in that every user’s private keys are held there. If the hosted wallet service is compromised (I’ve had this happen to me too, and lost $10k in crypto – yeah, I’ve had some bad luck), then there is nothing much you can do.
At first glance, it might sound like hosted wallets suck, but there is a place for these services. Remember: most people really, really suck with custodianship, and personal information security hygiene. Most people (remember Ready Player One?), have their freaking computer password written on a post-it note on their computer.
So for these people, holding their funds on a reputable exchange or a reputable hosted wallet service is actually a better idea because if they forget their password, they can just identify who they are and have it reset. Otherwise, if they lose their wallet, or their phone, or their laptop, and then go to restore their wallet (i.e., their funds), but have also lost their private keys, then goodbye Bitcoin.
It all comes back to you! You need to choose the right service, the right provider, with the right method of accessing, and storing, your keys. If you’re paranoid (like me) and want to do it all yourself, you have options. If you’re useless with things like that and lose your keys every week, then maybe a reputable hosted wallet or exchange is the best solution.
In closing, digital currencies are still nascent technologies. And because this is all happening at the intersection of cutting-edge technology, social and societal transformation and the most important building block/shared fiction of them all (money), it’s going to be a wild ride.
We are barely nine years into a global revolution – most probably the greatest we’ve seen in our lifetimes, if not since the Internet. In the early days, nothing moves in a straight line. When email first came out, people had no idea what they were doing. As the tech evolved, and companies like Hotmail came out, with the aim of making email easier, adoption began to accelerate.
We went from this:
…to now this:
The interface, the process and the user experience (UX) evolved there, as it will evolve in this new world too.
We are currently sending crypto like it’s 1984.
But that’s going to change, and this nascent tech will be used by hundreds of millions, and billons around the world.
So if you want to come and play, do so, but spend some time learning and get your head around what you’re doing before you do it. Take responsibility for the areas in which you screw up, and understand the risks, and the pros and cons.
It’s no different to the real world. It’s an exciting new frontier, where there is lots of risks, but a hell of alot of opportunity to be had.
Be safe out there, ladies and gents!
Aleks Svetski, Co-Founder @ Amber Labs and CEO @ Fabric.
Download Amber now.
For each friend you refer, you’ll get $2.50 in Bitcoin, deposited to your Amber wallet on Launch day.
Download on the App Store, or on Google Play.