Category Archives: Security Response News

The value of Bitcoin has surged dramatically in recent weeks, fuelling fears that a bubble is forming around the virtual currency. As investors pile in, a crash in Bitcoin prices isn’t the only thing they have to worry about. There has been a spate of incidents in recent weeks in which Bitcoin wallet and banking services have been attacked and millions of dollars worth of the currency stolen.
 

Figure 1. Size of recent Bitcoin heists (US$ value on November 29)
 

Multi-million dollar heists

The current round of attacks began on November 7, when Australian Bitcoin wallet service Inputs.io announced that it had closed its doors after two attacks resulted in around 4,100 Bitcoins (US $4.34 million at the time of writing) being stolen. Inputs.io said the attackers were able to bypass two-factor authentication due to a flaw on the server host side. The attacks left the site unable to pay all of its user balances.

Why did people keep their Bitcoins with Inputs.io? One of the services it offered was that it “mixed wallets up”, swapping Bitcoins around between users. It effectively was a type of anonymizing service, making Bitcoin transactions harder to track. However, giving Inputs.io that level of access to Bitcoin wallets may have left it more vulnerable to attack.

Inputs.io was run by a young Australian who goes by the moniker of TradeFortress. Following the theft, he gave an interview to Australia’s ABC news, denying that he taken the Bitcoins himself. Interestingly, he said that he wasn’t going to report the incident to the police. “The police don’t have access to any more information than any user does when it comes to Bitcoin. Some say it gives them control of their money,” he said.

Within days, there was another incident, this time in China. GBL, a Bitcoin exchange, suddenly closed its doors on November 11. Approximately US $12.7 million in investors’ money disappeared along with the site. A closer look at GBL revealed that it wasn’t all it claimed to be. It asserted it was licensed by the Hong Kong government, but it transpired that it was simply registered as a business there and had no license to operate as a financial services company.

This incident was quickly followed by news of an attack on Czech exchange, Bitcash.cz. Roughly 4,000 people were affected by the breach, which saw the equivalent of $514,000 taken by attackers. Obviously this haul wasn’t enough as the attackers then used Bitcash.cz email addresses to send emails to site users, claiming that they were using a U.S. recovery firm to retrieve the stolen money and asking for 2 Bitcoins from each user to cover the costs. 

The most recent incident involved BIPS, a Danish Bitcoin payment processor and wallet provider, which this week confirmed it was the target of a coordinated attack that resulted in a breach of its systems. The company said that several consumer wallets had been compromised. It is estimated that around 1,295 Bitcoins (worth approximately US $1.37 million) were taken in the attack, but most of the Bitcoins stolen belonged to the company itself rather than customers. Following the attacks, BIPS has said that it will close its consumer wallet services to focus on merchant processing.
 

Protecting your investment

While Bitcoin is commonly talked about as being secure, that, in essence, refers to the fact that it cannot be counterfeited, at least not yet. However, it doesn’t mean that it can’t be stolen, as these recent thefts have illustrated.

What can Bitcoin owners do to prevent theft? Given the kind of attacks we have witnessed, proper due diligence on where you are storing Bitcoins should be a priority. For example, GBL claimed that it was licensed in Hong Kong, but it wasn’t. Similarly, while Inputs.io’s service of mixing wallets up might have appealed to the privacy conscious, the level of access it had to user funds was a possible security risk.

After Inputs.io was attacked, its owner TradeFortress said: “I don’t recommend storing any Bitcoins accessible on computers connected to the internet”. The attack on BIPS also prompted its chief executive Kris Henriksen to change his opinion on the security of online wallets. He went as far as to advise his customers to avoid online wallets altogether.

While a lot of people think that the only way to store Bitcoins is in online, virtual wallets, it is also possible to store them offline. This involves creating a wallet that is stored on an offline device, such as a USB key and then sending your Bitcoins to this wallet address. The best practice procedure for creating an offline wallet is somewhat lengthy, but it is, in theory at least, safer than online storage. Technically, the Bitcoins themselves remain online. What is being taken offline is the means of accessing them, the private key.

It is also possible go one step further in offline storage, by taking electronic devices out of the equation entirely and creating a paper wallet. However, a paper based wallet bears the same risk as cash. It needs to be stored somewhere securely.

Online service providers have also begun to beef up their own security. Mt.Gox, ones of the world’s biggest Bitcoin exchanges, has implemented an additional layer of security by introducing a One Time Password (OTP) card, which will be shipping to all of its users immediately. The company said that the card can be used on its own or in conjunction with other two factor authentication methods, such as a Yubikey, a USB key the user must insert to verify their identity.

Once the user has input the card into their preferences on Mt.Gox, they can configure their account to require an additional password on login. Pushing a button on the card will generate a unique password for every login.
 

Bitcoin’s explosion in value

The upsurge in Bitcoin theft is more than likely linked to the fact that the value of the currency has shot through the roof in recent weeks. At the time of writing, one Bitcoin was valued at approximately $1,060. Its value has grown by more than 45 times this year and much of the gains have come in recent weeks. One month ago, it was trading at around $190.

The result of this boom is that what were once relatively minor holdings of Bitcoin can now be quite valuable. Nothing illustrates this better than the story of the IT professional who realized he had thrown out a laptop with a wallet containing 7,500 Bitcoin. He had mined the Bitcoins himself in 2009 and at the time they were only worth a few dollars.
 

Figure 2. Bitcoin/US$ exchange rate for the past six months (Credit: bitcoincharts.com)
 

Since then, their value has increased dramatically, with occasional dips along the way. When Silk Road, the underground drugs bazaar was shut down by the FBI in early October, it led to some speculation that the value of Bitcoin would plummet, since the currency is widely used in the underground. While there was a sell-off in the immediate aftermath of the bust, Bitcoin recovered within days and then began to climb quickly.

Part of the surge may be attributable to the fact that regulators are beginning to take the currency more seriously. For example, the U.S. Senate’s Homeland Security and Governmental Affairs Committee last week held a hearing on virtual currencies, at which the Department of Justice’s representative described Bitcoin as a “legal means of exchange”. Committee chairman Tom Carper meanwhile said Congress and government needed to develop “smart, sensible, and effective policies” around the currency.

However, Bitcoin’s steep appreciation has led to widespread fears that a bubble is forming. One look at the graph charting its dollar exchange rate is enough to prompt questions. While the number of businesses accepting Bitcoin as a form of payment has undoubtedly grown, it has not been at the same rate as its appreciation. Instead, speculation appears to be driving much of the current boom and, as history has shown; such buying frenzies can often end in tears.