Cryptocurrency trading has taken off in recent years. Apps, wallets, and online platforms have made trading Bitcoin and other cryptocurrencies accessible. But hackers and cybercriminals are targeting cryptocurrency traders and exchanges more than ever.
The number of online cryptocurrency exchanges has risen to 190, from just 70 three years ago. And as of this year, around 1,500 different cryptocurrencies are on the market for traders to buy, sell, trade, and invest in. Unfortunately, the rise in popularity has been matched by an equal determination among malicious actors to hack crypto traders. One need look no further than some of this year’s most high-profile crypto hacks like Bithumb, Coincheck, and BitGrail.
But are cryptocurrency traders more protected from hackers and malicious actors than traditional asset classes? Or are they actually more susceptible to hackers? And what role do regulatory frameworks, like the Cryptocurrency Security Standard (CCSS), have in protecting traders from potential hackers?
Below we’ll break down the basics of cryptocurrency trading, hacking risks specific to cryptocurrency, and render a verdict on whether or not crypto-traders are actually at greater risk. We’ll also cover how traders can best protect themselves via CCSS compliance and basic security measures.
How Does Crypto Trading Work?
First, it’s important to understand the basics of how cryptocurrency trading platforms work, as well as some of the crucial differences and similarities to more traditional currency trading. Cryptocurrency trading functions much like the foreign exchange (FOREX) trading market. But instead of trading U.S. Dollars for Japanese Yen, or Euros for Canadian Dollars, crypto traders move between different cryptocurrencies, as well as fiat money. As we’ve mentioned, there is now a plethora of different cryptocurrencies, or ‘virtual currencies,’ on the market, each with various traits, market caps, and usages. Some of the most common (and widely used) that many people are aware of are Bitcoin, Ethereum, and Litecoin.
In order to buy, sell, or trade these cryptocurrencies, investors need access to exchanges. These operate (in theory) much like traditional asset class exchanges, such as the New York Stock Exchange, NASDAQ, or FOREX markets. Crypto traders need these exchanges not just to trade Bitcoin and the like, but to purchase cryptocurrency with fiat money or cash out when they so choose. Some of the world’s largest and most popular exchanges include Coinbase, Kraken, and Binance. Traders, or investors, store their crypto funds in virtual “wallets,” either through the exchange platform they use or on separate applications. Each wallet has differing levels and forms of encryption and security, which we’ll cover later when we discuss the risks posed to traders.
All cryptocurrency trading takes place using what’s known as a blockchain, a decentralized, digital, public “ledger” of sorts. Blockchain is the engine that makes cryptocurrency trading possible, as all transactions are verified and can be viewed by both parties at any given time to ensure there’s no fraud or counterparty risk. In short, people engage in cryptocurrency trading because they’re speculating on the rise in the value of coins like Ethereum or Bitcoin, while many also view cryptocurrency as a form of “digital gold” that’s immune to potential hyperinflationary effects of fiat currencies that governments can manipulate on a whim.
What are the Risks to Traders?
Despite the precautions taken by wallets and exchanges, cybercriminals have in fact managed to hack into various systems, making away with millions of dollars’ worth of cryptocurrencies virtually overnight. And with large financial institutions like Goldman Sachs beginning to get into the cryptocurrency trading game, many security analysts are predicting even higher levels of hacking in relation to cryptocurrency. That being said, here are some of the specific tactics that crypto hackers employ, and the associated risks to crypto traders:
- Email Phishing – One of the oldest (and simplest) hacking tricks in the book, email phishing is more effective than you’d think as it relates to hacking the funds of crypto traders. In a typical email phishing scenario, traders might receive an email that appears to come from their crypto exchange or wallet, recommending a change of username and/or password due to purported suspicious activity. Little do they know that this email is from a hacker in disguise. The trader might then provide their credentials, or follow a hyperlink that will pull data from their computer that will allow hackers to access and transfer their funds. Despite the simplicity of email phishing schemes, many newbies to crypto trading regularly fall for them. RSI Security can assist in implementing an email encryption strategy, which can help avoid situations such as email phishing.
- Private Key Theft – Whether it’s through email phishing or by gaining access to a device through third-party systems, once hackers gain access to a user’s private key there’s almost no limit to the amount of damage they can do. Private keys are more complex than the average username/password combination and are what traders use to access their cryptocurrency wallets. Once the key is compromised, attackers can send the victim’s bitcoin to themselves or an intermediary or, even worse, simply delete the key and digitally eliminate the currency.
- Hot Wallet Hacks – Without getting too technical, there are basically two types of digital wallets that store cryptocurrencies. One type is “cold” wallets, where users typically store their assets over the long term. Cold wallets are more secure and harder to break into, but trading cryptocurrency from cold wallets is more difficult and time-consuming. “Hot” wallets, on the other hand, are what many exchanges use. Hot wallets trade security for fungibility, as traders need to be able to quickly move in and out of various coins. Hackers often target hot wallets, as exchanges are less focused on security and more on meeting the transactional needs of their user base.
Case Studies of Crypto Hacks
Unfortunately, 2018 is on pace to become the worst year for cryptocurrency traders and exchanges in terms of total assets lost. In just the first half of this year, reported losses due to crypto-hacking have amounted to over $1.73 billion U.S. dollars. That’s more than any other six-month period in cryptocurrency history, and over half of all total recorded losses since 2011. Moreover, hackers are now also attacking smaller alternatives to big players like Bitcoin, a category known as “Altcoins.” Here are just a few of the most recent crypto hacks, which serve to further illustrate the risks posed to cryptocurrency traders:
- Zaif – A Japan-based exchange, Zaif was hacked on September 14th of this year when access to one of their hot wallets was compromised. This resulted in the loss of $60 million in Bitcoin and an altcoin called MonaCoin.
- Coinrail – Although it is one of the smaller exchanges in Korea, Coinrail was a tempting target given the lack of robust security typical of smaller exchanges. In June of 2018, over $40 million in various altcoins was stolen from Coinrail users.
- BitGrail – Perhaps the biggest hack of 2018, the BitGrail exchange rendered itself vulnerable by attempting to use a new, underdeveloped centralized exchange to support its new architecture. The result was $195 million in lost Bitcoin, as hackers easily navigated their way through the “front door” of an insecure, centralized currency exchange.
- Decentralized Autonomous Organization (DAO) Hack – The biggest Ethereum (ETH) hack of all time, the DAO hack resulted in the loss of around 3.6 million ETH, or around $60 million U.S. dollars. While blockchain developers were trying to iron out various bugs, hackers were able to drain the ETH into a “child DAO” they’d constructed.
These are just a few of the recent examples which show the risk that hackers pose to crypto traders on various exchanges and wallets. How (and when) the next hacks will take place is obviously unpredictable, but they show that crypto exchanges of all shapes and sizes are indeed vulnerable and that crypto criminals are expected to increase their efforts to steal millions of dollars through 2018 and beyond. Learn more about RSI Security’s threat and vulnerability management by requesting a consultation.
Protection with CCSS Compliance
By now you should realize that, without a doubt, cryptocurrency traders are at substantial risk of being hacked. But that doesn’t mean that there aren’t precautions that can be taken to substantially minimize the risk of crypto funds being lost or stolen. In fact, one of the strongest frameworks introduced in recent years is the Cryptocurrency Security Standard (CCSS), developed by the independent Cryptocurrency Certification Consortium.
CCSS is basically a set of requirements for any systems that make use of, hold, or process cryptocurrency. This includes exchanges, web applications, and crypto storage solutions (i.e., hot and cold wallets). CCSS has a twofold purpose, the first being to provide an open set of standards that exchanges and wallets can use to bolster their defenses. The second is providing traders, users, and consumers a consistent framework they can use to make decisions about which exchanges, wallets, applications, and service providers they choose to use. The focus of CCSS is protecting private data and keys that might be used to access exchanges and wallets, as well as preventing sensitive information loss and data breaches.
For example, CCSS can certify the effectiveness of multiple aspects of any exchange’s security as either Level I, Level II, or Level III. If an exchange is protecting private keys with the most sophisticated defenses and encryption, for instance, its CCSS certification for that specific area might be Level III. Traders can then use these certification levels to make the most informed decision possible about which exchanges to use. Moreover, organizations that are CCSS compliant benefit from knowing that they’re taking all the right steps to avoid being hacked, and more effectively attract new users who feel more secure when they see an exchange or wallet is CCSS compliant.
One of the most effective ways that organizations go about increasing their level of CCSS compliance, and in turn reducing the risk of their users and traders being hacked, is by leveraging a compliance partner to aid them in the process. This usually includes some of the following core activities:
- CCSS advisory, assessment, and auditing of Levels I, II, and III.
- Gap analysis with regard to CCSS compliance.
- Network penetration testing to spot weaknesses.
- Vulnerability scanning of the internal network.
- Risk analysis of the connected crypto environment, including crypto keys and wallets.
- Crypto security awareness and training for multiple levels of staff.
Moreover, traders can take basic steps to minimize the risk of being hacked. Traders should keep all cryptocurrency that they don’t plan on trading on a disconnected, physical cold wallet that’s locked and stored either in their home or in a safety deposit box. They also shouldn’t leave cryptocurrency stored on exchanges for longer than is necessary. Simply complete the transactions and transfer the funds into a cold wallet if possible. Finally, make sure that whatever exchange you’re using employs multi-factor authentication, so that hackers will need more than just a username and password to gain access to your private keys.
Closing Thoughts
The rise in cryptocurrency investing and trading can be well justified. Bitcoin, Ethereum, and other coins provide immunity to inflation, ease of cross-border transaction, and inter-currency fungibility that many fiat currencies often lack. On the flip side, the result is that crypto traders, exchanges, and wallets are now on hackers’ radars more than ever. The important thing is to understand how cryptocurrency trading works and the unique risks posed versus traditional equity or FOREX trading.
Some of the recent hacks like the DAO and BitGrail show the level of sophistication and innovation that crypto hackers are reaching. Whether it’s a phishing scam or hot wallet breach, millions (if not billions) of dollars’ worth of crypto have gone missing in the blink of an eye. To avoid becoming a casualty, traders should evaluate exchanges and wallets based on CCSS standards, and take practical precautions to ensure all of their digital investments are as safe, secure, and risk-free as possible. Contact the experts at RSI Security for cybersecurity solutions today.