
Crypto Security in 2016: A Tale of Two Weaknesses

Cryptocurrency companies and holders continued to be a target for hackers in 2016, but Bill Shihara argues it doesn't have to be that way next year.

Updated Sep 11, 2021, 12:50 p.m. Published Dec 29, 2016, 2:00 p.m.

Bill Shihara is the CEO and co-founder of cryptocurrency exchange Bittrex, and a former security engineer at Amazon, Blackberry and Microsoft.

In this CoinDesk 2016 in Review special feature, Shihara reviews the major cybersecurity events in the industry this year, drawing clear trends that could inform firms and individuals seeking to better protect their funds in 2017.


Bitfinex, The DAO, Gatecoin...

Security has always been a concern in the bitcoin and larger cryptocurrency community, and unsurprisingly, there was no shortage of malicious attacks on industry companies in 2016.

This year, we saw several hacks on major businesses that suggest malicious attackers will continue to be a threat to cryptocurrency startups, putting users and investors in the blockchain industry at risk.

As startups and investors prepare for 2017, let's look at some of the major incidents in the hope that hackers will have less luck in the year ahead.

First Half of 2016: Centralized Services Attacked

Centralized services, which concentrate large pools of cryptocurrency under one operator's keys, have always been enticing targets for hackers.

But what's notable is that the three cryptocurrency exchanges hacked during this period were compromised using very different methods. I would argue that variety raises issues for customers trying to manage the risk of putting their digital assets in centralized services: there is no single control a depositor can check for.

ShapeShift, for example, lost its own funds through multiple hacks by an insider, while both Gatecoin and Bitfinex lost user funds through external hacks (and have been working to repay their customers).

We can't forget the biggest hack of the year though: The DAO.

The DAO, a decentralized venture capital fund implemented as an Ethereum smart contract, raised approximately $150m worth of ether from digital currency investors across the globe during its creation period, which ran from late April through May.

Unfortunately, the promise of smart contracts and "code as law" was put to the test in June, when an attacker exploited a recursive-call (reentrancy) bug in the contract's split logic to drain roughly $50m worth of ether. The contract sent ether to the caller before updating the caller's recorded balance, so the caller could re-enter the contract and withdraw the same balance again and again. Remember, smart contracts are software and are not immune to logic bugs that become security flaws.
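The pattern behind that bug is easy to model outside the blockchain. The Python below is an added illustration, not The DAO's code or Solidity: a toy vault pays a caller by invoking the caller's receive hook (standing in for an external call that hands control to the recipient's code) and only afterwards zeroes the caller's balance, so a malicious recipient re-enters and withdraws repeatedly. The fixed vault updates state before it pays and refuses re-entrant calls. The deposit amounts, addresses and class names are constructed for the example.

```python
"""Toy model of the reentrancy logic bug that drained The DAO.

Constructed illustration only. `caller.receive(...)` stands in for an
Ethereum external call: the vault hands control to the recipient's code
while the vault's own state update is still pending.
"""


class Vault:
    """Vulnerable: the payment (interaction) happens before the state update (effect)."""

    def __init__(self, reserve=0):
        self.balances = {}      # address -> recorded balance
        self.ether = reserve    # ether actually held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, caller):
        amount = self.balances.get(caller.address, 0)
        if amount == 0 or amount > self.ether:   # nothing to pay, or the transfer would fail
            return
        self.ether -= amount
        caller.receive(self, amount)             # BUG: recipient code runs here...
        self.balances[caller.address] = 0        # ...and the balance is zeroed only afterwards


class SafeVault(Vault):
    """Fixed: checks, then effects, then interactions, plus a reentrancy guard."""

    def __init__(self, reserve=0):
        super().__init__(reserve)
        self._locked = False

    def withdraw(self, caller):
        if self._locked:
            raise RuntimeError("reentrant call rejected")
        amount = self.balances.get(caller.address, 0)
        if amount == 0 or amount > self.ether:
            return
        self._locked = True
        try:
            self.balances[caller.address] = 0    # effect first: the balance is gone before anyone is paid
            self.ether -= amount
            caller.receive(self, amount)         # interaction last: re-entry now finds a zero balance
        finally:
            self._locked = False


class Attacker:
    """Recipient whose receive hook re-enters withdraw() while its balance still looks intact."""

    address = "0xattacker"   # constructed placeholder address

    def __init__(self, max_depth=50):
        self.loot = 0
        self.depth = 0
        self.max_depth = max_depth   # bounds recursion, like a gas limit

    def receive(self, vault, amount):
        self.loot += amount
        self.depth += 1
        if self.depth < self.max_depth:
            try:
                vault.withdraw(self)       # re-enter before the outer call finishes
            except RuntimeError:
                pass                       # the guarded vault refuses; the outer call still completes


def run_attack(vault_cls):
    """Constructed scenario: an honest depositor puts in 90, the attacker 10, then the attacker withdraws once."""
    vault = vault_cls()
    vault.deposit("0xhonest", 90)
    attacker = Attacker()
    vault.deposit(attacker.address, 10)
    vault.withdraw(attacker)
    return {
        "loot": attacker.loot,
        "vault_ether": vault.ether,
        "honest_balance": vault.balances["0xhonest"],
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(Vault))      # attacker takes all 100, vault holds 0
    print("fixed:     ", run_attack(SafeVault))  # attacker takes only its own 10
```

Against the vulnerable vault the attacker's single withdrawal empties the contract while the honest depositor's ledger balance still reads 90 with nothing backing it, which is exactly the position The DAO's token holders found themselves in. The fix is two independent defences, either of which alone would have stopped this attacker: updating state before the external call, and a lock that rejects re-entry.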

Just as with putting your money into exchanges, you should think carefully about smart contracts and decentralized solutions, and how they work, to understand how your funds are protected.

Second Half of 2016: Individuals Targeted

As the services built in the cryptocurrency industry have raised the bar on security, hackers have moved on to easier targets, attacking individual users.

Even sophisticated bitcoin industry veterans like Bo Shen and Jered Kenna, as reported by Forbes, were not immune from this wave of hacks.

In the second half of 2016, several people in the cryptocurrency space had their phone numbers hijacked. Hackers socially engineered the victims' phone carriers, convincing support staff to port the number, or activate a new SIM for it, under the hacker's control.

This is particularly insidious because SMS text messages and phone numbers are used as an authentication mechanism by many services that you rely on daily such as Google, Facebook and a few cryptocurrency services.

In some cases, control of your phone number alone is enough to reset a password or otherwise get into an account. Your phone company protects your digital life with the cheapest labor it can find, and those support engineers don't always follow their own security processes.

The best thing to do is to remove your phone number as a recovery option and second factor from every service it is currently tied to. Another best practice, although not foolproof because your carrier may not follow its own processes, is to put a PIN or passphrase on your carrier account and require that any SIM swap or number port happen only in a store, with valid identification shown.

On the topic of social engineering, be careful what information about yourself you publish, on LinkedIn, Facebook and Twitter, for example.

Hackers can collect this information and use it to socially engineer their way into your accounts. Think of the answers to your security questions and whether someone could determine them by looking at your Facebook profile.

And, obviously, if you are reusing the same username and password across multiple sites, stop: a breach of any one of them exposes all of the others. Use hardware- or device-based two-factor authentication on every site that supports it, in preference to SMS codes.

Keep in mind that there are fake sites designed to trick you into giving up your credentials. Hackers routinely buy AdWords placements so that their phishing sites appear at the top of search results; check the address bar before you type a password.

Looking to the Year Ahead: 2017

2016 was a big year for hackers, but 2017 doesn’t have to be that way.

By paying attention to trends and protecting your business and personal accounts with advanced protective measures, we can all benefit from a safer, more secure cryptocurrency ecosystem.

We're not there yet, though. In 2017, I'm expecting the industry to invest heavily in privacy technology and identity solutions in blockchains.


Note: The views expressed in this column are those of the author and do not necessarily reflect those of CoinDesk, Inc. or its owners and affiliates.
