Earlier this week, Coincheck, one of Japan’s most prominent cryptocurrency exchanges, reported the loss of 500 million NEM tokens, worth roughly $400 million. Not only is this the biggest crypto bank heist in history, it may well be the most costly breach of any type of bank. Major breaches are often a catalyst for change in security practices. They spawn a lot of speculation about what may have gone wrong and how the shock waves may impact the industry at large.
How safe is cryptocurrency? We asked six industry experts how they think the Coincheck breach is likely to change the notion of security for crypto banks.
Learn from Traditional Banks
Infosec strategist Allan Pratt feels that crypto banks must learn security lessons from their counterparts at traditional banks.
Thanks to blockchain, I believe the security of cryptocurrency itself will be safe, at least until compute speeds reach the point where everyday computers can make massive complex calculations. However, the exchanges will always be the weakest link. Using social engineering techniques, malware, DDoS, or even insider bad actors, as cryptocurrency becomes more mainstream, attacks on the exchanges will only increase.
That said, as with traditional banking, security for crypto banks must become an integral part of doing business. Checks and balances must be put into place either digitally or with human intervention so that it is not just a matter of keystrokes to make a withdrawal. Protocols such as multiple firewalls, multifactor authentication, hardened servers, system and software updates, and advanced IPS all have roles here. Vulnerability scanning and penetration testing should be used frequently (for example, monthly) to test exchange networks.
By design, cryptocurrencies are anonymous. They were meant to be used, bought and sold without banking regulations and government oversight. Unfortunately, as a result, crypto banks will always be targets. (@Tips4Tech)
No Major Changes
IT security consultant Chris Payne predicts that there will be few changes, just business as usual for crypto banks.
There is some speculation that this is the largest recorded bank heist ever. Despite this, it really goes to show how much money has been made in crypto as the exchange has reported it will pay back 90% from its own funds and remain open. That’s a huge reserve fund. This of course has happened before with the famous case of Mt. Gox.
I’m not sure if it will change security for crypto exchanges. They seemed to do everything right: they spotted fraudulent activity and halted transactions. They also had hot and cold storage; maybe the lesson is to hold less in hot storage. Will more heists take place? Absolutely. Exchanges are holding vast sums of currency now, so they are a natural target. Not all coins are untraceable, but it is easier to launder crypto. (@ChrisPayne804)
Cybersecurity writer Kim Crawley sees more regulation in the future for crypto exchanges.
I think the attack on Coincheck will definitely put pressure on the Japanese government to better regulate the cybersecurity of cryptocurrency exchanges. But coming up with regulations and enforcing them will probably be a frustration. Many more cyber attacks on exchanges are inevitable no matter what governments do. But making sure that exchanges have better security technologies and policies will certainly help.
Cryptocurrencies and their exchanges are new enough to be in their Wild West phase. Conventional banks and fiat currencies have been around in some form or another for hundreds of years. As computer networking became a part of banks starting perhaps in the 1960s, government regulations were created in almost all capitalistic countries in order to protect the digital aspects of customers' money. Conventional banks are not completely safe from cyber attack, and incidents happen to bank computers all the time. Nonetheless, conventional banks have a lot more regulations and systems in place to assure security than cryptocurrency exchanges have.
The international nature of cryptocurrency exchanges and their customers is an additional challenge. Banks are tied to specific countries and the federal regulatory bodies of those countries. The customers of a bank that operates in one country are predominantly citizens and residents of the same country. The same doesn't usually apply to cryptocurrency exchanges. Therefore, as governments are pressured to come up with security regulations for cryptocurrency exchanges, they'll have a real mess on their hands. It also doesn't help that many cryptocurrency holders think that blockchain is the only thing that's needed in order to keep their digital money secure. (@kim_crawley)
Tighten Existing Security
Infosec analyst Bob Covello believes that crypto banks probably have the right security; they just need to use it better.
It is unfortunate every time crimes like this happen. Cryptocurrency storage is very much like the early days of traditional banks, where a holdup required little more than a bandit with a mask and a gun. As traditional banks started to study their problems, they learned that the weakness was not in the banking system. Rather, it was a weakness in their security implementation. The same holds true for cryptocurrency. The system is reliable, but some of the implementation is flawed. Isn't that the failing of most of the encryption breaches in history? (@BobCovello)
Become More Involved
Cyber Security Practice Manager Matt Pascucci urges users to take a greater role in the security of storing their own cryptocurrency.
The compromise of Coincheck is a major concern for those looking to invest in cryptocurrency. This wasn’t the first time that the compromise of a Japanese exchange (think Mt. Gox here) allowed attackers to make off with hundreds of millions of dollars. I’m personally a huge fan of cryptocurrency and see the value of it being used in the future. But its deregulated nature, which makes it so popular and alluring, will lead towards issues like we saw with Coincheck and Mt. Gox if gone unchecked.
To limit these types of issues in the future, users should seriously consider leaving their coins on a hardware wallet, like the Ledger Nano S, to mitigate the risk of having their coins sitting on exchanges that are at risk of compromise. The deregulated nature of cryptocurrency means that the authority over the exchanges isn’t well regulated and can lead to error. This doesn’t mean that crypto banks are less secure than other banks, most large banks have had issues too, but that the legality about refunding losses can be anyone’s guess. (@matthewpascucci)
Writer Jack Walker recommends that investors ask the tough questions about security.
The Coincheck theft not only shows the volatility of the nascent cryptocurrency market but also that its relative immaturity means there’s still some catching up to do in terms of security and regulatory oversight.
Cybercriminals will always go ‘where the money is’, and in that sense the hack is not so surprising - after all, researchers have long found that some wallets can be insecure and thus more likely to be compromised or stolen.
Investors should know the risks when investing in a cryptocurrency, whether that is Coincheck, Litecoin, Ethereum or Bitcoin. In particular, given the Mt. Gox bankruptcy and the fact that Coincheck is reimbursing affected customers, they need to question how secure these platforms are and how sustainable the companies are too.
How do you think security in crypto banks is likely to change?