NEM hack returns security spotlight to crypto infrastructure

For anybody who has been tracking the evolution of cryptocurrency for more than five minutes, the announcement in late January that Japan-based exchange Coincheck had been hacked for around $500 million worth of XEM (the NEM token) was simultaneously shocking — and no surprise. No surprise because monster hacks like this have been par for the crypto-course for years.

What is shocking about this one, though, and others like it, is that they’re still happening. From Mt Gox to Poloniex to Bitstamp, we’ve all seen this before — and more than once. What makes the NEM hack so frustrating is that it was eminently avoidable. Whose jaw didn’t hit the floor when during its mea culpa press conference, the Coincheck team revealed that the half-a-billion dollars worth of stolen XEM was sitting in a hot wallet at the time it was lifted? That was bad enough, but to add insult to injury they followed up by admitting the hot wallet in question wasn’t even using multi-signature authentication.

It was an appalling example of negligence on behalf of the exchange operators and its impact goes far beyond the victims whose coins were stolen (who Coincheck have offered to compensate for their loss). First, NEM was unfairly blemished, with many thinking the currency itself was somehow inherently insecure as a result of the hack.

Second, the Japanese government’s enthusiasm and support for cryptocurrencies had been widely lauded, but they’ll no doubt be taking a more cautious approach now too (one saving grace in that respect, though, was that Coincheck was not one of the 11 exchanges officially licensed by the Japanese Financial Services Agency last October). And finally, the massive theft has done nothing to reassure institutional investors sitting on the crypto-fence, that the industry has left its wild-west days behind it and now is a good time to drop a pension fund or two into bitcoin.

It is entirely reasonable, therefore, that after the NEM hack questions are again being asked about whether the security infrastructure around cryptocurrencies is as secure as it ought to be — and what can be done to prevent further large scale thefts.

At New Zealand based exchange Dasset, CEO Stephen Macaskill says the threat from cyber-criminals is constant “it’s the norm, rather than an exception” and he says ‘inside jobs’ are not uncommon. “A number of exchanges have been compromised from the inside, and that's something really important to be aware of making sure that no single individual has complete control over the funds. Control over customer funds needs to be distributed to multiple parties both internally and externally.”

The colder the better

Most of the attacks, including the Coincheck hack and the August 2016 loss of approximately 120,000 BTC from Bitfinex, have targeted user's hot wallets. Because of the vulnerability of the hot wallets, most exchanges are using the cold storage method. Coinbase, for example, holds up to 98% of its cryptocurrencies in offline locations and insures the rest.

Consequently, an entire industry of security companies is emerging, intent on providing bespoke security solutions for blockchain based businesses. Xapo, for instance, has provided bank-like vaults for cryptocurrency private keys since 2014. The company operates several highly secured vaults internationally, including a decommissioned military bunker near Lake Lucerne in the Swiss Alps where it stores user's private keys.

These facilities operate like old fashioned bank vaults, where someone has to physically access the vault to retrieve the keys. The vaults are bolstered with multiple layers of security, including everything from man-traps and enormous steel doors, to bulletproof class and protection against the type of electromagnetic pulse emitted during a nuclear explosion.

But what if a master criminal does manage to evade the mantraps and gain access to your private key? Again, all is lost  unless you’re smart like a Winklevoss. The famed Bitcoin hodlers have cut their private keys into pieces and secured them in different safety deposit boxes across the country. Crack one box and you still won’t get the whole key. Distributed ledger indeed.

While cold storage makes it virtually impossible for someone to steal a user's private key, the compromise is it also limits the speed at which people can access their wallets (Xapo claims on its website that users can access private keys from its mountainside vaults within 48 hours). This compromise is a major downside of cold storage since cryptocurrency traders typically require faster access.

Dr Julian Hosp, a blockchain expert and the founder of TenX recommends a unified system of ‘hot, warm and cold storage’. “Most companies use this method, which makes the wallets easily accessible and secure at the same time.” (Hot storage: data can be accessed without any delays, like in cloud computing; Warm storage: a compromise between hot and cold storage where data retrieval is somehow delayed but not to the extent of cold storage; Cold storage: data retrieval takes time from a few seconds to days).

According to Hosp, wallets and their owners will always be the weakest link in the blockchain. “The coins themselves are safe from hackers. But when the coins are stored, that’s when the biggest compromise can happen. The coins are only safe when you store the private keys in a safe location. When the private keys get lost, there is no way of getting them back.” Indeed the ‘misplacement’ placement of coins and private keys is becoming a serious problem with Chainalysis research estimating that between 17 and 23% of bitcoins may already be out of circulation forever.

Bank on it

With such statistics, the importance of a foolproof system for safely storing private keys cannot be overemphasized. Interestingly, while cold storage is currently the gold standard in securing crypto assets, it paradoxically mimics the traditional banking security protocols, the same practice the blockchain has looked to wipe out through decentralization. The irony of the situation isn’t lost on Dasset’s Macaskill, who acknowledges his company has looked to bank-style security systems for its security. 

“Bank controls are in place for a reason,” he says, “as they've been built on and improved upon for decades. Plenty of exchanges have learned the hard way that you can’t just do it however you want and make rash decisions and question or patch it up later, hoping that there are no compromises. It's really important to have the right controls in place on the security side. A lot of those controls actually come from these legacy banking systems, so it's funny how we're using those dinosaur systems to secure this new world.”