Recently, more than a thousand crypto traders had their personal data pilfered from a crypto tax reporting service. A hacker gained access to a marketing and customer service employee’s account and was able to make off with personal information including customer names, email addresses, messages, and in some cases, crypto income data. To an outsider, this only adds to the mystique surrounding crypto platforms and decentralized technology. However, this is really no different from any other third-party hack wherein a household retailer or department store is compromised. While some high-profile security breaches have contributed to the average person’s confusion about the industry, crypto and blockchain are actually quite secure - and only getting stronger.
The Evolution of Cryptocurrency Security
Hacks during the early days, like NiceHash and Mt. Gox, served to shape both the way the public views crypto and how seriously the industry itself mitigates threats. Following those breaches, cryptocurrency exchanges and wallets took serious steps to prevent similar events, while those outside the industry saw the occasional breach headline as evidence of a sketchy marketplace. The cryptocurrency industry is one of the few in the world with such incentive to safeguard sensitive information.
Billions of dollars’ worth of crypto assets are under custody within crypto exchanges (a third party), with the prime hurdle to outright theft being a private key. Private keys are cryptographic algorithms used to encrypt and decrypt code that protects messages, transactions, and other information stored on the blockchain. It is a critical bit of encrypted information that allows the exchange of funds from user to user, exchange to exchange, and so on. Think of it as a long, complicated password that you can protect with a vault or two-factor authentication, though with no guarantee of safety.
Let’s start with the basics. In the decentralized world of crypto, the onus for protection is often placed on the currency holder. There are two basic forms of cryptocurrency storage. Hot wallets are connected to the internet, often through a website, app, or plug-in extension. This is how crypto exchanges operate. Similar to banks, users have access to not only their funds, but are able to buy, sell, and trade in the same place. Cold storage, on the other hand, comprises methods of safekeeping not connected to the internet, like wallets in the form of external devices such as USB sticks.
While many crypto investors have their funds on third party exchanges, a large portion keeps their crypto in cold storage. These are less vulnerable to hacks, as cold wallets can be carried on your person and are exceptionally resilient to malware. Additionally, cold wallets provide anonymity when transacting, which eliminates the risk of leaking personal information.
Sophisticated Attacks Expand
The infamous Mt. Gox hack resulted not only in $460 million stolen in the form of bitcoin but also in a realization that the fully decentralized, digital nature of cryptocurrency attracts an increased risk of attack. The $28 million hack on crypto exchange Bitpoint in July of 2019 affected half of its customer base through a compromise of Bitpoint’s hot wallets, which are connected to the internet. While the event did not cause Bitpoint to completely shut down, as in the case of Mt. Gox, the hack raised legitimate questions about the security and privacy of the exchange among both its hacked and non-hacked users.
It’s not just about crypto exchange hacks, which can be compared to a hacker gaining access to one’s bank account and draining its supply. Other forms of compromise include theft of private keys, manipulation of secure passwords, or something called a double-spend attack. More recently, Ethereum Classic experienced a type of double-spend attack, a 51% attack, which resulted in almost $5.6 million worth of the currency being double-spent. The hacker was able to go undetected by converting stolen funds in a series of small, barely noticeable operations. 51% attacks often target exchanges, or in some cases, PoW-specific tokens and protocols, anything from BTC to Dogecoin. While some protocols have created defense strategies against double-spend hacks, others are still searching for a way to avert such an existential threat.
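The usual exchange-side defense against a double-spend is to hold a deposit until it is buried under enough confirmations. The following is an added example, not code from this article or from any exchange: it implements the attacker-success probability from section 11 of the Bitcoin whitepaper and turns it into a confirmation-depth policy. The hash-power share q and the risk threshold are assumed inputs the operator chooses; at q >= 0.5 (the 51% case the article describes) no depth is safe.

```python
# Confirmation-depth policy against double-spend attacks, based on the success
# probability formula in the Bitcoin whitepaper. Added illustration only.
from math import exp
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q can rewrite a
    transaction already buried under z confirmations (whitepaper formula)."""
    if q >= 0.5:
        return 1.0  # majority hash power: the attacker eventually wins
    p = 1.0 - q
    lam = z * (q / p)  # expected attacker progress while z honest blocks land
    total = 1.0
    for k in range(z + 1):
        poisson = exp(-lam)  # P(attacker mined exactly k blocks)
        for i in range(1, k + 1):
            poisson *= lam / i
        # chance of catching up from z-k blocks behind is (q/p)^(z-k)
        total -= poisson * (1 - (q / p) ** (z - k))
    return total


def required_confirmations(q: float, max_risk: float,
                           cap: int = 1000) -> Optional[int]:
    """Smallest z whose double-spend risk is below max_risk; None when the
    attacker has a majority or no depth up to `cap` suffices."""
    if q >= 0.5:
        return None
    for z in range(cap + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def deposit_decision(confirmations_seen: int, assumed_share: float,
                     max_risk: float = 0.001) -> str:
    """Operator policy: credit a deposit only once it is deep enough for the
    assumed attacker share; otherwise keep it on hold (or refuse if q >= 0.5)."""
    needed = required_confirmations(assumed_share, max_risk)
    if needed is None:
        return "refuse"
    return "credit" if confirmations_seen >= needed else "hold"


if __name__ == "__main__":
    for share in (0.1, 0.3, 0.45):
        print(share, required_confirmations(share, 0.001))
```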
While hacks involving stolen assets can be detrimental to crypto exchanges, investigation teams are often able to return the stolen assets to affected users. Hacks of personal data, frequently due to leaks of KYC information, are often deemed more dangerous, and irreversible, as once personal information is exposed, there is no erasing it from the public sphere.
Binance openly pointed fingers at its KYC vendor after customer information was leaked in August of 2019. Just last month, Ledger announced that its database was hacked through a faulty third-party API key. These examples, along with the recent attack on the crypto tax reporting service, show that personal data safety measures must keep up with the implemented safety measures for the custody of assets.
Zero-Knowledge Solutions
One fascinating solution within crypto, even used by government agencies and banks, is the use of zero-knowledge proofs to protect user data on-chain. The basis of a zero-knowledge protocol is that party A can verify something specific about party B’s information, X, without B exposing the underlying data itself. This limits the need to reveal information on-chain. If businesses were to build applications, or conduct transactions, on blockchains using this technology, they could verify proofs of information validity without revealing the underlying information. By shrinking the attack surface, or the amount of information shared and relayed on-chain, hackers will have a much more difficult time exposing data.
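To show the A-verifies-B-without-seeing-X idea concretely, here is an added example (not Horizen’s code or anything from the article): a toy Schnorr proof of knowledge, made non-interactive with the Fiat-Shamir transform. Party B proves it knows the secret x behind a public value y = g^x mod p; party A checks the proof using only public values and never learns x. The 62-bit safe-prime group is a constructed toy parameter, far too small for real use.

```python
# Toy Schnorr proof of knowledge of a discrete log (Fiat-Shamir). Added
# illustration only; not Horizen's or any production code.
import hashlib
import secrets

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; these fixed bases are deterministic for n < 3.3e24."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if a % n == 0 or x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(start: int = 1 << 62):
    """Find p = 2q + 1 with p, q prime; 4 is a quadratic residue, so order q."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()  # constructed toy parameters (62-bit)

def keygen():
    """Secret x (the private information) and its public commitment y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def challenge(y: int, t: int) -> int:
    """Fiat-Shamir: hash the public transcript so the prover cannot cheat."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def prove(x: int, y: int):
    """Party B: commit to random r, derive the challenge, answer s. x stays secret."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    s = (r + challenge(y, t) * x) % Q
    return t, s

def verify(y: int, proof) -> bool:
    """Party A checks g^s == t * y^c using only y and the proof."""
    t, s = proof
    return pow(G, s, P) == t * pow(y, challenge(y, t), P) % P
```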
Security and privacy may be an afterthought for some platforms, especially those that are just trying to get off the ground. There is great complexity in collecting data, as well as how to protect it, thanks to a lack of enforced regulation and streamlined processes. Regardless, data safety is undoubtedly an industry problem and one that needs to take precedence. By sharing ideas and technology, such as zero-knowledge cryptography, platforms can work together to make privacy and safety a top priority.
About the author: Rob Viglione is the Co-Founder of Horizen and CEO of Horizen Labs. Horizen Labs is a blockchain development company that makes blockchain technology accessible for businesses. It enables businesses to create distributed ledger solutions that are fast, secure, private and scalable. Horizen is an incentive-driven application platform with optional privacy features that aims to provide everyone with complete control of their digital footprint. Launched in May 2017, the leading-edge platform enables real-life uses beyond the ZEN currency, including the ability to privately chat with others and eventually enable users to publish information and go anywhere on the web, with complete privacy.