There is no traditional financial institution that will provide a layer of protection to your earnings and no law enforcement agency to catch cryptocurrency thieves. Government agencies have only just begun to regulate cryptocurrency exchanges.
But how can you best safeguard your cryptocurrency holdings? We’ve talked with several security experts to give you the tips to safeguard your own devices and research the exchanges with whom you’ll be doing business.
How Bitcoin Gets Stolen
The cryptocurrency exchange and mining marketplace NiceHash reported on Dec. 7 that it had been hacked, with more than $60 million in bitcoin — NiceHash’s entire bitcoin “wallet,” or holdings — stolen.
At the same time, phishing attacks against Bitcoin exchanges and private Bitcoin holders have mounted along with the price of bitcoin. The phishers are looking for administrative passwords or Bitcoin private keys, either of which would give them access to Bitcoin wallets.
Last week, an iOS app that masqueraded as the official app for the MyEtherWallet exchange (which trades in the Ethereum cryptocurrency) appeared in the iOS App Store for several days. In November, fake Android apps for the cryptocurrency exchange Poloniex showed up in the Google Play Store.
People who installed the phony apps and thought they were legitimately connecting to the exchanges might have given up the passwords to their accounts. (Neither exchange was itself actually compromised.)
Secure Your Devices to Secure Your Holdings
As with any other type of online financial transaction, ensuring that your money remains safe and secure has to be a top priority for both you and those with whom you trade. And as with so many other types of online dealings, cryptocurrency security isn’t always something you can control.
“The security risk for any cryptocurrency is with the Bitcoin wallet and how secure the owner keeps it and any systems they use to make transactions,” said Joseph Carson, chief security scientist at Thycotic, an information-security firm based in Washington, D.C. “When using cryptocurrencies, you need to make sure you take extra security to protect your wallet, keep it secret, add multifactor authentication and use encryption.”
In other words, you need to take the same precautions with cryptocurrencies as you would use to protect other personal assets, such as your Social Security number, bank accounts and credit cards. Install and run antivirus software on your Windows PC, Mac and Android devices. Screen your emails carefully, and set up two-factor authentication on every online account that lets you. Encrypt your hard drives and mobile devices, and make regular backups of them.
It’s All About Protecting the Private Keys
How can you best safeguard your cryptocurrency holdings? The answer lies in the private key, a 256-bit number that unlocks a cryptocurrency wallet. That sensitive data, that investment, is all tied up in your private keys. You need your private keys to spend your bitcoins, so if someone gains access to your private keys, they can (and will) spend your bitcoins, and your bitcoins will be lost to you.
“Bitcoin hacking is a popular criminal enterprise, because holding bitcoin requires maintaining confidentiality of a bitcoin address’s private key,” said Andrew McDonnell, president of AsTech, a San Francisco-based security-consulting company. (The address is another number, derived from a private key, that establishes ownership of a unit of bitcoin.)
“If that key is compromised, the attackers can send all of the victim’s bitcoin to themselves or an intermediary, or simply delete the key and digitally eliminate the bitcoin,” McDonnell said. “Without the private key, as there is no central bitcoin authority by design, there is no way to claim ownership of a set of bitcoin.”
Once you ensure that your private keys have a layer of protection, you need to safeguard your cryptocurrency wallet. A wallet is both a collection of one or more private keys and the software you use to interact with the cryptocurrency protocol.
“I would consider the same standards of safeguards for a Bitcoin wallet as I would for a mobile banking app,” said Jared Nishikawa, director of immersive programs at SecureSet, a Denver-based cybersecurity academy. “Strong passwords, two-factor authentication, unlock code for the phone … It is rare to hear about wallets being compromised if the private keys are not stored online somewhere.”
Trusting the Exchanges
To trust cryptocurrency exchanges requires an understanding of how they work. There are two different types of cryptocurrency exchanges.
A centralized exchange means that you trust the exchange with your cryptocurrency funds and your private keys, and you trade with the exchange for what basically amounts to IOUs. You allow the exchange to manage the security of your funds on your behalf. That can be beneficial if your own computer gets hacked or its hard drive dies, but it also makes exchanges prime targets for cybercriminals.
Centralized exchanges let you withdraw units of cryptocurrency and convert them to dollars or other “real” currencies, and also transfer units of cryptocurrency to your own privately held addresses of bitcoin or other cryptocurrencies. The exchange will generally charge between 0.1 and 0.25 percent of a traded amount.
Decentralized cryptocurrency exchanges allow for simple and direct peer-to-peer trading of cryptocurrencies. At no time is the exchange in control of your funds. The decentralized exchanges are less convenient and more difficult to use for the average user than centralized exchanges are, but they often don’t charge a brokerage fee.
More importantly, decentralized exchanges have no access to your private keys. If a decentralized exchange gets hacked, there would be no immediate way for the hackers to steal your private keys, said Nishikawa. But if your own machine gets hacked, your money is gone.
As for trusting a cryptocurrency exchange, whether it’s centralized or decentralized, Nishikawa said you need to do your homework first by researching the exchange’s reputation and history.
“I don’t see a huge problem with using a decentralized exchange, but I would probably stay away from centralized exchanges,” he advised. “However, if I had to use a centralized exchange, I would withdraw frequently to a private account not connected to the exchange, making sure not to leave a significant amount of money in the online account if I didn’t have to.”
Retrieving Stolen Currency
Unfortunately, once cryptocurrency is stolen, it’s gone for good. Remember, said Nishikawa, cryptocurrencies are digital and largely anonymous; therefore, the only things worth stealing are the private keys. Once those keys are stolen, the currency is almost always immediately spent.
Both consumers and businesses using and investing in cryptocurrency need to ensure that they can adequately protect and secure private keys and establish the integrity of any exchange involved in their transactions. After all, as Bitcoin and other cryptocurrencies continue to increase in value, you can count on cybercriminals following the trend.
The price of a single bitcoin surged to more than $17,000 in early December, and (for now) it is still going up. But cryptocurrency isn’t quite like other assets, and Bitcoin and other cryptocurrencies are surprisingly easy to steal. They’re also not always easy to protect.