Security experts point to ease of access for bitcoin thieves
RSA conference hears bitcoin exchanges are easily compromised by malware
A Mt Gox customer wears a badge featuring a Bitcoin symbol while protesting outside a building housing the headquarters of Mt Gox and its parent company Tibanne Co. in Tokyo, Japan. Mt Gox, the bitcoin exchange that halted withdrawals this month, went offline this week. Photograph: Kiyoshi Ota/Bloomberg
Looking for a fast, virtually untraceable method of making money from easily hacked websites? You could do worse than become a bitcoin thief.
The increasingly popular web-based cryptocurrency is likely to become a target of choice for thieves, security expert Uri Rivner, head of cyber strategy, BioCatch, told an audience at the RSA Conference last night.
The easiest entry points are the bitcoin exchange websites people use to send, receive and store their bitcoins in an electronic wallet.
His comments came in the wake of the closure this week of Mt Gox, the oldest and most famous bitcoin exchange, with customers fearing the loss of $400 million. It was alleged that hackers had taken close to 750,000 bitcoins, 6 per cent of the currency in circulation.
US federal prosecutors have subpoenaed Mt Gox – and other bitcoin businesses – to seek information on a spate of disruptive cyber attacks.
“The bitcoin exchanges are basically sitting ducks,” Mr Rivner said, because they have little to no inbuilt security and are easily compromised by standard, widely available malware.
“And if you are inside a bitcoin exchange, you can get away with all their bitcoin,” he said. “It’s like robbing not a branch of the Bank of America, but all of Bank of America.”
Etay Maor, fraud prevention solutions manager, IBM, used malware to hack Mr Rivner’s own bitcoin account on Coinjar. com during their session, successfully transferring a bitcoin from Mr Rivner into his own wallet.
Because of the nature of the currency, tracing where the bitcoin had gone was impossible, he said.
“The security these websites have is so lax, you can just do it,” Mr Maor said. It’s easy to buy malware for targeting bitcoin, too, with an estimated 700 types of malware available now just for bitcoin.
He showed an image from an underground discussion site on which someone was requesting to buy malware to target specific bitcoin exchange sites. “And where there’s a demand, there’s going to be a supply,” he said.
“If you want to do this, you have a huge opportunity here,” he joked. “There are big opportunities for [using] trojans, and phishing. Exchanges are sitting ducks because the wallets are so insecure. It’s really, really easy.”
There are other ways of stealing bitcoin – for example, the currency is created by being “mined” – but to do this requires massive computing power. Coins are created as payment for solving extremely difficult mathematical equations that require enormous computer networks.
A skilled hacker could use a botnet – a network made of other people’s compromised PCs – to mine bitcoins. But even a 5,000 PC botnet would only be able to earn about $280 a month, Mr Rivner said, because mining the coins is so slow, and demands so much computing power.
“That’s not much – but if you have 500,000 computers [on a botnet], this gets interesting,” he said.
(Additional reporting, copyright The Financial Times Limited 2014)