One of the more recent items in cryptocurrency news is the Poly Network hack, in which over 600 million dollars in cryptocurrency were stolen and then returned. Cryptocurrencies provide fascinating challenges in terms of cybersecurity, thus I’d want to discuss the security aspects of cryptocurrency and cryptocurrency exchanges.
The Three Layers of Cybersecurity
One useful approach to cryptocurrency security is to divide it into three layers. The lowest layer is a mathematical foundation layer. This layer includes the basic mathematical algorithms used to secure cryptocurrencies. The application layer, which consists of applications written around cryptocurrency, is the next layer. The final layer is the human layer, which includes how people use the technology.
One can talk about these views of security in physical terms. The mathematical foundation layer includes the mathematics necessary to create the locks needed to secure cryptocurrencies. Once you have a lock, it can be used to make a safe vault for banks or businesses. All the pieces used to create the online store are the application layer. Finally, if you want to run the service, you need human beings running the business. All the interactions involving people are the human layer.
Bad guys that want to steal money can try to attack each layer. For example, if you figure out a way of breaking the locks or have a machine that tries every single password to brute force the system, you are attacking the mathematical foundation layer. Alternatively, you can find loopholes, bypass the lock, or enter via a window. This type of attack would be an attack on the application layer. Finally, you can attack the system by tricking a human into giving you the combination or sending you money.
Let's discuss each layer in detail.
The Bedrock of Cybersecurity - The Mathematical Foundation Layer
This layer includes the essential mathematical locks that keep things secure. The mathematics in this area is difficult to comprehend. However, going to a bunch of high-level mathematicians and computer scientists and having them hand you the blueprints for a working software lock and key.
There are different parts of the mathematical foundation layer, but one critical part of cryptocurrencies is called public-key encryption. A traditional encryption system has one key that you used to lock and unlock a piece of data. Public key encryption is a lock with two matched keys. One key locks the data, and the other key unlocks the data.
Public key encryption becomes very useful if you keep one key a secret and then share the other key with the world. In cryptocurrency, your wallet address is a public key that can unlock information about transfers you have done. Therefore, when you send cryptocurrencies, anyone can see that you sent them. However, the secret key is unique to you, and only you may move funds from your wallet.
Some of the world’s smartest people created the mathematics used in these systems, and they are busy trying to break their own locks. This is not impossible but breaking things at this level requires more computer skills than most ordinary computer people have, and if you are at this level, you would not be merely breaking into cryptocurrency exchanges but would be hired by intelligence agencies to do James Bond things.
For an ordinary computer guy, it is much easier to break things at the application level rather than trying to break the lock. Also, you can check if someone installed the lock incorrectly or left a window or back door open.
Building a Secure Room with Locks - The Application Layer
Even if you have a perfect lock, if it is not correctly installed, the system might be compromised. Your typical cryptocurrency exchange not only has a software lock but also websites and databases that must be connected with the locks, and these can have security issues that can be broken into. Most of the work in computer security involves securing things at this layer. One thing that makes cryptocurrency particularly challenging is that once you have released a system, every bad guy on the internet is going to be looking for holes, and if there is a hole in the system, it can be hard to fix because you have already released the contract.
An example of an application layer attack happened in the early days of Ethereum. A very clever programmer figured out that you could tell a smart contract to give you some coins and call itself before subtracting those coins from your account. So the system would give the attacker some coins and then go into an infinite loop before subtracting the balance from their account. Hence, the attacker could withdraw funds without changing balances and continue until the attacker drained the entire system. Someone diverted several tens of million dollars before the Ethereum Foundation intervened and then reversed the transaction by issuing a new coin.
The issue with application-layer attacks is that they can be performed with people with reasonable computer skills, but there is another layer of attacks that are on top that requires a unique set of skills, and this involves attacking the human layer.
The Hardest and Weakest Link - The Human Layer
The human layer involves having an attacker either trick someone into giving them a private key, having an inside person with enough information to steal money from them, or pretending to be someone else.
An example of a human layer attack happened when ICOs became popular. With ICOs, you had people that copied a website advertising an ICO and then copied everything except that they changed the address that you were to send your coins to. They also bought Google Ads so that the first ad goes to the scam site.
The Poly Network hack seems to have involved a human element. Somehow the hacker got control of the private keys, and once they had the keys, they could get the coins in the wallet. The thing about attacks and defences involving the human layer is that they require a different set of skills.
They also have a unique set of opportunities. The trouble with dealing with the human layer is that while we are not all mathematicians or computer programmers, we have to decide every day about whom to trust and who not to trust. By making these decisions, we can work on computer security issues.
The Role of Regulation
The useful thing about cryptocurrencies is that they work with both legacy trust models and new trust models. If you are not a mathematician or computer programmer but can find one that you can trust, you can have them look directly at the systems to see how safe they are. Most businesses and individuals, however, may not have access to this level of technical expertise. And increasingly, exchanges are discovering that they must be regulated by governments. Having a government approve an exchange or cryptocurrency service is one way that the ordinary person can decide to trust an exchange or service provider since you assume that a government can validate the internal processes of the service provided.
New Models of Finance and Old Systems
Finance is all about trust and security, and cryptocurrencies can use both old models of trust and security, such as government regulation, and new ones that involve pure mathematics. It is the mix of these systems that provide a fascinating future for the industry. For people that want to work with pure mathematics and computer programming and avoid traditional trust systems, this is possible with cryptocurrencies. Governments are putting together regulatory systems to monitor and approve exchanges so that you can trust exchanges to handle your money in the same way you can use government regulation to ensure trust in the traditional financial system.
How do I know whom to trust and who not to trust?
The important thing is to start with what you know. You can find people around you, such as friends and family, whose judgment you respect or don't respect, and then work through them to figure out what to believe and what not to believe. When working through crypto-services, it is always best to start with local businesses, since you have experience with those businesses, and you know what is valid and what is not.
How will this change with technology?
One thing that people are worried about is brute force attacks. If you have a system with a five-digit keypad, you can try starting with 00000 and then run through all possible combinations. As we have faster and faster computers, systems that were immune to brute force attacks become easier to break, and one thing that computer scientists are trying to figure out is how long you have to make the keys so that our systems are immune to these attacks.
The reason the human layer is important is that while technology changes quickly, people don't. We have the technology today that didn't exist a few years ago, and we are likely to see some massive technology breakthroughs. However, we are still the same human beings that we were thousands of years ago, and how people behave, both good and bad, are still the same.
How do programmers secure systems at the application layer?
Because cybersecurity is becoming important, there is a lot of training for computer programmers to become good at creating secure systems. You learn how to make security systems by learning how to break systems, and a lot of security training involves learning how to break systems. You learn to design better locks and safes, by learning how to break into them and in computer science schools, cybersecurity is often taught by contests in which students are given a locked piece of information that they try to break into.
*This communication is intended as strictly informational, and nothing herein constitutes an offer or a recommendation to buy, sell, or retain any specific product, security or investment, or to utilise or refrain from utilising any particular service. The use of the products and services referred to herein may be subject to certain limitations in specific jurisdictions. This communication does not constitute and shall under no circumstances be deemed to constitute investment advice. This communication is not intended to constitute a public offering of securities within the meaning of any applicable legislation.