This article covers the advantages and weak links of the Bitcoin infrastructure from a security perspective and compares this cryptocurrency to regular fiat currencies.

Speaking of different forms of digital currencies, Bitcoin stands out from the crowd due to its decentralized nature and strong encryption practices propping its architecture. Importantly, Bitcoin owners needn’t disclose any sensitive information when performing transactions. This does not hold true for the classic payment workflow via a credit card, where you need to at least provide the card number and security code.

There’s also an opinion that although services related to Bitcoin have been hacked or otherwise abused multiple times, cybercriminals never actually compromised the underlying protocol. But are things really so serene in the cryptocurrency landscape? Let’s try to figure that out.

 

Components of Bitcoin security posture

To get the big picture, it makes sense to draw the line between the following layers of Bitcoin security architecture:

  • The security of the protocol proper and the blockchain.
  • The security of Bitcoin wallets, exchange services, and payment systems.
  •  

    This split is important because people mostly deal with services built on top of the protocol itself. The kernel system is only tasked with issuing coins and keeping track of transactions afterwards. Everything else, including ownership-related operations, is outsourced to third-party services.

     

    Blockchain security challenges

    The blockchain technology is protected by military-grade cryptography. Ideally, it should be immune to all types of malicious interference. And yet, there are two main security challenges stemming from the objectives of the blockchain:

  • Validating transactions. This technology is supposed to make sure that the spent amounts match unspent outputs within the previous blockchain. To this end, it checks for transaction signatures created with valid private keys.
  • Verifying the authenticity of the blockchain that’s being mined. The easiest way to perform this function is to ascertain that miners work with the longest blockchain available. Since extending the blockchain is very resource-consuming, the longest one is most likely authentic because miners have spent the most effort working with it.
  •  

    Despite the fact that these security practices appear to be reliable, cybercrooks have some abuse mechanisms up their sleeve. They can pilfer Bitcoin by guessing private keys and signing transactions. They can also brainwash the sender of Bitcoin into thinking that the transaction was rejected and the funds were not spent, while they actually were. The more competent threat actors can look for zero-day vulnerabilities and use them to manipulate the blockchain.

     

    Abusing the protocol

    Perpetrators may leverage the following techniques to compromise the Bitcoin protocol:

  • Brute-forcing private keys. Because the key space is gigantic, it is extremely problematic to pull off a heist like that. It is currently more of a theoretic attack vector. A fairly viable method, though, is to simply scour the blockchain for unspent outputs. Hackers with enough time and computing resources on their hands may be able to succeed doing that.
  • Dictionary attacks. Criminals can try to guess the private key for a Bitcoin address that has unspent outputs. If it works, they leverage bots to figure out if any coins were sent to the compromised address. If stars align, the crooks steal the funds easily.
  • The double spending trick. Confirmation blocks for Bitcoin transactions are not generated instantly. It is usually a matter of 10 minutes or so. Hackers can take advantage of this timeframe to perform double spending of the funds. This tactic is the most viable in case a user is reluctant to wait for confirmation and prematurely thinks the transaction has been completed.
  • Flooding the network. It is very problematic to knock such a powerful network offline for a certain amount of time. If an attacker manages to cause an outage like that, though, it will lead to a hiatus of most miners’ work. Meanwhile, the black hats may be able to take advantage of other users’ transactions.
  • Harnessing vulnerabilities of the protocol. Hackers reportedly used the infamous transaction malleability bug to steal about 7% of all Bitcoin via the Mt. Gox exchange. This demonstrates how successfully cybercriminals can weaponize protocol flaws.
  • Cracking the crypto. Cryptography per se is nearly impossible to circumvent as long as it is implemented right. The associated flaws can play into perpetrators’ hands. In a recent move, for instance, attackers leveraged a factorization flaw in a popular code library to get hold of private keys belonging to millions of users.
  •  

    How about the security of affiliated services?

    This is a nontrivial question because people mostly interact with a bevy of services built on top of the protocol and the blockchain, including exchange systems and wallets.

    Bitcoin exchanges usually hold large amounts of cryptocurrency and fiat currencies. Furthermore, they have bank accounts facilitating their business operations. Wallets are utilities keeping private keys. They use regular authentication mechanisms, such as passwords and biometrics. Bitcoin payment systems allow users to buy things with their digital cash. They keep coins in internal wallets.

    These third-party services are the weakest link in the entire cryptocurrency paradigm. They aren’t any more secure than run-of-the-mill digital payment processing systems and engage the blockchain to simply monitor transactions.

    By the way, exchanges are the most heavily targeted entities in this whole framework. The latest incident hit the headlines on January 26, 2018. Coincheck, a popular cryptocurrency exchange headquartered in Japan, admitted having lost a whopping $500 million worth of tokens as a result of a well-orchestrated hack. Just imagine the scope of the problem. That’s the biggest reported cryptocurrency compromise ever.

     

    Bitcoin security: pros and cons

    The protocol and the blockchain are nearly bulletproof. The flip side of the coin is that the associated services listed above don’t bode that well in terms of security.

    Here are the things on the plus side of Bitcoin in this regard: transactions cannot be reversed; transactions cannot be censored as long as they are signed with a valid key; and there are no links between ownership and a Bitcoin address, which translates to better privacy.

    On the other hand, there are numerous caveats. You end up losing your Bitcoin in the following cases:

  • If you lose your private keys.
  • If you type a wrong destination address.
  • If your computer gets hacked.
  • If your wallet gets compromised.
  • If the Bitcoin exchange you use gets hacked.
  •  

    To top it off, the blockchain will not generate any alerts if someone transfers your funds away.

    Another issue has to do with authenticity. The number of miners and generated transactions is constantly growing, which may cause a split of the network. In fact, that’s exactly how the fork of the Bitcoin system called Bitcoin Cash emerged in August 2017. The problem is, the authenticity of the forked blockchain can be questioned at some point, and so can the validity of the cryptocurrency mined within it.

     

    The takeaways

    As far as security goes, Bitcoin is a mixed blessing. To its credit, this cryptocurrency boasts a competently tailored set of innate protection mechanisms relying on cryptography and well-thought-out operational algorithms. However, any system is only as strong as its weakest link. The affiliated third-party systems are susceptible to hacks and manipulations and therefore do a great disservice to Bitcoin security-wise, ultimately making it just about as safe as fiat currencies.

     


    Editor’s Note: This blog article was written by an outside contributor – a guest blogger – for the purpose of offering a wider variety of content for our readers. However, the opinions and recommendations expressed in this guest blog are solely those of the contributor, and do not necessarily reflect those of The Security Awareness Company, LLC. If you are interested in writing something for us, please do not hesitate to contact us: blog@thesecurityawarenesscompany.com.

    David Balaban

    Computer Security Researcher at Privacy PC
    David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

    Latest posts by David Balaban (see all)