Bitcoin exchange floored in virtual bank robbery - $250,000 stolen in security lapse


Bitcoin is an open-source, peer-to-peer digital cash system launched in 2009.

The Bitcoin "currency" has no physical manifestation - there are no banknotes, metal coins, or promissory notes signed with a flourish.

You "mine" Bitcoins synthetically by solving a cryptographic problem.

You then imbue these cryptographic tokens with value and exchange them, and their assumed value, using a mostly-anonymous cryptographic protocol.

By design, the cryptographic problem you need to solve to mint a Bitcoin gets exponentially harder over time, because computers get faster. This also has the effect of limiting the total number of Bitcoins that can ever be created. By the early 2030s, we'll be close to the asymptotic maximum of about 21 million Bitcoins.

Forget regulations, forget Central Banks, and forget Her Majesty's Treasuries. Given enough computing power and electricity, you can make Bitcoins at home. But while that's good news for the Bitcoin-mining community, it's not much use to anyone else.

That's where Bitcoin exchanges come in - websites which buy and sell the cryptographic data representing Bitcoins in exchange for regular currencies.

(Actually, there are also exchanges which trade between virtual currencies, such as swapping Bitcoins for Linden Dollars, the "currency" used in the game Second Life. Anyone remember that?)

Sadly, Bitfloor, the fourth-largest Bitcoin-to-US$ exchange, recently imploded following a security breach.

The losses are modest by the standards of the big banks - some 24,000 Bitcoins, which currently go for about $10 each.

But that's cold comfort for Bitfloor founder Roman Shtylman, who admits he makes only about $2000 per month from the fees he collects, based on a 0.3% charge on handling about $700,000 per month in trades.

In short, Shtylman - who's a JavaScript fan and open source contributor in his other life - has just racked up a quarter-million dollar loss that will take him ten years of Bitcoinery to make up, assuming he can resume trading at the levels he had before shuttering his exchange following the breach.

Ouch!

The cause of the breach was a temporary security lapse made by Shtylman during a system upgrade:

Last night, a few of our servers were compromised. As a result, the attacker gained access to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins.

A commentator retorted:

Unencrypted backup ?!??!?

And Shtylman admitted:

Yes. It was made when I manually did an upgrade and was put in the unencrypted area on disk.

It's easy to be dismissively critical of Shtylman. If you want to, you can dismiss him as a youngster who wanted to be a retail banker in his spare time, knitted together a website to do so, accepted fairly substantial sums of money from other people and didn't look after it properly. Now he has to face the consequences.

You could write him off simply because he embraced the controversial ideal of unregulated "currency", and leave him to pay the price for trying to buck the system.

If you're a customer, you might even try to sue Bitfloor, as happened to an exchange called Bitcoinica, which suffered its own virtual bank robberies earlier this year.

But what happened to Shtylman is a salutary reminder to us all. Security is a full-time job. Even small lapses can be costly.

What Shtylman did is akin to propping the server room door open "because it'll only be for a moment whilst I nip to my desk for those spare cables," or leaving a document containing customer details on your desk "because no-one's likely to look at it."

Most of us have committed this sort of security sin at some time, a point for which I have three simple words: "Don't do that."

Oh. And this: "Anything worth encrypting is worth encrypting always."
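
One way to catch the kind of lapse described above, as an added example that is not from the original article or from Bitfloor: a Python audit that walks a directory and flags files whose contents do not look encrypted. The file names, entropy threshold and sample data are assumptions constructed for illustration, and high entropy is necessary but not sufficient, since compressed plaintext also scores high.

```python
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # assumed cut-off; ciphertext sits close to 8 bits/byte
MIN_SAMPLE = 2048         # below this, entropy is too noisy to judge
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def find_plaintext_candidates(root: str) -> list[tuple[str, str]]:
    """Return (relative path, reason) for files that do not look encrypted."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            entropy = shannon_entropy(sample)
            if len(sample) < MIN_SAMPLE:
                flagged.append((os.path.relpath(path, root), "too small to judge, review by hand"))
            elif entropy < ENTROPY_THRESHOLD:
                flagged.append((os.path.relpath(path, root), f"low entropy ({entropy:.2f} bits/byte)"))
    return sorted(flagged)


def demo() -> list[tuple[str, str]]:
    """Run the audit over a constructed directory (no real key material)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for a plaintext key dump: 4096 hex characters.
        with open(os.path.join(root, "wallet-keys.bak"), "wb") as fh:
            fh.write(os.urandom(2048).hex().encode())
        # Constructed stand-in for an encrypted backup: random bytes.
        with open(os.path.join(root, "wallet-keys.bak.enc"), "wb") as fh:
            fh.write(os.urandom(8192))
        return find_plaintext_candidates(root)


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{rel_path}: {reason}")
```

Run after any manual upgrade or migration, a check like this points at files left outside the encrypted area before someone else finds them.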



6 Responses to Bitcoin exchange floored in virtual bank robbery - $250,000 stolen in security lapse

  1. Digital Adrian · 595 days ago

    What baffles me is that there are actually people waiting for this guy to upgrade his systems, gambling that the makes a mistake, and when he does, they attack.

    What a life these hackers must have . . .

  2. Candy · 595 days ago

    @ Digital Adrian: that "he" makes a mistake.. ;)
    stand-in for the Masked Proof-Reader, yw

  3. Nigel · 594 days ago

    Bitfloor was a magnet...an obvious target because it represented a concentration of data assets convertible to ca$h. The clear lesson here is that any individual or entity that provides such a target must be permanently and continually vigilant.

    The lesson that is perhaps less clear is that even individual, private users shouldn't count on the fact that they're smaller, less obvious targets as a shield against the bad guys. As nefarious hacking tools become more sophisticated, a momentary lapse of vigilance is all it takes to expose the private user to unrecoverable loss.

    • Paul Ducklin · 594 days ago

      What he said!

      Very well put...the fact that we're all targets, even though there might be little wealth and no cachet in hacking us as individuals, is obvious from the fake anti-virus scene. Those guys can literally make tens of millions in a year, $50 at a time from 100s of 1000s or millions of people.

      If you're a potential target over $50, imagine how attractive that makes something like Bitfloor look!

  4. @MobileCasinoBoy · 592 days ago

    It would take him 10 years to make the equivalent of what was taken in 1 day, $250,000.00., you wrote? A young, open source loving, wide eyed youngster with a scruffy beard and a knitted wool hat ... no you wrote something else when you used the word 'knitted'. I personally would have used the word razor, of the occam's variety to describe my initial thoughts about this entire incident.

  5. Mike · 68 days ago

    Time for bitcoin insurance like the USA FDIC. The insurance can be contributed by all of the exchanges dealing with bitcoin. The insurance can be an association of all the exchanges. When a crime occurs they all pitch in to cover the expense.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog