Bitcoin is an open-source, peer-to-peer digital cash system launched in 2009.
The Bitcoin “currency” has no physical manifestation – there are no banknotes, metal coins, or promissory notes signed with a flourish.
You “mine” Bitcoins synthetically by solving a cryptographic problem.
You then imbue these cryptographic tokens with value and exchange them, and their assumed value, using a mostly-anonymous cryptographic protocol.
By design, the reward you get whenever you “mine” a new coin halves every few years, as an anti-inflationary measure built into the Bitcoin system.
This also has the effect of limiting the total number of Bitcoins that can ever be created. By the early 2030s, we’ll already be close to the asymptotic maximum of about 21 million Bitcoins.
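To make the halving arithmetic concrete, here is an added example (not from the original article) that computes the issuance schedule from the rules as Bitcoin defines them: a 50 BTC starting subsidy, a halving every 210,000 blocks, and truncation to whole satoshis; ten-minute blocks from January 2009 are assumed only for the rough year column.

```javascript
// Assumed constants: 50 BTC initial subsidy, halving every 210,000 blocks,
// subsidy truncated to whole satoshis; 10-minute blocks for the year estimate.
const SATOSHI = 1e8;
const INITIAL_SUBSIDY = 50 * SATOSHI;
const HALVING_INTERVAL = 210000;
const BLOCKS_PER_YEAR = 6 * 24 * 365.25; // assumes 10-minute blocks

// Subsidy paid for a block at the given height, in satoshis.
function blockSubsidy(height) {
  const era = Math.floor(height / HALVING_INTERVAL);
  return Math.floor(INITIAL_SUBSIDY / 2 ** era); // truncates to 0 after era 32
}

// Coins issued by all blocks below `height`, in satoshis.
function supplyAtHeight(height) {
  let total = 0;
  for (let era = 0; era * HALVING_INTERVAL < height; era++) {
    const start = era * HALVING_INTERVAL;
    const blocks = Math.min(HALVING_INTERVAL, height - start);
    total += blocks * blockSubsidy(start);
  }
  return total;
}

// Asymptotic maximum: sum every era until the subsidy truncates to zero.
function totalSupply() {
  let era = 0;
  while (blockSubsidy(era * HALVING_INTERVAL) > 0) era++;
  return supplyAtHeight(era * HALVING_INTERVAL);
}

function estimatedYear(height) {
  return 2009 + height / BLOCKS_PER_YEAR;
}

// One row per completed halving era: height, rough year, cumulative supply
// and how close that is to the maximum.
function schedule(eras) {
  const max = totalSupply();
  return Array.from({ length: eras }, (_, k) => {
    const height = (k + 1) * HALVING_INTERVAL;
    const supply = supplyAtHeight(height);
    return {
      era: k, height, year: Math.round(estimatedYear(height)),
      btc: supply / SATOSHI, pctOfMax: +((100 * supply) / max).toFixed(2),
    };
  });
}
console.table(schedule(8));
```

The sixth era ends around 2033 with roughly 98% of the 20,999,999.9769 BTC maximum already issued, which is the "close to the asymptotic maximum by the early 2030s" point above.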
Forget regulations, forget Central Banks, and forget Her Majesty’s Treasuries. Given enough computing power and electricity, you can make Bitcoins at home. But while that’s good news for the Bitcoin-mining community, it’s not much use to anyone else.
That’s where Bitcoin exchanges come in – websites which buy and sell the cryptographic data representing Bitcoins in exchange for regular currencies.
(Actually, there are also exchanges which trade between virtual currencies, such as swapping Bitcoins for Linden Dollars, the “currency” used in the game Second Life. Anyone remember that?)
Sadly, Bitfloor, the fourth-largest Bitcoin-to-US$ exchange, recently imploded following a security breach.
The losses are modest by the standards of the big banks – some 24,000 Bitcoins, which currently go for about $10 each.
But that’s cold comfort for Bitfloor founder Roman Shtylman, who admits he makes only about $2000 per month from the fees he collects, based on a 0.3% charge on handling about $700,000 per month in trades.
The cause of the breach was a temporary security lapse made by Shtylman during a system upgrade:
Last night, a few of our servers were compromised. As a result, the attacker gained access to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins.
A commentator retorted:
Unencrypted backup ?!??!?
And Shtylman admitted:
Yes. It was made when I manually did an upgrade and was put in the unencrypted area on disk.
It’s easy to be dismissively critical of Shtylman. If you want to, you can dismiss him as a youngster who wanted to be a retail banker in his spare time, knitted together a website to do so, accepted fairly substantial sums of money from other people and didn’t look after it properly. Now he has to face the consequences.
You could write him off simply because he embraced the controversial ideal of unregulated “currency”, and leave him to pay the price for trying to buck the system.
If you’re a customer, you might even try to sue Bitfloor, as happened to an exchange called Bitcoinia, which suffered its own virtual bank robberies earlier this year.
But what happened to Shtylman is a salutary reminder to us all. Security is a full-time job. Even small lapses can be costly.
What Shtylman did is akin to propping the server room door open “because it’ll only be for a moment whilst I nip to my desk for those spare cables,” or leaving a document containing customer details on your desk “because no-one’s likely to look at it.”
Most of us have committed this sort of security sin at some time, a point for which I have three simple words: “Don’t do that.”
Oh. And this: “Anything worth encrypting is worth encrypting always.”
6 comments on “Bitcoin exchange floored in virtual bank robbery – $250,000 stolen in security lapse”
What baffles me is that there are actually people waiting for this guy to upgrade his systems, gambling that the makes a mistake, and when he does, they attack.
What a life these hackers must have . . .
@ Digital Adrian: that "he" makes a mistake.. 😉
stand-in for the Masked Proof-Reader, yw
Bitfloor was a magnet…an obvious target because it represented a concentration of data assets convertible to ca$h. The clear lesson here is that any individual or entity that provides such a target must be permanently and continually vigilant.
The lesson that is perhaps less clear is that even individual, private users shouldn't count on the fact that they're smaller, less obvious targets as a shield against the bad guys. As nefarious hacking tools become more sophisticated, a momentary lapse of vigilance is all it takes to expose the private user to unrecoverable loss.
What he said!
Very well put…the fact that we're all targets, even thought there might be little wealth and no cachet in hacking us as individuals, is obvious from the fake anti-virus scene. Those guys can literally make tens of millions in a year, $50 at a time from 100s of 1000s or millions of people.
If you're a potential target for $50, imagine how attractive that makes something like Bitfloor look!
It would take him 10 years to make the equivalent of what was taken in 1 day, $250,000.00, you wrote? A young, open source loving, wide eyed youngster with a scruffy beard and a knitted wool hat … no you wrote something else when you used the word 'knitted'. I personally would have used the word razor, of the occam's variety, to describe my initial thoughts about this entire incident.
Time for bitcoin insurance like the USA FDIC. The insurance can be contributed by all of the exchanges dealing with bitcoin. The insurance can be an association of all the exchanges. When a crime occurs they all pitch in to cover the expense.