The Latest in IT Security

BitCoin – A matter of trust going bad

12
Jul
2011

In 2009, Satoshi Nakamoto had and idea: A digital currency that could be used without bank or central entities, based on the trust the users had for each other. With the help of public key cryptography and the Internet, members of this peer-to peer network could tell if a user vas a legitimate one and allow transaction from and to it, without revelaing personal details that were apart from the public identity. So BitCoin was born.

It took a couple of years for this system to be known, used mostly by people who wanted to develop and experiment with something new. Little by little, as more people became members of the network, small bussiness and professionals started to accept it as payment, and a currency exchange was started. Sites like Mt.Gox or TradeHill could let you buy and sell bitcoins for US Dollars or Euros among others and thus, BitCoins became not only an electronic currency, but also a physical one, that you could use in the “real world”. BitCoin prices started to grow at an awesome rate, from less than a cent to almost U$20. It was an excellent investment tool and its uses started to become more and more interesting and varied.

But as with everything with foundations based on trust, the slightest mishap can make the system start crumbling, and that is what happened here. BitCoins were used as currency for illegal digital drug markets and when those were taken down, the wrath of certain organizations and parties was directed at BitCoin. They wanted to ban it for being supposedly untraceable and thus, a great tool for criminals.

We have to note here that BitCoins transtactions ARE traceable, as every transaction is broadcasted to the network with a public log. What is difficult to do is to know who is the actual person behind any BitCoin user, beacuse what is logged on the transaction is the public key of the user.

With the system under the public eye, the second strike came: A user reported the theft of almost U$500.000 in BitCoins and the first weaknesses of the system appeared: because this is based on peer-to-peer networking and has no centralizated database, it was impposible to confirm or refute the claim, even by the architects. A lot of dobut was cast over the report, becasue some people say that the system can’t handle such a big transanction, but that is not important. The thing is that if a pc is compromised, the system is not secure and it can’t be trusted implicitly, because you never know if the user is who he or she claims to be. You trust him or her because they have the correct credentials, but you can’t really know there is impersonation going on.

That on early June. A couple of days later some malware was found. Designed just for infiltrating BitCoin computers, detecting the digital wallets and uploading them to an FTP server, it allowed whoever was behind it to do legal transactions with the wallets of other users, because it had the correct credentials. Clever.

And then, for the coupe de grace, the hacking of its biggest exchange site was reported. The media says that almost 60.000 accounts and passwords were stolen in the hack. The price of BitCoins have plummeted and the order to rollback given by the site has not been well received at all.

If you look at the big picture, is a logical chain of events. With the credentials that the malware stole, one can access the currecy exchange site of those particular users. Even when the trades has been stopped until the situation has been normalized, the implicit trust of the system has been completly broken by now because there’s a new and unknown player. It is fair to ask if the same group that wrote the malware is the same group that compromised the exchange site. Coincidence? Difficult to say either way.

It is certainly hard to say whether this system could survive another “Black Thursday”. Trust from the users and from the environment, maybe, but can you trust something that you is so distributed with no central verification?

Sources:

http://www.wired.com/threatlevel/2011/06/silkroad/

http://www.theregister.co.uk/2011/06/16/bitcoin_theft_claims/

http://forum.bitcoin.org/index.php?topic=16457.0

http://forum.bitcoin.org/index.php?topic=1958.0

http://www.zdnet.com/blog/security/new-bitcoin-malware-steals-bitcoin-wallets-infostealercoinbit/8804?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29

http://www.zdnet.com/blog/btl/bitcoin-a-guide-to-the-future-of-currency/50601

Leave a reply


Categories

SUNDAY, DECEMBER 17, 2017

Featured

Archives

Latest Comments

Social Networks