4IRC Recap: Bitcoin isn’t dead, say cryptoassets experts
At the latest 4IRC event on 2 April, experts from banks and cyber security organisations discussed cryptoassets.
Host Emer Maguire opened by paraphrasing a recent FT piece: ‘The Treasury and the Financial Conduct Authority should have more power to oversee the Wild West of cryptocurrency – stopping money laundering, cyber criminality, etc.’
2018 wasn’t a great year for bitcoin, Emer noted: it had been worth $20,000 per coin at the end of 2017 and fell to less than $4,000 by the end of 2018.
The first speaker was Roland Bone, VP of the Financial Crime Screening Programme at Barclays.
“We’ve been on an interesting journey over the last 3 years with cryptocurrency,” Roland said.
“Financial compliance, payment transactions, the risk it presents to banks, the threat it poses to the whole financial ecosystem and the compliance regimes are yet to be totally understood,” he went on. “It’s a true disrupter in terms of how money is managed and how it moves.”
Roland noted that HMRC, like the FCA, does not recognise bitcoin as a currency or money. “This is quite substantial to how we treat exchange tokens,” Roland said.
The ‘Wild Wild West’ will face stricter regulations soon, Roland noted. “Terrorist financing and money laundering recommendations are being transposed into further legislation this year.”
There are three key challenges to the regulation of cryptocurrency – regulation that is required to bring it to mass market:
- control over custody
“But if you look at the origin of bitcoin a decade ago, it was all about being anti-establishment, Occupy Wall Street, and so on. Now Barclays has a partnership with Coinbase. Who would have thought 10 years later we’d be here?”
Roland questioned whether cryptocurrency works as a decentralised concept.
“You need a framework – an enforcement mechanism and you need an enforcer – how does that happen in a decentralised environment?”
In the development community, agreement is hard to reach, he said.
Roland presented a series of questions that, he says, banks need to answer before cryptocurrency will go mainstream.
- What does bitcoin allow you to do that mainstream money doesn’t at the moment?
- How do you manage volatility – if your bank balance rises and falls all the time?
- Custodial wallets and custodial exchanges can be subjected to identity checks, verifying who you are and monitoring your transactions for anti-money-laundering purposes. But what about non-custodial wallets?
- For catching financial criminals: how do you freeze assets if you don’t know where they are? How can you catch up with the end person who owns an asset if they own and store their own private keys?
- How does a regular person get legal recourse if a key is stolen?
“Another point is around anonymity,” Roland said. “The FCA has a consultation paper out at the moment that goes above and beyond the EU’s anti-money laundering objectives. It’s hard to square that with a decentralised system.”
Finally Roland discussed Barclays’ relationship with Coinbase, saying: “The amount of control work as an institution to get into this is phenomenal – so you’ll see that comes at a cost, so Coinbase isn’t as cost effective as other platforms.”
The next speaker, David Stubley, founder of 7 elements, presented: “Gone in 60 Seconds, How to Steal $15.4m.”
David said his “day job is hacking into things – wireless networks, infrastructures – then we leverage that knowledge to understand what the bad guys are doing.”
“Today’s talk is based on a real case study we dealt with last year.”
“We helped an individual that had lost the equivalent of $500,000 in bitcoin.”
The person in question wanted to use the money for a house purchase, and noticed a huge fraudulent transaction on their cryptocurrency account.
“How was it done? A classic phishing attack? What was it?”
David said it was a simple phishing attack. Bitgo, the website that held the wallet, was mimicked by a site called ‘Bitggo’, with an extra ‘g’.
David explained, “Hackers used link seeding – so they paid for an advert that sits at the top of a Google return – sending the user to the malicious site.”
When the legitimate user visited the malicious site, the criminal read their login details in real time as they were entered.
David explained the sequence:
- The user logs in on the fake site, and the login credentials are captured.
- The attackers now have everything they need to get into the real site.
- Then comes the clever part: the fake site tells the user the login failed and asks for a second OTP.
- The user thinks they are still at the front door, but the criminal is already inside the wallet.
- The user believes they are logging in again, but the second code actually legitimises the criminal’s transaction.
“83 bitcoins, within three minutes, were transferred out of the wallet,” David said.
As they traced the movements of the bitcoin, the sheer scale of the criminality began to be revealed, David said.
“Suddenly we saw that we were at a much bigger scale of theft because now there’s $1.4m in the wallet – adding our customer’s money to other people’s money. We revisited the wallet sometime later, and found that it had been onward moved to a final wallet containing $15.4m.”
David discussed how security holes in Bitgo’s system would have been untenable, had they been a traditional financial institution.
“The provider had a responsibility that in my view they didn’t meet.”
“The IP address was a geography the user had never been in, suddenly they’re logging in from a completely different country and moving all their money out – that should have raised red flags. The actual wallet itself was set up in a very weak fashion – the password for the wallet was the default password for logging into the system – those two should never be allowed to be the same.”
David said that if cryptocurrency were subject to regulation, alerts could stop crimes like these.
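The controls David describes (flagging a login from a country the user has never used, catching a withdrawal that empties the wallet minutes later, and refusing a wallet passphrase that is the same as the account password) can be written as a small rule set. The following is an added example of mine, not code from 7 elements or from the wallet provider; the event format, the 15-minute window, the 50% drain ratio and the minimum passphrase length are assumptions for illustration, and the event stream is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event stream (illustrative data, not real logs).
# "balance" is the wallet balance in BTC before the withdrawal is applied.
SAMPLE_EVENTS = [
    {"ts": "2018-03-01T09:00:00", "user": "alice", "type": "login", "country": "GB"},
    {"ts": "2018-03-05T18:30:00", "user": "alice", "type": "login", "country": "GB"},
    {"ts": "2018-03-05T18:35:00", "user": "alice", "type": "withdraw", "amount": 0.5, "balance": 83.5},
    {"ts": "2018-03-20T03:12:00", "user": "alice", "type": "login", "country": "ZZ"},  # never seen for alice
    {"ts": "2018-03-20T03:14:30", "user": "alice", "type": "withdraw", "amount": 83.0, "balance": 83.0},
    {"ts": "2018-03-21T11:00:00", "user": "bob", "type": "login", "country": "GB"},    # bob's first login
    {"ts": "2018-03-21T11:05:00", "user": "bob", "type": "withdraw", "amount": 1.0, "balance": 10.0},
]


def detect_account_takeover(events, window=timedelta(minutes=15), drain_ratio=0.5):
    """Return a list of (timestamp, user, rule, detail) alerts.

    Rule 1: login from a country not in the user's established baseline.
    Rule 2: withdrawal of at least drain_ratio of the balance within `window`
            of a Rule-1 login. Thresholds are assumed values for illustration.
    """
    baseline = defaultdict(set)   # user -> countries seen on trusted logins
    risky_login_at = {}           # user -> time of the most recent Rule-1 login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "login":
            known = baseline[user]
            if known and ev["country"] not in known:
                # New geography. It is NOT added to the baseline: an attacker's
                # first login must not teach the system that the country is normal.
                alerts.append((ev["ts"], user, "login_new_country", ev["country"]))
                risky_login_at[user] = ts
            else:
                # First-ever login (no baseline yet) or a known country.
                known.add(ev["country"])
        elif ev["type"] == "withdraw":
            risky = risky_login_at.get(user)
            drains = ev["balance"] > 0 and ev["amount"] / ev["balance"] >= drain_ratio
            if risky is not None and ts - risky <= window and drains:
                alerts.append((ev["ts"], user, "drain_after_new_country_login", ev["amount"]))
    return alerts


def wallet_passphrase_acceptable(account_password, wallet_passphrase, min_len=12):
    """Policy check at wallet creation: the wallet passphrase must differ from
    the account login password and meet a minimum length (min_len is assumed)."""
    return wallet_passphrase != account_password and len(wallet_passphrase) >= min_len


if __name__ == "__main__":
    for alert in detect_account_takeover(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream only alice's 3am login and the withdrawal two and a half minutes later fire; bob's first login produces nothing because there is no baseline to compare against. In a real deployment the second rule would put the withdrawal on hold pending out-of-band confirmation rather than only raising an alert, and the per-user baseline would be persisted.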
The next speaker was Rapid7’s Claire Burns, who discussed “The Weakest Link in the Blockchain.”
Claire discussed the Mt. Gox disaster. Mt. Gox was one of the first bitcoin exchanges, set up in 2010 by Jed McCaleb.
“Two vulnerabilities that he unwittingly left in his code were exposed,” she said.
“When transferring money from one person to another there was an exploit – and the gist was this – a user could inject XML to override parameters to ask for more money than they’d asked for.”
“Secondly the transaction accepted negative inputs, allowing users to withdraw money when they should be depositing it.”
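To make the two defects concrete, here is an added example of my own: a reconstruction for illustration, not Mt. Gox's code. The XML layout, the field names and the ledger are assumptions. The vulnerable handler builds its request by string concatenation, takes the last of any repeated element, and never checks the sign of the amount; the hardened handler beside it closes all three holes.

```python
from decimal import Decimal, InvalidOperation
import xml.etree.ElementTree as ET


# ---- Vulnerable version: the two defects described above, reconstructed ----

def build_transfer_xml_unsafe(sender, recipient, amount):
    # User-controlled strings are spliced straight into the document, so a
    # recipient such as 'mallory</to><from>victim</from><to>mallory' injects
    # extra elements. <from> is meant to be server-set but is not protected.
    return f"<transfer><from>{sender}</from><to>{recipient}</to><amount>{amount}</amount></transfer>"


def parse_transfer_unsafe(xml_doc):
    # "Last element wins": a second <from> or <amount> silently overrides the first.
    fields = {}
    for child in ET.fromstring(xml_doc):
        fields[child.tag] = child.text
    return fields


def apply_transfer_unsafe(balances, xml_doc):
    req = parse_transfer_unsafe(xml_doc)
    amount = Decimal(req["amount"])           # no sign check
    if balances[req["from"]] - amount < 0:    # always passes for a negative amount
        raise ValueError("insufficient funds")
    balances[req["from"]] -= amount           # a negative "transfer" credits the sender
    balances[req["to"]] = balances.get(req["to"], Decimal(0)) + amount


# ---- Hardened version ----

class TransferError(ValueError):
    pass


def build_transfer_xml_safe(recipient, amount):
    # Build the tree through the XML API so the serialiser escapes < > & in text.
    # The sender is deliberately NOT carried in the document; the server takes
    # it from the authenticated session.
    root = ET.Element("transfer")
    ET.SubElement(root, "to").text = recipient
    ET.SubElement(root, "amount").text = amount
    return ET.tostring(root, encoding="unicode")


def parse_transfer_safe(xml_doc):
    # Strict schema: exactly one <to> and one <amount>, nothing else.
    fields = {}
    for child in ET.fromstring(xml_doc):
        if child.tag not in ("to", "amount") or child.tag in fields:
            raise TransferError(f"unexpected or duplicate element: {child.tag}")
        fields[child.tag] = child.text or ""
    if set(fields) != {"to", "amount"}:
        raise TransferError("missing field")
    return fields


def apply_transfer_safe(balances, sender, xml_doc):
    req = parse_transfer_safe(xml_doc)
    try:
        amount = Decimal(req["amount"])
    except InvalidOperation:
        raise TransferError("amount is not a number") from None
    if not amount.is_finite() or amount <= 0:   # rejects negatives, zero, NaN, infinity
        raise TransferError("amount must be positive")
    if req["to"] not in balances or req["to"] == sender:
        raise TransferError("invalid recipient")
    if balances[sender] < amount:
        raise TransferError("insufficient funds")
    balances[sender] -= amount
    balances[req["to"]] += amount


def run_demo():
    """Replay both attacks against each version on a constructed ledger."""
    unsafe = {"alice": Decimal(100), "victim": Decimal(500), "mallory": Decimal(0)}
    safe = dict(unsafe)
    injected_recipient = "mallory</to><from>victim</from><to>mallory"
    # Attack 1: alice's request overrides <from> and moves victim's money.
    apply_transfer_unsafe(unsafe, build_transfer_xml_unsafe("alice", injected_recipient, "50"))
    # Attack 2: a negative amount credits alice and debits the "recipient".
    apply_transfer_unsafe(unsafe, build_transfer_xml_unsafe("alice", "mallory", "-100"))
    rejections = []
    for recipient, amount in ((injected_recipient, "50"), ("mallory", "-100")):
        try:
            apply_transfer_safe(safe, "alice", build_transfer_xml_safe(recipient, amount))
        except TransferError as err:
            rejections.append(str(err))
    return unsafe, safe, rejections


if __name__ == "__main__":
    print(run_demo())
```

Against the vulnerable handler the first request moves 50 out of victim's account and the second leaves alice 100 richer and mallory with a negative balance; the hardened handler rejects both and leaves the ledger untouched. Escaping on output, rejecting duplicate elements, and taking the sender from the session rather than the request each independently defeat the injection, and the positive-amount check defeats the negative deposit.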
Other disasters ensued, such as the hot wallet being stolen. “This is different from a cold wallet stored in a secure location further away.”
Claire said that 80,000 bitcoins were stolen out of the hot wallet that are still sitting on the blockchain today.
She said, “Mt. Gox was now insolvent, the Department of Homeland Security seized $5m in total. When it shut down altogether they lost 7% of all the bitcoin in the world – people couldn’t grasp how all that bitcoin was just lost.”
What have we learned? Claire pointed out the following:
- It’s not a good idea to leave cryptocurrency on the exchange – keep an encrypted wallet on your computer, or a hardware wallet that you keep on your person
- Back up wallet keys often, use strong passwords
- Do your research. Check whether the exchange complies with audits in the UK and US
- Don’t go onto an exchange that has just popped up yesterday
- Use two factor authentication
Claire finished with, “Cryptocurrencies shift control back to the people using it – so it gives you increased financial freedom – but you yourself are responsible for your own crypto assets. The decentralised system is only as strong as its weakest link.”
The next speaker was Simon, who said: “Our motto is Prepare, Protect and Persist. Basically we help train people – then break things – then make sure things are aligned with security principles.”
Simon said, “I began in the oil and gas industry – companies that were selling software to them – in the US, Middle East etc.”
“Security couldn’t have been further from the agenda, and then we started working with a Russian oil and gas company – all of a sudden security became the most important thing.”
“We started learning how to break stuff. I knew where developers hid the bodies and where shortcuts were being taken.”
Simon said his experience of security is that nothing really ever changes – we have basic flaws that are still impacting the most critical apps:
- Obfuscation rather than security – people hiding things
- Automated scans – in one case, AWS keys had been put into a public-facing GitHub repository; within 55 seconds AWS had notified the user of the problem, and within 2 minutes 20 seconds those keys were being used maliciously. “That’s quite a short timeframe if it happens at 3am on a Sunday night.”
- Volume of trades is extraordinary and that’s why we’re under attack
- Mt. Gox’s issues had been going on for years
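Simon's point is about time to abuse, and the cheapest control is to stop the key reaching a public repository at all. Below is an added example of mine, not Simon's tooling or any particular product: a small scanner for the two AWS credential shapes that a pre-commit hook can run over the staged diff. The regexes, the entropy threshold and the sample diff are my assumptions; the key values in the sample are AWS's published documentation examples, not live credentials.

```python
import math
import re
from collections import Counter

# Credential shapes at issue. AKIA = long-lived access key ID, ASIA = temporary
# (STS) access key ID; both are 20 characters.
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is 40 base64-ish characters; require it to sit on a line
# that names the secret, so ordinary hashes and tokens do not match.
AWS_SECRET_RE = re.compile(r"(?i)aws_?secret(?:_?access)?_?key\W{0,10}([A-Za-z0-9/+=]{40})")

# Constructed sample of a staged diff. Key values are AWS's documentation
# examples (AKIAIOSFODNN7EXAMPLE / wJalrX...EXAMPLEKEY), not real credentials.
SAMPLE_DIFF = "\n".join([
    "+# deploy settings (constructed sample)",
    "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "+AWS_SECRET_ACCESS_KEY=" + "x" * 40,   # placeholder, should not be flagged
    "+REGION=eu-west-1",
])


def shannon_entropy(s):
    """Bits per character; 0.0 for a string of one repeated character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def mask(value):
    """Keep the first and last four characters so a finding can be matched
    to a key without reprinting the whole secret in hook output or logs."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(text, min_secret_entropy=3.5):
    """Scan text (a staged diff or a file) and return findings as
    (line_number, kind, masked_value). min_secret_entropy is an assumed
    threshold that skips placeholder strings such as 'xxxx...'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", mask(m.group(1))))
        for m in AWS_SECRET_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= min_secret_entropy:
                findings.append((lineno, "aws_secret_access_key", mask(secret)))
    return findings


if __name__ == "__main__":
    import sys
    # Read the diff from stdin when piped (e.g. from a pre-commit hook),
    # otherwise run on the constructed sample.
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    findings = find_aws_credentials(text)
    for lineno, kind, masked in findings:
        print(f"line {lineno}: {kind} {masked}")
    sys.exit(1 if findings else 0)
```

Wired up as `git diff --cached | python scan.py` in a pre-commit hook, a non-zero exit blocks the commit. The entropy check is what keeps the hook usable: documentation placeholders and `xxxx` templates have near-zero entropy and are skipped, while a real secret of 40 mixed characters scores well above the threshold.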
Simon said some recent events demonstrate flaws in protocol:
- Blackwallet – 400k dollars stolen
- Russian Federation Nuclear Centre – used a supercomputer to mine virtual currency – if you’re going to do it, a supercomputer sounds like the way to go, much more effective than a Raspberry Pi
- The UK was infected with a cryptocurrency
- Binance – credential stealing scheme and it appears it was a very basic phishing scheme – “This was very 2011 but what we’re seeing is that the same basic attacks are working,” Simon said.
In summary, Simon said, “What we’re seeing is that they’re old attacks, but with new targets.”
- Script injection to perform mining
- Mining rather than encryption scams – the mining happens in the background; there have been instances where a customer’s AWS bills were much higher last year because their account was being used for mining
- Server compromise now being hidden
- Web applications and infrastructure are targeted
The next speaker was Stephen McPeake, founder of CivicDollars.
“We’re using blockchain for smart cities projects – incentivising people to use parks more often,” Stephen said.
His original idea was called ReportAll. “There was no app to report water leaks – or any problems to local councils – especially dog poo, that’s a favourite one at the moment, or flytippers.”
“I liked the idea of the technology behind blockchain but I was scared of bitcoin and cryptocurrencies,” Stephen said.
“That’s where CivicDollars comes in. It’s going to be earned not by who has the fastest computer but by citizens in the community.”
How to earn:
Volunteer, donating blood, organising litter picks, etc
How to spend the civic dollars:
Gaining free gym tokens, a free swim, Glider and Metro vouchers, or V Bucks in Fortnite
“We’re going live on the 1st of June with a GeoFence around Connswater Greenway and Victoria Park in Belfast.”
If people check in to the park, they’ll earn CivicDollars for every 30 mins they spend there.
Stephen said, “QUB’s Centre of Excellence for Public Health have been involved with a study – and they found that if 2% of people in the Connswater area who are inactive become active, it will cover cost of the infrastructure for the next 40 years.”
The speakers were joined on the panel by Mark Woods, who does asset recovery for Wilson’s Auctions.
Mark said, “The government were seizing cryptocurrencies and needed a solution – what happens when these assets are seized?”
“We designed a facility for the storage and disposal for cryptocurrencies – we signed a contract with the Belgian government and did an auction for £300,000 of bitcoin.”
The audience then asked the panellists some questions.
Q: The criminal with the $15.4m wallet – were they found?
David said, “We passed all of the details of our investigation to the authorities, to Europol and the Feds. We knew the wallets that were implicated – the paperwork was submitted to seize those wallets. After that we didn’t hear anything further.”
Q: Do we know what people are spending bitcoin on? Is it still mostly illegal?
Mark said, “Chainalysis did a study this year on where it’s being spent – 1% of cryptocurrency transactions are centred around criminal activity, obviously this is very small, but take that with a pinch of salt because the accuracy is difficult to ascertain. But there is a stigma around it, for people who don’t know and understand it. That’s just a factor in how new it is. If you compare with the internet we’re probably around the late 80s to where the internet was. So we’re still looking for the killer app.”
Stephen said, “Over the weekend I worked on someone’s personal computer that was hit with ransomware, they paid £4,000 to unlock it. There’s a lot more people paying than you think, to get their data unlocked.”
Simon said, “Mostly these ransomware cases are from open RDP sessions – the archetypal crap password which is at the crux of every issue we’re seeing. How that relates to what percentages are spent on illegal goods is difficult to determine. From our point of view, we only get to see the bad things.”
Roland said, “If you think about it in a practical way and you look at the mining cycle – a block is mined every 10 minutes – so in terms of transactions, that’s seven per minute going through. But compare that to 7,000 a minute in Visa etc, which can scale up to 20,000 a minute at Christmas when they need to scale. It’s just not a practical application at the moment.”
He went on, “I went into Computer Exchange, one of the only places you can spend bitcoin in Glasgow, and I decided to buy a ChromeCast. It took 15 minutes with a manual to see how to do this at the cashpoint – so you can see what the challenges are.”
“If you look at the transactions happening, it’s mostly institutional arbitrage transactions.”
The host Emer asked the final question: What are the challenges to widespread adoption?
Stephen said, “The age gap will be a huge challenge between what older and younger people are comfortable with.”
Mark said, “Moving away from the stigma, of the exchange as being hacked.”
Simon said, “Trust and security… getting away from idea of storing money in a mattress – getting rid of the fear.”
Claire said, “Security issues, transaction time and UX.”
Roland said, “Regulatory alignment – regulators writing code that’s suitable for crypto rather than shoehorning it into current regulations.”
David said, “Volatility – until it’s stable it won’t be adopted widely.”