Coincheck Theft Highlights Exchange Vulnerability
- By Winston Thomas
- January 29, 2018
Cryptocurrencies themselves are secure. At the very least, the cryptography that protects them is as strong as anything guarding your bank account.
They are held in digital wallets. A wallet has a public address, to which coins are sent and from which they are spent, and a private key that authorizes spending from that address.
The private key is what matters. It works like a bank account password that only you know, except that it is never sent anywhere: when you spend from your wallet, the private key signs the transaction, and the network accepts the transaction only if the signature checks out against your address. In other words, a thief who wants your cryptocurrency needs your private key, and a properly generated key is infeasible to recover by brute force.
So how did Coincheck lose around USD 500 million in digital tokens, the largest cryptocurrency heist to date? The problem, in Coincheck's case as in most others, lies not with the cryptocurrency but with the exchange.
Exchanges Need to Wake Up
What are exchanges? They are services to which you send cryptocurrency to be stored and traded: essentially one large digital wallet, with each customer's balance tracked in the exchange's own ledger. The difference from holding your own wallet is that trades incur the exchange's fees and that the exchange does not give you the private keys. To make transfers and trades quick, it keeps the keys to itself.
You authorize transactions with a password, not a private key. The exchange treats your instruction as an order and moves the stored cryptocurrency using the private keys it holds. This model simplifies cryptocurrency trading. Besides, a forgotten password can be reset; a lost private key cannot.
A better user interface, access to a community of cryptocurrency holders, the ability to exchange for fiat currency, near real-time market information and customer service are other reasons why exchanges are attractive.
As you can imagine, exchanges are prime targets for hackers, and what the hackers are after are the private keys. Their bet is that those keys sit on insecure or poorly managed servers, and in many cases they do.
The Security Gaps
The truth is that many exchanges run like startups; in fact, many still are startups.
Nor are they held to the standards of a stock exchange. So while new exchanges keep sprouting to offer convenient places for cryptocurrency trading, they are also faltering under the onslaught of cybercriminals who see them as easy targets.
The main problem is the platform. Some run on less secure infrastructure; many lack rigorous security standards. And the absence of legislation or a governance regime leaves many to operate with far less vigilance.
To be fair, many cryptocurrency exchanges adopt strong policies and secure hardware. They are also continually upgrading their infrastructure and introducing new policies. But because they are not held to the same standards as a stock exchange, investing in penetration tests and disaster recovery facilities may not rank as high as being cash positive and building a broader community.
The same attitude got Coincheck into trouble. An unidentified thief stole about 523 million NEM coins because basic security controls were missing. The customers' NEM sat in a hot wallet, one whose private key lives on an internet-connected system so that it can sign withdrawals automatically. Proper practice is to keep the bulk of customer assets in cold wallets, whose keys are held offline, and to expose only a small working float in the hot wallet, so that a compromised server can lose at most that float.
Coincheck also did not use multisignature, in which a transaction is valid only once several independent keys have signed it, a security measure that NEM's blockchain (the technology the cryptocurrency runs on) supports. Why? “The difficulty of the technology and a lack of staff able to carry out the task,” Chief Executive Officer Koichiro Wada, who also serves as Coincheck’s chief technology officer, said at a press conference at the Tokyo Stock Exchange headquarters on Friday.
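To make the two controls above concrete, here is a small added example in Go. It is not Coincheck's or NEM's code, and the withdrawal layout, the key handling and all names are assumptions for illustration; NEM's on-chain multisig differs in its details, and the m-of-n rule is the point. The example models a custodian's signing service: a withdrawal is released only when a threshold of distinct cosigners have each signed it with their own Ed25519 key, which is the same signature check the private-key discussion earlier in the article relies on; and the hot wallet is only ever topped up to a capped float from cold storage, so even an attacker who obtains enough keys can drain no more than that float.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Withdrawal is the instruction the custodian's signers approve (layout assumed).
type Withdrawal struct {
	To     string
	Amount uint64
	Nonce  uint64 // unique per withdrawal; replay tracking is left out here
}

// Bytes is the canonical message every cosigner signs.
func (w Withdrawal) Bytes() []byte {
	buf := make([]byte, 16, 16+len(w.To))
	binary.BigEndian.PutUint64(buf[0:8], w.Amount)
	binary.BigEndian.PutUint64(buf[8:16], w.Nonce)
	return append(buf, w.To...)
}

// Approval is one cosigner's Ed25519 signature over Withdrawal.Bytes().
type Approval struct {
	Signer int // index into MultisigWallet.Cosigners
	Sig    []byte
}

// MultisigWallet releases funds only when Threshold distinct cosigners agree;
// a single-key hot wallet is the special case of one cosigner and Threshold 1.
type MultisigWallet struct {
	Threshold int
	Cosigners []ed25519.PublicKey
	Balance   uint64
}

// Authorize verifies the approvals and, if enough are valid, debits the wallet.
func (m *MultisigWallet) Authorize(w Withdrawal, approvals []Approval) error {
	msg, seen := w.Bytes(), map[int]bool{}
	for _, a := range approvals {
		if a.Signer < 0 || a.Signer >= len(m.Cosigners) {
			return fmt.Errorf("unknown cosigner %d", a.Signer)
		}
		if !ed25519.Verify(m.Cosigners[a.Signer], msg, a.Sig) {
			return fmt.Errorf("bad signature from cosigner %d", a.Signer)
		}
		seen[a.Signer] = true // the same key signing twice still counts once
	}
	if len(seen) < m.Threshold {
		return fmt.Errorf("need %d distinct signatures, got %d", m.Threshold, len(seen))
	}
	if w.Amount > m.Balance {
		return fmt.Errorf("hot wallet holds %d, cannot pay %d", m.Balance, w.Amount)
	}
	m.Balance -= w.Amount
	return nil
}

// Treasury keeps the bulk in cold storage and exposes only a capped float online.
type Treasury struct {
	Cold, HotCap uint64
	Hot          *MultisigWallet
}

// TopUpHot refills the hot wallet from cold storage up to HotCap and returns the
// amount moved, so a hot-key compromise can lose at most HotCap at a time.
func (t *Treasury) TopUpHot() uint64 {
	if t.Hot.Balance >= t.HotCap {
		return 0
	}
	need := t.HotCap - t.Hot.Balance
	if need > t.Cold {
		need = t.Cold
	}
	t.Cold -= need
	t.Hot.Balance += need
	return need
}

// NewCosigners generates n key pairs; in production each private key would sit on
// its own signer (an HSM or an offline machine), never all together on one server.
func NewCosigners(n int) ([]ed25519.PublicKey, []ed25519.PrivateKey) {
	pubs, privs := make([]ed25519.PublicKey, n), make([]ed25519.PrivateKey, n)
	for i := range pubs {
		pubs[i], privs[i], _ = ed25519.GenerateKey(nil) // nil reader means crypto/rand
	}
	return pubs, privs
}

// Sign is what one cosigner does with its own key.
func Sign(idx int, priv ed25519.PrivateKey, w Withdrawal) Approval {
	return Approval{Signer: idx, Sig: ed25519.Sign(priv, w.Bytes())}
}

func main() {
	pubs, privs := NewCosigners(3)
	tr := &Treasury{Cold: 1000000, HotCap: 50000, Hot: &MultisigWallet{Threshold: 2, Cosigners: pubs}}
	tr.TopUpHot()
	steal := Withdrawal{To: "attacker-address", Amount: 1000000, Nonce: 1}
	fmt.Println(tr.Hot.Authorize(steal, []Approval{Sign(0, privs[0], steal)}))                            // one stolen key: rejected
	fmt.Println(tr.Hot.Authorize(steal, []Approval{Sign(0, privs[0], steal), Sign(1, privs[1], steal)})) // two keys, but only the float is online: rejected
}
```

Two design points are worth noting. Approvals are counted by distinct signer index, not by number of signatures, because a threshold check that counts raw signatures lets one stolen key be replayed to meet an m-of-n rule. And the cap on the hot float is what bounds the loss when the online host is compromised; the multisig threshold only raises the number of keys the attacker must collect.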
What Next?
Confidence is rattled. Some observers say traders may turn to peer-to-peer trading rather than use exchanges. It will also deter institutional investors from diving into a market that is still evolving and finding its feet.
Meanwhile, regulators need to start moving in to check on these exchanges. In fact, the incident occurred just when Japanese regulators were rolling out a new licensing scheme.
And it will only get worse. Exchanges are multiplying as interest in cryptocurrencies grows. Obviously banning cryptocurrency activities is one way to go, but it will only drive the market elsewhere or underground. Instead, regulators need to start defining what a cryptocurrency is and align it with the same policies that govern fiat currency and commodity exchanges.
Meanwhile, cybercriminals, who are learning and honing their skills with each attack, are looking for their next less secure target.
Winston Thomas
Winston Thomas is the editor-in-chief of CDOTrends. He likes to piece together the weird and wondering tech puzzle for readers and identify groundbreaking business models led by tech while waiting for the singularity.