
Bitcoin exchange floored in virtual bank robbery - $250,000 stolen in security lapse

Blog post by Paul Ducklin, Sophos

Bitcoin is an open-source, peer-to-peer digital cash system launched in 2009.

The Bitcoin "currency" has no physical manifestation - there are no banknotes, metal coins, or promissory notes signed with a flourish.

You "mine" Bitcoins synthetically by solving a cryptographic problem.

You then imbue these cryptographic tokens with value and exchange them, and their assumed value, using a mostly-anonymous cryptographic protocol.

By design, the cryptographic problem you need to solve to mint a Bitcoin gets exponentially harder over time, because computers get faster. This also has the effect of limiting the total number of Bitcoins that can ever be created. By the early 2030s, we'll be close to the asymptotic maximum of about 21 million Bitcoins.

Forget regulations, forget Central Banks, and forget Her Majesty's Treasuries. Given enough computing power and electricity, you can make Bitcoins at home. But while that's good news for the Bitcoin-mining community, it's not much use to anyone else.

That's where Bitcoin exchanges come in - websites which buy and sell the cryptographic data representing Bitcoins in exchange for regular currencies.

(Actually, there are also exchanges which trade between virtual currencies, such as swapping Bitcoins for Linden Dollars, the "currency" used in the game Second Life. Anyone remember that?)

Sadly, Bitfloor, the fourth-largest Bitcoin-to-US$ exchange, recently imploded following a security breach.

The losses are modest by the standards of the big banks - some 24,000 Bitcoins, which currently go for about $10 each.

But that's cold comfort for Bitfloor founder Roman Shtylman, who admits he makes only about $2000 per month from the fees he collects, based on a 0.3% charge on handling about $700,000 per month in trades.

In short, Shtylman - who's a JavaScript fan and open source contributor in his other life - has just racked up a quarter-million dollar loss that will take him ten years of Bitcoinery to make up, assuming he can resume trading at the levels he had before shuttering his exchange following the breach.

Ouch!

The cause of the breach was a temporary security lapse made by Shtylman during a system upgrade:

Last night, a few of our servers were compromised. As a result, the attacker gained access to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins.

A commentator retorted:

Unencrypted backup ?!??!?

And Shtylman admitted:

Yes. It was made when I manually did an upgrade and was put in the unencrypted area on disk.

It's easy to be dismissively critical of Shtylman. If you want to, you can dismiss him as a youngster who wanted to be a retail banker in his spare time, knitted together a website to do so, accepted fairly substantial sums of money from other people and didn't look after it properly. Now he has to face the consequences.

You could write him off simply because he embraced the controversial ideal of unregulated "currency", and leave him to pay the price for trying to buck the system.

If you're a customer, you might even try to sue Bitfloor, as happened to an exchange called Bitcoinica, which suffered its own virtual bank robberies earlier this year.

But what happened to Shtylman is a salutary reminder to us all. Security is a full-time job. Even small lapses can be costly.

What Shtylman did is akin to propping the server room door open "because it'll only be for a moment whilst I nip to my desk for those spare cables," or leaving a document containing customer details on your desk "because no-one's likely to look at it."

Most of us have committed this sort of security sin at some time, a point for which I have three simple words: "Don't do that."

Oh. And this: "Anything worth encrypting is worth encrypting always."
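As an added illustration of that last principle (this is not code from Ducklin's post, nor anything Bitfloor ran), here is what "encrypting always" looks like in practice, in Python with only the standard library. The first half is a backup helper that has no code path for writing key material in the clear: the passphrase-derived key, the nonce and the authentication tag are all produced inside the same call, so a hurried manual upgrade cannot skip the encryption step. The second half is the check a defender would run afterwards: a sweep of a file or disk image for Bitcoin private keys in Wallet Import Format (base58check with version byte 0x80, which is the real WIF layout) that have been left lying around as plaintext, using the embedded checksum so that random base58-looking strings are not reported. The passphrase, the sample key and the file contents are constructed for the example. The HMAC-SHA256 counter-mode cipher with a separate HMAC tag is used only to keep the example free of third-party dependencies; a production backup tool would use a vetted AEAD such as AES-GCM from a maintained library.

```python
"""Encrypt-always key backups, plus a scanner for plaintext WIF keys left on disk.

Added example; the sample key, passphrase and file contents are constructed.
"""
import hashlib
import hmac
import re
import secrets

# ---------------------------------------------------------------------------
# Part 1: a backup routine that cannot emit key material in the clear.
# Layout of a backup blob: salt(16) || nonce(16) || ciphertext || tag(32)
# ---------------------------------------------------------------------------

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (demo substitute for an AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive_keys(passphrase: str, salt: bytes):
    """scrypt stretches the passphrase; first 32 bytes encrypt, last 32 authenticate."""
    master = hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return master[:32], master[32:]


def encrypt_backup(plaintext: bytes, passphrase: str) -> bytes:
    """Return an encrypted, authenticated backup blob. There is no plaintext mode."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_backup(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag before touching the ciphertext; reject tampering or a wrong passphrase."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("backup tampered with or wrong passphrase")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# ---------------------------------------------------------------------------
# Part 2: find WIF private keys that were written to disk unencrypted.
# WIF = base58check( 0x80 || 32-byte key [|| 0x01 for compressed pubkeys] )
# ---------------------------------------------------------------------------

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# '5' starts a 51-char uncompressed WIF; 'K'/'L' start a 52-char compressed one.
_WIF_RE = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")


def b58check_encode(payload: bytes) -> str:
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + checksum
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = _B58[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # one '1' per leading zero byte
    return "1" * pad + digits


def b58check_decode(text: str):
    """Return the payload if the base58check checksum verifies, else None."""
    n = 0
    for ch in text:
        idx = _B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def private_key_to_wif(key32: bytes, compressed: bool = True) -> str:
    return b58check_encode(b"\x80" + key32 + (b"\x01" if compressed else b""))


def find_plaintext_wif(data: bytes) -> list:
    """Scan raw bytes (a file, a backup, a disk image) for checksum-valid WIF keys."""
    hits = []
    for match in _WIF_RE.finditer(data.decode("latin-1")):
        payload = b58check_decode(match.group(0))
        if payload and payload[0] == 0x80 and len(payload) in (33, 34):
            hits.append(match.group(0))
    return hits


if __name__ == "__main__":
    sample_key = bytes(range(1, 33))  # constructed, not a real wallet key
    wif = private_key_to_wif(sample_key)
    print("plaintext backup hits:", find_plaintext_wif(b"keys:\n" + wif.encode() + b"\n"))
    blob = encrypt_backup(wif.encode(), "constructed-passphrase")
    print("encrypted backup hits:", find_plaintext_wif(blob))
```

Run the scanner over backup directories and upgrade scratch space as a routine check rather than once after an incident; an encrypted blob produces no hits, while the kind of file Shtylman described is reported immediately.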