Vulnerability of Endpoints and The Problem With Cryptocurrencies

Every few months, a crypto exchange fails. Crypto exchanges–the sites and systems where you can convert regular currency to cryptocurrency–have a habit of failing, and the result has been a steady stream of people losing money. The losses seem to get bigger and bigger.

The recent failure of BTX is by far the largest and most spectacular. It’s probably the most damaging to the perception of crypto due to its intersection with political drama. But it’s by no means the only failure:

Mt Gox 2014 – The first really large exchange fell to hacking. The site, originally intended as a place to trade “Magic: The Gathering” cards, was hacked. The losses at the time were $450 million.

QuadrigaCX 2018 –  A Canadian site went down when the owner mysteriously died, and investigators subsequently couldn’t find any of the funds.

Thodex 2021 – A Turkish exchange went down when the owner disappeared.  Loss was upwards of $2 billion.

The Mt Gox failure was one of the first high-profile exchange failures. Mt Gox, short for “Magic, the Gathering Online eXchange”, was originally designed for trading cards. What could go wrong? (src: Stanford Review)

These are just 3 failures in a list of 50+ since 2009.  Many people have lost billions of dollars, and many people have illicitly benefitted.   When this happens, it is usually tacitly called a failure of crypto itself.   All of cryptocurrency–as a technology–is called a scam, pyramid scheme, etc.

But why is this happening, and does it mean there’s no future in blockchain based money?  We can answer that, but first we have to look at a basic principle in crypto.

Cryptography is always vulnerable at the endpoints.

This is a key principle in understanding how to secure things with cryptography.  If you want to defeat cryptography, attacking cryptography itself is hard.  Attacking things outside cryptography is easier.  

The movie The Imitation Game shows just how hard it was to defeat a cryptosystem itself. It took plenty of luck and brainpower. Modern crypto systems are not vulnerable like this.

For example, a message that hasn’t been encrypted yet can be read. So you can compromise the computer and read it before it’s encrypted. Or you can set up a “man in the middle” attack where you secretly put yourself between the sender and the cryptographic system.

In its simplest implementation, a “rubber hose” attack can be used to physically threaten a person and get the key to decrypt something. This may be applied illicitly and illegally, or even by a legitimate court that threatens jail time for not revealing a key.

In all of these examples, the method of cryptography is secure. It’s the ‘stuff’ around it that’s not, so an attacker attacks that ‘stuff’. It’s not enough to use good crypto. You have to secure the other ‘stuff’ around it as well.

Modern cryptography is secure. Blockchain technology is secure. If you maintain cryptocurrency in a wallet, and you take basic steps to secure it, you’ll be fine. Wallets, as an endpoint, are very secure.

Wallets are super cool. They make you feel like James Bond when using them. But blockchain wallets are also hard and unforgiving. Maintaining a blockchain wallet of any kind is not for the faint of heart. If you lose it, forget the password, or mismanage your wallet in other ways, you lose everything.

Trezor and Ledger Hardware Wallets.  regularguy.eth/Unsplash

As a result, many average people are delegating that duty to an online exchange and leaving huge sums of money in them. But exchanges are just websites that reside at the endpoints of blockchain technology.  So they can be compromised.

What we’re seeing in current cryptocurrency and blockchain scandals is that nobody is securing the endpoints.  

Until wallets become more fool-proof, we must anticipate a continued reliance on exchanges.  And these endpoints must be hardened to prevent loss.  There are some ways to do that, and I’ll discuss that next.

 
