No Safety in Numbers?
Two smoking Colts and pantyhose over the head: they used to rob banks with style in the Wild West.
When banks started using the Internet as their main infrastructure, the wild days of brazen robberies made quite a comeback, only with less shooting and more hacking.
In the 19th century, the banks built thicker walls, ordered better safes with more complicated locks, and hired more security. Then, there were alarm systems and time locks and the dancing laser beam rooms (totally real! probably).
The online bank heist era did not last long, either: over a single decade, the banks rapidly improved their cybersecurity in a very similar way.
GTA, Money Heist and other pop-culture projects make it look so easy. Grab a couple of guns and a ski mask, and then chill on a beach somewhere on a non-extradition tropical island. Today's reality is very far from that, though: you'd probably get caught before you've even entered the bank.
And then, along came the brave new world of crypto.
And with it, came the first wave of crypto hacks. It is probably safe to assume that many of the hackers involved in cyberattacks against banks moved into the crypto space with its underdeveloped security and fresh, irresistible vulnerabilities.
Now, does this mean crypto was a bad move that created all the dangers to the users’ funds?
Nope, unless you are convinced the banks should’ve stuck to pigeon post instead of using the Internet.
Let’s take a look at just a few colorful cases from the early days, when the banks had just recently moved from direct dial-up connections to the TCP/IP protocol…
“In early 2008, a Russian hacking ring stole $2 million after penetrating a network of Citibank-affiliated ATMs across New York City. The group gained access to a server that processed ATM withdrawals within 7-Eleven stores. This enabled them to steal debit card numbers and PINs from 2,200 machines, which they used to withdraw the $2 million.”
So they stored unencrypted PIN codes on the server, no big deal. Can you imagine something like that happening in a bank in the 2020s?
“A Bank of America employee was charged with computer fraud after installing malware on 100 ATMs to steal $304,000 over seven months, in an early example of ATM “jackpotting.” The man was jailed for twenty-seven months after admitting to writing code that ordered the ATMs to issue cash without a record of the transaction.”
Just two years later, it’s already much harder to hack a bank: this robbery required an inside man, and the criminal got caught very soon after committing the crime.
“Tesco Bank, a retail bank based in the UK, was the target of thieves who used vulnerabilities in its card issuing process to guess bank card numbers and steal £2.26 million in November 2016. The unknown attackers likely used an algorithm to generate bank card information.”
Six more years passed, and by now it is virtually impossible to hack a bank server or an ATM directly. The hack still happened, but it was obviously far more elaborate this time, as all of the easy-to-exploit vulnerabilities had been eliminated by then.
Robbers vs. security is a never-ending arms race.
Locks and lock picks, face recognition and camouflage makeup, credit cards and ATM skimmers. But even with the robbers trying as hard as they can, it seems like they're gradually losing that fight. Let's look at some statistics. In 2018, 6.1% of all robberies in the US were linked to banks. In 2020, a mere two years later, the number was only 1.4%.
The modern gentleman's favorite type of bank robbery, the internet attack, has seen a huge drop in the number of cases as well: only 1,400 attempts in 2021 compared to 2,513 in 2018.
It looks like at some point in their technical evolution, banks became so secure that it was no longer economically feasible to try to rob them.
So what does that mean for the blockchain scene?
Millions of dollars drained just recently in a wallet hack. Numerous high-profile exploits of bridges, smart contracts, protocols and services. Is crypto inherently flawed? Is it doomed?
No, neither the crypto world in general, nor the Solana blockchain in particular are doomed or broken. These are the growing pains of technological evolution.
The first crypto hacks were like taking candy from a baby. Now it takes months of hard work, looking for that tiny opening at the confluence of circumstances: a developer's mistake, missed by the audit, outside of the protocol's safeguards…
Once again, let’s take a look at some notable cases.
Mt. Gox: Version control? Never heard of it
Before Coinbase, Binance, and any other CEX, there was Mt. Gox. It was the only exchange where you could sell your Bitcoins, so it had a near-monopolistic place in the crypto world. Consequently, it had A LOT of Bitcoins. Before they all got drained.
The exact facts about the vulnerabilities exploited in each of Mt. Gox's hacks are scarce. However, it is clear that there were a number of vulnerabilities to exploit. Anonymous insiders reported that the exchange lacked such basic features as version control software and a test environment. Without these, a developer could accidentally overwrite another dev's code, with no change history and no reliable way to revert to a known working build. Since it lacked a test environment, Mt. Gox put its largely untested code in front of the general public, and the rest is history.
Four years later, another centralized exchange, and another gigantic hack: KuCoin, according to some experts, was hacked by the North Korean Lazarus Group. Only this time, the hackers could not find an easy way in by exploiting a vulnerability in the code.
There is still no exact data on the specific weaknesses exploited. One thing is clear: the attackers gained access to the private keys of KuCoin's hot wallets. Some sources suggest that the KuCoin hack may have been an inside job, while others speculate that the hackers may have stolen the private keys using a social engineering attack: phishing, malware, or a backdoor in a responsible employee's account. Whichever it was, the badly written code of blockchain's early days was no longer at fault; the hackers either had someone on the inside of KuCoin, or duped someone into “letting them in”.
If the Mt. Gox hack was like taking a first-grader's pocket money, then the KuCoin hack was more like tricking someone into giving you the code to their safe. Nothing to do with cybersecurity in the narrow sense: just the human factor, pretty much unpreventable as long as there are humans involved. A lot has changed in that area since, though. There are now so-called multisig solutions that let a company release funds only when multiple executives have each signed the transaction with their own private key, so a single compromised key or a single duped employee is no longer enough.
The industry evolves by learning from its own mistakes.
The exact same thing happened in the banking sector: there were hacks, money was lost, security got improved. And hey, look, the banks are still there.
Crypto is walking the same path as any other early financial technology.
It began with a lack of security, multiple hacks, and people losing their funds to thieves.
It will end with successful hacks being as few and far between as a successful exploit of a major bank or stock exchange.
Remember this tweet :)