The price of bitcoin took a tumble early Wednesday after a major South Korea-based cryptocurrency exchange, Bithumb, admitted that hackers made off with more than $31 million worth of virtual currency.
The incident is the latest in a long string of thefts at the online portals where investors trade cash for digital coins such as bitcoin and ether. Bithumb has not said how the attack occurred.
But what makes exchanges vulnerable to these sorts of attacks in the first place?
For starters, cryptocurrency experts blame lax security at the hacked exchanges, as well as the booming popularity of digital currencies more generally.
“Bitcoin and other cryptocurrencies have risen dramatically in popularity and value over the past few years,” said John Sedunov, an assistant professor of finance at Villanova University. “This fast run-up may have caught some exchanges off-guard, and they may not have had the capital on hand, time, or even the technical ability to ramp up security features fast enough to ward off potential attackers.”
In other words, hackers love going after exchanges because they’re a rewarding and often easy target. In this respect, exchanges are little different from healthcare providers with lucrative medical data, or credit reporting bureaus that hold Social Security numbers.
But unlike those types of institutions, cryptocurrency exchanges are purpose-built to move actual assets from one person to another. And that can raise additional risks.
What can you do to shield yourself?
Begin by considering your personal financial situation. If you’re like many people, you have both a checking account to cover daily transactions and a savings account or safe deposit box where you keep money that you know you won’t be spending anytime soon.
A lot of cryptocurrency exchanges work the same way. They run what’s called a “hot” wallet that’s connected to the internet, where they store the virtual currency they know they’ll use to quickly fulfill their customers’ trades. Meanwhile, they might keep some — or even the bulk — of their customers’ funds in a “cold” wallet. This cold storage is disconnected from the internet and inaccessible to customers, partly to ensure that it’s off limits to remote hackers.
While many exchanges have adopted techniques to protect their hot wallets, such as obtaining insurance on the funds inside or requiring multiple secret keys for access, it’s impossible to eliminate the risk of a hack completely. Just as online criminals are constantly developing new forms of malware that exploit bugs in software that its developers haven’t caught, hot wallets are vulnerable to the same kinds of risk.
That doesn’t mean hot wallets are inherently bad. Imagine if every time you paid a bill at a restaurant or bar, you had to visit your savings account to physically pull out the money. It would be a massive inconvenience, and settling your tab would take ages. Hot wallets speed things up, at the cost of some built-in security risks.
For these reasons, many cryptocurrency investors recommend storing your coins not in a wallet that’s controlled by an exchange, but rather in a cold wallet that you control. This wallet could be a hard drive you’ve unplugged from a computer, a USB drive you store in a drawer in your house or even codes written on a piece of paper. When you want to sell the coins in the wallet, just reconnect the wallet to the internet.
This approach is not without headaches too, but it’s still a better option. On reddit, stories abound of investors who’ve misplaced their cold wallets or the access codes needed to open them. In these sorts of cases, it’s as if your money may as well have been lost to hackers. Other investors on reddit still say trusting yourself is preferable to trusting exchanges.
“It’s frustrating to see people lose money to this consistent mistake,” wrote user PM_ME_YOUR_NANO on a recent thread. “No one should be losing even 10% of their available coins because an exchange is bad. Crytocurrency is about being trustless. Exchanges are trusted systems without great regulation.”