Cryptocurrencies and WannaCry

I have been doing extensive research on Blockchain Technology (BCT), focusing on its potential impact in developing and emerging economies. I am particularly exploring BCT’s role in tackling the most vexing socio-economic gaps in these countries. One of my early findings suggests that BCT usability might prove to be a formidable challenge for the billions of people sitting at the bottom of the pyramid.

Both cryptocurrencies and BCT use cryptographic tools, with public-key cryptography being at the core. The advantages are clear: These technologies enhance privacy, security and transparency, among others. However, from the end-user perspective, using such tools effectively might not be that simple. Recall how Snowden had difficulty getting journalists to use encrypted channels to communicate and securely exchange information. Even though cryptographic tools are freely available on the Internet, most people do not use them for personal communications due to their complexity. Granted, cryptocurrencies have developed a wide variety of wallet software and applications that ease use. But recent research shows that complexity levels are still too high for most users to use such tools effectively.

Security by obscurity

A more recent and perhaps surprising example of this is the WannaCry ransomware attack. Malicious hackers created three Bitcoin accounts and demanded payments in bitcoins to “liberate” hijacked sites. But many of those affected were not familiar with cryptocurrencies, never mind with how to get and spend them.

WannaCry is a product of the principle of security by obscurity. Software development is prone to bugs, many of which could provide backdoors for hackers to gain full control of a network or device. In an ideal world, such bugs should be reported at once to the software developer and patched on the spot. However, security agencies sometimes prefer not to disclose such bugs as they can be used against potential enemies. This assumes that no one else has the capabilities of finding such bugs, a strong assumption indeed.

With WannaCry, a group of hackers learned about a bug in the Windows operating system that allowed remote users to execute arbitrary commands. This bug was already known to security agencies, who apparently failed to inform Microsoft once it was discovered. WannaCry hackers used this backdoor to run a program that encrypted most of the information and data on local storage devices and demanded payment in bitcoins to restore it. Thus, users affected by the attack faced an additional challenge: Getting access to bitcoins to pay the ransom and recover their data.

Getting cryptocurrencies

The simplest way to get bitcoins or other cryptocurrencies is to buy them via exchanges, the private companies dedicated to trading digital money. Some even accept payments via credit card, particularly for small transactions. Fees and commissions vary but are not more than 0.5% for every USD 1,000 spent. So far, so good.

However, users cannot deposit cryptocurrencies in their regular bank accounts, at least not for now. Rather, they need to use cryptocurrency wallets to store bitcoins. Here things already get a bit more complicated. There are several wallets already available, and users must decide which one to use. The key decision-making issue here is the security of the private keys users must generate to store or spend bitcoins or use BCT for other purposes such as land titles or identity management.

There are two generic wallet types: Hot and cold. Hot wallets are connected to the Internet and run either in the cloud or on laptops, cell phones, or other personal devices. A cloud-based hot wallet stores private keys on the cloud provider site and is less secure than having them on your own gadget. But if a personal device is compromised, then hackers might gain access to private keys. In both cases, private key generation is completed with a connection to the Internet that could compromise its security from the start.

Cold wallets are those not directly connected to the Internet and include both paper and hardware wallets. The latter, which sometimes use USB smart cards, have gained market share over time as the only way to access the wallet is via direct physical contact. Private key generation is done offline. They are thus pretty secure, as hardware wallets also offer PIN protection. However, unlike other types, hardware wallets have a cost, with prices ranging from 50 to 100 USD. In this light, hardware wallets make more sense for those making hefty investments or holding large quantities of cryptocurrencies.

Managing private keys

Protecting and securing private keys is essential to the Bitcoin and/or BCT ecosystems. Losing your private key implies losing access to all the assets recorded on a Blockchain and will make you WannaCry. Hackers stealing private keys will gain immediate access to all associated assets and identities. Proving that a Bitcoin or BCT private key is indeed yours might be cumbersome if not impossible now.

Users could also encrypt private keys to enhance security. Using the private key will first require decryption. However, this method usually requires generating a password that must be safely managed by the end-user.
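The password-based encryption described above can be sketched as follows. This is an added example, not code from the original post or from any particular wallet: the function names, the record layout and the scrypt cost parameters are assumptions chosen for illustration. It shows that a wrong password or a modified record yields nothing rather than a corrupted key.

```javascript
const crypto = require('node:crypto');

// scrypt cost parameters (assumed values for this example; tune to the device).
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the user's password into a 256-bit key. The random per-record salt
// prevents reuse of precomputed password dictionaries across wallets.
function deriveKey(password, salt) {
  return crypto.scryptSync(password.normalize('NFKC'), salt, 32, SCRYPT);
}

// Encrypt a raw private key (Buffer) and return a JSON-serializable record.
// Only salt, nonce, ciphertext and tag are stored, never the password or key.
function encryptPrivateKey(privateKey, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return {
    kdf: 'scrypt',
    cipher: 'aes-256-gcm',
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    ciphertext: ciphertext.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
  };
}

// Decrypt a record. Returns the private key, or null when the password is
// wrong or the record was altered (the GCM tag check fails in both cases).
function decryptPrivateKey(record, password) {
  try {
    const key = deriveKey(password, Buffer.from(record.salt, 'hex'));
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'hex'));
    decipher.setAuthTag(Buffer.from(record.tag, 'hex'));
    const body = Buffer.from(record.ciphertext, 'hex');
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed sample: 32 random bytes stand in for a wallet private key.
const sampleRecord = encryptPrivateKey(crypto.randomBytes(32), 'constructed passphrase');
console.log(Object.keys(sampleRecord).join(', '));
```

The stored record is only as strong as the password behind it, and losing the password is equivalent to losing the private key.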

Thus, end-users need to manage private keys properly, which might require some investment in wallets and demands good skills.

Cheers, Raúl