Digital transaction security

Bits and bytes can be stolen just like the cash under your mattress.

The high-flying bitcoin digital currency took a big hit when MtGox, once the world’s largest bitcoin exchange, suspended withdrawals until it can resolve a problem with what it calls transaction malleability:

A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent. MtGox is working with the Bitcoin core development team and others to mitigate this issue.

Tyler Shibata attributes last week’s losses at Silk Road to the same software flaw:

The Bitcoin community suffered another shock on Thursday morning when it was revealed that the Silk Road 2.0 had been hacked, and that all 4,474 Bitcoins– roughly valued $2.7 Million at the time of the attack– had been stolen. This heist, as some people have been calling it, was caused by a flaw in the Bitcoin protocol itself called “Transaction Malleability.”

Others argue that the problems result from the software used by some exchanges to handle bitcoin wallets rather than the open-source architecture of the currency itself. BBC reports:

Gavin Andresen, chief scientist at the Bitcoin Foundation– which oversees and develops the Bitcoin software– denied the problem was its fault.

“The issues that MtGox has been experiencing are due to an unfortunate interaction between MtGox’s highly customised wallet software, their customer support procedures, and an obscure (but long-known) quirk in the way transactions are identified and not due to a flaw in the Bitcoin protocol,” he told the BBC.

The value of bitcoin has fallen to half its December peak on the news. But nobody’s giving them away– one bitcoin will still cost you $560 at the current “depressed price”. And bitcoin proponents like Timothy Lee are not deterred:

And this is one of Bitcoin’s great strengths. Right now, companies such as Mt. Gox, BitStamp, BitPay and Coinbase are important players in the Bitcoin ecosystem. But Bitcoin itself is an open-source technology platform. It’s not owned by anyone, and its success doesn’t depend on the success of any specific bitcoin-based company. If the current crop of Bitcoin businesses fail, a new generation can and likely will emerge to take their place.

Dollar value of one Bitcoin.  Source: Blockchain.

In case you hadn’t noticed, we’re also learning more about the vulnerabilities of more conventional digital transactions. The most dramatic recent development on this front was the December theft of credit account information for 70 million customers of Target. Bloomberg reported last month that this may be showing up in the retailer’s bottom line:

Target is already suffering from the hacking of its customer data. Sales at its U.S. unit were “meaningfully weaker” after the data theft was disclosed, the company said. U.S. same-store sales will fall about 2.5 percent in the quarter through January, compared with an earlier projection they would be little changed. Adjusted earnings per share will be $1.20 to $1.30 for the division, down from a previous estimate of at least $1.50.

Price of Target stock.  Source: Yahoo.

Bob Eisenbeis worries that vulnerabilities in our system for conventional credit card and debit card payments could end up causing bigger problems:

The points of vulnerability are many, especially since many institutions have outsourced the actual processing and warehousing of data, and this trend is accelerating as more and more businesses move their computing into the cloud….

The overarching issues concern threats to the payment system itself and the risks that breached information will be used to commit wholesale electronic theft that might threaten the solvency of a major financial institution, be it a bank, investment bank, insurance company, etc. Additionally, such insolvency could have systemic implications for the financial system as a whole. The systemic risks are further amplified by the complex interrelationships among traditional business firms, operators of the private-sector payments-transfer infrastructure, and financial firms. A hack of customer data held by a nonfinancial firm or payments processor could result in losses that can quickly bleed over into the financial system if data are compromised and transactions are initiated and consummated before the breach is discovered or reported.

Is that overstating the concerns? Maybe so. But I do believe that it’s easy to get lulled into complacent confidence in our payment systems given that technology, both in the hands of the good guys and the bad guys, is changing so quickly.

4 thoughts on “Digital transaction security”

  1. Rick Stryker

    The reactions of Mt. Gox and the bitcoin foundation just represent the usual fingerpointing that goes on after something like this happens. The transaction malleability problem has been known since 2011 but nobody really did anything about it. The problem is that the bitcoin signing protocol signs most fields of the transaction in a way that makes it impossible to change those fields without invalidating the signature. However, it is possible to change some non-signed fields in a way that changes the transaction ID, allowing the possibility to conduct a fraudulent transaction. This was thought to be a somewhat academic problem so it was not addressed.

    The fingerpointing is about who should have addressed it. The bitcoin businesses are implying that it’s a problem with bitcoin itself, which the designers should have fixed. But the bitcoin designers can equally say that vendors, who knew about the problem, should have built their software so that it checked the non-malleable details of transactions rather than relying on the transaction ID. This sort of dispute I think is a necessary growing pain of a new technology.

    I do think the Eisenbeis piece is an overstatement, although cybersecurity is a serious and important issue. For whatever reason, the US is behind the rest of the world in implementing fraud technology into credit cards. Europe has used chip and pin technology for some time and credit card fraud is lower there. The US is starting to make the transition to chip and signature cards. Certain cards will allow you to upgrade to the technology now.
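The reconciliation check described in the comment above, as an added example that is not part of the original post or of any commenter's text. It uses a simplified Python model, not real Bitcoin serialization; `Tx`, `stable_id`, `reconcile` and all sample values are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def dsha(data: bytes) -> str:
    """Double SHA-256, hex-encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

@dataclass(frozen=True)
class Tx:
    spends: tuple    # outpoints consumed, e.g. ("aa11:0",)
    pays: tuple      # (address, amount) pairs
    sig_blob: bytes  # signature encoding; the signature does not cover itself

    def signed_part(self) -> bytes:
        return repr((self.spends, self.pays)).encode()

    def txid(self) -> str:
        # The transaction ID hashes everything, signature encoding included.
        return dsha(self.signed_part() + self.sig_blob)

    def stable_id(self) -> str:
        # Hash of only the fields the signature commits to.
        return dsha(self.signed_part())

def reconcile(sent, confirmed):
    """Classify each sent withdrawal against the confirmed transactions."""
    seen_txids = {t.txid() for t in confirmed}
    seen_stable = {t.stable_id() for t in confirmed}
    report = {}
    for tx in sent:
        if tx.txid() in seen_txids:
            report[tx.txid()] = "confirmed"
        elif tx.stable_id() in seen_stable:
            # Same inputs and outputs were mined under another ID: do not resend.
            report[tx.txid()] = "confirmed-under-different-txid"
        else:
            report[tx.txid()] = "unconfirmed"
    return report

# Constructed sample data: the mined copy differs only in signature encoding.
withdrawal = Tx(("aa11:0",), (("customer_addr", 50_000),), b"\x30\x44sig")
as_mined = Tx(withdrawal.spends, withdrawal.pays, b"\x30\x45\x00sig")
pending = Tx(("bb22:1",), (("customer2_addr", 10_000),), b"\x30\x44sig2")

def demo():
    return reconcile([withdrawal, pending], [as_mined])

if __name__ == "__main__":
    for txid, status in demo().items():
        print(txid[:12], status)
```

A wallet that looks up only `txid()` would report the first withdrawal as missing, while the lookup keyed on the signed fields shows it already settled.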

  2. Ricardo

    Professor,

    Excellent post, and thank you for taking on the Bitcoin issue. There do not seem to be many talking about it and yet it has exploded in online transactions.

    My biggest concern with Bitcoin is not about theft, as you point out that is present in any system. My biggest concern is that Bitcoin is Milton Friedman’s monetarism with all the problems with monetarism. Bitcoin is an inflexible currency and, if it became the dominant currency, it is highly likely to be a drag on economic activity. It has a tendency to be deflationary in a growing economy and inflationary in a declining economy, because of the strict controls on its supply. While a properly operating Bitcoin is much better than a floating currency system that tends to distort every transaction and always leads to value of currency uncertainty, it is not the best system. Once again a system using gold as a standard is the best monetary system ever devised.

  3. baffling

    the bitcoin issue brings up the problem of who, if anybody, is guaranteeing the currency. if things go bad with bitcoin, or any alternative currency, does anything exist which protects the holders of the currency? in particular, a technology based currency will be constantly subjected to attempted manipulation by hackers, etc. when they succeed, will the currency holders be made whole or will they be forced to absorb the loss? not sure whether this risk is priced into the bitcoin market yet…
