The price of bitcoin took a tumble early Wednesday after a major South Korea-based cryptocurrency exchange, Bithumb, admitted hackers made off with more than $31 million worth of virtual currency. The incident is the latest in a long string of thefts at the online portals where investors trade cash for digital coins such as bitcoin and ether. Bithumb has not said how the attack occurred.
What makes exchanges vulnerable to these sorts of attacks in the first place?
For starters, cryptocurrency experts blame lax security at the hacked exchanges, as well as the booming popularity of digital currencies more generally.
"Bitcoin and other cryptocurrencies have risen dramatically in popularity and value over the past few years," said John Sedunov, an assistant professor of finance at Villanova University. "This fast run-up may have caught some exchanges off-guard, and they may not have had the capital on hand, time, or even the technical ability to ramp up security features fast enough to ward off potential attackers."
In other words, hackers love going after exchanges because they are a rewarding and often easy targets. In this respect, exchanges are little different from health-care providers with lucrative medical data, or credit reporting bureaus that hold Social Security numbers.
Unlike those types of institutions, cryptocurrency exchanges are purpose-built to move actual assets from one person to another. And that can raise additional risks. Here is how and what you can do to shield yourself.
Begin by considering your personal financial situation. If you are like many people, you have both a checking account to cover daily transactions and a savings account or safe-deposit box where you keep money you know you will not be spending anytime soon.
A lot of cryptocurrency exchanges work the same way. They run what is called a "hot" wallet that is connected to the Internet, where they store the virtual currency they know they will use to quickly fulfill their customers' trades. Meanwhile, they might keep some — or even the bulk — of their customers' funds in a "cold" wallet. This cold storage is disconnected from the Internet and inaccessible to customers, partly to ensure it is off limits to remote hackers.
While many exchanges have adopted techniques to protect their hot wallets, such as obtaining insurance on the funds inside or requiring multiple secret keys for access, it is impossible to eliminate the risk of a hack completely. Just as online criminals are constantly developing new forms of malware that exploit bugs in software its developers have not caught, hot wallets are vulnerable to the same kinds of risk.
That does not mean hot wallets are inherently bad. Imagine if every time you paid a bill at a restaurant or bar, you had to visit your savings account to physically pull out the money. It would be a massive inconvenience, and settling your tab would take ages. Hot wallets speed things up, at the cost of some built-in security risks.
For these reasons, many cryptocurrency investors recommend storing your coins not in a wallet that is controlled by an exchange, but rather in a cold wallet you control. This wallet could be a hard drive you have unplugged from a computer, a USB drive you store in a drawer in your house or even codes written on a piece of paper. When you want to sell the coins in the wallet, just reconnect the wallet to the Internet.
This approach is not without headaches, too, but it is still a better option. On Reddit, stories abound of investors who have misplaced their cold wallets or the access codes needed to open them. In these sorts of cases, your money may as well have been lost to hackers. Other investors on Reddit still say trusting yourself is preferable to trusting exchanges.
"It's frustrating to see people lose money to this consistent mistake," wrote user PM_ME_YOUR_NANO on a recent thread. "No one should be losing even 10% of their available coins because an exchange is bad. Cryptocurrency is about being trustless. Exchanges are trusted systems without great regulation."