Bitcoin provides one of the most secure modes of digital payment in the world. As a peer-to-peer electronic payment system, it does away with a trusted third party and instead uses cryptographic proof. The blockchain technology that supports bitcoin is a publicly visible, pseudo-anonymous ledger which allows for transparent transactions while preserving the anonymity of its users. This means that transactions can be carried out without users having to worry about information being traced back to them.
Furthermore, bitcoin has put in place incentives that prevent the hacking of its blockchain system and, in turn, prevent double-spending. Firstly, as long as the longest chain of blocks is an honest chain, it will be very difficult for an attacker to disrupt it. The attacker will not only need to redo the proof-of-work on every block in the chain, but will also need to outpace the current honest chain. Secondly, because miners get paid in bitcoins to complete the proof-of-work, it takes less effort, and is more efficient in both time and cost, to take part in mining than to attack.
However, the bitcoin system is not totally impenetrable and still presents vulnerable points for a potential attack. As more and more people join the bitcoin network, the opportunities and incentives for hackers to target the system also increase.
There are over seven known types of attack on the system, including the Sybil attack and the Race attack. In a Sybil attack, the attacker creates numerous false nodes and leads victims to connect to them. The attacker then isolates the victim from the main network on one which contains only the attacker's blocks, exposing the victim to the risk of double-spending.
Because it takes about 10 minutes for a transaction's proof-of-work to be mined and about an hour for the transaction to be officially complete, attackers can capitalise on this time window. This is seen in the Race attack, where the attacker secures a transaction with two merchants using the same bitcoin. The attacker will pre-mine the bitcoin into the first block and, before its proof-of-work is completed, send out the same bitcoin to another merchant. Since the bitcoin network will only accept one transaction, one of the merchants will end up not being paid, while the attacker will have successfully double-spent the bitcoin. The Race attack is one of the attacks with the highest success rates to date.
Other vulnerabilities include exploitation of anonymity, which can lead to illegal uses of bitcoin such as money laundering or ransomware. Attackers can also limit the transaction usage of bitcoins by attacking bitcoin banks or exchange webpages through a Distributed Denial-of-Service (DDoS) attack. One case study recalled a group named 'DD4BC' which attempted to extort bitcoins through a DDoS. They flooded the bandwidth up to 13.34 Gbps, with the largest at 56.2 Gbps, and demanded an average of 10 to 20 bitcoins in order to stop the attack. Transaction malleability can also take place by modifying the hash function of bitcoin transactions before they are successfully mined and entered into the network. This way, attackers can make it look like the transaction never took place.
Apart from hackers attempting to directly attack the bitcoin system, bitcoins do pose other security issues. In March 2015, an American teen, Ali Shukri Amin, was sentenced to over 11 years in jail for using bitcoins to mask terrorist funding activities. Apart from helping to fund ISIS' activities, he created a blog to teach fellow supporters how to use bitcoins to do the same and even assisted a man in travelling to Syria to join ISIS. The group has been looking to create its own cryptocurrency in an attempt to function as a legitimate country. This would be menacing because it could open a floodgate of money laundering activities and untraceable fund movement.
Despite the many vulnerabilities in the bitcoin system, approaches have already been put in place to ensure bitcoin cyber security. To counter Sybil attacks, running more independent full nodes (where blocks and transactions are validated and relayed to other full nodes) can make it more difficult for attackers to collect copious amounts of data. To counter Race attacks and double-spending, bitcoin's blockchain already works in such a way that only one transaction from one block will be approved and then added to the chain.
Apart from inbuilt systems, users are expected to play their part as well in ensuring the security of using bitcoins. Users are recommended to wait for more than six confirmations to ensure that their transaction is sufficiently confirmed, and should avoid nodes with low hash rates, as a low hash rate could be an indication that a node is fake. Users are also advised to connect to well-established nodes and disable incoming connections.
Similar to a physical wallet, users should ensure the safety of their digital wallet by storing it in a safe place. This safe place can either be in the form of encrypted online backups or storing bitcoins in multiple secure locations. The highest level of security would be to create an encrypted offline wallet (using hardware security) that is not connected to any network, as being online still leaves room for possible attacks.
Currently, blockchain mobile clients only have a password which acts as their user identification. There is no tight binding to phones, no anti-copy mechanisms and hardly any ability to handle a mass subversion of the network. With no viable user-side backups and the inability to support workflow, it is vital that mobile security be introduced to blockchain and bitcoin mobile clients.
It is important to protect mobile clients and ensure secure execution. Cyber security providers should aim to protect by securely connecting to external hardware key stores and to the database backend. They must be able to detect malware and specific target attacks as well. On top of detection, security providers must have the capability to efficiently and effectively stop attacks that are based on redirection, such as man-in-the-middle attacks.
Due to the surge in demand for bitcoins, the digital currency platform is struggling to cope and some bitcoin payments across the world could end up failing. When the bitcoin network reaches its capacity, a result of the technical upper limit on the number of transactions processed per second, transaction timing is extended up to 43 minutes instead of the usual 10 minutes. For example, bitcoin payments to Expedia, which have a 10-minute expiry, could fail because the transactions cannot be processed fast enough. This has resulted in the failure of many bitcoin payments across the world.
To address this issue, two future developments are under consideration, namely the Hard Fork and the Soft Fork.
The Hard Fork will increase the current size limit of each block from 1MB to 2MB by changing the bitcoin protocol and creating a permanent separation in the blockchain. This will allow for faster transactions to take place. However, the security issue lies in the fact that it increases the propensity for double-spending if users do not upgrade in time. Users who do not upgrade might end up making transactions in the old blockchain or be led into mining fake bitcoins. Another downside is that the mining system will become undemocratic, as miners will be forced to upgrade their systems or risk being sidelined.
A Soft Fork is a change to the bitcoin protocol in which blocks and transactions that were previously valid are now considered invalid. Soft Forks are forward compatible. This means that old nodes will recognise new blocks, in which transactions will appear as pay-to-anybody transactions. This way, the new nodes will eventually build a stronger chain that old nodes will accept as the most valid blockchain. Furthermore, it allows for a greater number of transactions to take place. However, Soft Forks run the risk of opening an opportunity for attackers to double-spend because of the creation of two separate blockchains.
Currently, 80% of the mining power is inclined towards the Hard Fork and hence it might become the new standard in 2017. There are also plans to increase user transaction fees, while the halving of miner rewards may take place in 2016. Higher transaction fees increase the incentive for attackers to target the transaction. On the other hand, reducing miner rewards causes miners to lose the incentive to mine, as the time and effort being put in would outweigh the profits earned. Coupled with the increase in the number of mining farms, individual miners who cannot compete may turn to attacking the system instead. These developments might ultimately diminish user confidence in the system, and users will go back to using traditional but more reliable forms of payment.
While the general outlook for bitcoin may seem bleak, the game changer lies in heightened security efforts. It is therefore paramount for cyber security providers to ensure that the security of the network is addressed. Also, as a good practice, enterprises that own significant amounts of cryptocurrency should have an offline wallet which stores their funds on a computer that is not connected to the Internet. They can also use a paper bitcoin wallet generator as an additional security measure because it generates two separate keys for obtaining funds and withdrawing bitcoins respectively.
It is only with top-notch security that user confidence will be maintained and enhanced. How alert and responsive the security system is to threats will ultimately determine the future use and continuity of the network.