by Mike Orcutt
February 1, 2018
The plunder of more than $500 million worth of digital coinsfrom the Japanese cryptocurrency exchange Coincheck last week has added to a growing perception that cryptocurrencies are particularly vulnerable to hackers.
It’s an expensive reminder that like many things in the cryptocurrency world, security technologies—and the norms, best practices, and rules for using them—are still emerging. Not least because of its enormous size, the Coincheck hack could go down as a seminal moment in that process.
This piece first appeared in our new twice-weekly newsletter Chain Letter, which covers the world of blockchain and cryptocurrencies. Sign up here – it’s free!
First, hackers laid bare the fact that Coincheck had opted not to implement some basic security measures. The company’s executives told news reporters that the stolen coins had been stored in an internet-connected “hot” wallet. It’s far more secure to keep funds offline, in “cold” storage—often hardware specially designed for the task. Many exchanges already claim in their marketing material that they hold the vast majority of their users’ funds offline. Going forward, this will presumably become standard practice.
With that taken care of, there’s a more weighty question on the table. Every public cryptocurrency address is associated with a private key; without it, money can’t be moved from that address. Someone who manages to acquire your private key, though, can send your money away. That’s what happened in the Coincheck heist. So how do we make the private cryptographic keys owners need to access their coins more secure?
One answer, known as a multisignature address, is conceptually simple: a “multisig” requires more than one cryptographic key in order execute a transaction. It’s a bit like the multifactor authentication process you may use to access your e-mail account. Business partners can use multisig technology to, for example, create a wallet that requires each of them to sign off on transactions. That would make it substantially more difficult for hackers to access funds.