Digital currencies hold appeal to some enterprises, but the security of exchanges is a weak point. The latest to fall is Canadian exchange CaVirtex over what its says is a possible breach.
On February 15 “we found reason to believe that an older version of our database, including 2FA secrets and hashed passwords, may have been compromised,” the Calgary-based company said in a statement on its Web site. “This database did not include identification documents.
“As a result of the potential compromise of our database we cannot be certain of the confidentiality of account credentials. Please log into your account and change your password immediately. Please also clear your CaVirtex browser cookies.”
It stopped taking deposits Tuesday. Trading on the exchange will be halted effective March 20. Starting March 25th no withdrawals will be processed.
In an interview this morning Kyle Kemper, vice-president of business development, said no customer funds have been lost. “But they felt that the compromise was going to lead to such reputational damage, and in a business where trust and security are of tanatmount importance, that it would be too much to continue.”
The company’s CTO “noticed something abnormal” last week which led to the decision to close the exchange.
CaVirtex says the exchange has 100 per cent reserves, is solvent and “remains in a position to accommodate all customer (cash) withdrawal requests received prior to March 25.”
However Kemper said that because of the announcement there has been a rush on cash withdrawals, forcing the company to put some limits. CaVirtex’s payment provider won’t let process direct deposits of more than $150,000 a day . That means withdrawals could take at least five days.
Crypto-currency holders still can’t get access to their digital wallets until security it assured. Owners are being asked to log into their accounts and re-set their withdrawal address. Kemper couldn’t say when it will be ready to send the coins to owners, adding “we’re close.”
CaVirtex handles digital wallets for Bitcoin and Litecoin for people who buy and sell the digital currencies. It saw so much promise in digitial currencies that it opened a number of ATM machines in several Canadian cities.
Its Web site lists a number of technologies to ensure security including encrypting communications, two-factor authentication, not using the MD5 hashing algorithm, programming to prevent SQL injections and registering a token from a user’s browser to prevent unauthorized browsers from accessing the account.
In addition, it sends encrypted backups of the entire CaVirtex database and live wallet keys off site to backup locations on standby. “If needed, we can also rollback our database,” the company adds on its Web site. “This allows us to cancel suspicious trading activity and do our best to restore accounts and fund balances to the values prior to any attacks and resume operations with minimal downtime.”
Digital exchanges are tempting targets for attackers. Among the victims have been Sheep Marketplace (loss of $100 million in Bitcoin); Mt. Gox (loss of $447 million in Bitcoin); Alberta’s Flexcoin, forced to close after a theft; and Ottawa-based Canadian Bitcoins, which was defrauded last March.
The promise of digital currencies is their portability, which means they can solve some inefficiencies in the global payments system, and, for some, the fact that they are not under the control of governments. They have become popular enough that some enterprises allow goods and services to be bought with them. In fact yesterday Dell Inc. said Canadian and U.K. customers can now buy products with Bitcoin as well as those in the U.S. According to Bitcoinada.com, there are 338 businesses in this country that accept digital money. Last year a Forrester Research report said crypto-currencies will “inspire innovation and disruption for payments and commerce globally.”
However, their portability and lack of industrial-scale security also makes digital currencies vulnerable. As Forrester noted, if a Bitcoin address or key is hacked, the entire contents of the owner’s digital wallet can be stolen — and the user has no recourse. No bank, credit or debit card stands behind it.
A presentation on digital currencies I attended last August at the Toronto Area Security Klatch (TASK) IT security user group left me in no doubt that they are a big risk. After all, as Robert Beggs, CEO of Burlington, Ont.-based security consultancy Digital Defence and a founder of TASK said, a digital currency is merely a digital file.