Patrick Walsh
Originally published at blog.ironcorelabs.com.

Bits, Banks and Burglars

Most stolen digital data has really just been copied. A typical digital theft is the stolen emails of the Democratic National Committee (DNC). These emails were considered private when written, but were later accessed by hackers and then released to the public. This sort of viewing of private data is often referred to as data theft, but at the time it was stolen, nothing went missing from the DNC and no one knew cyber burglars had taken their emails.

Traditional thefts, where someone gains something and someone else loses something, do happen online and primarily with digital currencies like bitcoin. Digital currencies are built on technology that allows data to be possessed by only one person at a time, and that is significant. But the digital implementation is very different from the real world and those differences make it much harder to reclaim stolen digital currency.

Quick Primer on Digital Currency

Here are the five key things you need to know about digital currency in order to understand how it gets transferred and why it’s hard to get it back:

  1. Many currencies: There are at least 21 active digital currencies, according to Wikipedia. The two most popular are Bitcoin and Ethereum, but the list goes on.
  2. The blockchain: These currencies work on top of a technology called the blockchain. Think of every bitcoin as having a serial number, much like physical currency has serial numbers, but every one of these is tracked so that only one person can possess it at a time. The blockchain is the distributed ledger that tracks every transfer and where each serial number currently resides. Everyone can view this ledger, but no one owns or controls it. New transactions can only be added to the end.
  3. Pseudonymous: Anyone can create a wallet (or multiple wallets). A wallet is like a bank account for digital currency and it has an account number. Rather than hand out this account number, wallet holders can generate addresses, to be used in transactions once or many times, which are like account number aliases. These help protect privacy. A wallet is not tied to a person’s real identity, but in the process of buying something or converting real currency, the owner may have to disclose her name and address. The person on the other end of the transaction can then tie the address to a person. Also, since all transactions are public, determined investigators can follow money flows and tie addresses together and discover who is behind them.
  4. Secret-based security: You can give out instructions for others to send currency to one of your wallet’s addresses, but to take money out of the wallet, you have to possess the secret information, the private key, associated with it. Anyone who can access this secret information, which could include malware or hackers on your computer, can send money elsewhere. If you trust your digital money to one of the many eWallet companies or to currency brokerages, it becomes easier to use and to exchange. This can come with features that bring extra privacy and convenience, but you must trust the company to keep your wallet safe. If your broker gets hacked, attackers may potentially get full access to your accounts. And unlike with stolen credit card numbers, the liability is all yours.
  5. Irreversible transactions: There is no way to void or otherwise undo a transaction. Once currency has been transferred to another party, the original party cannot get it back. Police cannot seize it unless they can identify the thief and get access to their wallet by getting access to their secret. In short, there’s no undo and no facility for recovering stolen money.*
    * See “The DAO” section below for the exception to this statement.

Notable Digital Currency Thefts

In recent times, we’ve seen a number of massive digital currency thefts with some pretty fascinating back stories and lessons. Here’s a summary of the most interesting thefts:

Credit: Quartz Credit: Quartz

Summary

Before digital currencies, financial institutions that fell prey to a malicious insider or exploited software bug would result in the copying (theft) of customers’ personal data, financial records and possibly even transfers out of their accounts. In many cases, when money is stolen, it can later be reclaimed by law enforcement and agreements between banks. With digital currencies, a malicious insider or software bug can transfer money that cannot be recovered unless authorities are able to find the perpetrator and get full access to their secret keys.

That said, in many ways digital currencies are more secure and more trustworthy. If you can protect your wallet’s secret key, no one can seize or steal your money.

These lessons are important because traditional banks are embracing the technology underlying these digital currencies to build stock exchanges and marketplaces of the future. The technology has a lot of promise, but there’s much still to learn and improve. Without a doubt, we’ll continue to see high profile, large sum thefts of digital currency.