The dramatic fall of BitCoin: No end in sight

We’ve discussed BitCoin at some length on Memeburn, including how it works, its potential downfalls, and its genuine merits. BitCoin has experienced its ups and downs in the few years since it emerged as an online currency. Last year, a major ‘pick-pocketing’ scandal broke when an anonymous BitCoin user claimed that thieves had managed to steal nearly US$ 500 000 worth of BitCoin. Although the case was unverified, a series of similar incidents caused the BitCoin exchange rate to crash at the time.

This year, a number of new attacks on BitCoin have raised further concerns for the online currency. The first major incident was when Linode, a Linux-based hosting provider, was hacked and the BitCoin wallets of eight users were pilfered to the tune of nearly USD $228,000. Last week, servers owned by Bitcoinica, a BitCoin trading site, were hacked and more than USD $87,000 worth of BitCoin was stolen by online thieves.

Proponents of the online currency claim that there is no fault with the currency itself. In principle, they’re right: each of these attacks seems to have been a simple theft operation. The currency itself still functions without a breach, in the sense that nobody (as far as we know) has been able to fraudulently generate usable BitCoins. In fact, due to the currency’s strength and the speed with which it is being adopted on the Internet, along with many of its unique features, the FBI has published a report damning the currency as a tool that facilitates illegal activity on the internet. Certainly the FBI is not the only organization that has called the digital currency into question. Last year the Electronic Frontier Foundation (EFF) backed out of using the currency as questions over its legality came to light.

While BitCoin proponents fight hard against any critique of the economic viability of the currency (see comments), some more serious technical challenges are slowly emerging that may not bode well for BitCoin’s long-term survival.

Recently, a paper was published online showing a ‘double-spending’ attack that could be achieved using BitCoin. This attack relies on what the paper calls ‘fast-payments’: transactions in which the exchange of money for goods takes place within a few seconds. The attack is possible because BitCoin payment verification actually takes time to complete.

Currently, BitCoin suggests that for fast-payments of relatively low value, vendors should provide service without verification of the transaction. This isn’t quite as bad as it sounds: the actual BitCoin will appear within the vendor’s wallet almost immediately, and it only takes a few seconds for the transaction to be noted by the rest of the network, which should be sufficient proof that the payment will ultimately be properly verified.

However, if the attacker has enough nodes within the BitCoin network to verify a second transaction made to a colluding account within a very short space of time, the BitCoin network will ultimately refuse the payment to the original vendor. The paper concludes that as BitCoin stands at the moment, it is possible to achieve double-spending on fast-payments and this could prevent uptake by vendors who need to be able to process transactions quickly. To be fair, the paper does suggest a way to get around the problem with a minor modification to existing BitCoin clients, but until this is done BitCoin cannot be relied on to handle these kinds of payments.
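The vendor-side check implied by the passage above, as an added example that is not from the paper or from any BitCoin client: before releasing goods on an unconfirmed fast-payment, look for a second transaction spending the same coin. The transaction records, names and amounts are constructed, and the example assumes the vendor's node can see both transactions.

```python
from collections import defaultdict

# Constructed sample of unconfirmed transactions as seen by a vendor's node.
# Each entry: txid, the outpoints it spends (prev txid, output index), its outputs.
OBSERVED = [
    {"txid": "tx_pay_vendor", "inputs": [("coin_a", 0)],
     "outputs": [("vendor_addr", 5_000_000)]},
    {"txid": "tx_pay_colluder", "inputs": [("coin_a", 0)],
     "outputs": [("colluder_addr", 5_000_000)]},
    {"txid": "tx_honest", "inputs": [("coin_b", 1)],
     "outputs": [("vendor_addr", 2_000_000)]},
]

def find_conflicts(observed):
    """Map each outpoint spent by more than one distinct transaction to those txids."""
    spenders = defaultdict(set)
    for tx in observed:
        for outpoint in tx["inputs"]:
            spenders[outpoint].add(tx["txid"])
    return {op: sorted(txids) for op, txids in spenders.items() if len(txids) > 1}

def fast_payment_decision(txid, observed, vendor_addr, amount_due):
    """Return (release_goods, reason) for one unconfirmed payment."""
    tx = next((t for t in observed if t["txid"] == txid), None)
    if tx is None:
        return False, "payment not seen on the network"
    paid = sum(value for addr, value in tx["outputs"] if addr == vendor_addr)
    if paid < amount_due:
        return False, "underpaid"
    conflicts = find_conflicts(observed)
    for outpoint in tx["inputs"]:
        if outpoint in conflicts:
            rivals = [t for t in conflicts[outpoint] if t != txid]
            return False, f"input {outpoint} also spent by {rivals}"
    return True, "no conflicting spend observed"

if __name__ == "__main__":
    for txid, due in [("tx_pay_vendor", 5_000_000), ("tx_honest", 2_000_000)]:
        print(txid, fast_payment_decision(txid, OBSERVED, "vendor_addr", due))
```

A result of `True` only means no conflict has been observed so far; a conflicting spend that never reaches the vendor's node is invisible to this check, which is why waiting for verification remains the stronger guarantee.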

Another interesting paper was published recently, discussing anonymity, which BitCoin advocates and adversaries both see as a feature facilitated by the peer-to-peer technology that underpins the whole currency. While BitCoin developers have tried to make it clear that anonymity is not a feature that exists by design, it appeals to many BitCoin users and is also one of the points that opponents use to attack the currency. Notably, the FBI’s recent paper suggested that the anonymity afforded by BitCoin makes it difficult to track illegal cyber-activity.

The problem is that it is actually very easy to build a profile of a BitCoin user and all of their transactions by combining the information that is available within the BitCoin network with publicly available information gathered from off-network resources. This paper shows a brilliant analysis of the ‘pick-pocketing’ theft that I mentioned earlier, where the equivalent of a half-million US dollars was stolen from a BitCoin user. Using a combination of techniques, the researchers are able to draw some interesting conclusions about where the money went and what actually took place prior to and after the theft. In this case, the researchers only studied BitCoin using passive analysis; however, they warn that by ‘marking’ BitCoins or by collaborating with interested parties, it would be relatively easy to discern much more detailed information about users within the system.

This attack on anonymity is not particularly new, and certainly, the FBI makes a point about it within their own paper. As I have already said, anonymity is not meant to be a designed feature of the currency, but many people use the currency as if their anonymity is assured. As researchers spend more time investigating the currency, BitCoin’s future (at least from a technical standpoint) becomes increasingly uncertain.

