Cryptocurrency Investors on Edge after Two Ethereum ICO Breaches in a Week

Initial Coin Offerings (ICOs) powered by the Ethereum blockchain platform are the hottest thing going right now, but are they secure? On July 24, 2017, the second Ethereum ICO hack in a week hit the news, as digital wallet firm Veritaseum disclosed to Bleeping Computer that a hacker stole approximately $8.4 million from its Ethereum ICO.

Ethereum ICO Hacks Rattle Investors

Ethereum has had a rough month. A week before the Veritaseum hack, cryptocurrency trading startup CoinDash had $7 million stolen from its Ethereum ICO within minutes of the offering being launched. A few days later, smart contract coding company Parity issued a security alert regarding a vulnerability in its wallet software that had led to approximately $30 million worth of Ether cryptocurrency being stolen. In early July, an unidentified hacker or group breached and took control of the web domain belonging to Classic Ether Wallet, redirecting the domain to their own server and transactions to their own account.

What is an Ethereum ICO?

An ICO is similar to an IPO (Initial Public Offering). Investors use regular, or fiat, currency to invest in the ICO, but instead of receiving units of stock in return, they get units of cryptocurrency, called “tokens.” The investors can either hold the tokens until the issuing company decides to buy them back or sell them to other users in exchange for units of cryptocurrency. Any unit of cryptocurrency can be used; in ICOs powered by the Ethereum blockchain, the cryptocurrency used is called Ether. If all goes well, the cryptocurrency will increase in value, and the investors will profit off their tokens.

Unlike IPOs, initial coin offerings are completely unregulated. This has made them very attractive to disruptive tech startups that wish to bypass the highly regulated IPO process required by banks and venture capitalists. Ethereum ICOs have become extremely popular due to the power of the Ethereum blockchain platform they run on. Unlike competitor Bitcoin, Ethereum is far more than just a cryptocurrency platform; it was designed to be a virtual machine that uses what are called “smart contracts,” or decentralized, self-executing agreements coded into the blockchain itself. Smart contracts are a disruptive technology with enormous potential to replace all manner of traditional financial, social, and legal agreements, from options contracts to bonds, which is one reason why Ethereum is quickly becoming the ICO platform of choice.

Are Ethereum and ICOs Safe?

Because they are unregulated, ICOs are risky. There is no requirement for companies to provide the voluminous investor disclosures that they would have to for an IPO. There are fears that ICOs could be used for money laundering purposes or that the issuers themselves could “hack” their own ICOs and steal tokens. These problems have not escaped the attention of the SEC, which is reportedly eyeing the ICO market warily in preparation for future regulations. Update: After this article went to press, the SEC, NFA finally weighed in on ICOs, declaring them “securities” and paving the way for regulation.

As to the inherent cybersecurity of Ethereum, Ether wallets, and ICOs launched on the Ethereum platform, it is important to note that, as in the SWIFT Network attacks that rocked the international banking world last summer, the Ethereum blockchain itself was not breached during any of these attacks. Instead, in each case, hackers took advantage of website vulnerabilities or coding errors in third-party tools built to make use of the Ethereum blockchain, such as Ether wallets. The blockchain, in and of itself, is very, very secure – it would take massive amounts of computing power to even attempt to hack it – but the applications used to access it, including those used to buy, sell, and store tokens and cryptocurrency, may not be. The Parity breach, for example, was traced back to a single missing word in a line of code for its Ether wallet. The CoinDash and Classic Ether Wallet breaches were the fault of security holes in the issuers’ company websites.

Although cryptocurrency investors are concerned about the recent spate of Ethereum ICO attacks, only time will tell whether they’re rattled enough for permanent damage to be done to the ICO craze. Certainly, anyone who is considering investing in an ICO, regardless of which platform it is being run on, should tread carefully. The lesson all enterprises can take from these hacks is the importance of website security, secure software development, and proactive cyber security and GRC practices in a digital world where most money, including fiat currency, is moved and stored electronically.

After all, just one missing word in a software program resulted in a $30 million loss.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

SEC, NFA cyber security enforcement is set to intensify in light of recent global attacks and new enforcement chiefs

Public companies and firms operating in regulated industries, especially finance, should expect more SEC, NFA cyber security enforcement in the wake of new and emerging threats, like WannaCry and NotPetya, as well as the appointment of two new cyber-minded enforcement chiefs. Reuters reports:

On Thursday, the U.S. Securities and Exchange Commission named Stephanie Avakian and Steven Peikin as new co-directors of enforcement.

In an exclusive interview ahead of the formal announcement, the two said they were deeply concerned about cyber threats and see the topic as a major enforcement priority.

“The greatest threat to our markets right now is the cyber threat,” said Peikin, who was still wearing a guest badge because he has not yet received his formal SEC, NFA credentials yet. “That crosses not just this building, but all over the country.”

The SEC, NFA has started to see an “uptick” in the number of investigations involving cyber crime, as well as an increase in reports of brokerage account intrusions, Avakian said. As a result, the agency has started gathering statistics about cyber crimes to spot broader market-wide issues.

This follows on the heels of a risk bulletin the SEC, NFA released in response to the WannaCry attacks, urging broker-dealers, investment advisers, and investment companies “to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.” The bulletin directed readers to a website established by the Financial Industry Regulatory Authority (FINRA), a self-regulatory organization overseen by the SEC, that provides numerous cyber security tips and resources.

Cyber Security Problems Uncovered During Regulatory Exams

Also contributing to the new SEC, NFA cyber security focus are widespread security lapses the SEC, NFA found during recent regulatory exams at financial companies, including:

Unauthorized disclosures of personally identifiable information (PII).

Issues with phishing emails; employees were found to click on suspicious attachments more than 20% of the time.

Third-party wires not being properly authenticated.

Organizations not conducting periodic risk assessments, penetration tests, and vulnerability scans.

Penalties for non-compliance with SEC, NFA cyber security standards can be severe. Last June, the agency fined Morgan Stanley Smith Barney LLC $1 million for failing to sufficiently secure its systems to prevent a breach; sanctioned Craig Scott Capital LLC for $100,000 for using non-firm email addresses to receive faxes; and made R.T. Jones Capital Equities Management Inc. pay $75,000 for “failing to implement proper cyber policies” after the firm was breached.

Financial firms aren’t the only ones on the SEC’s radar. Law360 reports that the SEC, NFA is investigating Yahoo for its numerous data breaches.

Sound GRC Practices Will Keep Your Organization on the SEC’s Good Side

A panel held at the recent 2017 FINRA Annual Conference discussed five best practices organizations should adopt to prevent cyber attacks and maintain compliance with both FINRA and SEC, NFA cyber security standards: governance, risk assessment, cyber security training, access management, and vendor management.

Some organizations, especially small and medium-sized businesses, struggle with the cost and time commitment that proactive cyber security and GRC require. To slash the time and money companies must devote to cyber security, Lazarus Alliance utilizes the Continuum GRC IT Audit Machine (ITAM), a proprietary RegTech software package with user-friendly self-help modules, including modules for the FINRA SEC, NFA Cyber Security Report Card and the FINRA Small Firm Cybersecurity Checklist. ITAM saves money, simplifies the compliance process, eliminates audit anarchy, and speeds up the GRC assessment and reporting processes by 180%.

The cost of cyber attacks and non-compliance penalties are much higher than preventing attacks and maintaining compliance in the first place.