PGP Could Have Prevented BitPay Phishing Attack
Editors Note: We have updated the article to clarify that Mr Krohn’s email was compromised not Mr Pair’s. Also we have updated to link Mr Zimmerman as the creator of PGP and linked his Wiki page. We apologize for the confusion.
Two weeks ago, it was revealed that BitPay suffered a phishing attack in late 2014, costing the company $1.8 million USD. According to documents obtained by the Atlanta Business Chronicle, a hacker gained control of BitPay CFO Bryan Krohn’s email account, and somehow got access to an account where he authorized the transfer of 5,000 bitcoins.
Also read: Bitcoin’s Commodity Label is Positive News
This event seems to be the latest in a series of issues BitPay has been having. These problems include layoffs, high-cost and low return marketing expenses, and an inability to get Bitcoiners to use the digital currency for retail purchases.
The hacker stole the credentials from Krohn, and used his accounts to request Bitcoin payments from CEO Stephen Pair. Pair sent two payments of 1000 BTC, one 3000 BTC payment to Bitcoin addresses outside of BitPay’s control. These were made in three separate transactions to SecondMarket, curiously one of the BitPay’s clients, from whom the company doesn’t require advance payment.
What Actually Happened
According to documents filed by BitPay, the company was in negotiations about the purchase of BitPay’s magazine business, yBitcoin.
David Bailey, founder of yBitcoin, saw his email account compromised first. Then Krohn received an email coming from Bailey requesting that he review modifications made in a Google document. That was when his login credentials were stolen. The hacker also obtained details about how BitPay transacts with its customers, like SecondMarket’s advance payment exemption.
On Dec. 11, Stephen Pair, received an email from someone posing as Krohn, requesting the transfer of 1,000 bitcoins to SecondMarket. Pair made the transaction and shortly after, he received another email requesting another 1,000 bitcoins. BitPay’s wallet on Bitstamp was the account used to send those coins. The following morning, Pair got another email, requesting 3,000 bitcoins to be sent to SecondMarket at a different wallet address.
Pair then confirmed the transaction in an email to Krohn and SecondMarket’s Gina Guarnaccia. Gina immediately replied back denying her company purchased the bitcoins, or that she sent a previous email verifying the 3,000 bitcoins and the wallet address. That’s when the company became aware of the phishing attack.
Days later, BitPay filed a claim for losses to Massachusetts Bay Insurance Company, which denied insurance for the loss in a June 8 letter.
On September 15, 2015, BitPay filed a suit against MBIC for breaching contract, bad faith failure to pay and statutory damages. It is seeking $950,000 in damages plus court fees.
How Could the Phishing Attack have Been Prevented?
According to the description, we assume that the fatal flaw started when the hacker gained access to Khron’s email credentials. It looks like Khron didn’t have any extra security implemented, and somehow the hacker got hold of his credentials.
Today, there are several security software options that could have prevented this from happening. If the BitPay used an extra security layer of encryption with digital signatures to authenticate email messages, this could certainly have been prevented.
For example, Pretty Good Privacy (PGP) could have been the best option for BitPay to secure its staff email list, since it uses a variation of the public key system to secure and authenticate emails.
Pretty Good Privacy, or PGP, is a popular program used to encrypt and decrypt email, as well as authenticate messages with digital signatures and encrypted stored files. In this system, developed by Phil Zimmerman, each user has a private encryption key that is known only to that user. When you encrypt a message, you send it to someone else using their public key. When they receive it, they decrypt it using their private key. PGP uses a faster encryption algorithm to encrypt the message, and then uses the public key to encrypt the shorter key that was used to encrypt the entire message. Both the encrypted message and the short key are sent to the receiver who first uses the receiver’s private key to decrypt the short key and then uses that key to decrypt the message.
PGP can be used in just about every conceivable case where strong encryption is needed. Anyone who has a certain user’s public key can send encrypted emails, which only the specific user can view. Likewise, he or she can send encrypted emails to other contacts by first downloading their public keys. Only the body of the email will be encrypted. The subject and metadata (to, from, cc, and timestamp) will still be visible to anyone spying on a user email. Users can encrypt whole folders and files with their own public keys to protect them from attackers who may gain access to their hard drives.
This security software makes phishing attacks nearly impossible; had the company been using it, the attack likely wouldn’t have happened.
The Community Reaction
The community previously considered Bitpay a shining example of how to play a part in the ecosystem. Now, members of the community have been accusing the company of staying far behind with developments, saying that if BitPay had implemented Multisig or 2FA, the hack wouldn’t have happened.
Like Mt. Gox, BitPay has been a big player and one of the first companies that would come to mind for many. The shadow of Mt. Gox seems to more present than ever, and news like the BitPay causes concern in the community.
BitPay was founded in 2011, aiming to revolutionize the financial industry by making payments faster, more secure, and less expensive on a global scale.
BitPay started with the intention of making it easy for businesses to accept bitcoin payments, and it is currently the one of the largest bitcoin payment processor in the industry, with over 60,000 merchants across six continents.
Now that BitPay’s insurer declined to pay the amount requested by the payment processor to cover the Hack, BitPay will have to bear a huge loss. As of press time, the future of the company remains unknown.
Besides PGP, what other security options could have prevented the attack? Let us know in the comments below!
