Would Bitcoin Have Prevented the Biggest Credit Card Theft in History?

Target just had 40 million credit cards jacked. Would a cryptocurrency have made the difference?
Targeted by thieves. via Flickr

On Wednesday, security journalist Brian Krebs revealed that Target had been hit by hackers just after Thanksgiving, during the most frenzied period of holiday shopping. Target stayed mum, perhaps privy to the gravity of the fuck up, before finally going public Friday. In total, the data for 40 million credit and debit cards was jacked, the largest heist of its kind ever, and the goods are already being hawked on the deep web for anywhere between $20 and $100 apiece. Could Bitcoin have made a difference?

Since the data was ripped straight from each card’s magnetic stripe, the thieves can encode it onto blank cards and produce working clones, which for all intents and purposes are as good as the original: the stripe holds a static credential, and whoever copies it holds the card. If they also have the PINs for the debit cards, which is impossible to rule out, they can start pulling cash out of your account at the nearest ATM.

For bitcoiners, it was the perfect opportunity to heckle the establishment, pointing out a fundamental security flaw within the current digital payment system. Every time you make a purchase, your finances are inherently at risk. "If Target accepted Bitcoins, 40 million individuals would have been protected," they proudly proclaimed. It was a common joke among some of the crypto-scenesters I had beers with after a bitcoin holiday party in downtown New York City, even if they were only half serious.

On the one hand, they have a point. A Bitcoin payment is authorized with a digital signature made by your private key; what the merchant, and anyone who breaks into the merchant, ends up with is the signed transaction and your public key, which are useless for spending anything else. To steal your funds, they’d need the private key itself, which never leaves your wallet even when you’re buying stuff. On the other, that statement is totally fallacious. If Target accepted bitcoins, like Overstock soon will, a handful of crypto-nerds and your local libertarian would have been protected. The rest of us, about 39,999,992 in total, would have still been robbed.

Even so, Bitcoin represents an undeniable technological solution to credit card fraud. There are over 11 million victims of identity theft annually and growing, according to the Department of Justice, which amounts to $21 billion in total losses this year alone, up from $13 billion in 2010. Since a bitcoin address carries no name, billing address or card number that can be reused somewhere else, cryptocurrencies conveniently sidestep this gaping security epidemic.

Perhaps more distressingly, victims become subject to the whims of a corporation’s bottom line. Target waited two full days before going public, and you have to wonder how long higher-ups knew about the heist before Krebs blew the lid. And despite eventually acknowledging the lapse, the company has been less than forthright about the severity of the issue and even about whether or not it has successfully cleaned up its systems. The card issuers, too, have resisted taking a more proactive approach, given the cost of replacements and the potential interruption to lucrative Christmas shopping.

"My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers,” writes Krebs. “The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.”

Instead, they’d rather take their chances. As a Chase customer, I know that I can get a replacement card at my local branch on-site in about 15 minutes. This is a case where cost clearly trumps customer security or alleged convenience.

But to be fair, most credit card companies have zero liability policies to protect their customers from theft. In the end, they’ll be the ones eating the losses. With Bitcoin, you’re on your own, and this is where the crypto-security argument starts to break down.

Yes, in the techno-utopian fantasy world that bitcoin followers believe to be inevitable, a Target-style hack would be pointless: there would be nothing at the register worth stealing. But rather than eliminating the potential for fraud outright, it merely shifts the risk to the end-user, who now has to guard a private key, and most of us are ill-prepared to handle that kind of responsibility.

If Target’s point-of-sale systems are vulnerable, your grandma’s desktop running Windows ME and Internet Explorer 6.0 is veritable Swiss cheese. When your credit card gets stolen, Bank of America will send you a new one and reset your account. If you lose the thumb drive storing your bitcoin wallet and have no backup of the keys, you’re shit out of luck, like the dude haplessly digging through his local landfill who presumably never recovered his $9 million worth of BTC.

Generally speaking, whether due to carelessness, ignorance, or downright apathy, we’re piss poor at managing our personal security.

I found out that my mom’s Yahoo account was hacked last year after she stopped responding to emails (something only I’m allowed to do without prompting hysteria). When I told her she should immediately update all of her accounts—she uses the same login for just about everything—she stared at me blankly, totally oblivious and unconcerned. After I insisted, she waved me off, annoyed that I was giving her homework while we were trying to enjoy a rare dinner together. The woman has a master’s degree in computer science, but like most of us, prefers the illusion of perceived safety over the grim reality, not that I blame her. Everyone’s personal bandwidth is limited, and the protocol settings on your home firewall—if you’re astute and ambitious enough to have one (highly unlikely)—are the last thing anyone wants to think about.

It doesn’t help that our personal computing platforms are woefully inadequate at protecting us, a fact most corporations try to sweep under the rug. When put through Dennis Technology Labs’ tests, Microsoft Security Essentials missed 39 percent of incoming malware. I’m not sure if my Macbook even has anti-virus software so it’s probably smart that my bank account isn’t saved on my hard drive. The last time I can recall contemplating Apple security, the company was still claiming that “OS X doesn’t get PC viruses,” which was misleading at best: Macs don’t catch Windows viruses, but they get plenty of malware of their own. They’ve since nuanced their marketing, but only enough to ward off potential lawsuits.

The tech-savvy aren’t immune either, like the sorry Wired editor whose “entire digital life was destroyed” all “in the space of one hour.” Corporations, like Target, are starting to get the hint, but it’s usually reactionary rather than preemptive. At Motherboard, we’ve implemented heightened security protocols but only after VICE was unceremoniously hacked by the Syrian Electronic Army.

In order to access our content management system, I had to first acknowledge that I used Google’s 2-step verification feature, which puts me in a small minority of Gmailers (because it’s fucking annoying), and had to have my password texted to me. Before that, my username was “admin,” a shared account my editor sent over unencrypted instant message. We’ve learned from our nonchalance and naivete, but when someone’s financial livelihood is at stake, there aren’t always second chances to learn from our mistakes.

That’s the thing with internet security: it’s a perpetual game of cat and mouse. No open network that actually does useful work is perfectly secure, which is why cyberwarfare not only exists but is rapidly expanding. In the case of personal finances, security is one thing and insurance is another, which, luckily, our current system provides. Bitcoin does not.

It likely will in the future as the ecosystem matures and regulations that serve to protect the country and its people are further refined. Today we have exchanges and online wallets. Tomorrow, we might have an actual Bitcoin bank, one with a rainy day fund in case it all goes wrong. Presumably, every new layer of service will incidentally pose fresh opportunities for bitcoin bandits.

Then there’s the protocol itself, which presents unique challenges. Satoshi’s code has proved incredibly resilient, perhaps miraculously so, but it’s far from flawless, lead developer Gavin Andresen admits, well aware of the havoc a fault in the code could wreak.

“The most serious, which has never gotten wide coverage, was a bug in the early days that let anyone spend anyone else’s Bitcoin,” Andresen told Forbes in November. “It was an edge case that someone found and a fix was quickly deployed. If that happened now, it’s almost unthinkable. It would cause immense chaos. We’re at the point now where so many people have gone over the code with huge financial incentive to break it that we’re fairly confident that kind of big flaw doesn’t exist.”

While the four-year run continues to build confidence in the project’s underlying security, it doesn’t rule out future discoveries, like the selfish-mining attack recently described by Cornell researchers who concluded that “Bitcoin is broken.” And since the open-source protocol is in ongoing development, each new software release is itself a potential threat, like the one in March when nodes running the new 0.8 client accepted a large block that older 0.7 nodes rejected, splitting the blockchain in two for several hours until miners rolled back.

Such are the fine lines between the once secure and the suddenly insecure, which can come down to the flip of a coin and the reason why the notion of a fundamentally more secure system is a complete fallacy.

Which finally brings us to cryptography, or at least our faith in its invincibility, the faith that lets Bitcoin be a multi-billion dollar market. Only time will tell if that trust is ultimately misguided. I’m not smart enough to speculate on the theory of unbreakable cryptography, but experts far more intelligent than me have been caught off-guard. Thanks to documents leaked by Edward Snowden, Reuters uncovered a probable NSA “back door” shipped inside popular encryption products. The back door sits in a random number generator, Dual_EC_DRBG, not in an encryption algorithm, and it is built on the NIST P-256 curve, secp256r1, the same curve nearly every other application signs with and whose parameters were generated from a seed NIST has never explained. Both were considered the industry standard, at least until they weren’t.

To Bitcoin’s credit, it’s a potential landmine that Satoshi improbably sidestepped, whether out of genius foresight or just dumb luck, explains Chris Pacia:

The unbelievable thing is that rather than using secp256r1 like nearly all other applications, Bitcoin uses secp256k1, which uses Koblitz curves instead of pseudorandom curves and is still believed to be secure. Now the decision to use secp256k1 instead of secp256r1 was made by Satoshi. It’s a mystery why he chose these parameters instead of the parameters used by everyone else (the core devs even considered changing it!).

“I did not know that BitCoin is using secp256k1,” Dan Brown, Chairman of the Standards for Efficient Cryptography Group, told Pacia. “Indeed, I am surprised to see anybody use secp256k1 instead of secp256r1.”

Security, like the idea of perfection, is a transient state, something to work toward but a destination we’ll never actually reach. This is also why Bitcoin, in practice, may never be more secure than the system we already have. The strength of a system isn’t defined by its theory but by the actual effort put toward securing it, made stronger yet through continued resilience and the regulations that follow.

With the luxury of time and experience on their side, these amorphous entities have had the opportunity to evolve, react, and grow, like the body's immune system, which grows stronger with each disease it successfully defeats, not to mention the preventative measures picked up along the way. By contrast, Bitcoin is still in its infancy, too young to have made enough mistakes to be truly wise or gotten sick enough to develop proper antibodies; it’s still the proverbial Wild West.

There’s something to be said about stability through longevity. Instead of outright revolution, it might be preferable to simply amend the Constitution we already have. Which isn’t to say that there isn’t room for spunky upstarts next to legacy systems; Bitcoin undeniably offers its own unique set of advantages. But it does mean that it isn’t as secure as its followers would like us to believe. That can certainly change. In the meantime, we should all be glad Target still accepts Visa.

@sfnuop