Turning a blind eye to security in favor of optimism

If you have any take-away from reading KuppingerCole research, hopefully it is that APIs are a critical element to protect. This is true regardless of the industry. Even cryptocurrencies.

IOTA, the blockchain-like cryptocurrency and transaction network was compromised in mid-February. The API access to the IOTA crypto wallet via a payment service was targeted and exploited for potentially two to three weeks. Approximately 50 accounts were compromised, leading to the eventual theft of around 2 million Euros.

There is a risk in trusting the promises of hyped technology. Blockchain is often praised as being tamperproof and highly secure, and it still is. The blockchain – or more specifically, the DAG protocol that is similar to blockchain – didn’t cause the vulnerability. However, somebody – perhaps network overseers, third-party services, or Content Delivery Networks – trusted this claim a little too much and neglected to protect the mundane aspects of the solution.

Do we want decentralization?

A delay in communication caused the attacker to exit with their payload. The third-party service that was compromised became aware of the breach on February 10th and removed the attacker’s entry point to stealing private key information. Only five days later did the third-party service communicate and collaborate with the IOTA Foundation to freeze the network and all transactions. In that period of time, the attacker was able to empty the compromised accounts of approximately 2 million Euros.

The damage to individual accounts wasn’t higher because the IOTA Foundation has some degree of control over the network. This level of control allows the network to be arbitrarily halted, and for the Foundation to implement a claims registration tool to offer some degree of user protection. These basic tasks are completely absent from fully decentralized solutions like Blockchain or Ethereum. But in instances like this, perhaps some centralized support is not amiss.