Originally seen on: TechTarget
Cloud cryptomining as a service is a security risk to users. Expert Frank Siemons discusses cloud mining service providers and what to look out for if you use one.
One of the more interesting news stories over the last year has been the rise, and currently the fall, of cryptocurrencies.
Bitcoin is the best-known variety, but other cryptocurrencies, such as Litecoin, Ripple and Ethereum, also saw dramatic increases in their worth during 2017. While some of this value dropped off in the first few weeks of 2018, there exists significant value in these currencies.
These virtual coins or their transactions can be mined for a fee, though some coin varieties are more profitable than others. Bitcoin, for instance, has passed the stage where mining at home returns a profit. The complexity and the mining workload have increased so much that the resulting electricity costs far outweigh the value of the mined coins.
To avoid individual initial setup costs and to benefit from some of the efficiency increases that large specialized clusters bring, prospective miners can sign up with a cloud mining service provider.
Cloud mining service providers
The main benefit cloud cryptomining providers offer is their economy of scale. Primarily, these providers operate large data centers filled with specialized mining rigs. Everything from purpose-built hardware and software to power consumption is built around gaining maximum efficiency for cryptomining operations.
This significant investment has already been made, and the customer rents a small part of the processing power (expressed in megahashes or gigahashes per second) based on their expectation that the currency will be at a certain price point during the rental period.
Security concerns for cloud cryptomining
The mined virtual coins need to be stored in a digital wallet eventually. Home miners are advised to store this wallet on an encrypted offline medium, such as a detachable USB drive, or to use a secure online digital wallet service.
However, both options carry the risk of losing the stored cryptocurrency. This could be due to the theft or loss of the USB drive, a compromised computer, or a hack or bug within a digital wallet service, for instance.
A cloud cryptomining provider is not bound by the same regulations as a traditional bank. This lack of regulation brings with it significant risk. The providers potentially hold a significant amount of value in the form of virtual money, which makes them an attractive target for cybercriminals.
Some research into where data centers are located and under which jurisdiction they fall is fundamental. After all, technically these data centers could hold a significant investment in their virtual vault. Even physical security is an essential factor to consider.
Because cloud cryptomining services depend on distributed networks and require access to the internet, fully air-gapped storage is not possible in a cloud system. This opens up an entry point for external attackers, which is what the NiceHash hackers exploited when they stole an estimated $64 million worth of bitcoin in 2017.
The attackers gained access to a corporate machine through an engineer’s VPN account and started making transactions via NiceHash’s payment system. This simply could not have happened if an offline wallet had been used, as is often the case in smaller, individual setups.
Of course, attacks do not need to come from the outside. When relying on a company that is located in another country, the risk of internal fraud is high because it is handling a large amount of money without the protection of banking regulations. Several cases have been reported where either a staff member ran off with a significant amount of virtual currency or the entire cloud mining company was based on a scam.
Several provider comparison sites exist that discuss the reputations of cloud cryptomining companies. It is also advised to check online forums and social media channels before committing to any investment. Research is critical.
Where there is money, there is crime. The substantial increase in cryptocurrency investments and their meteoric rise in value over recent months have paved the way for many scams and breaches that are traditionally linked to banks and investment schemes.
Does this mean cloud cryptomining is always unsafe? It does not, but it is essential to look at the providers with at least the same amount of scrutiny as one would use when looking at a more traditional investment firm.
Probably even more scrutiny should be applied because of the lack of proper regulation at this point. As always, technology has outpaced policy.