The Japan News/Yomiuri
Teiji Osawa and Shinsuke Yasuda / Yomiuri Shimbun Staff Writers

Coincheck's weak security measures led to NEM hack

(Credit: The Yomiuri Shimbun)

An exchange for virtual currencies, which have been extremely popular lately, has been the victim of a major theft.

Coincheck, one of the larger exchanges, announced that the equivalent of 58 billion yen worth of the virtual currency NEM had been stolen. The company, which is based in Shibuya Ward, Tokyo, appears to have used a vulnerable system to manage the assets it held.

Flawed data storage

"In running the exchange, we were aware of the possibility [of fraudulent access]. We had a sense of urgency about implementing [safety measures]," Coincheck President Koichiro Wada said at a press conference that started late Friday night.

As the head of what was considered a major virtual currency exchange, one that even ran commercials on television, Wada appeared deeply troubled. Much of the press conference focused on the system the company used to manage its assets.

Virtual currencies are managed on computers using what are called "wallets." The exchanges that broker transactions on the internet are vulnerable to a risk of fraudulent external access, so most exchanges store their data in "cold wallets" that are not connected to the internet.

However, Coincheck did not use this method to manage its NEM, instead keeping the currency in "hot wallets" that were connected to external networks.

Yusuke Otsuka, a Coincheck director, said the company had been slow to address the situation. Cold wallets "are highly difficult in terms of the system. We had started on them, but we weren't fast enough," Otsuka said.

Yet an executive of a Tokyo-based security company said, "From a safety standpoint, it's unthinkable to manage data 'online.'"

Moreover, much of the virtual currency industry is implementing "multisignatures," which use several protective measures, such as PIN numbers. Coincheck said it was preparing to introduce such a system, but did not know when it would be ready.

Suspicious activity

The first remittance of NEM to an outside party occurred at about 3 a.m. on Friday, but the company did not realize anything unusual was happening until around 11:25 a.m., eight hours later.

Almost all of the NEM the company was holding had been taken, but it was not withdrawn all at once. Several withdrawals were made.

"We became aware of the situation due to an alert" that is sent out when something unusual is detected, Otsuka said.

"Whether [eight hours] is a long time is a matter of perspective," he added, declining to be more specific.

However, Takayuki Sugiura of the data security firm L Plus LLC said, "If there had been a system that allowed them to quickly grasp that something had happened, they could have responded faster."

Long screening process

According to the Financial Services Agency, there are 16 virtual currency exchanges registered in Japan, such as the large exchange bitFlyer Inc.

Coincheck's application is being processed and the company is considered a quasi-operator, which is a special category for businesses that were operating before the registration system was put in place.

Legally, these entities are subject to the same regulations as registered vendors. Coincheck submitted its application in September, but the screening process has been protracted.

The screening appears to have taken considerable time because the company deals in 13 virtual currencies, a large number, and aspects such as whether its system is secure must be examined.

Read more from The Japan News at https://japannews.yomiuri.co.jp/
