The past few years have been a watershed moment for security in crypto. As the asset class has gained popularity, more and more security breaches have been highlighted and more institutions targeted.
The burgeoning industry is ripe with opportunity, but also with risk. Two incidents that highlight this lapse in security spring to mind.
Back in January 2018, Coincheck Japan was targeted, with attackers succeeding in stealing $530 million worth of NEM tokens from the crypto exchange. It is one of the biggest crypto exchange heists in the relatively short history of the industry and stands alongside the infamous attack on Mt. Gox, when around 800,000 BTC was stolen — a sum worth over $6 billion today.
Further back, in February 2016, the Bangladesh Bank was targeted. Thieves attempted to steal a total of $850 million via properly authenticated transactions ordering the Federal Reserve Bank of New York to transfer the money over the SWIFT network. While “only” $101 million was transferred to final beneficiaries in the Philippines and Sri Lanka, the incident ended with a whopping total of $81 million successfully stolen.
What do these incidents have in common? The complacency of the victims — central banks and top crypto exchanges — and their management of security credentials (be it passwords or private keys) in giving access to the transfer of fiat money or cryptocurrencies.
The SWIFT network used for the Bangladesh Bank and other similar heists was not hacked; the users of the network were. The blockchains used to transfer the NEM out of Coincheck and the BTC out of Mt. Gox were not hacked; the exchanges — i.e., the users of those blockchains — were. Their systems and credentials were so poorly protected that hackers were able to take control and impersonate their victims with ease.
The SWIFT community reacted to these events by reinforcing cybersecurity controls, by identifying the weakest players and by ensuring hackers’ modus operandi were shared among the community to prevent further incidents. Has the crypto industry done the same and learned from its mistakes? Probably not at the level this issue deserves. Will 2020 see more collaboration to prevent these incidents or to enable the recovery of stolen funds in case of successful hacks? The jury is still out.
The industry has progressed, but a lot of work remains
In the last two years, security in the crypto industry has evolved dramatically. The technological solutions offered by noncustodial and custodial wallet providers are more and more robust.
Organizations have used hardware- or software-based multisignature wallet access, encryption of operating environments, whitelisting of addresses, tightening of operating procedures and many other methods to improve security. Other advancements include wallet management systems powered by multiparty computation protocols or hardware security modules, which enable the secure, fast and effective transfer of assets on a day-to-day basis.
When hacks happen, the security community talks about it: blacklisting addresses used to siphon stolen funds, reducing cash-out attempts and using other methods to stop hackers. But the simple fact that these types of hacks continued to occur in 2019 demonstrates that many in the industry are still not properly geared up to handle cybersecurity breaches.
It is not only the technology that needs to move forward. It is also about enterprise-grade operational risk management, and improving upon the necessary checks and balances on individuals with access to customer assets at exchanges or crypto funds.
It is about securing customers’ investments, and adhering to basic business practices with regard to, for example, the necessary segregation of duty between roles and entities to avoid conflicts of interest.
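The controls named above (address whitelisting, multi-approval access to funds, segregation of duty so that no single person can both initiate and release a transfer) can be expressed as a withdrawal policy check. The following is an added example, not code from the article or from any custodian it mentions: the names, roles, addresses and approver keys are constructed placeholders, and an HMAC over the request digest stands in for the hardware-backed signature a production setup would use. Each approval is bound to the exact request, so swapping the destination after approvals were collected invalidates them, and the policy refuses approvals from the initiator or from two people in the same role.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Iterable, List, Tuple

# Constructed sample data. Keys would live in an HSM or signing device in a
# real deployment (assumption); roles and addresses are placeholders.
APPROVER_KEYS = {
    "alice": b"alice-secret-key",  # operations
    "bob": b"bob-secret-key",      # compliance
    "carol": b"carol-secret-key",  # operations
}
ROLES = {"alice": "operations", "bob": "compliance",
         "carol": "operations", "dave": "trading"}
WHITELIST = {"0xCLIENT_COLD_WALLET_01", "0xCLIENT_COLD_WALLET_02"}  # placeholders
BLACKLIST = {"0xKNOWN_THEFT_ADDRESS"}  # placeholder for a shared blacklist


@dataclass(frozen=True)
class WithdrawalRequest:
    request_id: str
    initiator: str
    asset: str
    amount: int  # smallest unit (satoshi, wei), never a float
    destination: str

    def digest(self) -> bytes:
        # Canonical JSON so every party hashes exactly the same bytes.
        canonical = json.dumps(asdict(self), sort_keys=True,
                               separators=(",", ":")).encode()
        return hashlib.sha256(canonical).digest()


def approve(approver: str, req: WithdrawalRequest) -> Tuple[str, str]:
    """An approver signs the digest of this exact request (HMAC stands in
    for a hardware signature). Returns (approver, hex tag)."""
    tag = hmac.new(APPROVER_KEYS[approver], req.digest(), hashlib.sha256).hexdigest()
    return approver, tag


def evaluate(req: WithdrawalRequest, approvals: Iterable[Tuple[str, str]],
             required: int = 2) -> Tuple[bool, str]:
    """Release decision: destination must be whitelisted and not blacklisted,
    and `required` distinct approvers from at least two roles, none of them
    the initiator, must have approved this exact request."""
    if req.destination in BLACKLIST:
        return False, "destination is blacklisted"
    if req.destination not in WHITELIST:
        return False, "destination not whitelisted"
    expected = req.digest()
    seen: set = set()
    roles_seen: set = set()
    for approver, tag in approvals:
        if approver == req.initiator:
            return False, f"initiator {approver} cannot approve own request"
        if approver not in APPROVER_KEYS:
            return False, f"{approver} is not an approver"
        recomputed = hmac.new(APPROVER_KEYS[approver], expected, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(recomputed, tag):
            # Approval was made over a different request (e.g. swapped destination).
            return False, f"approval from {approver} does not match this request"
        if approver in seen:
            continue  # the same person approving twice counts once
        seen.add(approver)
        roles_seen.add(ROLES[approver])
    if len(seen) < required:
        return False, f"need {required} distinct approvers, have {len(seen)}"
    if len(roles_seen) < 2:
        return False, "approvals must come from at least two different roles"
    return True, "approved"


if __name__ == "__main__":
    req = WithdrawalRequest("REQ-1", "dave", "BTC", 150_000_000, "0xCLIENT_COLD_WALLET_01")
    sigs: List[Tuple[str, str]] = [approve("alice", req), approve("bob", req)]
    print(evaluate(req, sigs))
    tampered = WithdrawalRequest("REQ-1", "dave", "BTC", 150_000_000, "0xCLIENT_COLD_WALLET_02")
    print(evaluate(tampered, sigs))  # approvals no longer match
```

Running the module shows a clean two-role approval being released and the same approvals being rejected once the destination has been changed; the same engine rejects a blacklisted destination before any approval is even examined.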
No traditional exchange in the world combines, within a single legal entity, the roles of exchange and depository or custodian. No traditional asset manager in the world has custody over the assets it manages for underlying investors.
Why does the crypto industry still believe it is okay for them to ignore such common-sense principles? Why do people keep hoping for institutional money to flow into the industry when it is clear it will not happen before these necessary finance best practices and rules are in place and inherited from the traditional financial industry?
In the past 12 months, many exchanges, funds and foundations have started to realize the crypto industry will not thrive without proper business practices and transparency being put in place to protect the assets and interests of customers — the only players who matter.
Third-party independent custodians are being increasingly approached to provide the necessary neutrality and transparency — on top of the expected security — to ensure the assets of these customers or investors are safe in an auditable way. Enterprise-grade solutions have emerged to reduce the risk of hacks. Insurance companies are no longer shying away from covering third-party custodians using the right technology — still at a high premium cost, but with a promising downward trend.
2020: The year of professionalization?
In 2020, more education and awareness will be required. Exchanges, funds, projects, foundations, and all the other crypto players servicing underlying customers must put in place the proper transparent and secure processes around the safekeeping of the assets of their customers. Most will rightfully opt for the outsourcing of that critical task to third-party custodians whose job is to do precisely that.
This year will hopefully also be the year when digital asset service providers such as crypto exchanges and custodians collaborate not only on the implementation of the Financial Action Task Force rules but also on the exchange of information about hackers’ modus operandi and the blacklisting of addresses.
By the end of the year, the cashing out of hacked funds should be so difficult — thanks to a more formal collaboration between players — that thieves will be discouraged from targeting cryptocurrency organizations.
Beyond the adoption of the right established technology, it is only when common-sense operational and business practices — those of segregation of duty, focus on core activities and established risk management — are put in place that the digital asset industry will become mainstream. Today, it is not, and now you know why.