Protecting the Riches
Part 3: Out of Thin Air? Physical and Digital Security for Cryptocurrencies
When news leaks of a bank liquidity crisis, what comes to mind? Perhaps the bank runs of the 1930s fueled by the stock market crash. Or maybe 2008’s crash caused by balance books swollen with bad mortgage debt. Fears that a bank can’t or won’t allow withdrawals are usually tied to a bigger economic calamity.
Instead, imagine the uproar if a bank stopped allowing withdrawals solely because the owner had lost the only key to the bank’s vault.
For a brick-and-mortar bank, this scenario sounds preposterous, but it has become all too real for clients of Quadriga CX, a Canadian cryptocurrency exchange. The company announced that it cannot pay out over $250 million to clients after the death of CEO Gerald Cotton because only he knew the security keys required to access the money.
As cryptocurrencies have surged into the limelight over the past decade, so have complex security challenges. The plan to Be Your Own Bank (BYOB) was always known to create vulnerabilities for individual users, but the opening of exchanges and vaults for cryptocurrencies has generated systematic threats that are leading many in the industry to turn to surprising measures to enhance security.
In the earlier parts of this series — Part 1 about safes and vaults and Part 2 about locks and keys — we reviewed the development of these mechanisms of physical security and what that history could teach about protecting digital assets. Today’s Part 3 looks at how defending cryptocurrency poses unique challenges at an intersection of physical and digital security.
The Cat Out of the Bag? Cryptocurrency Security Risks
Cryptocurrencies are founded on the premise of decentralized financial transactions. Movements of coins within the system are tracked and transparent, but no central arbiter exists to restrict or regulate how wealth moves.
With this freedom comes risk because traditional methods of oversight can no longer be counted on to eliminate fraud. No regulator exists to step in and scrutinize a deal before it happens, and there’s no reversibility of transactions that provides security in other banking contexts. Losses are mounting, and it is estimated that the value of cryptocurrency theft amounted to $1.1 billion in the first half of 2018 alone.
One direct threat comes from hackers accessing the accounts of individuals. If an attacker can steal a person’s private key, for example by getting access to their email and porting their mobile phone number, they can effectively steal all of the funds in that person’s wallet. While the system shows where that money went, it’s extremely difficult to ever identify the thief.
Another threat comes from hackers taking funds not by manipulating individuals but by gaining access to the systems of cryptocurrency exchanges. Exchanges play an integral role in making it easier to hold and use cryptocurrencies, but this simultaneously makes them a high-value target for attackers.
Kicking It Old School: Back to the Physical Vault
Accessing cryptocurrency requires having a private cryptographic key, and the need to safely store these keys has led individuals and exchanges to interesting tactics.
Keys stored in a “hot wallet” — storage that is connected to the internet — are considered to be at higher risk because their very connectedness brings vulnerability. As a result, many have turned to “cold wallets” that are entirely disconnected. For an individual, that might mean writing the keys down on paper or putting them on a USB key and hiding them in a mattress or burying them in the backyard.
On the level of a cryptocurrency exchange, cold storage has meant burying keys even deeper. For example, cryptocurrency wallet and vault company Xapo has placed their keys within the granite confines of a mountain in Switzerland. Xapo employs a combination of limited access, hardened protection against a wide range of threats, and separate facilities for both hot and cold storage to create sophisticated lines of defense for cryptographic keys.
Coinbase, a popular exchange, follows an elaborate method to generate and protect keys that involves multiple laptops, destruction of one of said laptops, a Faraday cage to block electromagnetic fields, mixed QR codes, and printed paper stored in binders kept in physical vaults.
In what strikes some as a comic twist, the cryptocurrency industry, despite its profound break with traditional banking, has come to rely in many cases on the same kinds of secure facilities — physical safes and vaults — that banks have depended on for centuries. In some cases, cryptographic keys may even be stored in actual bank vaults within safety deposit boxes.
Coining a New Phase: Evolving Digital Security Needs
As a developing industry facing multi-faceted security threats, cryptocurrency is still working through how to balance decentralization, accessibility, and security. A noted failure is Quadriga CX, whose system without redundancy — that protected keys in the memory of only one person — has left nearly 115,000 customers holding the bag.
Despite the notion that these currencies are fundamentally digital, many cryptocurrency users and exchanges have gone back to vaults, a la traditional banks, to find secure cold storage.
With all types of digital assets under attack, the cybersecurity field has, out of necessity, become a locus of innovation. As we have seen with cryptocurrency, decentralization of resources can bring risks, but it can also be harnessed for protection. Moving Target Defense (MTD), a new strategy for defending keys and secrets, fragments and continuously re-encrypts vital data, giving a strategic advantage against attackers.
CryptoMove’s Tholos Key Vault is an exciting example of MTD with a notable list of use cases. The Early Access Program for this product provides an opportunity to try out the technology and understand the upside of this new paradigm in cybersecurity.
