Carbon Black estimates that more than $1 billion in cryptocurrency was stolen in the first half of 2018 alone. And though cryptocurrency custodians must wrestle with some of the same security risks as traditional financial markets do, the crypto environment presents some unique challenges.
The digital environment needs fortification, of course, via a secure network, encryption technologies, and other anti-hacking defenses. But the other, not so obvious, risk area is protecting the cryptocurrency assets held in cold storage. With cold storage, private crypto keys are physically stored offline or on a computer that is isolated from the network. In many ways, it’s considered a safer alternative to hot storage, in which private keys are stored online.
To protect these small but highly valuable assets, custodians must identify and mitigate the risk exposure associated with storage and transportation of the private keys. Those risks include the size of the devices, identity management, access control, physical and operational risks, and the potential for violence.
In the infographic that follows, we explore each of these risks in more detail and highlight why cryptocurrency fraud prevention requires special consideration.
Demand is on the rise for cold storage vault services for cryptocurrency. As CIT and vault providers work to meet the demand, they are facing risks that are at once similar to and very different from those they encounter with their cash services.
As a vault or transport provider, how well do you understand the risks of cold storage?
Our latest slideshow highlights 7 components of a risk assessment for cold storage providers of cryptocurrency. It looks at the following:
The fundamental risk of cryptocurrency (‘crypto’), aside from market risks, is custody. Simply put, the high value of crypto, with the equivalent of over $100 billion in circulation (at this time), provides ample motivation to steal it.
Hot vs Cold Storage
If the crypto is stored in a “hot” (online) environment, strong encryption is the essential safeguard, but the entire environment must be secured. The digital asset and the private encryption key that accesses it must be stored separately. Since the online account storing the asset is generally known to the public through the blockchain, the biggest risks are hacking attacks on the online storage or theft of the private key. Whoever holds the private key controls the asset. History has shown that online storage is highly vulnerable to theft.
If the crypto or its private key is held in “cold” storage (offline)—as many experts recommend—then both digital and physical risks exist. As large and more traditional investors choose cryptocurrencies for value stores and transactions, use of the cold storage option is likely to increase. The need for strong encryption remains, and specific kinds of threats against digital assets, like electromagnetic radiation, have to be mitigated.
That said, once the crypto and its private key are in the physical realm, many of the risks of crypto are similar to those that apply to compact high-value objects like gems, bearer bonds and cash. A small cold storage “wallet”—a digital device that might be the size of a thumb drive—can hold and transfer any amount of cryptocurrency. These tiny devices are highly vulnerable to damage or theft, and even if a thief does not get the private key, they can still hold the device for ransom.
A second major source of risk to crypto is the very reason it exists: it is outside of any traditional currency ecosystem, without the insurance and security protocols that accompany fiat currencies. No institution is monitoring crypto transactions, and no law enforcement agency is routinely tracking suspicious actors. In fact, the identities of investors in crypto may not be publicly known.
Financial institutions are beginning to evolve private ways to duplicate some of the protections of traditional currencies, like Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols. Cash in Transit providers are building on their experience in cash management to devise secure ways to store and transport crypto.
Crypto is still in the wild west phase. It is growing very rapidly, and a financial system is developing to make it a reasonable alternative to fiat currencies.
Cryptocurrencies such as Bitcoin and Ethereum are emerging from the dark side of the web. These currencies have multiplied in number and increased tremendously in value despite their volatility.
However, sad experience has taught that storing crypto in online exchanges is risky at best. In the infamous case of Mt. Gox, almost $500 million worth of bitcoin was hacked. Some of it seems to have emerged in the hands of potential thieves, but there’s still mystery surrounding the incident. Many other hacks of exchanges have occurred since Mt. Gox, leading to a scramble to find more secure ways to manage cryptocurrency.
The super-hacks have shined a spotlight on the issue of custody. As Philip Martin of Coinbase, a large cryptocurrency exchange, stated in a recent Wired Magazine interview,
“Cryptocurrencies have a threat model that’s fundamentally different from what’s come before. We’re taking the lessons from the past about physical security and blending them with well-structured cryptography.”
Crypto investors are coming to understand that a diversified approach to storage is wise. They are turning to cold storage (offline storage) for at least a percentage of their coin as a way of managing their risk of loss.
Many are finding that the simplest way to avoid the threat of losing digital coin to a hacker is to move it to an offline storage device, called a “cold wallet”. At the same time, the 128-bit encryption codes that permit access to the currency (especially the private key) have to be securely stored where they can be retrieved.
The moment digital files or keys are transferred to a physical medium, whether it’s a device or plain paper (which may be a legitimate way to store an encryption key), custody is the crucial issue. Many of the same risks exist for offline cryptocurrency as apply to other easily transported high-value items like gems.
The encryption keys add a layer of complexity. There are two high-value items, the currency and the key that accesses it, that must be transported and stored separately in a way that they can be rejoined when the legitimate owner wants access.