Cryptocurrency (crypto) is hot. Sixteen percent of Americans have invested, traded, or used crypto such as Bitcoin and Ethereum and more than half of investors who own Bitcoin began investing in them in the last year. The cybersecurity industry has taken notice of the risks involved in these increasingly complex chains of digital transactions. Recently, our CEO and Co-Founder Paul Petefish, raised these concerns and talked best practices during one of Evolve Security’s 2022 online Meetups. Here is a summary of his discussion with Evolve Security Advisor and Chief Security Officer at Kraken Digital Asset Exchange, Nicholas J. Percoco.
What are the current Cryptocurrency Cybersecurity Standards?
Cryptocurrency is growing rapidly in popularity as an alternative to the existing financial system. Kraken estimates that the market cap was over $200 billion in early 2022.
Security concerns around crypto arise from the fact that it is a peer-to-peer payment system that does not have the standard protections of the U.S. banking system. A crypto account is a digital asset. There are no brick-and-mortar entities where account holders can retrieve their funds, and there is no FDIC insurance.
There is a difference between security and regulation. Crypto investing and trading is largely run through exchanges which provide and monitor the IT infrastructure to support digital commerce. The role of large exchanges like Kraken is to test common third-party products and services, work with vendors to fix security issues, and inform the public about ways they can best protect their investments.
Crypto functions like cash when it comes to security. Once someone has an account, they create a set of seed words to generate a key to that account, and the responsibility for securing those keys is up to the currency owner(s). If an authorized user is able to get access to your holdings, you cannot recover the money. This is true whether you are an individual investor or the finance manager in charge of crypto for a large multinational company.
How can you ensure your digital investments are secure?
Percoco suggests a few key things that all investors can do:
- Learn about the security commitments and capabilities of Exchange(s)
- Understand the features of the products you use for transactions
- Keep up with all software updates and enable all security features on your work and personal devices, particularly 2-Factor Authentication
- Write down your seed words and keep them in a safe location or give them to someone you trust
- Use a digital or hardware wallet
If you use apps to keep track of your transactions on phones know that they may be susceptible to bugs or malicious code that allow bad actors to intercept your information. If your account is compromised you will lose access to your funds, but you should report problems to the exchange so that they can help you find and fix any future vulnerabilities.
Digital or hardware wallets are a more secure way to have control of your account(s). The application or the hardware manages the process of signing transactions, bypassing a computer that could have malware running in the background. Hardware wallets are physical pieces of equipment that can be purchased from different manufacturers and stored anywhere. If the wallet is lost, the manufacturer can make you a backup, provided you (the owner) knows the seed words that constitute the keys.
Should security be approached differently for commercial or corporate crypto accounts?
Commercial trading still begins with setting up accounts and wallets with keys. The main security difference is in the management of the keys, with multiple people or entities handling transactions.
Exchanges help generate the keys and provide the trading platforms. Their OTC desks can match buyers and sellers and secure a set price for each trade. However, it is up to the account owner(s) to give instructions to the Exchange regarding key management. If, for example, a vendor asks to have your updated account information everyone involved should know who can give approval.
The safest strategy for most corporations is to have two sets of keys—a public key that can be listed on an exchange for receiving funds, and a private key so that only authorized individuals can move funds within an account. Only one person or entity should hold the private keys to access any hardware wallets.
All crypto transactions are traceable on a blockchain ledger, allowing people to cryptographically sign off on transactions before they flow. However, there are cybersecurity risks as transactions may go through multiple interconnected computers. Corporate investors should approach key management using the same protocols such as PGP and RSA that they use to send encrypted emails, and they should have systems in place to continually monitor their IT infrastructure using training, static code analysis, bug bounty hunting, and other tools.
The two most important strategies to help with loss prevention are:
- Use a “qualified crypto custody provider” for trades
- Build a clear management process that identifies who can manage flow of crypto and agree on that process with your Exchange or fund provider.
Should company leaders and investors be considering creating their own cryptocurrency?
Everyone should carefully consider their comfort level with the security risks, and whether they have the tools and custody agreements necessary to keep their investments safe. Developers in blockchain do not always have the experience to build a platform for crypto exchange. In crypto there are malicious breaches, but there can also be “off-bypasses” in software that lead to breaches caused by human error. Managing crypto trading currently requires a layered approach to security that can take many years to establish.
Are these methods foolproof, and what about other dangers?
The fast growth of the crypto market brings continuous exposure to new risks. One example is in wallets. They can be sold on the secondary market which raises the possibility that they can be pre-initialized or already encoded with direct access to another account. Therefore, it is critical to understand the roles and capabilities of all players involved in crypto transactions.
Evolve Security will continue to monitor the situation and will provide the most up-to-date information to its consultants, clients, and students. Connect with us, to learn more how we can help you.