Why should I care about Crypto Security?
Welcome to the world of cryptocurrency: a new and exciting frontier. According to CZ (founder and CEO of the world's largest cryptocurrency exchange Binance), cryptocurrency has yet to penetrate even 1% of the global population - it is very early days, and it is dangerous out there. This article will summarize the primary categories of risk to cryptocurrency investors, and explain the importance of learning enough about crypto security to protect yourself.
Risks with Cryptocurrency.
There is a big difference between using traditional financial institutions to trade in stocks and manage your bank accounts, and the world of buying and selling digital currency. A key difference is highlighted in the following scenario: If you forget the password to your bank account, you can obtain a password reset from the bank, but with crypto, there is no one who can give you access to your funds. Why? Because crypto is protected with a list of words, known as a seed phrase, and without this phrase, you cannot access your funds. This means that protecting your seed phrase is the same as protecting your funds.
You could avoid the responsibility of protecting your seed phrase if you were to rely on a centralized exchange like Coinbase or Gemini to hold your crypto wallet for you as a custodian. When a custodial exchange controls your wallet, they are responsible for protecting the keys, and they can give you access to your cryptocurrency again if you forget your password to the exchange. Although this is super-convenient, you must keep in mind that whatever entity controls your keys or codes also controls access to your cryptocurrency, and that comes with downsides as well as the upside of convenience. In uncertain times, a primary benefit of owning cryptocurrency is the ability to be your own bank and to control your own funds - this is the very promise of The Blockchain and cryptocurrency - but to realize this benefit, you must control your own keys, and thus, your own security.
The risks to your seed phrase, and hence to your cryptocurrency, range from hackers attacking centralized exchanges and stealing millions of dollars worth of cryptocurrency, to fraud by the owners or employees of less well-known exchanges, to the theft of USB drives with seed phrases on them. However, the most likely risk is simply the risk that you will lose access to the seed phrase because you lost the paper that you wrote it on. (9 out of 10 wallets tell you to only back up your seed phrase onto a piece of paper). Other risks include the seed phrase being lost in some kind of accident (e.g., the floods and fires that plague certain regions like California), or even - despite your diligent efforts to religiously back up everything - you could simply forget the password to the encrypted drive where you stored your seed phrase.
These risks affect everyone, and the best way to reduce them is to make sure that you carefully back up your seed phrase. This site describes for you the most common options available. Supplementing this guidance, the crypto Wallet Guides show you how to create wallets in a secure and safe manner, highlight where you have options, and suggest when you need to follow the default instructions.
We hope that these articles, written by security experts, help you to navigate crypto security in a practical way so that you can enjoy participating in the exciting and empowering world of crypto.
Let's explore this in a little more detail and point you to the right resources to protect yourself.
"Safeguarding money is necessary for the crypto economy to flourish."
Cameron Winklevoss, Winklevoss Capital
What "owning your own money" really entails.
In a traditional banking scenario, clients don't have to worry about the theft of their account funds, or incorrect transactions. This is because banks work with consumers to block potentially fraudulent transactions, and to issue chargebacks for unintentional transactions. The role of the traditional bank is to provide and ensure such security.
A distributed database on a blockchain network is also extraordinarily secure and resilient. When cryptocurrency advocates explain blockchain technology, they highlight the fact that blockchains have no single point of failure. By this, they mean that there is no single place where an attacker could maliciously halt or modify the network. From a technical standpoint, blockchain transactions are extremely secure in the validation, resilience, and integrity that they provide.
However, points of failure associated with a decentralized blockchain database migrate towards the user's end of the spectrum: by managing your own money, you become the potential single point of failure in protecting your funds. How? As a cryptocurrency owner, your access to this resilient network is through your crypto wallet, and that access is granted through a digital private key that is stored in your wallet. Your seed phrase was used to generate this private key, and your seed phrase can also restore your private key if your wallet is damaged. Your careful storage and use of this private key - and your seed phrase backup - determines whether your crypto funds remain secure or are exposed to loss or theft. In this way, as the guardian of your wallet and seed phrase, you are fully responsible for the safety of your funds.
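The two passages above say that the seed phrase generates the wallet's private key and can restore it; the following added example, which is not code from this article or from any wallet, makes that concrete in Python's standard library. It implements the BIP-39 mnemonic-to-seed step (PBKDF2-HMAC-SHA512) and the BIP-32 master-key step (HMAC-SHA512 keyed with "Bitcoin seed"). The mnemonic and passphrase are the BIP-39 specification's published reference vector, not a real wallet, and the phrase_search_space_bits helper is an assumption of this example used to show why a lost phrase cannot be guessed back.

```python
import hashlib
import hmac
import unicodedata

# Number of PBKDF2 rounds fixed by BIP-39.
BIP39_ROUNDS = 2048


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 seed from a mnemonic sentence.

    BIP-39 uses PBKDF2-HMAC-SHA512 with the NFKD-normalized mnemonic as the
    password and "mnemonic" + passphrase as the salt. Nothing else enters the
    computation: whoever holds the words can run it, and nobody else can.
    """
    words = unicodedata.normalize("NFKD", mnemonic).split()
    password = " ".join(words).encode("utf-8")  # English list: ASCII spaces between words
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ROUNDS, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple:
    """BIP-32 master key: HMAC-SHA512 keyed with the constant "Bitcoin seed".

    Returns (master_private_key, chain_code). Every key and address in the
    wallet descends from this pair, which is why the seed phrase alone can
    rebuild a wallet on a replacement device.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def phrase_search_space_bits(word_count: int = 12) -> int:
    """Bits of work to guess a phrase from the 2048-word BIP-39 list.

    Checksum bits are ignored here; a 12-word phrase carries 128 bits of
    entropy once its 4 checksum bits are discounted. (Helper is this
    example's own, not part of any BIP.)
    """
    return word_count * 11  # log2(2048) == 11


# Reference vector from the BIP-39 specification's test set: all-zero 128-bit
# entropy encodes as eleven "abandon" words followed by "about".
REFERENCE_MNEMONIC = "abandon " * 11 + "about"
REFERENCE_PASSPHRASE = "TREZOR"
REFERENCE_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def demo() -> dict:
    """Show that the seed is fully determined by the words plus passphrase."""
    seed = mnemonic_to_seed(REFERENCE_MNEMONIC, REFERENCE_PASSPHRASE)
    priv, chain = seed_to_master_key(seed)
    # Changing one word, or the passphrase, gives an unrelated seed: there is
    # no "almost right" phrase that recovers the wallet. (A real wallet also
    # validates the phrase's checksum, which a random one-word change usually fails.)
    one_word_off = mnemonic_to_seed("abandon " * 11 + "zoo", REFERENCE_PASSPHRASE)
    no_passphrase = mnemonic_to_seed(REFERENCE_MNEMONIC)
    return {
        "seed_hex": seed.hex(),
        "master_key_hex": priv.hex(),
        "chain_code_hex": chain.hex(),
        "matches_reference": seed.hex() == REFERENCE_SEED_HEX,
        "one_word_off_differs": one_word_off != seed,
        "passphrase_matters": no_passphrase != seed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical lesson is in the last two fields of demo(): the derivation is deterministic but has no error tolerance, so a backup that is one word wrong, or that omits the optional passphrase, is as useless as no backup at all. That is why the recommendations later on this page insist on a backup you can verify rather than a scrap of paper.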
Blockchain transactions are fast and permanent.
The decentralized finance movement introduces a new paradigm in which owning your own money and participating in a decentralized financial network creates a whole new form of economic mechanics. The key idea is that instead of central authorities solely determining an economy's fate through monetary policies, monetary policy is also greatly affected by how blockchain software evolves and by how people interact with it. How a blockchain network settles and records transactions for a cryptocurrency is determined through the exercise of its defined operational protocols. As its history publicly unfolds, the transactions, once completed, remain immutable forever. The part of that last sentence to pay close attention to is "immutable." Immutability is a characteristic that offers great security to monetary transactions, since once a transaction is completed, it is committed permanently and cannot be reversed for any reason. Settlement is very fast compared to traditional banking, where charges may be reversed long after the transaction has been completed. However, because a blockchain is immutable, any losses as a result of a security breach or accident are irreversible. This opens digital asset finance up to a whole new array of security threats.
The challenges of crypto key management.
Taking control of your own crypto keys puts your funds at risk of environmental disaster. Should an earthquake demolish your home and crush the hardware wallet, hard drive, or paper wallet where your keys are stored, they most likely will not be recoverable. If this happened, your funds would be abandoned on the blockchain forever, since no one would be able to guess or restore that lost digital key.
Poor key management is by far the most common way that cryptocurrencies are lost. Consider that if many of us need to rely on a "forgot password" option to recover simple 9-character passwords, it's unrealistic to believe that we can be trusted to casually maintain a 48-character string of key material. One U.K. resident, James Howells, mined Bitcoin in the early days, storing his private key on his hard drive. At one point, he accidentally threw that hard drive away. That hard drive held 7,500 Bitcoins, which amounts to over $352 million at today's (quickly-changing) coin price of $47,000. Ouch.
Key management is difficult even for people who are technology-savvy — it is even harder for people who aren't regularly involved in technology. Because of this predictable difficulty, estimates show that between 17 and 23 percent of all bitcoins have been lost as a result of losing a private key.
Lost keys, lost funds.
In case all of this wasn't enough perspective, consider the fact that about US $4.5 billion in Ether has been stuck on the Ethereum blockchain since its inception, presumably because the users that this Ether was airdropped to did not save their private keys.
Hostile actors.
It isn't just self-imposed threats that are risks to cryptocurrency holders. For insight into this next point, we refer to the Ross Ulbricht legal case. In this case, Ross was given a life sentence for running an illegal "free market" online marketplace which subsequently became a haven for drug traffickers. When he was arrested in 2013, the FBI seized all of Ross's bitcoin holdings, worth over $33 million at the time. The reason that police were able to seize Ulbricht's holdings is that they were able to retrieve his crypto wallet from computer hardware that he kept at his home.
Hackers pose one of the most serious threats to cryptocurrency holders. In 2017 alone, 13.7% of the entire world's population reported a hack of some digital asset — including both bank account balances and cryptocurrency. This indicates two key points: one, hackers are rampant, and will relentlessly continue to steal from consumers; two, consumers are not effective at personal digital security. Should the world switch over to blockchain-based finance — where transactions are irreversible — this would be a far greater threat than it is right now.
Hacking attacks are possible through targeted malware or virus attacks, and through other deliberate compromises. In 2017, a WannaCry virus attack yielded a loss of over 108,000 Euros from everyday consumers using applications compromised by the virus. In July 2018, a Chrome browser VPN extension was hacked and used to retrieve private keys entered into a MyEtherWallet browser tab — leading to a loss of over US$1.2 million from average consumers. In 2018, a MyEtherWallet browser plugin DNS hack let hackers steal over US$365,000 from users.
Exchanges have also not been left out of the fun — numerous major exchanges have seen thefts through security breaches. Some of these include Mt. Gox, BitInstant, CoinCheck, and BitGrail. Hundreds of millions have been lost, and not all of these exchanges went on to cover the losses exchange users faced. This all goes to show that hackers indeed pose a risk to both cryptocurrency holders and cryptocurrency custody handlers.
Challenges will be addressed as the industry matures.
The valuation of the cryptocurrency market capitalization is increasing rapidly, leading to a higher valuation of digital assets as a whole. The combination of security threats discussed in this article, and the increasing valuation of digital assets will yield a future where digital custody — centralized or decentralized — will be an important theme. The market will begin to offer ways to understand and control the risks, and to manage the fundamental threats to digital assets. Vault12 is an important step forward in the maturation of this new market of digital management.
"The Winklevosses came up with an elaborate system to store and secure their private keys. They cut up printouts of their private keys into pieces and then distributed them in envelopes to safe deposit boxes around the country, so if one envelope were stolen the thief would not have the entire key."
Nathaniel Popper, New York Times, December 19, 2017
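The Winklevoss arrangement in the quote above, and the recommendation that recurs throughout this article to back up a seed phrase "through some other mechanism" than a single piece of paper, both rest on one idea: no single location should hold enough to spend the funds. The following added example, which is my own and not code from this article, from Vault12, or from any wallet, shows the threshold version of that idea, Shamir's secret sharing over GF(256). The secret is a constructed 16-byte stand-in for the entropy behind a 12-word phrase; it is split into 5 shares of which any 3 rebuild it, while 2 shares reveal nothing. All function names are this example's own.

```python
import secrets


# Arithmetic in GF(2^8) using the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
def gf_mul(a: int, b: int) -> int:
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    # The multiplicative group has order 255, so a^254 == a^-1.
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _eval_poly(coeffs, x: int) -> int:
    # Horner's rule; coeffs[0] is the constant term, i.e. the secret byte.
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int, rand=secrets.randbelow):
    """Split `secret` into share_count shares; any `threshold` of them recover it.

    Each byte gets its own random polynomial of degree threshold-1 whose constant
    term is that byte. Share i is the polynomial evaluated at x = i (i >= 1,
    because x = 0 would be the secret itself). `rand` is injectable only so a
    test can be deterministic; real use keeps the `secrets` default.
    """
    if not 2 <= threshold <= share_count <= 255:
        raise ValueError("need 2 <= threshold <= share_count <= 255")
    shares = [(x, bytearray()) for x in range(1, share_count + 1)]
    for byte in secret:
        coeffs = [byte] + [rand(256) for _ in range(threshold - 1)]
        for x, buf in shares:
            buf.append(_eval_poly(coeffs, x))
    return [(x, bytes(buf)) for x, buf in shares]


def recover_secret(shares) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0.

    Correct only when len(shares) >= threshold. With fewer shares it still
    returns a byte string, but a wrong one, and every candidate secret is
    equally consistent with the shares held, so nothing leaks.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    # Basis coefficients depend only on the x values, so compute them once.
    basis = []
    for j, xj in enumerate(xs):
        num, den = 1, 1
        for m, xm in enumerate(xs):
            if m != j:
                num = gf_mul(num, xm)       # (0 - xm) == xm in characteristic 2
                den = gf_mul(den, xj ^ xm)  # (xj - xm)
        basis.append(gf_mul(num, gf_inv(den)))
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for (_, y), b in zip(shares, basis):
            acc ^= gf_mul(y[i], b)
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    # Constructed stand-in for the 16 bytes of entropy behind a 12-word phrase.
    entropy = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    shares = split_secret(entropy, threshold=3, share_count=5)
    for x, y in shares:
        print(f"share {x}: {y.hex()}")
    print("3 shares recover:", recover_secret(shares[:3]) == entropy)
    print("2 shares recover:", recover_secret(shares[:2]) == entropy)
```

The contrast with cutting a printout into pieces is the point: a fragment of a printed key reveals its characters exactly, so whoever holds one envelope has that much less to guess, whereas a share below the threshold is consistent with every possible secret. Two caveats for anyone tempted to use this directly: the toy has no integrity check, so a tampered or mis-transcribed share silently yields a wrong but plausible secret, and standardized schemes such as SLIP-39 add checksums and a defined word encoding for exactly that reason.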
Risks and Recommendations.
Below is a short summary of risks and some poignant examples, together with some common-sense recommendations. More details on how to implement security are found throughout this site.
Risk 1 - Leaving cryptocurrency on an exchange.
When they first start trading cryptocurrency, many people end up leaving their crypto on the exchange. It's convenient, since the funds and the coins are on hand for easy transactions, but unfortunately, hackers love the fact that such crypto sits in one central place, ready for the taking.
A large hack happened on the KuCoin centralized exchange in September 2020, with hackers stealing $275 million from the Singaporean exchange.
Hackers have gotten their hands on $11 billion in stolen cryptocurrency since 2011. More than US$11 billion has been stolen from supposedly secure crypto exchanges, wallets, and mining platforms since 2011, mostly due to hacking incidents, research from Inside Bitcoins has revealed. - July 2020
Exchange hacks are not just limited to third parties - employees, and even founders of exchanges have perpetrated massive fraud. This is why it is essential that you not leave your crypto assets on exchanges, regardless of assurances to the contrary.
Recommendations:
Move your crypto into a wallet that you control.
Create a secure backup of your seed phrase - not on paper but through some other mechanism.
Don't leave any casual paper backups lying around.
"Exchanges are the main target for hackers. Those are the biggest honeypots. So the number one rule in Crypto is, do not keep your money on an exchange, and if you're going to custody that money, you need to do it off of the exchange..."
Joe DiPasquale, BitBull Capital
Risk 2 - Storing Cryptocurrency locally.
There are many, many stories of seed phrases being backed up onto local devices (as opposed to centralized cloud storage) and then getting lost or stolen, or of the PIN or password being forgotten. The trouble with local storage is that it is easy to lose, and it is also possible for someone to target you and steal the storage device.
Recommendations:
Consider storing your personal storage device somewhere safer, like a safe deposit box. Just remember that safe deposit boxes are not impervious to risks.
Create a secure backup of your seed phrase - not on paper but through some other mechanism.
Don't leave any casual paper backups lying around.
Risk 3 - Being targeted by criminals.
With so much of our personal information available to anyone who wants to target us, the risk of your crypto being targeted is very real. Personal attacks include email phishing attacks, SIM swap attacks that can sidestep 2-factor authentication, and various other ingenious social engineering attempts. The majority (50%) of crypto thefts in 2020 occurred on DeFi protocols.
"We know how some hackers passed away their time during the lockdown: By running Bitcoin-related hacks and potentially netting "nearly $3.78 billion" in 2020," according to a report from Atlas VPN. - Jan 2021
Recommendations:
Use an authenticator app (rather than SMS codes) to thwart people trying to take over your phone number.
Create a secure backup of your seed phrase - not on paper but through some other mechanism.
Don't leave any casual paper backups lying around.
Risk 4 - Accidental loss and natural disasters.
Data on cryptocurrency lost due to accidents and natural disasters is hard to come by, but estimates indicate it is north of $10 billion. Accidents have contributed: losing your hardware wallet, or leaving your paper seed phrases behind because you had to evacuate from California wildfires or earthquakes. Many believe that the biggest loss comes from simply forgetting PINs and passwords - something that can happen even if you take precautions.
Tens of billions worth of Bitcoin has been locked by people who forgot their key. Of the existing 18.5 million Bitcoin, around 20 percent — currently worth around $140 billion — appear to be in lost or otherwise stranded wallets, according to the cryptocurrency data firm Chainalysis. - Jan 2021
James Howells, a Welsh I.T. worker, began mining Bitcoin on a personal computer in 2009. By 2013 he had mined 7,500 Bitcoin which is worth about $270 million in Jan 2021. In 2013 he stopped mining and sold the computer he was using for parts on eBay. He kept the hard drive with the hope that Bitcoin would rise in value. In 2013 when cleaning his house he accidentally threw the drive away and it, along with the rest of his trash was taken to the local landfill in Newport, South Wales and buried. Asked how it ended up in landfill, he explained that it was "thrown out into a bin bag during a clear-out in a case of 'mistaken (hdd) identity' in summer 2013. There were two HDDs in the same drawer, the wrong one got binned? s*** happens."
The landfill reportedly contains about 350,000 tons of waste, and 50,000 more tons are added every year. An article reported that "a council spokesperson said their offices have been 'contacted in the past about the possibility of retrieving a piece of IT hardware said to contain bitcoins,' but digging up, storing and treating the waste could cause a 'huge environmental impact on the surrounding area.'"
Recommendations:
Move your crypto into a wallet that you control and use a password manager.
Create a secure backup of your seed phrase - not on paper but through some other mechanism.
Don't leave any casual paper backups lying around.
Risk 5 - Loss of Generational wealth.
We usually don't think of death or incapacitation while contemplating how to enter the brave new world of crypto, yet the way crypto is secured means that specific protective steps must be taken to ensure that future generations can access the funds. This starts with talking to a trust and estate lawyer to draw up a will and a plan for how beneficiaries can access assets. This can be a convoluted process. As a result, companies like Vault12 have developed simple, easy-to-use solutions for digital inheritance.
There is a steady drumbeat of these stories happening with worrisome regularity:
In December 2018, Gerald Cotten, the founder of a bitcoin trading exchange, died (under somewhat mysterious circumstances), resulting in the loss of $250M and the exchange going bankrupt. Gerald was only 30 years old and had not created an inheritance plan, nor were instructions for how to access the centralized assets ever found.
In April 2018, Matthew Mellon, heir to the Mellon family banking fortune, former chairman of the NY Republican Party finance committee, and cryptocurrency proponent, died. Prior to his death, he held an estimated $1B in Ripple (XRP) - all of which remains inaccessible, as he left no instructions, even though he had protected the cryptocurrency via cold storage in multiple locations around the US in different people's names.
In 2017, an unidentified young crypto investor in Colorado died with a small fortune in cryptocurrency held in a Coinbase account. The family, however, had no access to the account and eventually had to petition Coinbase directly. Eventually the assets were released after a lengthy process. If the account holder had not been a U.S. citizen, this would have been a much more complicated process.
Beyond the personal tragedies, there are farther-reaching consequences of such "death events" in the crypto economy: they permanently remove large amounts of coins from circulation, reducing the total available resources for all future users. Left unchecked, this might develop into a far bigger issue for the crypto industry as a whole: right when the industry enters mainstream use in the coming years and decades, the fixed supplies of some digital resources available to new entrants will gradually shrink.
Recommendations:
Talk to a lawyer and write a will.
Create a secure backup of your seed phrase - not on paper but through some other mechanism.
Look at Digital Inheritance solutions.