The sad state of crypto custody

Not a few weeks goes by without another report of bad news in the crypto world: monies get lost, stolen or compromised with little or no possible of recovery.

This is a problem we don’t genuinely have with typical fiat money — where our funds and banks are insured. And it illustrates how shattered the current state of affairs is in the industry.

Ten years in blockchain have already rendered a wide range of solutions to host and keep your crypto funds safe. But can you really trust any of those services?

The risky BYOB promise

You have received or bought your first crypto-currencies and now you need to decide where to keep it safe. Your first option is to be your own bank or “BYOB.” Finally! The dream of any post-modernist society: no more need for mediators and greedy banks to oversee your funds. You can finally be in charge. But can you?

Yes, blockchains are safer because there are incentive mechanisms aimed at building sure the networks are unbreakable( not “5 1 percent attacked” ). But you need to get your crypto assets somewhere safe. You need to “be your own bank”( BYOB ). Crypto custody starts with a requirement: Crypto currencies being encrypted, you need to own and keep your own private keys, which will enable you to sign your transactions and you will own a secret code( a passphrase) that will allow you to recover your funds( a “seed” ). The management of this private key and codes is at the origin of nearly all the problems you may have encountered to date.

And it starts with an important difficulty to solve: the management of the secret passphrase.

If you have ever used all kinds of billfold app, “youve been” exposed to the perplexing on-boarding and alerts: 12 or 24 terms to recollect or “keep safe” and multiple reminders that they are “not a bank” and that you are in charge of your own security. You get a private key to “keep safe.”

But what does “keeping safe” entail? Do you have to publish it and keep it under your bed until someone else detects it and accidentally hurls it away, or the ink on the paper fades-out? Do you throw it in a safe deposit box … at your bank( at $200 per year on average )? In a vault in Switzerland? Threw it in a password manager, protected by a single password or worse in a word record? Encrypt it( again) so no one gets to read it?

Centralization for simplification?

Then you speedily realize that being your own bank is more complex and dangerous than you thought, and you decide to leave your monies on your exchange, which will manage your cryptos for you. It is actually comforting to rely on the security of an established company.

But can you really trust a centralized service? What if the government had low reliability or abusive maintenance intervals and your monies get stuck when you need them? What if they get hacked or DDOSed? Or even shut down by authorities( like it may happen in Korea )? Or are simply unreliable or unavailable. And if you thought your funds are better with an exchange, think twice: first they depend on the legacy finance system, and oxygen could be cut off any time .

And what you gain in delegated security you may lose in convenience: Some of those exchanges will not let you withdraw or deposit new coins( because you simply trade coins, and not own them ). For those who want to participate in ICOs you likewise will be limited because transfers from exchanges are not accepted.

Sure, if you can afford it, you can decide to place all your crypto funds in trade secrets air-gapped bunker 30 feet under in Switzerland. Your funds will be safe there, but is that convenient when you may need them handy? Yes, there is a trade-off between absolute security( is there such a thing ?) and convenience.

Hardware: a most appropriate solution?

Everyone with minimum knowledge will tell you that the best lane to solve the problem of storing your crypto funds is to use a hardware wallet( “cold storage” ), and certainly it is one of the best solutions to date. Hot billfolds( i.e. software) are more prone to assaults because they are “permanently” connected to the network. But hardware billfolds are “air gapped, ” intending not connected by design, until you connect them. So your funds are protected by your hardware key, itself protected by secure hardware elements.

But who safeguards your hardware key? Where do you keep it? Even hardware degenerates over hour, has software issues or even stolen. Sure, you can always restore your hardware in a new one. But if you are able, so can an attacker, and we’re back to the beginning: How do you protect your hardware passphrase phrase?( Read above .) And what the hell are you gain in security you lose( significantly) in convenience: You need to be in front of personal computers with a micro USB cable to connect your hardware( read above on UX ). In persons under the age of mobile, this is not ideal.

How do you make sure your private keys and passphrase/ mnemonic codes are safe* over period* when you are in charge. Good luck with that.

Finally you likewise have to “trust the code.” Those apps also suffer from major vulnerabilities, which result in loss of quasi loss of funds. The reality is that even decentralized services are at risk — because no code is perfect.

Facing crypto fragmentation

One currency, one wallet: this is close to the reality today when you move past the four largest or five currencies. You will find some wallets that are supporting up to 10 currencies( and I am not referring to ERC2 0/ ICO tokens ). But there are hundreds of chains and forks out there, each with their light wallet. One wallet for NEO, one for MONERO, one for Ripple and so on. “Were not receiving” solution that can help you host all the main currencies at once( even the top 30 ), in particular on mobile. “Its like” get a different browser for every website, or a different remote control for every TV channel.

Even hardware billfolds that support multiple( but not all currencies) have important limitations as you quickly recognize they can’t support at once more than a few currencies.

Each crypto service also has its own wallet and more often than not they do not play nice with other services. Most ICO-backed networks have their own billfold: TON( telegram upcoming chain ), Crypto Kitties too, exchanges have their own wallets and so on, building it quickly complicated for customers to recollect where all their assets are stored, but likewise multiplying the chances of exposures to onslaughts. Those billfolds are not talking to each other except via the transactions tubes for sending assets to one another. It promptly becomes challenging to remember what you own and where. You end up with a list to manage your wallets and private keys. Not ideal.

The current state of crypto custody is forcing customers to have multiple assets hosted in various wallets, increasing the risk of exposures. Some users will find in this a security-by-design precaution: If all your funds are not in the same place, then you are less uncovered at once to an attacker. On the other side, you need to invest much more in managing all those access points and you lose significantly in convenience.

The responsibility of platforms and manufacturers

No matter how secure the solutions at hand, current crypto custody solutions have another set of weak spots: mobile operators, browsers, app storages and ad platforms have become the main target of hackers to steal your funds.

Hackers are ingenuous at finding ways to hack your mobile phone number, which usually protects your SMS 2FA. Some hackers regularly build fake mobile billfold apps under the snout of Apple and Google and hope to get you fooled to provide your private keys. And eventually it has never been easier to buy an ad on Googleor Facebook and pretend to be the service you think you need , not mentioning the ingenious social hacks to get you to provide your private key( live instance below on Facebook ).

Even domain registrars and DNS providers have become targets to hackers and can result in loss of funds.

Those platforms have a critical responsibility and liability in service industries. They can’t ignore it, it is just too important.

And we are genuinely do not want them to adopt arbitrary regulations to ban a whole category of apps or advertisers because of a few rogue players. They need to up their game, read, follow the space and legit players to prevent or crack down on the attackers with knowledge of what they’re doing.

The same moves for hardware manufacturers: the most recent Meltdown and Spectre debacle only showed how exposed we are and how easy it is, even for the savviest consumers, to get their passwords and keys stolen.

You can trust the blockchain, but are you able trust yourself?

Normal human beings are not equipped to deal alone with security, and even less with safety. There are reasons banks have been created and why they are still here today. It is better to trust a network than to trust yourself.

Individuals induce mistakes, men are the phase of failing: Even savvy people can easily induce the incorrect call about how to keep their private keys or you can end up buying “fake” hardware wallets, your memory could painfully fail you, you may toss out your computer by mistake, forgetting your keys on it. Sometimes “its more” subtle than that; you supplant your mobile phone and forgot to migrate your 2FA keys.

Some mistakes can be course corrected, some cannot.

Assuming you find a secure answer, how safe do you feel about it? How safe do you feel retaining at home significantly more money than you can store in your pocket wallet? How would you deal with ransomware, kidnapping? How would you act under duress? Even if your keys are securely protected, do you feel safe strolling in the street or even at home with your crypto keys in your pocket or an app that holds a little virtual fate?

Finally, what would happen to your crypto funds if, like we will all do the working day, you die. Did you consider how private accounts should be transmitted?

Can you trust yourself to even hold or deal with all those situations? Those are important issues crypto detention answers are not addressing yet.

The future is brighter

Custody for cryptos has to be improved; the industry will not grow without it. We need better security — which involves both solution both providers and platforms — more convenience and a better approach to safety. This is actually something that prevents institutional money from being run in the industry and of course if you are a company raising hundreds of millions of dollars in crypto money for an ICO, custody is an even bigger issue( right Kodak ?).

Multi-Sig for example is a clear a positive step forward in crypto security( not necessarily in convenience though ). The basic notion instead of one single private key( either managed by you or by a centralized service on your behalf ), there are 2 sets( or more) of keys that are required to sign transactions: one owned by you and one by the service which operates the custody.

As a user you can delegate some of its own responsibility to a “centralized” service without committing full control to it: no more “single point of failure” as the private key is hosted on multiple sides. Another great advancement relates to the fact that governed services like Robinhood or Square are jumping in the space and will enable millions of people buy safely crypto currencies and store it for them

Blockchains are safe and secure by design( at least the best ones ). But the weak spot is the human being. Human beings, as customers or as service designers and operators, are single phases of failure. And the blockchains won’t fix that.

The future will bring new answers where trust can be redefined and programmed thanks to mathematics, cryptography decentralization and play mechanics. The way private keys are managed today is just not good enough. What service industries needs is a placed of answers bringing peace of mind to users.

Maybe banks will at some point jump in the space and bring their own answer, although I actually don’t see that happening anytime soon. For this to become reality, a new regulation framework needs to be created.

No matter how many existing services and solutions operate in the space( 40 based on my own count ), and how much money is being invested in it, crypto detention is one of the biggest unsolved opportunities in the blockchain space( even Naval Ravikant, a prominent crypto investor and thinker, says it) and we’re still pretty much in Jurassic( Crypto) Park.

You can build the fastest and most scalable crypto protocols you crave. What’s the degree if no one has peace of mind.

Read more:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s