By Roberto Gallo, coordinator of the Security and Cyber Risks Committee at ABES
After almost 20 years of working with cybersecurity and especially cryptography, we notice a few things. The first is that new companies, new processes and new technologies are always fun (at least from the point of view of those who work in security), as they guarantee new problems.
Let's take as an example the recent case of a Canadian Bitcoin exchange involved in a scandal in which it claims that more than USD 100 million became unavailable after the CEO, the sole holder of the password to the company's Cold Wallet, died from complications of Crohn's disease on a trip to India!
In this specific case, a lot of evidence points to fraud, but let's assume, for the sake of argument, that the story released by the company is true: “The CEO died and only he had the password(s) for the Cold Wallet(s), which were on his personal computer, and the individual died on a trip to India.”
If this is the case, it is a mixture of amateurism and criminal sloppiness. Below I comment on three points that are absolutely unthinkable for any Bitcoin exchange (and that you, as a user of this type of service, need to know):
* Cold Wallet control in which the (permanent) unavailability of one person prevents the funds from being moved is, at the very least, reckless management (which is a crime). Every manager or business owner needs to be diligent, that is, to anticipate existential risks to the business itself and to its customers;
* Using a personal laptop to carry the Cold Wallets is another piece of nonsense. Would you carry a suitcase with USD 100 million locked only by a password that the bearer knows? Obviously not, since criminals kill and torture for much less. With a personal laptop the problem is even greater, as it can be hacked whether it is online or not (see side-channel attacks and Stuxnet / Iran).
This specific case has a series of other absurdities, but the two above are enough to illustrate the other observation I mentioned at the beginning of this text: the causes of the "new" problems are generally classic. Most of the time it is young people making an old mistake.
For example, the unavailability of the Canadian company's wallet could easily have been prevented with a classic risk analysis (according to ISO 31000, a standard that is already 10 years old).
Technically, the implementation of a mathematical “secret sharing” scheme could easily have avoided this problem and at the same time increased the company's level of security and availability. It is something that traditional payment companies have known for decades.
As for the “safe” used to store the cold Bitcoin wallet, it needs to be on “tamper-proof” systems (and never on a laptop or x86 server). For this, there are vault rooms and HSMs (hardware security modules), used with resounding success in the areas of digital certification and, once again, payments.
Assumptions aside (since the Canadian case increasingly looks like a big case of fraud), it will be interesting, and not surprising, if central banks take the cue to regulate the sector more strongly.
And that is the final lesson: in security, the market rarely regulates itself. It is up to society to ensure that this regulation is well done and complied with.