Safety in numbers
18 Sep 2019
Alexandre Lemarchand of Ledger Vault says with digital assets on the rise, the industry must consider the challenges and solutions aimed at keeping them safe
Institutional investment and digital assets
We are clearly in the midst of a mainstreaming of cryptocurrency and digitised assets. At the time of writing, the top crypto exchange handles a volume of around $50 billion and Bitcoin is trading at or around $10,000. Bitcoin price fluctuations are covered by the mainstream media and a growing number of institutional investors are turning to digital assets to build out their traditional investment portfolios.
Last year, the largest academic endowment in the world, the Harvard Management Company, put somewhere between $5 and $10 million into cryptocurrency. In May, a Fidelity survey asked institutional investors including pensions, hedge funds and endowments what they thought about crypto and digital assets. Just under half, 47 percent, of respondents reported an “overwhelmingly favourable” opinion of digital assets while 72 percent of respondents said that they prefer to buy investment products that hold digital assets. The study indicated that “institutional investors are finding appeal in digital assets and many are looking to invest more in digital assets over the next five years”. We’ve been talking about Bitcoin, Ethereum and so on for years. In February, JPMorgan Chase launched JPM Coin, making it the first US bank to create a digital coin representing a fiat currency. Their token is in a prototype phase and is being tested solely with J.P. Morgan institutional investment clients.
According to Reuters, “several of the world’s largest banks are in the process of investing around $50 million to create a digital cash system using blockchain technology to settle financial transactions, according to people familiar with the plans”.
Building security for tokenisation and digital assets
With digital assets on the rise, we must consider the challenges and solutions aimed at keeping them safe. As cryptocurrency awareness grows, the digital custody landscape will as well. In the future, there will be more institutional investors on the scene diversifying their portfolios with digital assets. More regulated custodians will be on the scene supporting serious long-term growth for individual investors, asset managers and family offices.
However, industry reports have shown that some $1.7 billion in cryptocurrency was stolen in 2018. The threat landscape faced by investors is similar to that facing security professionals in all tech spaces and will only become broader as the industry grows. From social engineering to traditional cyberattack methods like site clones, phishing and SMS hacks, to basic hardware tampering, there are many entry points in this new frontier.
But cryptocurrencies aren’t physical goods that can be locked up in a safe or transported in a Brink’s truck. Digital assets like Bitcoin, Ethereum and Ripple exist on the blockchain and are maintained in a decentralised environment. To establish “ownership” of cryptocurrencies, the transaction activity is tracked on a public ledger—the much-heralded blockchain itself—by public and private keys.
Understanding digital asset custody
Proper custody of digital assets isn’t as easy as locking up gold or paper currency in a bank vault. Since cryptocurrencies like Bitcoin and Ethereum exist completely digitally on a blockchain and are by nature maintained in a decentralised environment, they present an enticing target for hackers. Further, it isn’t easy for institutions to deal with public and private keys on such a large scale. Secure storage of large digital asset funds is complex, and institutions need safe, comprehensive and integrated security solutions.
In the cryptocurrency world, there are several ways to store your digital assets but they all generally involve some form of wallet. Very simply, a ‘crypto wallet’ is a device on which your private keys are stored. Your private keys are a critical piece of information used to authorise spending and selling crypto on the blockchain. The wallets in which you hold them can be physical devices, software- or solution-based or simply the online exchange from which you’ve purchased your currency.
Of those wallets, there are two types: hot and cold. Hot wallets are connected to the internet, while cold wallets are not.
Hot wallets
There are two main types of hot wallets:
Web/online/exchange: Leaving your crypto on an exchange is an example of hot wallet storage. Any type of storage that is online is considered “hot.” These types of online wallets are the most insecure: they are susceptible to being hacked, to having your email and login info stolen, or to counterparty risk.
Software wallets: A software wallet is an application that you download to your computer or phone. It is considered safer than a web/exchange wallet because you, rather than a third party, have control of your private keys. However, since your computer and phone are vulnerable to hacks, software wallets still aren’t the best option.
Cold wallets
There are two main types of cold wallets:
Hardware wallets: Hardware wallets are widely considered the safest option for storing your crypto. Typically in USB format, a hardware wallet can be connected to the internet to transfer crypto to an exchange for trading, but it can then be disconnected, with your crypto stored totally offline and inaccessible to hackers. The main principle behind hardware wallets is to provide full isolation between the private keys and your easily-hacked computer or smartphone.
Paper wallets: A paper wallet is an offline mechanism for storing your keys. You literally print out your public and private keys on paper and keep them somewhere safe. This is extremely safe, and cheap, but obviously not the best method. If you lose the paper, you completely lose your private keys.
Hardware wallets like the Ledger Nano X have become the de facto best practice among individuals serious about their investments, but think about enterprises handling millions of dollars’ worth of crypto. In the early stages of institutional investing, asset managers would find themselves securing massive amounts of wealth on hardware wallets with no convenient and efficient way to implement meaningful segregation of duty. As cold wallets are not always connected to the internet, they are considered the safest option for personal investment and crypto holding, but institutional investors cannot rely on one type over the other.
While USB-based hardware wallets are undeniably the best way for individuals holding cryptocurrency to protect their investment, they’re not practically viable for enterprises handling millions of dollars’ worth of crypto. The financial industry needs custody solutions that are more holistic in their approach, combining both hot and cold approaches, and encompassing both hardware and software technology solutions.
The most secure way to manage crypto assets is through an end-to-end multi-authorisation governance infrastructure. Secure storage of large digital asset funds is complex, and exchanges and institutions need safe, comprehensive and integrated solutions. An effective approach employs a multi-authorisation self-custody system of management and gives financial institutions security, control and speed of execution. A reliable governance framework provides instant access to funds without compromising security whether data is at rest or in transit.
Addressing the future of security
So clearly you can’t be running crypto on a bunch of jump drives. Even the most novice crypto holder needs a wallet that has both a secure element and a custom operating system, without compromising security or convenience. While blockchain aims at revolutionising financial systems, many investors are still decades in the past when it comes to the way they are safekeeping their digital assets.
The appetite to hold digital assets across institutional investors has increased over the past few years. There are a few primary considerations when it comes to the custody of digital assets.
Effective cryptocurrency custody solutions should ensure there are no single points of failure within an organisation. Think about the QuadrigaCX case during which $163 million disappeared. While it’s now clear that it was a matter of extreme fraudulence and one bad actor, it showed—on a tremendous scale—the danger that lies in trusting single points of failure.
There is no denying that the digital asset world is one that is constantly under attack. We spend significant time and effort to assess the security of our technology along with our industry’s. As hackers become more sophisticated, there is no question that our industry will be forced to adapt and create novel technology, which is exactly where our work leads us.
Designing security is serious, hard work and that’s what we do at Ledger Vault. Those working in this field spend a lot of time and resources trying to create secure solutions.
We consistently seek to publish findings to raise awareness about the security of our industry, and also to lay the groundwork for other security researchers. Our intention is that this work will lead to additional research and improve the overall security of the industry.