By Paul G Smith CEO, MTP

Operational security: wallets, trust and safety

First Published: e-Forex Magazine 85 / Blockchain and CryptoCurrencies / March 2019

A few years ago, one of my acquaintances was involved in the development of a Bitcoin client and had a nice little holding. At the time it was several hundred coins, bought relatively cheaply in today’s terms. He spent a lot of time bigging-up Bitcoin on social media, telling people why they should invest in it. It was around then that I bought a few myself, so I have skin in this game, though it was not because of anything he said. Until quite recently, I kept these coins securely in offline storage in my home, because I didn’t trust any form of centralised custody.

Another thing my acquaintance did was talk about how great the Bitcoin exchange Mt Gox was, and how he was keeping most of his coins there for ease of trading. I remember having a few fairly pointed exchanges with him on Facebook about the sense or not of trusting a distant third party to look after what were the bulk of his assets (for the benefit of future readers of this article, Facebook used to be popular as a medium of individual expression and communication, before they lost the trust of their customers due to multiple security breaches - most of which were intentional, which is a whole different story).

You might remember that Mt Gox ended very badly indeed. Thanks to what they represented as an operational security problem (i.e. a leak of coins due to a security hole in the core transaction protocol) but was more widely thought to have been plain and simple fraud, more than 650k Bitcoins were lost. Eventually most participants got something back, but at the time my acquaintance was facing a loss of well over £250,000, and he never saw the upside on those coins (he would have been a multimillionaire with them by Christmas 2017, if he had retained them by some other means).

That was not the last big cryptocurrency theft. Traders and investors in the years since then have been met with failure after failure. In the current news, investors who held virtual currency in Quadriga have been on a rollercoaster, first being told that the founder had unexpectedly died and that the coins were safe, but locked on cold storage to which the keys were on a locked laptop, and then that the laptop had been cracked, the keys found, and ... wait for it ... the cold storage was empty. No coins. However, the company said, it has “found evidence of 14 other accounts created by the founder outside the normal process” that may have been used to trade the coins out on the exchange.

Given all the above you might wonder why I have recently entrusted my own coin holdings to the custody of an exchange. I’ll try to answer that in a moment.

Crypto theft got a lot of press during the BTC bubble

Relevance for brokers

It’s pretty obvious that the above stories of crypto loss have a lot of relevance to broker operations, whether they deal with cryptocurrencies or not, and to the topic of financial and information security in general. Crypto theft got a lot of press during the BTC bubble, but financial fraud comes in many different shapes and colours; it’s widespread, and it’s not always fraud - loss will often also result from accident or incompetence.

I wanted to be an artist when I was at school, but I was very good at logic and maths and discovered a talent for computing technology early on. In the technology industry, I have never represented myself specifically as a security specialist, but from my first days working on accounting, finance and trading systems security was at the heart of every project I worked on. So I do know something about this subject.

A couple of memories stand out.

One was of how we received through the post one afternoon a marketing pack and sample for a “copy-proof” floppy disk distribution system for software. At the time we were the UK’s market leader in small business accounting software (this predates Sage by a few years, it was the very early days of the personal computer industry) and things like this mattered a lot to my boss, because he was famous. The package stated quite clearly that if we were to use this “unbreakable” system, they were sure that no bad actors could come along and steal / duplicate / copy our work.

I remember taking this indefensible claim (i.e. that the system was impossible to break) very personally. I took the disk home that night, disassembled the code on it, created a system for creating copies that would load the same software (but with an extra message of my own on the screen) and posted two copies first class back to that company with a cover letter, to arrive on Monday morning. We received a grovelling phone call that afternoon, followed a few days later by another letter in the post to say that they had withdrawn this copy protection system.

The second memory is of a training course in information security, a few years later, that taught that the number one risk in information security is what the ex-army trainer called the “rubber hose attack”. You send a very large person to find the person with the key, and then the large person hits them until they give up the key. No hacking or IT skills required, works every time.

Operational security is holistic and cuts across the whole business

Operational security is holistic

The point I am trying to make here is that operational security is not something that can be “solved” with a bit of technology alone, just as there is no magic piece of technology that will solve all the problems of a business. There is no way to get an “edge” using technology alone. I’ll return to that subject in future articles but the takeaway for today is that operational security is holistic - it cuts across the whole business - and cannot be solved just by installing a better wallet or a magical security tool. It’s also smart to not automatically trust claims made by vendors, and to do very careful due diligence.

So, what has this got to do with the importance of trusted, reliable technology and safe infrastructure to brokers and banks? Rather a lot, actually. Brokers depend upon the trust of their trader clients - without that, they have no business at all. The broker needs to trust their staff and suppliers, and so on up the chain of demand and supply.

Across the FX and Crypto businesses there has been increasing focus on the importance of firm and reliable liquidity, which comes from speciality liquidity providers. Likewise, brokers are used to partnering with suppliers of technology, this is nothing new. Very few brokers built their own trading platform.

IT outsourcing and, subsequently, complete business process outsourcing, became very big businesses in the 1990s and after the millennium. Many brokers today outsource one or both of these. It makes sense to concentrate on what one knows and to let others take the strain. The logical conclusion of which is the “broker in a box” model that most readers will be familiar with.

However, I don’t believe that sufficient trust can be gained by this model, when taken to that extreme. The end customer, the trader, is being asked to trust the broker when really they should be doing due diligence on the broker’s suppliers and partners, which may be difficult if not impossible to do. So this means the choice of technology partners and suppliers is a critically important decision, one not to be taken lightly. I believe that for this to work well, the broker needs to “own” its own core business processes, and pick suppliers very carefully. This argues against very small brokers, who won’t have the staff or the resources to do that, but so be it. It’s a time for everyone to raise their game and move up-market, in a market that is in need of a bit of long-overdue consolidation.

Another cautionary tale

In another cautionary tale, last year, I met a crypto business that suffered a disaster because all the business processes around settlement were concentrated in the mind of one of the founders. Settlement is hard, and this is particularly true in the crypto business where there was until recently a paucity of reliable providers of liquidity and exchange. In this case there were two notable problems. Firstly that the processes were not sufficiently automated. Secondly that once the responsible person fell ill, there was no one else with the keys or knowledge to continue the settlement process, which then pretty rapidly ran into the ground. It wasn’t the end of the business, they are slowly recovering, and one should not blame the individuals concerned: they were acknowledged to be pioneers and risk takers and this kind of thing goes with the territory. Nonetheless this was an entirely avoidable problem.

My own decision, about where to keep my crypto coins, came about quite simply. I am a digital nomad, moving from place to place, and I don’t see my real home for months on end. I cannot say that keeping cold storage in that home is more secure than an external vault, because in all honesty, I might get back to find it’s not there any more. Or that, post-Brexit, they won’t let me back in. Carrying my assets with me is no better. Yes, I could carry a paper wallet, but since I can’t even be trusted to file the invoices, the chances of me losing it are high and of finding it in case of need are pretty low. Carrying them on a laptop just seems foolish. So, as the value of BTC fell last autumn and I had a need to cash some in, I transferred them into an account I hold with an exchange I trust, where they now reside and can be traded more easily (it became possible to diversify my holdings once the coins were there).

Back to Quadriga, it seems that the issue may have been as much one of a failure of internal compliance (business processes, onboarding, risk management, lack of compartmentalisation) as one of information security (i.e. it wasn’t really a matter of lost keys). How was it ever OK that one person held all the keys, and owned all the rules? As soon as the company made the transition from the wild west of risk-taking pioneers into the real world where investors need to trust where they are keeping their assets, that ceased to be appropriate.