Hacking of crypto-asset exchanges and losing access to accounts 66. Crypto-asset exchanges enable people to use fiat currency to buy crypt...
Hacking of crypto-asset exchanges and losing access to accounts 66. Crypto-asset exchanges enable people to use fiat currency to buy crypto-assets, such as Bitcoin.101 Crypto-asset exchanges can be custodial and non-custodial. Custodial crypto-asset exchanges hold crypto-assets on behalf of their customers whereas noncustodial crypto-asset exchanges do not have custody of customers’ money. In these cases, customers have complete ownership of their money and are responsible for its security. David Raw, Deputy Director of Banking and Credit at HM Treasury, told the Committee it is the custodial exchanges that are at a greater risk of being hacked.102 To hack a noncustodial exchange would be to hack the blockchain itself, which, as far as is known, has not yet been successfully done. 67. Several custodial crypto-asset exchanges have been hacked and customers’ cryptoassets have been stolen.
For example, on 28 February 2014 Mt Gox, a Japanese Bitcoin exchange, filed for bankruptcy after announcing that it may have lost all of its investors’ virtual coins, after its computer system was hacked.103 More recently, over the weekend commencing 9 June 2018, South Korean exchange Coinrail suffered a cyber-attack which caused a loss of approximately 30 per cent of the crypto-assets traded on the exchange.104 68. Martin Etheridge, Head of Notes Operations at the Bank of England, noted the importance of distinguishing between the hacking of crypto-asset exchanges and the hacking of the blockchain: This reinforces the need for a distinction between the underlying technology and the tokens themselves, because people will tell you how resilient and secure distributed ledger technology is but, when you look at the system that is currently in operation, it is not the distributed ledger that is being hacked; it is the custodians [i.e. the custodial wallet providers and exchanges] that are being hacked.
69. When asked why crypto-asset exchanges appeal to hackers, Izabella Kaminska, Editor of the Financial Times Alphaville, argued that the characteristics of crypto-assets and the underlying technology incentivises and facilitates their theft: On the hacking point, it is important to put this in lay terms. What we have here is the creation of a bearer asset.
We hear a lot about how amazing it is that the blockchain is immutable. The downside of immutability is that if somebody steals your asset it continues down the chain, unless we start to blacklist said coins that have been stolen.
[…] In terms of what we are talking about physically, we are talking about [crypto-asset owners’] capacity to remember a very complicated string of numbers [which] is what gives you access to your funds. It is all about how securely those numbers can be kept.
[…] If a criminal finds your string they have full access. By the time it has gone and been spent you have lost access. You are only as secure as your own capacity to remember those numbers.
[…] The real weak point is the user 70. When asked how crypto-asset exchanges can mitigate the risk of hacking, Iqbal Gandham, Chair of Crypto UK and Managing Director of eToro, explained that by keeping customers’ details offline, greater security can be achieved. He said: We at Crypto UK have created a self-regulatory code of conduct, one aspect of which is that any member exchange needs to keep 90plus per cent of customer currency in cold storage, so not connected to the internet, to avoid [hacking]. People are moving their assets, they are disconnecting them from the internet. They are also now insuring any assets that are connected to the internet. It is very difficult to get insurance, because the insurance products have not matured enough, but they are working to address these concerns.107 71. Obi Nwosu, Chief Executive Officer of Coinfloor, elaborated on the concept of cold storage further: [An individual’s] private key, the stamp for authorising [a transaction], can be kept online, in what is known as hot storage, on an internet-connected device, or it can be kept in cold storage, offline, on a device that is not connected to the internet. It would be created offline, stored offline and used offline. That is known as cold storage. This is important, because every single successful hack of an exchange has always involved the hot element.108 […] This is the equivalent of money in your purse versus money in a bank vault. One is online, available for other people to access, while the other is money offline and behind various security
72. However, Ms Kaminska argued that the use of cold storage highlights the inefficiencies of the crypto-asset exchanges, and creates market liquidity issues:
Cold storage has been put forward as a solution here, but we need to recognise what that actually means. It means total inefficiency. There is something called a security access paradox, insomuch as if it is secure it is not accessible, and if it is accessible it is not secure. When everything is in cold storage, it is very difficult to maintain the liquid availability of funds to manage things in real time
73. When asked if exchanges had mechanisms for compensation in the event of a hack and subsequent loss of crypto-assets, Mr Nwosu stated that most exchanges did not have any mechanisms for compensation at this stage.111 74. An additional risk that consumers may not be aware of came to the attention of the Committee during the inquiry relating to the storing and access to passwords of cryptoasset platforms. The Committee has heard of instances where customers that have lost their passwords (and consequently access to their accounts) and have been told by the firm that runs their account that the passwords cannot be restored. For example, in response to a customer who had forgotten their password and recovery phrase, Blockchain, a noncustodial software platform that provides wallets to customers, stated that “your recovery phrase is the only way to restore access to your wallet if you forget your password.”112 Thus, there is no recourse for customers who have lost their password and recovery phrase.
75. Investors typically access and invest in crypto-assets through exchanges. A number of these have been hacked, with customers losing significant amounts of money as a result. 76. There is no collective deposit insurance scheme to compensate investors in the event of a hack, nor do individual exchanges generally have arrangements in place to do so. The risk of hacking associated with crypto-assets may not be something investors in conventional assets have experience of, and therefore they may not be well placed to judge this risk. It constitutes further evidence that crypto-assets are particularly illsuited to retail investors. 77. There have also been instances of investors losing access to their crypto-assets when they have lost their passwords to their accounts with exchanges or crypto-asset platforms. Exchanges and crypto-asset platforms have subsequently been unable to recover their customers’ details, so customers are locked out of their accounts permanently. This often unexpected outcome for investors is a stark contrast against how customers of banks, and other regulated financial services firms, are treated when they have forgotten their details.
No comments