It has been reported that users of Canada’s largest Cryptocurrency Exchange, QuadrigaCX are unable to access most of their funds amounting to around C$180m (£105m) as the sole password holder, Gerald Cotten, died apparently taking a vital password with him to the grave.
One of the main attractions of cryptocurrencies is the enhanced security afforded to financial transactions. Cryptocurrencies are seen by their advocates as extremely secure as each transaction is independently verified by Blockchain technology, a form of ‘unbreakable’ ledger. The increased mainstream use of cryptocurrencies has proved the robustness of this new technology but highlighted significant security issues that can jeopardise investments in cryptocurrencies and have a direct impact on the price of these assets.
Security breaches haven’t revealed issues with Blockchain itself, however, hacking attacks have demonstrated significant security protocol failures at certain cryptocurrency exchanges. It appears that cryptocurrency exchanges lack the security expertise and investment in security and are a good target for digital thieves. Lax security at cryptocurrency exchanges is concerning as there is evidence of growing networks of criminals focusing on stealing cryptocurrencies.
Using a cryptocurrency exchange is similar to a real life bank account. A cryptocurrency exchange, such as QuadrigaCX allows customers to trade cryptocurrencies for fiat money (legal tender such as pound sterling or euro) or other cryptocurrencies. As you would expect, the assets held in by cryptocurrency exchange need to be kept securely but cryptocurrency exchanges have been the subject of recent high profile attacks by hackers. To date, the greatest perceived risk to cryptocurrency exchanges is from hackers and cryptocurrency exchange security measures have been focussed almost exclusively on hacker prevention. Business continuity planning and physical security appears to have been overlooked at QuadrigaCX given the huge repercussions of a lost password.
To protect against hacking it is recommended that the majority of funds should be kept in a computer that is inaccessible from the internet, otherwise known as ‘cold storage’. QuadrigaCX implemented this safeguard and stored the majority of its cryptocurrency in ‘cold storage’. However, the day to day access and security of the cold storage appears to have exposed the business to catastrophic risk. Gerald Cotton’s widow has filed a sworn affidavit confirming that QuadrigaCX cannot access the funds in ‘cold storage’ because Gerald Cotton had sole responsibility for handing the funds and coins and it has not been possible to discover its password or recovery key to his encrypted laptop.
The unfortunate circumstances resulting from Gerald Cotton’s untimely death highlight the danger posed by having a single individual with complete password access particularly if there is no backup. At the very least, it makes such an individual a target of criminal attack such as kidnap, physical threats or other criminality. It has been noted that the impact of loss of passwords could have been minimised if, as previously stated, QuadrigaCX had used a multiple signature system of ‘cold storage’. There has been criticism from security experts of the fact that the ‘cold storage’ was on a laptop as evidence of inadequate protection against theft. In addition, there are some as yet unsubstantiated reports that Gerald Cotten’s death may have been faked or used as a cover for an exit scam by individuals with access to the assets in ‘cold storage’.
Cryptocurrencies have waxed and waned in popularity in recent months and years but investors should remember that they remain an emerging form of investment and significant financial institutions such as Fidelity, which recently announced Cryptocurrency operations, are only now applying their sophisticated investment management experience towards the safe trade and custody of cryptocurrencies. Lessons on appropriate physical security measures need to be learnt and will hopefully result in greater protection for all investors in cryptocurrencies. Physical security should not be overlooked in the drive to improve cyber security, which the loss of £105m of customer assets demonstrates.