By Ron Stoner, Head of Security at Casa
Digital security is premised on fear. And with good reason. The world is awash with cybercriminals who will exploit any vulnerability to steal your money, your passwords, and even your identity. And yes, often, the smartest thing to do is to entrust your valuables (whether corporate or personal) to third parties that employ enterprise-grade security systems that provide the best defense against hackers.
But not with Bitcoin. Handing over the keys to your coins might seem like the smartest thing to do, but that’s only because we’ve been conditioned to believe that technology firms (such as exchanges and trading platforms) must be inherently more secure.
Two stories from last month illustrated just what’s wrong with this approach. At the beginning of October, federal prosecutors charged crypto trading platform BitMEX with facilitating unregistered trading violations. Two weeks later, one of the world’s largest crypto-fiat exchanges suspended withdrawals indefinitely after one of their key holders went AWOL.
As Noelle Acheson pointed out, these stories highlight one of the biggest ironies of the cryptocurrency market, which is that an industry born on the basis of decentralization is dominated by centralized businesses with centralized vulnerabilities.
Somewhere along the line, Bitcoin’s defining ethos of decentralization was forgotten, leading new users (and some experienced ones) to believe the impossible: that their Bitcoin is safer when someone else holds the keys.
Exchanges aren’t banks
Let’s be clear: without exchanges, there would be no Bitcoin ecosystem. Period. The problem isn’t with these platforms per se but with the assumption that an exchange is like a bank: an online vault that’s the safest place to store bitcoins.
This is a hangover from years of users being told that security is best left to the professionals. And in most cases, this remains true. With bitcoin, however, people make the mistake of assuming that bitcoin functions just like cash, and that the safest place to keep them is on the exchange where they buy and sell coins. But there’s a crucial difference: unlike cash, you never ‘hold’ bitcoins; you only own the keys that control them on the blockchain.
Bitcoiners who don’t realize this can therefore believe they are putting their coins into a digital Fort Knox, but all they have actually done is cede all control (and therefore ownership) of their Bitcoin to a third party. The only way to ensure that your bitcoin is highly secure is to self-custody your keys in a cold wallet.
So, what’s gone wrong? Why is this message not filtering through to Bitcoiners? And why aren’t exchanges educating their customers on best practices for keeping their coins secure?
The most obvious answer is that it suits exchanges to keep hold of their customers’ Bitcoin since it makes it easier for people to actively trade. There are other less savory reasons why an exchange might want to keep control over the keys that secure bitcoin, but overwhelmingly the main motivation is to make the whole process of buying, trading, and storing Bitcoin as seamless as possible. But if this comes at the cost of making Bitcoin significantly less secure, all these advantages count for nothing.
Bitcoin has transformed the world so fast that it’s easy to forget how recently it was introduced. In seeking to improve user education, we have to remember that it takes ordinary people time to grasp any new infosecurity concept. Self-custody is no exception.
It certainly hasn’t helped matters that our industry has, wherever possible, appropriated language and concepts associated with fiat cash, which provides poor analogies for explaining an entirely new concept of money. After all, bitcoin wallets don’t contain any bitcoin: they hold your keys. We need to educate people so that they would no more trust a stranger with their crypto keys than they would their house keys.
Fortunately, it looks like people are beginning to get the message. Since March, the value of bitcoin held on-exchange has fallen by about 10 percent or $2.85 billion following high-profile hacks at exchanges and trading platforms, including KuCoin, Eterbase, Cashaa, and many others. Even though hackers weren’t to blame for the debacles at BitMEX and OKEx, they still served to highlight how vulnerable your coins are when you don’t self-custody the keys.
In view of these repeated coin catastrophes, it’s difficult to see how exchanges and other Bitcoin platforms can continue to ignore user education. And since anything that harms adoption or damages consumer trust is bad for everyone in the wider Bitcoin ecosystem, I believe that this effort is everybody’s business.
And in all fairness, there are exchanges that do a really good job at promoting self-custody to their customers, with Kraken being just one example. But this commitment to user education must become the rule rather than the exception.
Bitcoin was never meant to be merely a competitor to fiat currency, but a revolution in our very relationship with money. If we want people to embrace the ethos of decentralization that enables anyone to be their own bank, let’s help them avoid the biggest mistake they can make.
Bitcoin security is simultaneously one of the easiest and hardest things to teach since there really is very little to learn. The real challenge is to change a mindset that has been ingrained upon people’s psyche for so long: that security is always better when someone else is responsible for it. That’s why educating people on keeping their bitcoin secure starts with two simple words: Trust yourself.
Ron Stoner is Head of Security at Casa, the world’s most respected Bitcoin custody provider. Ron is responsible for ensuring Casa infrastructure, products, and customer services meet strict security standards, conducting internal penetration testing, and providing best practice security education to help customers keep their secure funds fully secure.
Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.