The best practices for cryptocurrency storage have been top-of-mind recently across the media, largely due to the QuadrigaCX scandal that left over a hundred thousand exchange users without access to their funds. Although a hack didn’t take place, the exchange’s poor security practices led to the loss of millions of dollars’ worth of cryptocurrency.
Recently, Finance Magnates spoke to Alena Vranova, cryptocurrency security expert and head of strategy at personal security cryptocurrency company Casa. Previous to her position at Casa, Alena was one of the founders of cryptocurrency hardware wallet manufacturer Trezor. Drawing from many years of excellence and experience, Alena spoke with Finance Magnates about her company, the best practices for cryptocurrency storage, and the future of keeping crypto safe.
In a madhouse,
you’ll know the sane
for they have the keys.
Happy 2019, Bitcoiners!#ProofOfKeys
— Alena Vranova (@AlenaSatoshi) December 31, 2018
Casa is “The Exact Opposite” of Banking
Alena explained that Casa’s first service offering, Casa Diamond, was designed for entities who hold a substantial amount of Bitcoin. “We want to make it easy to be secure,” she said.
“First of all, what we basically do is help our clients keep complete control over their funds–[they don’t] give away their keys, because I think that’s one of the biggest sins that you can commit when you invest in cryptocurrencies.”
She went onto explain that Casa enhances the “physical security” of its customer’s assets. “We provide a multi-sig app as a base, and we provide three hardware wallets that our customers distribute in separate locations.”
The funds are not exactly distributed among the wallets themselves. Instead, each of the wallets holds a piece of the keys to the wallets that hold their owner’s cryptocurrency; therefore, if one or two of the wallets are lost, the funds will still be safe. This is why the Casa security system is ‘multi-sig’: accessing the cryptocurrency requires authentication from several different sources.
“There’s a total of five keys in the ‘key set’,” she said. In addition to the three hardware wallets, there’s also a mobile wallet; Casa itself owns the final key. “That’s for emergency recovery. In the highly unlikely event that you would lose not just one, but two hardware wallets at the same time, we can help you recover your funds and gain access to your multi-sig wallet.”
“We’ve been thinking a lot about how we can structure the service and how we can structure the multi-sig so we can never be ‘evil’,” she said, “so we can never run our customers into a position where their funds could be locked up for any reason–security reasons, hacks, insider fraud, or even new regulatory burdens that influence custodial services.”
Alena explained that it could be possible that a custodian service could one day require its customers “to provide extra documentation for AML and KYC, otherwise we cannot allow you to use your funds.”
“So, that’s banking,” she said. “We are the exact opposite of that. We make sure that your or team members or family has access when the time is right in a secure way.”
Casa Could Greatly Reduce Violent Crimes Related to Crypto Theft
Alena explained that Casa’s multisig setup could also protect the physical safety of individuals who have access to large amounts of cryptocurrency. “We saw an [increasing] amount of extortion, kidnappings, and unfortunately even killings,” she said.
“So the assumption is that you have a multi-device and multi-location setup, as we do, you can mitigate the risk to a large extent.”
“Imagine there’s a criminal that holds me at gunpoint and says, ‘Alena, give me all your Bitcoin,’ and I say, ‘well, I would like to, but in order to do so, I need to go (for example) to my office, where one of the keys is (and [many people are]), and I need to go see my lawyer, because I’ve decided [to leave one of the keys] with my lawyer.’
“The cost for the criminal just went through the roof,” she said. “It’s very unlikely that they will go ahead.”
Introducing Trader's Room v3 by B2BrokerGo to article >>
Insurance Companies May Not Be Reliable for the Crypto Industry
Alena explained that Casa doesn’t offer insurance to its users. “The insurance is the entire security setup. We have many, many checks–even the builds that we do on the software, we have a lot of safety mechanisms built in.”
Additionally, Alena added that insurance businesses are not necessarily as dependable as the industry really needs them to be. “As I’ve worked for insurance companies, I kind of understand how the insurance business works,” she explained. “When it comes to a claim, the claim adjuster in the insurance company will primarily look into ‘ok, can you prove that nobody from your company [had] the knowledge of the keys?’”
We agree with @_jillruth ??
Personal sovereignty =
monetary and data freedom! https://t.co/APK9VJkJnx
— Casa (@CasaHODL) February 26, 2019
“And they will probably find limitations to the coverage; they would say, ‘but we only cover a certain amount’, so, with volatile markets, you may find yourself not covered, or just partially [covered]. Or they will find some footprint in the insurance conditions that will allow them not to fulfill their obligations,” she said.
“Although I don’t think that insurance is always unnecessary–it’s very important in certain things and certain areas–in crypto, there’s less than five insurance companies that can do the coverage and actually understand this risk.”
How to Protect Companies’ Crypto Reserves
“Crypto companies that have teams of 3 or 4 people in management can use Casa Diamond because they can distribute the keys among themselves,” Alena explained. “None of them alone can transfer money–they have certain checks between them,” she said.
However, she went onto say that Casa doesn’t provide services to exchanges. “We don’t do alternated co-signing and stuff like that,” she said. “That’s for the companies like BitGo–they do it well. We focus on small teams, individuals, family offices, and wealth managers.”
So, the QuadrigaCX scandal theoretically could have been avoided if the exchange had employed Casa or a similar service in the past to manage its liquidity pools. However, Alena had a simple piece of free advice for cryptocurrency hodlers who may be concerned that their funds are at risk on exchanges: “the better solution for QuadrigaCX [users] and any exchange users is just ‘do not keep the crypto there when you’re not trading.’”
“Trusting your investment to a third party… is a sin,” she said. “It’s very normal that tend toward these solutions because, until Casa, it was really difficult to maintain a good security setup that’s not [your own business].”
“So I absolutely understand that,” she went on, “but it’s not necessary, and on top of not being necessary, it’s very risky. You’re introducing a huge, huge risk that for me, would be hard to justify.”
When it Comes to Crypto Storage Option Only the ‘Few and Mighty’ Will Survive in the Long Term
“There will be a huge amount of different approaches, but only a few of them will prove themselves working and actually secure.”
“With regards to biometrics, that’s something that sounds fancy, but has to be applied sparingly and with care,” she said. This is because biometrics “are relatively easy to mimic.”
“For example, fingerprint scanners don’t actually scan a whole fingerprint–they just scan a few points and match…you only need a collection of 200 different fingerprints in order to match one.”
“So you need to consider how and where to use biometrics. Face recognition is great, but you need to combine the security with something else…something that you know should be in the game.”
“We will probably see more attempts to go to bluetooth…more hardware wallets embedded into other devices,” she explained.
At the end of the day, however, Alena is a firm believer in multi-sig security. “Multi-sig has been [used] in Bitcoin since the very early days.” However, “the use of it among individuals is very low–among companies, it’s a little bit better, but I’ve seen companies (for example, projects that did [fundraising] and [held an] ICO) that still don’t have a multi-sig setup among the team,” she explained. This is the same problem that caused the QuadrigaCX incident.
Additionally, Alena believes that as cryptocurrency storage security continues to evolve, hardware wallets will continue to serve an important function. “[They are] the foundational layer,” she explained. “That’s the only secure way for end-users to generate private keys, because it’s offline.”
This is an excerpt. To hear the rest of Finance Magnates’ interview with Alena Vranova, click the SoundCloud or Youtube links.