Functioning as a hybrid form of property and currency, Bitcoin and other virtual currencies are entirely digital, operate over a user-maintained decentralized peer-to-peer network and function independently of any governing body. With virtual currencies amassing considerable market value, venture capitalists and entrepreneurs are rushing into the virtual currency ecosystems.
Security over these virtual currency assets, however, is a growing concern for investors and businesses built around virtual currencies. According to an independent investigation posted on BitcoinTalk.org forums, 818,485.77 Bitcoins (with a current value of about $500,000,000.00), have been stolen since August 2010. Without any centralized authority, victims of theft of virtual currencies have little means for redress. For a business operating in the ecosystem of virtual currencies, a theft event can cause crippling financial and reputational damage.
Cybersecurity issues were brought to the forefront by the collapse of Mt. Gox, a Japanese virtual currency exchange which is currently in bankruptcy proceedings due to the “disappearance” of hundreds of thousands of Bitcoins. Governments seeking to regulate virtual currencies took notice of the Mt. Gox failure and reacted. Notably, the State of Texas’ Department of Banking, in a memorandum discussing whether businesses changing U.S. Dollars into virtual currencies are subject to licensure under the Texas Money Services Act, appears to create a duty of cybersecurity for those businesses:
… license applicants who handle virtual currencies in the course of their money transmission activities must submit a current third party security audit of their relevant computer systems. Because the new technological paradigm created by cryptocurrencies has brought with it new risks for the consumer, it is incumbent on a license applicant to demonstrate that all virtual currency is secure while controlled by the applicant.
Although Texas appears to be the first state to address cybersecurity over virtual currencies, and the memorandum is limited on its face to specific businesses, other states and governments will likely follow Texas’ lead by imposing cybersecurity obligations. Unfortunately, Texas did not elaborate as to the parameters of this duty, and there is no regulation or law announcing any minimum standard.
How can a business ensure it has adequate cyber security and protect its virtual currency assets and itself from liability, while operating in an environment lacking guiding regulation or standard? Emerging best practices adopted by businesses operating in the virtual currency economies have created de facto standards that other businesses can look to for guidance.
Any company with a substantial Internet presence or e-commerce business should implement basic cybersecurity measures. Strong passwords, encryption, user two-factor authentication, anti-virus protection, spam filters and firewalls should be in place for any Internet business, especially a business that collects any client personally identifiable information, financial information, or holds any other sensitive data. Virtual currency businesses should design their computer infrastructure with security in mind, and use the most secure operating system, which is widely considered to be Linux.
Fundamental to any virtual currency business is the wallet. The wallet is the software that allows a person or entity to store and transact in virtual currency. The wallet contains a “public key” and a “private key.” The public key identifies the wallet and is disclosed with every transaction on the public ledger tracking transfers of virtual currencies, known as the blockchain. The public key, by itself, does not identify the owner of the wallet. The private key, however, is kept secret because anyone who has both the public and private key can control the wallet and can empty out the virtual currency from that wallet by transferring out its virtual currency holdings. Because virtual currency transactions are generally irreversible and there is no chargeback mechanism, once virtual currency is transferred, it is gone. Thus, maintaining control and protection of the private key for your business’ wallet is critical.
Wallets attached to the Internet are considered “hot” wallets, while those saved on media not connected to the Internet (including hard drives, flash drives, or even paper print-outs), are referred to as “cold” wallets. Businesses should only keep amounts of virtual currency needed for day-to-day transactions in hot wallets and should keep all other reserves in cold wallets. Some virtual currency businesses hold up to 97 percent of their virtual currency offline in cold wallets. Cold wallets should be held on machines or devices not attached to the Internet (referred to as “air gapped”), portable media. Reasonable physical access limitations should be enforced over cold wallets. Vendors providing offsite and insured storage should also be considered. By limiting assets held in Internet-connected hot wallets, businesses can reduce their vulnerability to hacking attacks.
Businesses with high transaction frequency should also consider using a hierarchical deterministic (i.e. “HD”) wallet. Logically, hackers are more likely to target wallets with richer holdings, which can be identified by tracing transactions on the blockchain. HD wallets generate a unique public key for each transaction, which further obscures the identity of the transferor. If your business holds large hot wallets, or engages in a large number of high value transfers, using HD wallet technology can obscure the size of your business’ holdings and reduce your likelihood of suffering an attack.
As many businesses are aware, attacks from inside an organization can be devastating. To address the potential ultra vires or criminal act from an insider, many virtual currencies offer what are referred to as multiple signature, or “multi-sig” wallets. Multi-sig wallets require more than one private key to authorize a transaction and are typically implemented by assigning keys to different people. By requiring multiple consents to make a transfer, Multi-sig wallets reduce the possibility of a rogue employee transferring your business’ virtual currency into his or her own control. Risk management startups also offer watchdog services, which enforce pre-set spending limits, and send notifications when they detect attempts to make unauthorized transactions. Businesses holding large amounts of virtual currencies should enable multi-sig wallets to protect against rogue transfers by insiders.
Although most Internet businesses carry insurance, most existing cybersecurity policies will not cover loss of virtual currency assets. Certain insurers have recently announced new policies which insure against virtual currency loss. Businesses dealing in large volumes of virtual currencies should explore insurance options to mitigate against potential losses.
As governments grapple with regulation of virtual currencies, and venture capitalists and entrepreneurs continue to invest in this new form of value transfer, security over virtual currency assets remains a concern. With strategic system architecture decisions, insurance, and the proper implementation of technology, businesses can insulate their virtual currency from sudden loss.