Security 101 for Banks Delving Into Crypto


America’s first bank heist took place in 1798, centuries before hackers flocked to Dark Web forums to hash out their own plots. Yet it involved a lot of the same components that would define a successful hack today: A malicious insider with a lot of access (a carpenter hired to oversee the relocation of the Bank of Pennsylvania) compromised a third-party solution (vault doors built by a local locksmith) and made off with the money. Notably, his accomplice displayed a staggering amount of idiocy by trying to deposit the money into the very bank it was stolen from without even cooking up a good cover-up story, but that’s a tale for another day. 

This story, like every other bank robbery, heist, or hack out there, points to a simple truth: Banks will remain a coveted target for criminals for as long as they hold and process assets of value. And now that banks are slowly but surely moving to work with a new kind of valuable asset—namely, cryptocurrencies and other blockchain-based tokens—it’s high time for them to up their game with regard to security.

It’s not that they haven’t already, of course. According to a 2020 survey from Deloitte, banks spend roughly 11% of their IT budget on cybersecurity. Brian Moynihan, CEO of Bank of America, said earlier this year that the bank spends upward of $1 billion a year on cybersecurity. Sadly enough, though, you never really solve a problem by throwing money at it, and financial institutions delving into the world of blockchain will need to make sure they get the fundamentals right from the get-go.

Keys to the kingdom

The crypto universe is known, if not notorious, for its hacker problem. In the third quarter of 2021 alone, malicious actors stole over $1 billion worth of assets, according to a recent report. It is important to understand the details, though: The stolen assets remain where they are, on the blockchain. What does change is the wallet that a specific amount of tokens is associated with.

The wallet, in blockchain terms, comprises two cryptographic keys, a public and a private one. The public one works much like an email address, while the private one is needed to sign off on any transaction. Besides regular transfers, a crypto transaction can also be used to access a decentralized finance service—in this case, it works much like a function call in coding, initiating a specific script hosted by the decentralized network.

So the most fundamental thing to grasp for a bank planning to offer custodial services to its clients is that what it needs to secure are the keys used to access these assets, while the assets themselves are sitting elsewhere. There are multiple ways to approach this, but the two prevalent ones are either with an omnibus account or with a separate account for each client. The former option sees the bank control what is effectively a single cryptocurrency wallet holding assets that total the sum of the clients’ holdings, with each client assigned their portion of it. The latter sees separate wallets being set up for every client.

Both options have upsides and downsides from the perspective of convenience, versatility, and usability, both for the bank and the end clients, but what stays the same at this point is the fact that, once again, protecting the private keys is the paramount task from the security perspective.

Be your own defense

In the most general terms, when offering custody over digital assets, a bank can either strike a deal with a sub-custodian, who would take this burden off its shoulders, or develop a direct custody capability. The latter can take the shape of a multi-party computation (MPC) solution or a cold vault. An MPC has multiple computers (usually one on-premises, several in the cloud), each one only holding a shard of the key, signing off every transaction, while a cold vault is not connected to the Internet. In some sense, a piece of paper with the private key printed on it is a cold vault, just not a good one.

All of the options above have their strong and weak points. Sub-custody, for example, may seem like the most enticing option, simply because it moves the headache to a different party. From a security perspective, it also greatly expands the bank’s attack surface, giving prospective hackers more attack vectors to work with. Going after a third-party service provider is a valid and effective tactic, as the Bank of Philadelphia would have testified back in 1798. And we don’t need to go that far, as today’s hackers know just as well to go after banks through their contractors.

The fact that the sub-custodian may have their own risk appetite also limits the bank in terms of its versatility. In other words, in an arrangement like that, the bank can only offer custodian services to clients that fit the sub-custodian’s needs, which may not be ideal. After all, business policies tend to evolve over time, and if the bank’s risk appetite just so happens to grow faster than the partner’s, there is little it would be able to do. Such is the nature of vendor lock-in.

A direct solution has the clear benefit of giving the bank full ownership of its own capabilities. An MPC would be more exposed, as it relies on a cloud, whether public or private, but it would also be more versatile, as it can initiate transactions quickly, at a pace that can serve even high-frequency trading operations. A cold vault is significantly more secure: To hack it, the attacker would have to first get through to it physically. So would the bank, though, when initiating a transaction on a client’s behalf, which means more time spent on the entire process and is hardly ideal for tasks like high-frequency trading. This, nevertheless, is the situation with most of the cold solutions in the market today, albeit not with all of them. 

Strategizing security

While at the end of the day, a bank’s security policy for digital assets will depend on its own risk assessment and priorities, there are a few general rules and practices that a bank should follow to keep its clients’ assets safe. First of all, banks should not outsource custody to sub-contractors, as tempting as it might be, because the risks of the approach clearly outweigh the rewards.

When setting up the custodian infrastructure, banks must make sure to spread their assets between the cold vault and the MPC. With the omnibus option, the cold vault must hold the majority of the assets, about 97 percent, as this is where they would be safest, while the MPC must only hold enough to cover the small day-to-day operations. If following the separate-accounts approach, banks would be best off tailoring the ratio for every customer to their own individual needs and risk appetite.

Finally, in their cold vault access protocols, banks must eliminate the single point of failure. There should be no single individual or computer that handles the access in its entirety. If anything, such designs are only enabling scams and fraud known as rug pulls in the crypto world, where the person in control of a project’s funds decides the money would be better off in their personal wallet.
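To make the last two rules concrete, here is an added sketch (not part of the original article and not any vendor’s code) of the 97 percent omnibus split and a cold-vault approval check with no single point of failure. The quorum size of three, the approver names, and the device labels are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

COLD_SHARE = Decimal("0.97")  # omnibus split stated in the article
QUORUM = 3                    # assumed number of independent approvals


@dataclass(frozen=True)
class Approval:
    approver: str  # person signing off on the withdrawal
    device: str    # machine the approval was issued from


def rebalance(cold: Decimal, hot: Decimal) -> Decimal:
    """Amount to move from the hot (MPC) wallet into the cold vault so the
    vault holds COLD_SHARE of the omnibus total; negative means a top-up
    of the hot wallet from the vault."""
    return (cold + hot) * COLD_SHARE - cold


def authorize_cold_withdrawal(requester: str,
                              approvals: list[Approval]) -> tuple[bool, str]:
    """Permit cold-vault access only if no single person or computer
    could have produced the whole approval set."""
    people = {a.approver for a in approvals}
    devices = {a.device for a in approvals}
    if requester in people:
        return False, "requester cannot approve their own withdrawal"
    if len(people) < QUORUM:
        return False, f"need {QUORUM} distinct approvers, got {len(people)}"
    if len(devices) < QUORUM:
        return False, f"need {QUORUM} distinct devices, got {len(devices)}"
    return True, "quorum met"


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    print(rebalance(Decimal("900"), Decimal("100")))  # hot wallet is overfunded
    shared_device = [Approval("alice", "laptop-1"),
                     Approval("bob", "laptop-1"),
                     Approval("carol", "laptop-1")]
    print(authorize_cold_withdrawal("dave", shared_device))
```

Counting distinct devices as well as distinct people matters because three approvals issued from one compromised workstation are still a single point of failure.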

Of course, none of these practices would make the bank 100 percent invulnerable to hackers. Hackers are all about finding crafty ways to steal someone else’s money, and as long as banks handle that money, they will keep trying. In some sense, it comes down to the big numbers game. And yet, by being smart and sticking to a set of relatively simple rules and policies, banks can make the prize too hard to reach for most prospective attackers to even bother trying. This, in itself, is an achievement that would greatly reduce their risks, while also helping them capitalize on the rise of the novel assets and win clients’ trust.


Credit: Lior Lamesh, CEO at GK8