Since Bitcoin’s debut in 2009, cryptocurrencies have multiplied at a bewildering rate, as have their advocates who encourage us to own them. Cybernews spoke to crypto expert Anish Mohammed, CTO and chief scientist of Panther Protocol, about the security measures that anyone investing in this exciting but unpredictable new world should take.
“Let me describe this whole game of cryptocurrencies,” says Mohammed, who has written extensively about the crypto and blockchain industries. “The security of your machine is key. It is like a house – whether it's a bunker or not, the security is as good as the security of the door. This applies to all cryptocurrencies.”
And, of course, the most secure doors are likely to have locks – and every lock has a key that can open it. Or, in the case of cryptocurrency wallets, two keys – one public, the other private. A wallet’s security depends on the holder being able to prove that they know the private key indexed to the public one without giving away any useful information about the former. Conversely, an unethical hacker will seek to obtain just this data.
“The difficulty is how to calculate from the public key where the private key is,” says Mohammed. “This problem is solved by quantum computers in linear time, very fast. Let's go back to the wallet and door question. So instead of the door, you can have a hardware tool that actually has a massive lock.”
If your computer is breached, a threat actor can exfiltrate your private key and use it to access your crypto wallet. That is why Mohammed believes that keeping it on a separate hardware-based wallet – instead of a digital one accessible on the internet – is a stronger guarantee of cybersecurity.
“If your private key is from the machine, they can pick it up,” he explains. “But if it's on a hard wallet, it's not possible for somebody to take that key out. You have a piece of hardware that is external to your normal device that stores it – could be your phone, a card, or a dongle, whatever form it takes.”
When I ask him why so many crypto-investors opt for a web-based wallet if it is less secure, Mohammed just smiles. “It's really easy to use,” he replies. “It's a browser: so you click, you're in, and you're done.”
This sounds a bit like choosing a guessable password because it is easier to remember – the common theme in cybersecurity of people putting convenience above security. Mohammed agrees but reminds me that crypto wallets are themselves also bedeviled by the password problem. Once again, the solution to this lies in diligence and maintaining awareness of social engineering scams.
“It's managing your risk,” Mohammed tells me. “So if you're doing large sums, then don't [use] one wallet. Have as many as you can, and have separate keys for each of them.”
Another trick is to split up passwords, storing different segments in different places. “A 24-word recovery key can be broken up into three and put in three banks,” he explains. “If somebody was to attack, he would have to open up all three. If you're really sophisticated, you can have a multi-signature.” These are wallets that require two or more private keys to sign and send a transaction.
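An added illustration, not part of the interview and not any wallet's own code: a signature lets a key holder prove knowledge of the private key without disclosing it, and a 2-of-3 multi-signature policy then demands valid signatures from two different keys. The toy group, the Schnorr-style scheme and all function names are assumptions chosen so the sketch runs with the Python standard library only.

```python
import hashlib
import secrets

# Toy group, an assumption of this example: integers modulo the Mersenne
# prime 2**127 - 1. Far too weak for real funds; Bitcoin uses secp256k1.
P = 2**127 - 1
G = 3
N = P - 1  # exponents are reduced modulo the group order

def keygen():
    """Return (private key, public key)."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, pow(G, priv, P)

def _challenge(r, pub, msg):
    # Binding the hash to the public key ties a signature to one signer.
    data = r.to_bytes(16, "big") + pub.to_bytes(16, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(priv, msg):
    """Schnorr-style signature: shows knowledge of priv without sending it."""
    k = secrets.randbelow(N - 1) + 1  # fresh secret nonce for every signature
    r = pow(G, k, P)
    s = (k + _challenge(r, pow(G, priv, P), msg) * priv) % N
    return r, s

def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < P and 0 <= s < N):
        return False
    return pow(G, s, P) == r * pow(pub, _challenge(r, pub, msg), P) % P

def multisig_ok(pubkeys, threshold, msg, sigs):
    """sigs maps key index -> signature. Counts distinct keys, not signatures."""
    valid = {i for i, sig in sigs.items()
             if 0 <= i < len(pubkeys) and verify(pubkeys[i], msg, sig)}
    return len(valid) >= threshold

if __name__ == "__main__":
    keys = [keygen() for _ in range(3)]          # three holders
    pubs = [pub for _, pub in keys]
    tx = b"constructed sample: pay 1 coin to address X"
    one = {0: sign(keys[0][0], tx)}
    two = {**one, 2: sign(keys[2][0], tx)}
    print(multisig_ok(pubs, 2, tx, one), multisig_ok(pubs, 2, tx, two))
```

A single stolen key yields only one valid signature, so the policy check fails until a second, separately stored key also signs.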
Another safeguard is to use a guarantor system offered by providers such as Argent.
“You can set other people as guardians,” says Mohammed. “If I trust you enough, you can't take the money out – but you can say yes or no to money being taken out. It's a smart-contract wallet that allows you to set up email, a phone number, or a person. If you apply these kinds of mechanisms, you have a reasonable amount of deterrents against somebody trying to get hold of your wallet money.”
The human factor
And yet, stories abound of crypto owners being hacked, and their wallets cleaned out, leaving them to lament their losses on social media platforms such as Twitter.
Mohammed smiles again when I mention this. “The most important thing is: don't ever say to anybody that you have any money, if you can avoid it,” he cautions. “It's a product of probability – if I have a thousand bucks and you have a probability of 10%, you have an upsell of $100. But if you know I only have ten bucks…”
And the Twitter storms? When people whinge on public forums about stolen crypto funds, aren’t they simply advertising themselves as potentially easy targets for other malicious hackers in the future?
“It depends on who you are and what you're doing,” says Mohammed. “So if you are the founder of a protocol, say Nexus [Hugh Karp, whose crypto wallet was hacked in 2020], you have a responsibility to communicate. But if individuals like you or me get hacked… What should I do – open my mouth, or keep it shut? Not everything works for everybody – some people want to be very public about their grief, some want to be very private. There is no one rule that fits all.”
All too often, it is human interaction that determines whether or not a crypto wallet gets robbed: for instance, social engineering scams that con holders into giving away their passphrases over the phone to thieves posing as customer support agents. Mohammed agrees: “Absolutely, humans are the key. This is the biggest challenge, the human factor of security. It's the weakest link, but as long as you're human, you are exposed to that massive hole.”
A libertarian dream gone sour?
I ask Mohammed if he thinks cryptocurrencies will inevitably become more tightly regulated because of this weak link that leaves them vulnerable to threat actors. As he himself points out, if a regular fiat bank account gets robbed in the EU, up to 100,000 euros can be reimbursed at the discretion of the financial institution in question. But few, if any, such guarantees exist in the crypto world at present.
“I was having a conversation with somebody who happens to know the US regulator and what is happening in the US ecosystem,” he replies. “They were telling me it is very possible that regulators might do things based on personal motivations – to prove or leave their legacy. Lobbies have influence over regulation. So it's very hard for us to look at this and know exactly what's going to happen.”
Politics aside, Mohammed thinks legislators will, in any case, find it difficult to enforce whatever regulations they manage to push through. “Because of the way that protocols and decentralization work, it is pretty hard for them,” he says. “How do you actually enforce online? A wallet that I have in my hand or my browser – it goes through this large legal question of intrusion into privacy. In a lot of countries, the law doesn't have the ability to enter a citizen's house without explicit reason. What is the explicit reason in this case? That is the proper question.”
It's also one that touches on the libertarian ideals that the first cryptocurrency, Bitcoin, was supposed to enshrine – by having a peer-vouched form of money, citizens across the world could, in theory, realize their economic potential without having to do so under government oversight. But it occurs to me that cybercriminals who seek to exploit cryptocurrency could themselves be said to be ultra-libertarians – acting outside society’s norms in their own interests.
Mohammed seems intrigued when I suggest this to him. “Let me extend that a bit more,” he replies. “So let's take the case of entrepreneurs and criminals. I would almost say that entrepreneurs are people who are not criminals [but] redefine legal arbitrage. Say, Uber – it's almost in the middle. In some parts of the world, Uber is legal, in some parts of the world, it's illegal. So now there's a question of who is the criminal and who is not. What I'm saying here is libertarianism doesn't imply that you should bring down society. Society needs to be stabilized – libertarianism implies you can survive only if other people support you in doing what you want to do. Very few people are completely self-sustaining.”
Come to think of it, he’s right. Even a peer-to-peer currency system depends absolutely on human cooperation, essentially compromising the libertarian dream of ultimate self-sufficiency. The ideal behind cryptocurrency then is not so much freedom from society as freedom from the state.
Not as dirty as you think
When I raise the concern that criminals are increasingly using cryptocurrency as a way to clean dirty cash, Mohammed tells me he believes that this phenomenon is exaggerated, and even suggests that it could be less prone to money laundering than traditional fiat. He may have a point – financial crime experts I’ve spoken to have suggested that it may be easier to trace cryptocurrency back to a cybercriminal than it is to follow a conventional paper trail.
“A lot of people think money laundering is easy in crypto, it's not,” he says. “Look at the Dow [Jones] hack in 2016. Apparently the guy who hacked it could only get a very tiny fraction of whatever it was, I think less than 10% in total. Look at all the major [ransomware] attacks and see how much money they manage to get out. What you notice is that they consistently give the money back, or they could only convert very small amounts. Why do they give money back?”
Because they can’t launder all of it, I suggest. “There you go,” he says. “You could just look at all the attacks and draw your own conclusion. You don't have to listen to people – most of the people don't know what they are talking about. The problem with crypto is unfortunately the case of you don't know that you don't know, so you assume that your expertise is far beyond [what it actually is].”
If this sounds arrogant, it is worth bearing in mind that a US congressman admitted earlier this year that nine in ten of his colleagues debating crypto regulation have no idea how blockchain works.
One thing seems beyond question: nowadays, even so-called ‘real’ money isn’t backed by anything more substantial than the goodwill of the government. In 1971, then US president Richard Nixon began a series of measures that culminated in the dollar being taken off the gold standard two years later, paving the way for fiat currencies.
With that in mind, it looks as though, as long as it is backed by the goodwill of its users, cryptocurrency is here to stay. Whether it eventually replaces fiat, or is brought further under government control and loses its decentralized aspect, is another matter entirely that remains to be seen.