The blockchain technology underlying cryptocurrencies represents a great leap forward in security, yet some crypto investors have found themselves on the receiving end of multimillion-dollar hacks, fraud and other attacks.
What explains the simultaneous security and vulnerability of these digital assets, and what can advisors do to help their clients who may be at risk?
This article originally appeared in Crypto for Advisors, CoinDesk’s new weekly newsletter defining crypto, digital assets and the future of finance. Sign up here to receive it every Thursday.
We have to understand that while transactions on a blockchain can be very secure, crypto assets themselves have similar vulnerabilities to other investments and wealth management technology, said Sid Yenamandra, the CEO of Entreda, a cybersecurity services provider for wealth management firms.
“Cryptocurrencies, specifically the underlying technology, blockchain, through its distributed ledger technology and the ability to decentralize control, inherently has a certain level of security built into its technology,” said Yenamandra. “But it is not a panacea. There are still a lot of vulnerabilities that can exist today, even in a blockchain environment. The attacks that exist, that we’ve seen, vary, some are tech related, some lie on the border between cybersecurity and privacy.”
Why are blockchain transactions secure? Yenamandra said that by creating a distributed ledger that breaks actions into blocks and spreads those blocks of work across different computational systems and relying on consensus to validate transactions, blockchains are technically inherently secure – but that doesn’t mean they’re invulnerable.
Who used this token?
In its earliest years, Bitcoin proliferated as a pseudo-anonymous mode of transactions across the internet – even underpinning illicit business across the so-called “dark web” of unsearchable websites. It’s this checkered past that keeps some advisors, like Scott Eichler, founder and principal at Standing Oak Advisors, a Newport Beach, California-based RIA, from investing in the space.
It also raises interesting regulatory questions.
“If a bitcoin or some other type of crypto is transferred between two bad actors, for a bad use, and that is in the ledger, at what point is the bitcoin allowed completely back into the fray? Also, if I can see that a drug lord had this cryptocurrency token, and now I have it, am I contributing to the problem? Am I complicit? Do I have to delete that bitcoin? Can I advise on that?” asked Eichler.
Regulation as protection
One area of vulnerability is the still-evolving regulations governing cryptocurrencies, said Katie Horvath, chief marketing office for Aunalytics, which provides data platform and management services for businesses.
“Investing in cryptocurrencies is going to be risky because of the general lack of regulation,” said Horvath. “A fraud risk is definitely there. When we look at security, the old approach was perimeter security that put all people and data within a single building and set up a firewall. Nowadays the approach is users and credentials, and managed access for devices too, because people are now working from anywhere.”
Aunalytics now mines transactional data for banks every night using artificial intelligence, and is able to recognize customers who may be at risk for cryptocurrency fraud by virtue of their demographic group and having held-away crypto assets, which allows bank wealth managers to reach out and offer those customers investment options with more risk control.
The weakest link is … us
A.I. that can identify vulnerable crypto investors is not just a cool development, it may eventually become a must-have for financial advisors across the industry. Just as in any wealth management setting, the end-client, or investor, is the weakest link, said Yenamandra.
“Some of the issues we’ve seen in reality and practice are related to missing keys, because you have this key exchange mechanism between the participants in a transaction and what happens is that sometimes those keys are stolen,” said Yenamandra. “This most recently happened in the AIPAC region with Bitfinex, a crypto exchange where a bunch of keys were stolen [in 2016]. That allows people to triangulate between keys and users and figure out a way to reverse engineer transactions. The loss of keys is a cyber event, and a big vulnerability.”
Another vulnerability lies in cryptocurrencies’ reliance on technology and code transference, said Yenamandra, as any code can be exploited.
But there are structural weaknesses, too, in the third-party vendors. Cryptocurrency transactions rely on servers, often domiciled in distant countries, transferring code from point to point – but blockchain infrastructure also relies on users who have access to the servers, and the individual devices and computers are also vulnerable.
“With a blockchain, there is a lot of data moving from system-to-system-to-system, which makes the inherent network vulnerable if hackers were to do denial of service attacks or disrupt but not decipher what is going on in the communication between systems,” said Yenamandra. “Disrupting these systems would cause performance challenges and take away from what the blockchain promises to deliver. There are also potential vulnerabilities in routing networks.”
What can advisors do?
Advisors should educate themselves, and pass that knowledge on to their clients in easily digestible chunks.
“Get educated on phishing attempts, because blockchain is similar to the Venmo-based model, all your transactions are public and everyone knows how you are interacting,” said Yenamandra. “People will know if you’re doing a lot of trading with bitcoin, ether or doge, which makes you vulnerable as an end user. The weakest link from a security standpoint is always the user. In the wealth management chain, it’s always the client. They may expose themselves to an attack, but from a regulatory standpoint the axe usually falls on the advisor. The same thing will happen here.”
While the urge among advisors may be to usher their clients into a separately managed crypto account or private fund, Horvath argues that many clients will prefer to hold their assets directly, and advisors must be aware of potential risks.
“A good way to deepen a client relationship is to reach out and call clients who are investing in cryptocurrencies and offer them education, help make them aware of the risks, and make sure clients know you care,” she said. “Most wealth managers are going to want to try to offer a different type of investment that might be more secure, but it won’t necessarily meet the needs or desires of the investors who are really interested in crypto.”