Bitcoin is highly technically-secure as a protocol, meaning that there is only one reason why you’d ever lose your coins: human error. As with many things, people are the biggest security vulnerability in Bitcoin and, as we know, humans are far harder to fix than code.
Two stories from last month showed how far we are from solving Bitcoin’s security challenge. At the beginning of October, federal prosecutors charged crypto trading platform BitMEX with facilitating unregistered trading violations. Two weeks later, one of the world’s largest crypto-fiat exchanges suspended withdrawals indefinitely after one of its key holders went AWOL.
As Noelle Acheson pointed out, these stories highlight one of the biggest ironies of the cryptocurrency market, which is that an industry born on the basis of decentralization is dominated by centralized businesses with centralized vulnerabilities.
Somewhere along the line, Bitcoin’s defining ethos of decentralization has been forgotten. Not by everyone, it’s true; but by a large proportion of both new and experienced Bitcoiners who continue to naively believe that their bitcoin is safer when someone else holds the keys.
On-Exchange Is Insecure
Let’s be clear: without exchanges, there would be no Bitcoin ecosystem. Period. The problem isn’t with these platforms per se but with the assumption that an exchange is the safest place to store bitcoin.
It’s easy to see how this happens. People make the mistake of assuming that bitcoin functions just like cash, and that coins are best protected by handing them over to a third party which can leverage enterprise-grade security technologies to ensure that they are best protected. But there’s a crucial difference between bitcoin and traditional forms of money: unlike cash, you never “hold” bitcoin; you only own the keys that control them on the blockchain.
Bitcoiners who don’t realize this can in turn believe that they are putting their coins into a digital Fort Knox, but all they have actually done is cede all control (and therefore ownership) of their bitcoin to a third party. And if the bitcoin is mismanaged and lost by that third party, it’s likely that it will never be recovered. The only way to ensure that your bitcoin is highly secure is to self-custody your keys in a cold-storage wallet.
So, what’s gone wrong? Why is this message not filtering through to more Bitcoiners? And why aren’t exchanges educating their customers on best practices for keeping their coins secure?
The most obvious answer is that it suits exchanges to keep hold of their customers’ Bitcoin keys since this makes it easier for people to actively trade. There are other, less savory reasons why an exchange might want to keep control over the keys that secure bitcoin, but overwhelmingly, the main motivation is to make the whole process of buying, trading and storing bitcoin as seamless as possible. But if this comes at the cost of making Bitcoin significantly less secure, all these advantages count for nothing.
Putting Security In Users’ Hands
Bitcoin has transformed the world so quickly that it’s easy to forget how recently it was introduced. In seeking to improve user education, we have to remember that it takes ordinary people time to grasp any new infosecurity concept. Self-custody is no exception.
It certainly hasn’t helped matters that our industry has, wherever possible, appropriated language and concepts associated with fiat cash, which provide poor analogies for explaining an entirely new concept of money. After all, bitcoin wallets don’t contain any bitcoin in the way that regular wallets contain fiat: they hold your keys. We need to educate people so that they would no more trust a stranger with their crypto keys than they would with their house keys.
Fortunately, it looks like people are beginning to get the message. Since March 2020, the value of bitcoin held on-exchange has fallen by about 10 percent or $2.85 billion following high-profile hacks at exchanges and trading platforms including KuCoin, Eterbase, Cashaa and many others.
Even though hackers weren’t to blame for the debacles at BitMEX and OKEx, they still served to highlight how vulnerable your coins are when you don’t self-custody the keys.
In view of these repeated coin catastrophes, it’s difficult to see how exchanges and other Bitcoin platforms can continue to ignore user education. And since anything that harms adoption or damages consumer trust is bad for everyone in the wider Bitcoin ecosystem, I believe that this effort is everybody’s business.
In all fairness, there are exchanges that do a really good job at promoting self-custody to their customers, with Kraken being just one example. But this commitment to user education must become the rule, rather than the exception.
Remember that Bitcoin was never meant to be merely a competitor to fiat currency, but a revolution in our very relationship with money. If we want people to embrace the ethos of decentralization that enables anyone to be their own bank, let’s help them avoid the biggest mistake they can make, and instead ensure they take full responsibility for securing their Bitcoin.
This is a guest post by Ron Stoner. Opinions expressed are entirely his own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
Ron is the head of security at Bitcoin custody provider Casa. Ron is responsible for ensuring that Casa infrastructure, products and customer services meet strict security standards, conducting internal penetration testing and providing best practice security education to help customers keep their funds fully secure.