Security Theater: The Illusion of Consumer Protection by Outsourcing Identity Verification
This is a guest post by Pamela Morgan, Esq., CEO of Third Key Solutions LLC.
Security is tricky. Sometimes the most obvious security solution is ineffective and, worse, a distraction from the real risks and issues. In the security industry this is called “security theater.” It looks good and makes some people feel secure, but doesn’t actually reduce risks. Sometimes security theater even exposes people to even greater risk. Such is the case with third-party identity verification for the recovery of bitcoin accounts. It seems like the obvious solution and feels secure, but, in fact, it exposes users to far greater risks without actually doing much to increase security.
One of the most appealing parts of using Bitcoin multi-signature addresses is the potential for complete separation of control, combined with enhanced security. There are a number of ways to implement multi-sig. The most popular today involves 2-of-3 with the end-user holding two keys and a wallet company holding one. While this model secures against misconduct by the company, it doesn’t protect the customer from the very real risk of losing his or her online key or cold storage key or both. It concentrates risk and creates single point of failure with no redundancy.
This solution is flawed for a number of reasons. Doing cold storage right isn’t easy or convenient. Sure, printing a paper wallet isn’t that hard. But many people won’t even do that. Instead they screenshot their private key. They store it on their online laptop, in a cleverly named file such as “not my bitcoin,” or on their phone and forget all about it. Until they get hacked. Or lose their phone. Or their laptop dies. Unless you’re really into bitcoin or have large holdings, if you’re dealing with a broken, stolen or lost device, your bitcoin key backups might not be the first thing on your mind. You might even forget about them completely until it’s too late. For those who do print paper wallets, they must be stored in a secure, fireproof, waterproof environment, ideally off-site. This adds another layer of work that most people put off indefinitely.
Mainstream customers don’t expect to have to back up their own accounts. Password recovery is a standard part of interacting with websites and online services. Mainstream customers consider Bitcoin keys the same as passwords. I know some of you just cringed, but it’s the truth. And so is this: Most people are bad at security; they’re bad at choosing passwords and even worse at remembering them. Consumers expect their wallet company to have a “backup” or be able to restore their funds. But if the customer has lost both of his or her keys – aka passwords – the bitcoin will be lost, too.
As an industry, we’ve recognized this problem and tried to devise other solutions. The most common is to “outsource” the third key. Essentially, this configuration is also built on a 2-of-3, but instead of having the end-user deal with a backup key, a third party holds the third key instead of the customer. Issue solved! Article over … except it’s not. While outsourcing does protect the end-user from the company and provides an independent way to recover funds, consumer privacy and data protection issues arise. Let’s explore this in greater detail.
Today the en vogue idea is to have the third party verify the identity or authenticate the recovery request directly with the end user. This independent user authentication is touted as an important security feature – but is it really? What risk does it protect against? Bad actors within the company, surreptitiously stealing bitcoin from customers? New industry auditable standards (CryptoCurrency Security Standard – Level III) require all company authorized signers to have their identities verified and undergo background checks, significantly reducing the likelihood of this scenario. This idea is so pervasive, however, that it’s helpful to work through it.
The scam works like this: an employee creates fake recovery transactions and requests recovery from the third party. The third party contacts the end user who says “NO!” and the end user is protected. On its face, it seems to make sense. But when we look critically, the flaws become obvious. First, shouldn’t the company’s own internal governance processes be designed to prevent this? A few simple steps to separate duties within the company could prevent all but the most widespread collusion. Also, good governance processes should create a clear auditable and likely prosecutable trail should this level of malfeasance actually occur. Second, in order to be effective, the third party must have a pre-existing independent relationship with the end-user. This means the end-user must set up an account with the third party, separately, during the wallet setup process. Otherwise, the third party must rely on company data for verification, which leaves the bad-actor risk unmitigated. Requiring end-users to register with a third party and provide personally identifiable information is dangerous. It concentrates bitcoin user information into a small subset of the industry, recreating the client data honeypot problem and incentivizing law enforcement and criminals alike to target key storage services.
If the company is validating the recovery request, how can we be absolutely sure the customer actually requested it? We can’t – even if a third party verified the request. The issue is not who verifies the request, but what data is being verified. Verifying a phone number, sms, and/or email address could work, unless the customer’s smartphone has been stolen. Having a third party send an email or sms verification provides no more consumer protection than if the company itself sent the email or text to the user. If someone has access to the end user’s authentication device, the bitcoin can be compromised regardless of whether the verification is performed by a third party or by the company itself. It’s the illusion of protection without much substance.
Real security requires more than an email, more than an sms; it requires knowledge or biometrics. It requires the company to obtain additional personally identifying data from users during setup. Then the question becomes should all of that data be shared with a third party? Isn’t the company in a better position to secure and update that data, then validate against it when the time comes? Couldn’t the recovery request be sufficiently approved and validated within the company without sharing all kinds of private customer data with outsiders?
There is another way. If, instead of outsourcing identity verification, we outsourced governance and process validation, end users would be protected from both bad actors within a company and data compromise arising from third-party data sharing. Recovery processes move from an afterthought, only applicable in times of emergency, to an integral part of operations. This makes sense from a user-retention perspective as well. As processes are tested and refined, the user-experience improves. The company learns what data it needs, what data it doesn’t, and isn’t concerned about a third-party customer data breach that jeopardizes its entire client base. The end user still is involved in the process, confirming identity and recovery requests with the company selected to be the service provider. The company coordinates the recovery process, and is there to help the customer throughout, while the third party introduces checkpoints in the process to ensure that it is followed correctly. This way, all parties are protected from rogue employees, sloppy process, human error or malicious actors.
In the end, the best way to handle the recovery of user funds is for the company with the strongest relationship with the user to stay focused on delivering the best customer experience. Recovery is not the time to hand users over to a third party. It’s not more secure, it’s just security theater.