We spoke exclusively with David Jevans, CEO at CipherTrace, and the Chairman of Anti-Phishing Working Group (APWG) ahead of the Delta Summit.
Regulation of crypto assets is a big topic not only here in Malta at the Delta Summit but also in the current news flow, with a recent report by The Wall Street Journal accusing Shapeshift of money laundering through Monero, a privacy coin that licensed exchanges in Japan were banned from listing.
Where do you draw the line with security in crypto?
It is more nuanced than that. I think it is ok allowing people to buy and store privacy coins on an exchange, like it is an investment product. Why not? If you really know your customers, so if you follow KYC... they should be allowed to buy that through the exchange, but not necessarily ‘in and out’ of the exchange.
So the exchange buys it, manages a pool of liquidity on the exchange, where you make money and lose money. That’s fine. The issue is when people send it ‘in-and-out’… With Monero they should enable the view key capability and tag it, so you know where they are coming from. Nobody does this, but it is built-in into Monero and there is a similar capability built into ZCash.
Do you believe the regulators could step in and impose harsher laws or are they more likely to study the industry before taking action?
I think that regulation makes sense. Not to ban it completely.
Kevin O’Connor of FinCEN was talking this summer at a cryptocurrency conference and was asked whether a crypto to crypto exchange has to comply with AML. FinCEN’s opinion is that if [a cryptocurrency] is fungible into cash, into fiat, which it is easy obviously, then it is treated the same.
Interestingly FinCEN also said “we don’t care about privacy coins, as long they comply with the AML”, which basically means they have to turn on the view key. Fine! Which I think it is the right approach.
During an interview with Bloomberg, talking about crypto exchanges security level, you said that some platforms are “not ready for the prime time”. What are the most common traits of such platforms, in your own experience?
So, a couple of things. One: how old are they? Some people rush these things to market. They think they wanna create an exchange, they hire some other company to write the code, they try to get it out in three months, five months or whatever like that. Right? Are you sure that they have done security verifications?
And they don’t wanna spend their money, because to do a security evaluation on a sophisticated platform like that… it takes months and costs a lot of money.
But management of a cold storage is the big one. So your hot and cold wallet storage, and how you keep an hot wallet versus keeping in an hot wallet. The general best practice is only 10% on hot wallet, and in fact even less than that.
It is actually hard to manage a cold wallet. That is not trivial, to do it properly. And it is not that well known as practice. I mean, there are maybe 20, 30, 40 people in the world that know how to do it.
And maybe they are working already at the bigger exchanges. Maybe the guys that would be the best on how to do it would be the guys that work at the NSA that manage crypto keys for the Department of Defense. Those guys.
So it is not something you can find anywhere, there is no class you take. It is not a skill you will find anywhere, people have to learn it.
There is a lot of talk about investment products that are related to bitcoin; futures, ETN, ETF and so on. For example, do you think a crypto broker fund can provide more security to the investor?
Yes, I like it very much. The institutions that are offering that stuff... as long they have strong security practises or custody management, or even they outsource it and have someone that specializes in it, it is better for the individual investor. Because they are more likely to be reimbursed and less likely to have their money stolen.
What do you believe to be the most secure way to invest in crypto?
I will tell you this: a lot of people say about crypto “Oh, it is great because you can manage your own keys” and that other stuff, right? Yes, but only if you know what you are doing.
I think there is a lot of education still to be done here, for regular investors. I still hear people at conferences who think that if somehow they forget their password, there is some way to call the company and get their stuff back. There is still an educational problem.
Which country is at the forefront of regulating crypto security? And what other countries can do to actually improve their current situation in that regard?
In my opinion it’s Japan. We have talked earlier they set there some coins you can’t have, they have KYC and AML, they have good auditing. But due to the theft problem they had, they also put regulations around technical security that exchanges have to have. To my knowledge no one has done that yet, other than them.
I think it is a good model and I think they are the most advanced. And I think that some level of governance around technical security is a good thing to look at and to develop for other countries.
Regarding exchanges and wallets - what are the simple steps people can make to ensure that their assets are not stolen?
For example, even hardware wallets have security problems, but like everything. But this is the trick: be careful WHERE you are buying from. Buy it directly from the company, don’t buy it on eBay. You can see why. And there are like 150 vendors on eBay selling these things.
What are the usual ways for the criminals to steal cryptocurrencies, are they simply exploiting errors in the code or there are several ways?
I have seen a lot of of people falling victim to phishing attacks. A lot of exchanges don’t understand the phishing problem; it affects their customers, but it can also affect their employees.
There is immaturity too. For example, they won’t have domain monitoring set up, to look at people creating domains that look like them. You see tons of that. Someone breaks MyEthereWallet.com’s info and then phishes with that.
Many of the them are not doing authentication through e-email. And the problem with that is that anyone can send e-mails to your customers or your employees, pretending to be familiar with them. And they can’t tell the difference.
Is there a way to filter out the phishing posts on Twitter and Facebook and other media that we've seen a lot of recently? Fake Elon Musk, Pope Francis pages - they take a lot of people’s money.
This is a part of the maturity issue back again. So, in addition to e-mail anti-phishing, you also need to do social network anti-phishing. You have to search on Facebook, Twitter, Instagram and look for profiles using your name.
What happens usually is that on Saturday you have somebody setting up a Twitter profile, pretending to be your customer support. Of course they don’t do it just for crypto, they do it with banks and credit card companies too.
But you have to have some solution. So monitoring your domains, tracking fake domains, getting a shutdown. And you to monitor the social networks too.
Sim card jacking is reportedly on a rise now but what do you think will be the next big way to steal someone’s crypto?
Another thing i have seen is when they phish the internal employees, getting passwords through a domain name management account. So people will log-in and give them all their passwords. Usually these fake sites stay online for a couple of hours, maybe during the weekend or a holiday.
That’s why everybody should use the phone for the authentication. So it is: name, password and then a token on the phone. Like Google Authenticator on the phone. And that is way better than using SMS text messaging, right?
Because, for example, the bad guys will go after the executive at cryptocurrency companies. And then what they do is that they contact the phone companies and pretend to be that person, and then they hijack the phone number over ten new sim cards. And then, if they are doing text messages stuff, they can intercept the traffic of all the customers for a few hours and then log in and take those people’s accounts. And if they move the money, you will never get it back.
But you should also use your authenticator on all your software development tools, on GitHub. Because you don’t want that bad guy going into your source, finding bugs in your software before you do and then using that to attack your exchange.
What do you believe to be the most secure token standard used for ICO’s (it isn’t just about ERC-20 anymore)?
I think that ERC-20s are fine, as long you are really careful about if you change the code at all. Be really careful what you are doing there. That’s the problem everybody gets into.
I mean: the less code, the better. When I see a contract that has a thousand lines of code in it, it doesn’t sound like a lot, but I get worried. You can do this with two hundred lines of code. And there are no good set of software tools to debug that stuff, to check smart contracts.
Anyway, maybe some good tools will come to existence, maybe we will discover them here, but in companies they also have people that will review [smart contracts] by hand. You have to do that. And even then, there is no 100% guarantee.
But if you look at the Ethereum network, they are not worried about being badly hacked. I mean, there is enough computing power there that is reasonably safe. The things that are really dangerous, in my opinion, are: when people try to build their own blockchain or worse they try to invent a new cryptography. That is a huge recipe for disaster.