How can cryptocurrency be stolen or insured when it has no physical existence? Nick Furneaux explains.
The concept of a cryptocurrency was first mooted by the enigmatic Satoshi Nakamoto in their 2008 bitcoin whitepaper. Nakamoto's paper suggested a decentralised currency that was not controlled by any government or financial policy, with transactions enabled and recorded cryptographically. The ledger of transactions would be public and available to anyone who wished to download it.
The concept of decentralised currencies had, in fact, been used by several tribes over the centuries - including the people of the island of Yap in Micronesia. Yap money, known as Rai coins, were huge calcite stone rings, sometimes larger than a person. Ownership was not recorded in a ledger but in the memories of all the islanders. When the ownership of a coin was transferred, all villagers were told about the transaction, and agreement was simply by consensus of ownership. Bitcoin works in a similar way, with a decentralised public ledger called a blockchain that is available to all - but coin ownership is proven using cryptographic methods.
Rai coins were expensive to mine, as they came from an island hundreds of kilometres away, across the Pacific; this difficulty gave each coin its inherent value. In the same way, cryptocurrencies such as bitcoin introduce new coins into the ledger through a system known as 'mining, where computers carry out complex calculations to solve a problem. When the problem is solved, new coins are introduced. Although this seems as though value is being created from nothing, the computers used to do these calculations are expensive to buy, power and cool. New bitcoin has value because it is expensive and mathematically difficult to produce.
Since 2008, more than 1,500 cryptocurrencies have been launched. As yet, none can really be termed a 'currency' in the strictest sense, and many specialists in the field prefer the term 'crypto-assets' (I will use the terms interchangeably in this article). Bitcoin has raised awareness of decentralised currencies among the general population, while also damaging the reputation of the technology due to the boom and (almost) bust nature of its trading values. Actuaries should not be overly disturbed by the vagaries of these value fluctuations; the concept, mathematics and implementation of blockchain-based transactions are sound. Whether bitcoin survives or not, the technology is here to stay.
It is tempting to just focus on bitcoin when writing articles such as this, but although it holds the popular attention, there are many other cryptocurrencies that are having a significant impact. Ethereum, with its programmable contract system, offers considerable flexibility that allows people to build blockchain-based gambling systems, auction transactions, property trades and even marriage contracts. Venezuela's new, devalued currency (introduced on 20 August 2018) is supported by a cryptocurrency called the petro, which is supposedly (and dubiously) linked to the country's oil reserves. One Russian farm is selling its goods via a cryptocurrency, and many banks are using the blockchain-based transaction system Ripple for international money trades.
How can a crypto-asset be stolen? It is tempting to try and reinvent the wheel when considering the safe storage of crypto-assets. The buzzwords involved, such as 'decentralisation', 'blockchains' and 'cryptography', can make these assets feel esoteric and ethereal.
To understand the risk of theft, we need to understand how a cryptocurrency works, and that means understanding how public and private key infrastructure works. It is hard to simplify the topic, but let's take bitcoin as an example. A bitcoin address that can receive or send bitcoins is a 34-character string of letters and numbers formatted in Base58 (a group of binary-to-text encoding schemes that covers numbers 1-9, letters A-Z and letters a-z, omitting upper-case I, upper-case O and lower-case l to avoid confusion between similar-looking numbers and letters). This string is simply a public key calculated from a secret, private key using a one-way algorithm. If you have the private key, you can calculate all the public keys, but it is computationally unfeasible (read impossible) to reverse back to the private key if you have a public key. To 'spend' the bitcoin held in a public key address, you need the private key to 'unlock' the transaction, so that you can transfer the value to another address. No private key, no transaction.
To protect a crypto-asset, then, we simply need to protect the private key. Like a public key, the private key is a sequence of letters and numbers (sometimes backed up to a system of mnemonic seed words) that can be written on a piece of paper, stored on a computer or chiselled into stone tablets. This means that the asset is, essentially, tangible. If the private key is safe and sound, the assets on the blockchain that it can transact are safe.
We constantly hear about bitcoins and other cryptocurrencies being stolen - how is this happening? While some minor cryptocurrencies have suffered from code problems that left them vulnerable, the majority of thefts are achieved when private keys are stolen. This can happen in a number of ways:
- The hacking of a computer or device that contains private keys - this has happened to a number of cryptocurrency exchanges
- The infection of a computer with malware, allowing the infector to search for private keys
- The use of social engineering attacks to convince the owner of a private key to hand it over. This is incredibly successful - there is even a website that asks you to type in your private key, so it can 'check that your private key has not been hacked or leaked'! Many recent cryptocurrency investors lack technical knowledge, making them an easy target for attackers requesting their private key.
Can a crypto-asset be insured? I have recently been consulting with an asset management firm that is well known for handling assets seized from suspected criminals, storing and then disposing of the assets as required by the courts. The firm recently launched a service for the storage and disposal of crypto-assets, but it was difficult getting insurers to understand the risks. Understanding the value and risks when storing and selling a Ferrari is straightforward; it's more difficult when considering a seemingly intangible crypto-asset.
However, as we have learned, the asset in this case is really the private key. There simply needs to be a process ensuring that the private key controlling the funds is secured, and that the subsequent process for unlocking and transferring funds is equally safe. It is easy to get carried away with the requirements; some companies around the world are recommending what amount to pseudo-standards that complicate the methods of storage and transaction. As anyone in security will tell you, where there is complexity, there is someone who will cut corners.
The insuring of value is more complex due to the massive price fluctuations that have been recorded, but many believe this will sort itself out as cryptocurrencies achieve a reasonable maturity. In late 2017, one bitcoin was worth almost £15,000 at some exchanges. At time of writing, the value is around a third of that figure. These extreme fluctuations have spooked some insurers, as it is very difficult to provide an insured value with any confidence that it will be accurate for any period of time. Investors are also struggling because the standard matrices and indicators used for predicting movements of fiat currencies simply do not seem to translate to cryptocurrency trading. However, bitcoin, Ethereum and other cryptocurrencies have been reasonably stable for the past three months, in comparison to the vast fluctuations seen throughout 2017. Although valuation graphs still show gains and losses that would make a fiat currency trader tremble, the candlestick graph for bitcoin shows a more reasonable adjustment in values taking place during the past three months, which many serious investors expect to continue to improve over time.
When assessing crypto-asset risks in areas such as investment, insurance and even criminality, it is critical to understand the technology that supports the asset, and the need to protect the private keys that control cryptocurrency coins. Even learning the maths and cryptographic systems that underpin cryptocurrencies would be useful to the actuary when deciding on the factors for assigning risk. The sensationalist stories in the tabloid press and the self-aggrandisement of investors and other interested parties are not really relevant to the understanding of risk in this arena.
Although we do not have a true 'currency' in play at the moment, it will only be a matter of time before a mobile-based 'value transfer app' supported by blockchain technology gains general use as a currency of sorts. However, in the meantime, it is important to dig deeper than bitcoin to understand the future and potential of this fascinating technology.
Nick Furneaux is a cybersecurity and forensics consultant specialising in cybercrime prevention and investigation for law enforcement and corporations.