Custodial standards

In the credit card industry, there is a security framework known as PCI-DSS. It represents really a minimal security level for anyone running anything that accepts and stores other people’s money online. PCI-DSS or the Payment Card Industry Data Security Standards are what set a minimum in the online-payment industry for people accepting credit cards.

I am going to be pushing for the same as a minimum standard.

I was a PCI, web-security, and code auditor. The fact of the matter is that the cryptocurrency industry has simply been used as a means by many involved with stealing money from customers and conducting pump-and-dump schemes to profit. None of the same individuals will want to support a security standard. Doing so would expose the flaws, the embezzlement, the theft, and the crimes that they continue to perpetrate within the industry.Right now, I am of the opinion that for every so-called exchange hack, 99 of the hundred reported occurrences are internal and cases of embezzlement. Of course, it becomes easy to blame a hacker when you have no required logs.

There are different ways of ensuring security. An organisation could remain completely decentralised and update records and logs using a secure system such as nChain’s “safe wallet” threshold-key storage and wallet system so that keys are not stored on the server [1]. Where keys are stored in custodial wallets and the funds exist on a centralised server (as with Bitfinex, Binance, and Mt. Gox), we need to start asking the providers how they are protecting our money.

More importantly, with new standards such as Europe’s MLD5 coming into force at the latest in January next year, we’re going to see requirements where custodial systems start applying required levels of protection.

There are some who believe that, because they dictate either custodial systems such as wallets or crypto-to-fiat exchanges, the same requirements do not apply to crypto-only exchanges. It could not be further from the truth. The important thing to remember is that every single crypto-only exchange such as Binance is a custodial wallet system. As such, if they do not comply with Europe’s anti-money laundering (AML) legislation and reporting controls to the same level as all banks or exchanges need to now by January 2020, they will be considered criminal money laundering operations. If you think that such legislation and controls do not matter, ask the principles of Liberty Reserve, formerly of Costa Rica.

Seeing the recent Binance attack (which was very likely an embezzlement) and all the rest that has occurred and continues to occur within the industry, we even need to start looking at secure systems with a minimum setup — or otherwise expect the industry to be subject to all the attacks and never be trusted. The reality is that Bitcoin should remove the need for such an industry, but custodial systems that maintain the security of use of funds take the requirement from the user to a centralised system that stores more value and leads to a loss that is far greater than ever associated with Visa or MasterCard. Basically, such cowboys have created a system that makes Visa look like a secure alternative, and we need to change the inherited narrative.

The irony is that the hackers continuously get away with attacks because logs are deleted. Yet, we have a system that makes deleting logs impossible. Bitcoin (BSV) could be automated such that it links to the logins within the organisation. For instance, in an organisation that controls access to the databases it uses to store custodial data through SSH, each login could be stored immutably on the blockchain. The records could be obscured such that no individual outside the organisation would be able to find out information about the login and yet at the same time no attacker would be able to compromise the system and delete the logs. Doing so would very quickly allow for the tracking and tracing of attacks on any system that holds custodial data.

Doing so would bring trust into the cowboy industry that we have today as we clean it up and get rid of the trash that seeks to take customer funds and treat clients as if they were cows to be milked.

If a system is not custodial, we can more readily ensure that it is secure. People receiving funds can have the keys stored on systems that are not involved with the payment system at all. That is, a branch office can have all of the keys maintained at the central head office and need not worry about being attacked. Exchanges and custodial services are the problem. The described way was how Bitcoin was designed, and yet it is what they who seek a cowboy industry want to tell you is too difficult to achieve.

If we do it right, we could start to get institutional and government support. More importantly, we can start a narrative moving away from cowboy money launderers and thieves into a professional industry.

Like it or not, I’m going to make sure the industry starts to clean up. It’s time for the money launderers, Ponzi pump-and-dump promoters, and people seeking to make a quick buck scamming people through wash trading and false information to be brought to justice. It’s time for the industry to start understanding that it needs to have the basic security controls that even a Visa card processor would be ashamed not to have. Right now, the crypto industry is not even as good as the Wild West of the Internet in the 90s.

It could be secure, but they who designate themselves as leaders don’t want it to be. If they promoted the interest of clients and users of the system that is far from secure and started to clean up the industry, most of the people would be out of a job. It’s time to professionalise, and they who don’t like it are going to start to learn, but they won’t be able to cheat customers.



Never miss a story from Craig Wright (Bitcoin SV is the original Bitcoin)