As an investor in Bitcoin and other cryptocurrencies, I have learned that there are many ways of protecting your investment, whether with paper wallets or hardware solutions such as Trezor. I am not actually worried about the security of my crypto, but that of the exchanges. Imagine if you woke up and learned that Coinbase or Gemini had just a quarter of their bitcoins stolen. The markets would drop and liquidity would be a very large problem.
I’m not talking about hacking, but social engineering and insider threat. Over the past few years we have heard of some exchanges disappearing, so to say, due to their bitcoins being hacked. A more likely scenario is that a person within the organization itself was responsible or a person used social engineering to locate the wallets where the bitcoin was being stored. We don’t know much about where these coins went but we do know that it affected the markets.
Cryptocurrencies are an attractive asset for a thief because a wallet containing billions of dollars worth of crypto can be on a microSD card or on a small piece of paper. So how exactly would a thief gain access? There is, of course, the threat of a hacker or an insider. An insider doesn’t have to be a developer or an executive within the company; it could be the cleaner or the caterer. A cleaner at night has free rein over the offices with the ability to look at reports, papers, memos, or even access a computer. An insider can be anybody.
In my current role in the airlines, I work hand in hand with corporate security and we face many of the same threats, including insider threats and social engineering. The threat of the insider is taken very seriously and requires extensive background checks on personnel that may have access to aircraft or secure areas. Crypto exchanges should take the same precautions by conducting extensive background checks on not just their personnel, but any contractors such as cleaners, construction, caterers, event planners or any person that may have access to any area of their offices. In addition to background checks, personnel are only given access to locations that they need to access to complete their jobs. For example, a caterer or cleaner does not need access to the data closet in order to perform their job function.
Social engineering can mean a lot of things such as dropping USB sticks by parked cars in company parking lots or becoming friends with the front office secretary so that they can gain access to the facility. It could also be a person posing as a delivery person or coming to fix a toilet. There are several ways of combating this, the first being that all guests must be signed in, IDs scanned, and must be escorted by an employee at all times. A step further would be to ensure that no person is allowed access to the facility for a “tour” or that specific areas/office spaces are locked down if they are allowed.
Hacking is real, but the threat of an insider or a person using social engineering is more likely. Exchanges must take their physical security just as seriously as their digital security. The days of just using a receptionist to stop visitors from entering are over. They need to perform extensive background checks on employees and contractors alike and in some cases take it a step further and not allow computers, cell phones, or USB sticks to be brought into the facility by visitors or contractors.