Holding Cryptocurrency — The Real Risks

The sad truth about holding cryptocurrency is that there are a lot of very real risks. The largest of them is that you could lose your money…ALL of it! Investment advisors will tell you never invest more than you can afford to lose, and that explicit warning tends to be communicated more strongly, the higher risk the investment vehicle. Ironically, these prescriptive words are usually provided as it relates the investment not working out as planned, namely, that the investment is volatile or by some rare occurrence becomes worthless. Seldom is it given on the basis that the actual security of your investment could become compromised.

Allow me to make a simple analogy. Assume you put a lot of money in your bank’s safe deposit box. We generally believe most safe deposit boxes to be secure. Banks tend to have very thick walls, security systems and sensors, a fireproof and blast proof vault, and there amongst the others, a securely locked safe deposit box assigned to you. Now imagine that you could inadvertently make one very easy, but nontrivial mistake and all of that security is worthless and is effectively breached. And in as quickly as you can bat an eyelash, all of the money in that safe deposit box could be stolen and is completely unrecoverable. That is precisely what I am here to discuss with you, because in crypto, this is a very real risk. Take a deep breath, because if that increases your heart rate slightly, you are not alone.

My intent is to educate you on what the risks of holding crypto are from a custodial perspective so that you are better informed navigating the space. The biggest determinant of your cryptocurrency’s security is completely dependent on how you choose to hold it. For those readers who don’t hold crypto or do not understand it very well, the easiest analogies that I can make are the following.

Let’s assume you have $100 USD. Some of your custodial options include

1. Bank. Keeping that money in your checking account.
2. Brokerage. Sending the money to a brokerage account to hold it on your behalf and possibly trade with it.
3. Self-management. Holding that physical cash in your pocket or under your mattress.
4. Friend. Giving that money to a friend to hold for you.
5. Mobile Wallet. Loading that money on your PayPal or Venmo account.

While there are many more things you can do with your $100 USD, those above use cases have been selected because there are equivalents for each of them in the crypto space. Let’s explore each of these.

1. Bank equivalent. Technically there aren’t any mainstream crypto banks that are safeguarding your money for you and providing you FDIC-level insurance, though there is a handful in development. BankEx is working on a decentralized banking system focused on proof of assets and OmiseGo is seeking to bank the unbanked with a diverse platform of financial transaction and settlement services. Note that neither of these represents a true 1-for-1 substitute for traditional banking, but they are in and of themselves disruptive to banking.

2. Brokerage equivalent. Crypto exchanges such as Coinbase, Kraken, or Bittrex are just a few crypto exchanges that provide similar services to that of a stock brokerage account. Each exchange is different in that they provide various crypto-to-crypto trading pairs, in some cases, offer more advanced trading functionality, and also exist in various sovereign jurisdictions. Aside from these key differences, the issue with keeping your fiat or crypto money on an exchange is that you 100% susceptible to entity counterparty risk.

When you hold your crypto on an exchange, the exchange owns your money, YOU DO NOT. This is a very important distinction. While they are providing you access to your funds upon log in. You are completely relying on their underlying infrastructure, governance, security systems and processes to ensure that your money is protected. Arguably, today’s banks are doing the same on your behalf today, but they have to answer to much stricter guidelines and regulations as to how they handle your money.

There have been two high-profile exchange hacks, namely MtGox (now insolvent and under bankruptcy proceedings) and Bitfinex (recovered and still operational). The MtGox hack resulted in the initial loss of 850,000 BTC and the Bitfinex hack resulted in the loss of approximately 120,000 BTC, which at today’s BTC value of approximately $4,300 USD per BTC, is worth $3.65 billion USD and $516 million USD respectively. Yes, those numbers are in fact accurate. These are no small sums. If there are future exchange hacks and you hold your money on an exchange, you are at the mercy of the exchange’s executive decision making. Their leadership will determine what the resulting impact will be to their account holders in accordance with the options they have available and the severity of the hack.

It is also important to consider jurisdictional risk. One of the greatest examples to date has been China’s crackdown on crypto which has even included the possible shutting down of Chinese crypto exchanges. While this proclamation is in the process of being eased, let’s say you put all of your crypto on a Chinese exchange, and you didn’t follow the news all year long. This news would have broke and you wouldn’t have moved your crypto to a different location. Hence, all of the crypto you held on the Chinese account could then effectively have been lost when the exchange is effectively shut down. As we live in truly uncertain times as it relates to crypto regulation, it is possible that similar actions could be taken by other sovereign nations.

Additionally, your login credentials could be compromised and someone could gain access your account similar to how if your online bank account credentials were compromised. Most exchanges strongly recommend implementing two-factor authentication (2FA) with an application such as Google Authenticator or Authy. In some cases, SMS confirmation has also been utilized, but this is less secure as someone could port your phone number and get access to your SMS verification code.

3. Self-management equivalent. Maintaining custody of the crypto yourself is where this becomes more interesting. There are a wide variety of wallets that you can choose from to hold and manage your own crypto. It is important to understand that your crypto doesn’t exist anywhere specifically. Rather, it is a recording on a distributed database structure (also known as a distributed ledger) known as the blockchain. All of the methods that I will share with should be considered interfaces that allow you access to interact with the respective blockchain where the crypto transactions are being codified. One of the most critical points is that in order to access your crypto through these interfaces, you typically need your private key which directly correlates with a public facing address to sign the transaction. Let’s explore the web wallet, hardware wallet, paper wallet, full client and thin client storage methods

a) Web wallet. You visit a website and select the option to view your wallet or send crypto. The following prompt will ask you for your private key. Upon providing your private key you will have access to your wallet. Two of the most popular websites are Blockchain.info for Bitcoin and Ethereum out of Luxembourg and MyEtherWallet out of the United States. For those that are curious what this looks like in practice. Please visit the following link MyEtherWallet — View Wallet. Then copy and paste the following private key into the dialog box as shown below.

7df51ad6b5dfaa276c8b4806b3358a2539fd5d6a8481a0429f98daf97e54fb19

If you have completed this short exercise, you will have successfully accessed a real-world Ethereum wallet! Feel free to play around with it at your discretion. No one should send money to this wallet as anyone on the internet could have this private key now.

While the above website is the actual URL for MyEtherWallet, beware as there are a number of fake URLs that appear to be exact replicas of the real sites that are again designed to steal your private keys and your crypto. It is very easy to mask https://www.myetherwallet.com with https://www.myetherwallct.com or https://www.myethcrwallet.com in emails, Slack channels, or by just putting a textual link on top of the URL. These scams are raking in lots of money all the time! Do not fall for them.

b) Hardware Wallet. Hardware wallets can be compared with a secure dongle or RSA SecurID hardware tokens that plug into your computer. Essentially, you plug in this device to your computer in order to access and sign crypto transactions. The physical device is required and without it, you cannot send your crypto from these wallets. Two of the most common are the Ledger Nano S made in France and Trezor by SatoshiLabs out of the Czech Republic. These are generally considered very secure, but there have been scams where people have received fake ones by second hand distributors specifically designed to steal your crypto. Note, there are no known reports of these companies themselves distributing fraudulent devices. This is NOT part of their business.

c) Paper Wallet. You can run a website offline and generate a private key for your cryptocurrency of choice. You print the document holding your private key and store the document securely in a vault, safe, or under your mattress. Note most people consider this wallet to be used in the fashion adding as many funds as you like, but only withdraw once. You can only use a paper wallet via service that allows you to import your private keys. For a quick tutorial on how this is done, please check out these articles from CoinDesk.com and BitcoinPaperWallet.com.

d) Full Client. A less commonly used solution is running a full client of the blockchain. For example, you can download and run a Bitcoin or Ethereum blockchain on your local computer. In order to do this, you must have your computer connected to the internet and synced with the blockchain. If this of interest to you, please take note that the Bitcoin blockchain including databases indexes is about 170 GB and for Ethereum it is over 330 GB and growing. You also have to maintain custody of your private keys that are run on the wallet attached to your client. For up-to-date- tracking of this blockchain size, this website on bc.daniel.net.nz is an excellent source.

e) Thin Client. If you are determined to run the blockchain locally, one solution is a thin client implementation. This will allow you to interact with the blockchain while only maintaining the headers of all the blockchain transactions. It requires considerably less data than the Full Client, but still requires you to be in sync with the blockchain and maintenance of your private keys in order to access your wallet.

4. Friend equivalent. If you choose to give your crypto to a friend or ask them to invest your hard earned fiat money in crypto on your behalf, recognize that you are trusting them with the custodial management of your money. They must first be above board and someone you would trust with the crown jewels. They will more than likely be using one of the above methods for storing your crypto, which I would argue is THEIR crypto, until it is transferred to you and you take custody and overall management of it. I can’t tell you how many people I hear of who are taking this route, and really don’t understand the implications of trusting someone else with their crypto!

5. Mobile wallet equivalent. While PayPal and Venmo are touted as being great payment solutions with excellent mobile adoption, there are similarly a number of mobile wallets and web browser-enabled that will help you store and transact in your crypto. Some of these wallets include Electrum or Jaxx. While these seem convenient, I have heard of a number of hacks especially with hackers getting administrative control over your devices. For example, Android phones can be rooted so that software administrator updates can be run in the background on your device. For more information on rooting see this link here. I have heard of hackers getting access to your mobile applications via this rooting configuration and emptying out wallets. If you hold crypto on a mobile Android device that is rooted, disable rooting, or take your crypto off of these wallets immediately!

There are a few other high-priority items to address.

a. Loss of your private key. Now that we have covered many of the ways that you can maintain custody of your crypto, a burning question that many people ask is “What if I lose my private key?” There is no easy way to say this other than you have completely lost access to ALL the crypto that was in the wallet that you no longer hold the key for. That’s right COMPLETELY unrecoverable. The key is 64 hexadecimal units long. It is simply not possible to recreate your specific lost key so that you can access your funds.

Photo by Dawn Armfield

b. Physical Security. On a related note, if you have any of your private key materials in a physical location, think about fire and theft. What if your computer, external hard drive, USB flash drive, or any papers that hold private key information is lost in a natural disaster or stolen from you? This is a very real concern. It is estimated that accidental loss represents 25% of the Bitcoins that are in circulation, and hence no one has access to them. If that statistic is true, that would represent approximately $18 billion dollars of value that is unrecoverable. For a touching story of how someone lost $4.8 million dollars with of bitcoin this way see this Gizmodo article.

User Transaction Error. I sent my crypto to the wrong public key address, or I sent my crypto to a blockchain contract address by accident. Yes, once again, the crypto you sent is unrecoverable. Transactions are final in this space.

A quick note on sharing your public key. In order for you to receive money in that wallet, you have to give people your public key. It is perfectly acceptable and common practice to make your public key known to those whom you need to transact with.

In closing, guard your private keys until the end of time. DO NOT give your private key to anyone unless you trust the individual 100% to act on your behalf and that they are at least technologically savvy enough to undertake best practices. With that private key, they can send your money anywhere at their discretion. As earlier noted, once the transaction is confirmed - all transactions final and irreversible.

My 6 custodial recommendations and parting words are

1. Trust few!
2. Keep your money off exchanges.
3. Assume most of the computing units you are working off of are already compromised in some way or will be soon.
4. Use encryption on any files or folders where you store your private keys.
5. Use hardware wallets where you can.

And while there are more secure measures that can be taken, these are excellent starts.

You now have a much firmer grasp of the real risks holding cryptocurrency. Understandably, this is a lot to process, especially if you are new to the space. While it may seem untenable to even hold cryptocurrency in the first place, let me assure you that billions of dollars of value are transacting daily and millions of people around the world are securely doing so. The cryptoverse can be exciting and fun, but it is not without risk. The more money you have this space, the more real these risks become.