Bank Blog Crypto

Bank Blog Publication: WHERE BITCOINS MEET HIGH SECURITY FACILITIES

State-of-the-art crypto custody

by JOCHEN WERNE

Original published in German at DER-BANK-BLOG. Please click HERE Translation created with DeepL.com

14 February 2022

Digital assets are as safe as their encryption? Unfortunately not. After all, the dangers do not only come from hackers. Security must be thought of more broadly, as examples of state-of-the-art crypto custody solutions show.

The protection of crypto assets can only be guaranteed if there is a clear awareness of the dangers. Attacks on digital assets such as cryptocurrencies or asstes no longer end with the numerous attack vectors of cyberattacks, but unfortunately already extend to the use of physical force against their owners. It is therefore important to raise awareness of possible dangers, as shown by examples of the state of today’s state-of-the-art crypto custody solutions.

According to Investing.com, the total number of cryptocurrencies as of 12 December 2021 is 9,004 with a total market capitalisation of US$2.24 trillion. After Bitcoin, Ether, XRP, Litecoin and co, the Libra Coin initiated by Facebook received unprecedented media attention, triggered by the announcement of the project alone. And the emotionality and sharpness with which the discussion was conducted shows how seriously the topic is taken internationally at the state level. It is about reputation, influence, control, responsibility and only in the last instance about technology. And for every investor, it is first and foremost about protecting his assets.

The right sense of danger

In the future, protecting our assets will not just mean keeping our wallet in the deepest pocket of our jacket or handbag or turning the key to our flat twice in the lock. In the future, we will have invested part of the fruits of our labour, our fortunes, in crypto investments and cryptocurrencies. This part of our wealth needs to be kept safe, and we need to understand exactly where and how. This requires that we understand the risks. The sense of danger must therefore adapt, as must the lure of the new opportunities. For this, it is of utmost importance to understand the real dangers and to take appropriate protective measures.

As yet, however, this sense does not seem to be all that pronounced. According to Slowmist Hacked , which specialises in aggregating information on detected attacks on blockchain projects, apps and tokens, the total amount of crypto assets stolen in 122 different attacks in 2020 is $3.78 billion. Even though the evaluation is based on the Bitcoin peaks of January 2021, it clearly shows the importance of greater efficiency in security.

In comparison, only 1.63 billion US dollars were captured in the ten largest bank robberies of all time. Considering that the largest robbery took place when dictator Saddam Hussein ordered his son Qusay to withdraw nearly US$1 billion from Iraq’s central bank with a handwritten note, and the tenth largest robbery netted the perpetrators just US$18.9 million, crypto-cybercrime has become an extremely lucrative business.

Crypto custody: Do hot and cold wallets offer sufficient security?

The famous military scientist Carl von Clausewitz argued in the early 19th century: “An army on the defensive, without fortifications, has a hundred vulnerable points; it is a body without armour”. “We must always retain sufficient forces beyond the garrisons to be a match for the enemy in the open field, unless we can rely on the arrival of an ally to relieve our fortresses and free our army.” In cryptocurrencies, the wallet is the fortress and the blockchain – the distributed ledger – is the army in the open field. It is the job of modern crypto custodians – as guardians of their clients’ assets – to ask themselves daily what additional measures can be taken to best protect cryptocurrencies and crypto assets.

Crypto custody solutions typically involve a combination of hot storage or crypto custody that is connected to the internet and cold storage or crypto custody that is not. Rakesh Sharma comments on Investopia, “Both types of storage have advantages and disadvantages. For example, hot storage is connected to the internet and therefore offers better liquidity. But hot storage options can be vulnerable to hacks due to online presence. Cold storage solutions offer more security. However, it can be difficult to generate liquidity from crypto holdings in the short term because they are offline. Vaulting is a combination of both types of cryptocurrency custody solutions, where the majority of funds are stored offline and can only be accessed with a private key.”

The risk of becoming a victim of physical violence in private crypto custody

The risk of theft of crypto assets is no longer solely about digital robbery in cyberattacks and hacks. Physical violence against the owner of crypto assets or threats to family members is already sadly present. In November 2021, for example, the American co-founder of Tuenti, once billed as the Spanish Facebook, Zaryn Dentzel, was the victim of such an attack in his private Madrid flat.

Dentzel stated on record that the gangsters beat him and stabbed him in the chest with a knife while shooting him several times with a Taser.

Thus it becomes clear that the protection of crypto-assets must also go hand in hand with the fact that a perpetrator who is prepared to use physical force understands in advance that his alleged victim does not readily have power of disposal over his total crypto-assets. Cold storage not at home, but in a cold space, for example a high-security facility, can provide the necessary protection.

State of the art crypto storage meets high security facilities

In July 2021, Prosegur Crypto – the crypto custody subsidiary of Prosegur, one of the largest security companies in the world – announced the creation of the world’s first “digital asset custody bunker”. The consistent combination of a physically and digitally inaccessible environment here is unique to date.

In collaboration with cybersecurity company GK8, Prosegur Crypto brings together all the infrastructure, facilities, technologies and security protocols required to minimise all risk areas identified in the digital asset custody chain.

The solution consists of state-of-the-art cyber security systems provided by GK8’s patented technology and the highest level of a military-grade secured protection environment. It is based on a “360° inaccessibility” approach, mapping over 100 protection measures into 6 integrated layers of security. This ensures the highest possible protection against physical and cyber attacks.

The HSM (hardware security module, a device that generates, stores and protects cryptographic keys) is housed in a military grade briefcase within the high security vault. This vault is only accessible to a limited number of people who manage the data manually and offline. Staff have restricted access to the information they handle to avoid any risk of internal theft and work from a secure facility where there is no risk of physical attack, copying or theft of systems or passwords. In the event of an unauthorised attempt to access the HSM, its contents are permanently deleted. Immediately, a recovery plan is activated, including a protocol for recovering private keys using seeds located in various other vaults.

The module is connected to an MPC (Multi-party Computation) system, which provides a fast signature process on a state-of-the-art computer network and generates transactions on the blockchain without a direct internet connection. This minimises the possibility of fraudulent access and eliminates any potential vector for cyber attacks. These system features are patented and represent a highly differentiated offering in the market.

Plea for openness: danger recognised – danger averted

The analysis shows that from Clausewitz to the latest developments in cyber security and crypto-custody, the security perspective has hardly changed. The more you rely on a single system or fortress, the more vulnerable you are. It’s all about layered security, which makes it time-consuming and very costly for attackers to get what they desperately want.

We are still only at the beginning of a new era for our monetary systems. An era driven by technology in which it is increasingly important for every actor to develop a good understanding of it in order to build sustainable ones. Technology has never been right or wrong, only the way we humans use it can make it so.

New technologies offer the opportunity to make our world more prosperous for all – let’s use it!

The four principles of good governance

Author: Jochen Werne | First published in German on September 6, 2019 in the BANK—BLOG

Author Jochen Werne

How banks create stability to survive in change

The “cobra effect” is a prime example of failed incentive structures. Good governance in banks and savings banks must serve stability and flexibility at the same time. Compliance with four principles is indispensable.

Well-intentioned is not well done yet. Science calls this the cobra effect. It goes back to an event when India was still a British colony. In order to control a cobra plague, a British governor placed a bounty on every snake that he killed. With the result that enterprising Indians began to breed cobras to collect the bounty. When the governor learned of this practice, he had the program stopped and the breeders released the snakes. Result: The problem had multiplied.

The Kobra effect is regarded as a prime example of failed incentive structures – and thus of failed governance. This word, derived from the French “governance” for government, is often used today, and with its almost inflationary mention, the blur surrounding it is also growing.

So let us recall: governance refers to the structures and forms of governance that exist in a society. This refers to the interaction between the state, the private sector and interest groups. The aim is to improve the management of an organisation or a political or social unit in order to achieve better results.

Stability as an objective of governance

However, it has become common practice to use governance primarily when it is not a question of state structures. For example, the term plays an important role in practically all companies that deal with the public in the form of customers or stakeholders. As a result of the blurred use of the term, case studies from politics are often used today to explain economic frameworks.

Undoubtedly, there are many parallels between the governance of states and the governance of private companies, in their structure and processes and thus also in their form of governance. The decisive factor for both is first and foremost stability and thus the ability to cope with major crises. For states, the core of stability is the constitution, which enables leadership during the crisis and at the same time serves as the basis for a way out of the crisis. A current example of this is the national crisis in Austria. The government has failed; until the next elections a transitional government of experts will lead the country and thus guarantee stability. Around this core, however, a state structure must also have a certain flexibility in order to be able to react to developments.

Stability plus flexibility

And this is where the differences to the private sector begin. States are not in competition with the private sector and generally continue to exist even after crises, even if in extreme cases the political system and its fundamental form of governance may change. The situation is different for companies. Of course, they also need a stable core. But they must be extremely flexible and adapt to market situations in order to survive in the long term. Their stability is based on the flexibility of the process organisation. When it comes to flexibility, smaller companies often have an advantage over large, difficult-to-maneuver corporations. We see this in the financial services industry with the example of FinTechs and InsurTechs. However, these relatively small companies often lack the stability they need to survive when consolidating.

Let’s take the example of the banking industry: It faces clear challenges – digitization, new competing business models, exponential technology leaps and ever shorter product cycles with lower margins and increasing regulation. Sustainable answers and the resulting strategies will only be found by those houses that are stable in themselves on the one hand, but are also capable of a degree of flexibility that has never been demanded of them in history on the other.

Four principles of good governance

But how does a company obtain the necessary stability? There are four principles for good, i.e. successful, governance, which must always be present:

Accountability: There must be an organization that is controllable and controlled.
Accountability: The company as a whole and each individual employee are accountable for their actions.
Openness: Only when employees, customers and stakeholders understand what is happening is transparency actually lived out.
Fairness: Ethical conduct is one of the foundations for long-term value creation.

Governance must be lived

In order to achieve a satisfactory situation for both sides, the four principles of governance are indispensable. However, it is not enough to lay them down in statutes; they must also be lived by each individual.

In addition, the current major transformation issues, which not only the banks but also the entire economy have seized, should be seen as an opportunity for companies with a consolidated governance structure and remind us of a statement by the Roman philosopher Seneca, who said: “Only the tree that has been constantly exposed to gusts of wind is firm and strong, because in battle its roots are consolidated and strengthened”.

The Cultural Dimension of Cyber Threats

Country-specific aspects of cybercrime.

The number of cyber attacks on businesses, governments and individuals is increasing worldwide. The human being in his cultural environment is an important element. Different cultures seem to be associated with different susceptibilities.

by JOCHEN WERNE – Original published in German on January 18, 2019 at Der Bank-Blog – Translation with DeepL.com



In its annual management report “The Situation of IT Security in Germany 2018”, the Federal Office for Information Security records a threatening scenario: The number of cyber attacks on the federal government, German industry and private individuals is increasing at an alarming rate. Germany, in particular, is being massively targeted by criminal hackers.

One thing is certain: almost 90 percent of all cyber attacks have a criminal background. Approximately ten percent of all cyber attacks are caused by state cyber warriors. The goal of criminals is either personal data (account connections, credit card numbers, passwords, etc.) or capturing the computer for new attacks via bot network or to extort ransom money for the renewed release of the computer. The ransomware “Wannacry” is an equally prominent and frightening example of this. If state systems become the target of hackers, this usually results in sabotage, espionage and the spying out of trade secrets. The BSI discovered 800 million malicious programs for computer systems last year. In the previous year, the figure was 600 million – around 400,000 malware variants are added daily.

Cyber Security and the Human-Cultural Factor

The view must be directed to an important dimension of the human factor: The influence of different cultures on the handling of technology and in particular on the behaviour of individuals in the context of cyber security. Cultural peculiarities influence preferences, prejudices and behaviours. In his renowned book “The Culture Code”, anthropologist and marketing expert Dr. Clotaire Rapaille explores how members of different nationalities have developed very different codes for the image of products, companies or countries.

These findings come from client assignments in which Dr Rapaille conducted extensive interviews with focus groups to identify cultural preferences, prejudices, idiosyncrasies and behaviors. In more in-depth analyses, a piece of generalized psycho-cultural characteristics is then derived from representatives of the countries studied.

Country-specific aspects of cybercrime

Questions arise as to what protective concepts and guidelines might look like that take this background into account appropriately? And what role do cultural and country-specific aspects play here, such as the famous “German Angst” and corporate cultural aspects, such as the comparison of a classical hierarchical system versus Holacracy models, which have become increasingly en vogue in times of digital transformation?

Some concise examples from the findings of Dr. Rapaille: Americans define themselves strongly through their work. In this culture, professional activity largely determines the image of one’s own identity. The importance of money in this culture is proof of diligence and success.

The author sees completely different meanings in European countries. In France, for example, work and money are regarded more as “necessary means to an end” – those who can afford it expect at least a certain amount of entertainment and comfort from their job there. According to Dr. Rapaille, quality and technical perfection play an important and in some cases even absolute role in Germany or Japan, while US-Americans, according to his analyses, in many cases content themselves with “It just works” and are even sceptical about excessive perfection.

The author recognizes the Germans’ tendency towards perfectionism, which is partly exaggerated from a foreign point of view, as decisive for the quality of “German Engineering” and the global economic success of the Germans in this field. Dr. Rapaille is convinced that US culture, on the other hand, is characterized by a widespread refusal to grow up, which in turn leads to a great competitive advantage in the field of innovation.

Conclusions for more cyber security

This raises the question what are the appropriate protection concepts in an increasingly complex threat situation. A classic approach is the definition and enforcement of policies, both on a technical and organizational level, which are intended to guarantee compliance with security measures. The more hierarchically and authoritatively a corporate culture is aligned, the more restrictive the corresponding guidelines usually become.

However, the approach of establishing security primarily through bans and restrictions on user freedoms has proven to be double-edged in practice. The more the possibilities of an individual user are restricted, the more this encourages the tendency to escape the corset of safety-related rules.

A typical consequence is the “Bring Your Own Device” (BYOD) problem with which many company IT departments have been confronted for years – if the functions and authorizations of their work equipment are too limited, users bring private end devices with them to the workplace. These are then often not integrated at all into the protection and security concepts of the company. If the BYOD escape route is also suppressed, such measures often result in a refusal attitude à la “The desired is not possible with the means available – if the IT department wants it that way, then this task cannot be solved”.

Flat hierarchies and personal responsibility as a solution?

Is the better way, then, in holacracy models, in flat hierarchies, or in “loose reins” in terms of security and a strengthening of employees’ personal responsibility?

For the reasons derived in the preceding sections, this approach is by no means a guarantee for higher IT and information security. A healthy middle course could lie in adequate risk management. Technical and organisational security measures take into account the hazard level of specific data and applications. Sensitive areas and particularly sensitive data are subject to more stringent security measures, business areas or processes with less sensitivity are also protected, but assign employees a higher degree of personal responsibility. All protective measures take into account the above-mentioned psychological and cultural-historical findings.