During the past 6 years (from 2009 to 2015), one-third of all Bitcoin exchanges have been hacked. While this is less than the rate of security breaches experienced by stock exchanges, which is over half, it is still many times that of banks, which reported a 1% incidence of data breaches.
Bitcoin exchanges do implement certain measures to reduce the risk of hacks, such as partial cold storage and multisig wallets, but are they enough?
Cointelegraph spoke with Robert Genito, CEO of Genitrust, on why Bitcoin exchanges are not doing their proper due diligence to ensure that customer funds are kept safe.
Cointelegraph: What's the difference between a hot and cold wallet?
Robert Genito: A hot wallet is generally a wallet where the private keys - even if they are one signature of many - are stored on a machine with an active connection to the internet.
CT: So a cold wallet is on a device with no internet, correct?
RG: Basically, yes. Preferably the wallet seed or private keys were generated on that "cold wallet" (or "cold storage") machine. Furthermore, the machine never had and never will have an internet connection. The public seed or receiving Bitcoin addresses are exported from that machine and loaded onto the web application service.
CT: Is cold storage at all practical for transactions?
RG: Absolutely. Genitrust developed a proven solution, most popularly used by Wall of Coins. Wall of Coins has proven the ability to release coins - after the end user's request - just as quickly as any multisig hot wallet.
CT: How can you move coins quickly in and out of cold storage? Doesn't that require an internet connection?
RG: That's true. The only part that requires an internet connection is the act of "broadcasting" the Bitcoin transaction to other Bitcoin nodes. The remaining operations can be performed on an offline computer.
CT: Does this provide greater security? How about speed?
RG: Greater security is no question. The speed is equal to that of - or faster than - online multisig operations, which are still vulnerable and accessible to the endless world of security attacks. When you have this vulnerability, your hot wallets grow more vulnerable as the stored crypto value increases.
CT: I'd assume this fast cold storage is good for online exchanges that handle thousands of customers' funds. How many use this?
RG: Correct. The biggest limitation of transactions is the same limitation of Bitcoin's Blockchain. Wall of Coins is the only service live and in production that uses what we call "Rapid Cold Storage".
CT: So no exchanges use it? None?
RG: No exchanges operating today.
I'll be clear: we have presented this to a larger USA company. They currently do "withdrawals" only 4 times a day. If they integrated our Rapid Cold Storage, they would be able to do withdrawals all day long for their users.
CT: Why not? It sounds like an unnecessary risk of customer funds not to.
RG: You're right, it's absolutely an unnecessary risk of customers' funds when the exchange is not doing 100% Rapid Cold Storage. There are too many examples of customers - and the Bitcoin ecosystem - suffering from the negligence of exchanges. And history shows that no matter what, your hot wallet coins will be subject to cyber theft.
Business bureaucracy has been the biggest source of friction for this. We do not have the extra funds to spend on a large marketing campaign to sell this technology. Instead, it is an honest effort on our part to reach out to companies to use this.
CT: So Bitfinex, ShapeShift, they all could have potentially avoided the hacks with rapid cold storage?
RG: Absolutely, and their operations would be just as swift. Don't get me wrong, I have a lot of respect for both companies, and to be frank, projects from Erik Voorhees' past have inspired me. At times it is sad to hear bad news, knowing that I would keep my schedule open to consult and help, as this action would also help the Bitcoin ecosystem as a whole. It is my responsibility.
CT: Do you see exchanges changing their way of doing business because of these hacks?
RG: I really do. They will either be proactive as we have been, or their future will hold financially expensive (or inexpensive) lessons until they solve the wallet to "internet" layer.