Bigg Digital Assets (BIGG.C) launched their Netcoins app for Android and Apple iOS today and while it’s easy to understand why, it’s a touch more difficult to persuade folks that maybe choosing convenience over security isn’t in their best interest.
Bear with me: you have an online exchange and it offers some coins. It gets enough traction over a sufficient amount of time, and the natural progression is to improve its reach by getting an app together and pushing it out to the most prominent distributors. You can onboard more customers and raise brand awareness, both of which are great for the company but produce hidden problems for you, the user.
Whenever someone looking to get into crypto chats me up about how to do it, they usually want to know what app’s the best. I tell them invariably that they should never, under any circumstances, use their phone to deal in it. Mostly, they listen, nod and do it anyway, because most people are willing to sacrifice security for convenience and do not understand the risks involved. C’est la vie, I suppose.
Regardless, here’s why managing these assets from a phone app is counterproductive to your own safety. You get the app for convenience’s sake in January, upload the front and back of your driver’s license or passport for know-your-customer/anti-money-laundering (KYC/AML) compliance purposes, and then add fiat from your linked bank account (or credit card).
After which, you pick up your crypto. If you’re like most people, you let it sit on the exchange where you can see it, access it, add more or potentially move some around to better-performing coins. That’s never a good policy, but you’ll have that. If you’re going to be lazy and leave your holdings on an exchange rather than stash them away in a wallet, then Netcoins is likely your best option for reasons we’ll get into in a bit. But the next stage in our scenario is that you’re out at a club one night with your friends and you’re six tequila jello-shots, three flaming sambuca and four beers in, when you realize you’ve lost your phone.
But you’ve got two-factor authentication on the phone—a biometric like your thumbprint and a password, right? You should be safe. Except those can totally be spoofed.
Passwords? Even easier. No password is safe from social engineering forever.
What most potential tech thieves lack is incentive and opportunity. Incentive, in that most people don’t have enough to offset the risk. In the above scenario at the club, the average opportunist thief isn’t going to bother to hack their way through a smartphone to get to whatever meager holdings you might have if your phone isn’t already open. But if you’ve been collecting it for a while (and maybe you’re the type to break the first rule of crypto-club, which is that you do not talk about how much you hold and where you hold it), then your quest for convenience may have landed you in a heap of trouble.
Even if the Netcoins app comes with both a password and a two-factor authentication arrangement to access it, which is unlikely but not impossible (obviously I haven’t downloaded the app), it’s probable that the two-factor authentication app you use to access your account is also on your phone. Remember—most people choose convenience over security, and incorrectly assume that their password and biometrics are going to be enough to keep their phone safe.
But even after giving the caveat about handling your cryptocurrency with phone apps, if the person still wanted to know what the best app was, I’d probably say Netcoins. Why?
From their press release:
- COMPLIANT, SAFE & SECURE
- Netcoins is a registered MSB by FINTRAC. All customer funds are held in cold storage (offline) and are insured with Bitgo, a leader in institutional digital asset custody. In addition, our team uses qlue.io, a blockchain forensics and investigative tool (and Netcoins’ sister company) to identify and prevent illicit crypto activities.
Blockchain Intelligence Group, the subsidiary of Bigg Digital that operates qlue.io, could track the movement of your stolen crypto from their exchange (or your wallet) along the blockchain to where it presently sits. If they know the name or address, or have identifying information behind the address, then it’s possible you could get your crypto back. Possible, but not guaranteed. And that’s if it’s even still on a blockchain that qlue services. You’d best hope that your would-be thief still thinks blockchains are completely anonymous, but if he doesn’t, then he’s probably accounted for that and you can say goodbye to your holdings forever.
The elephant in the room is that hacks happen all the time and the closure rate on these isn’t a strong enough deterrent. Banks, jewelers, etc., still get robbed, but there are substantial risks involved that swing the success rate closer to the cops. Desperate people rob banks. There are professional bank robbers, but they’re rare enough to be noteworthy. Hackers are neither desperate nor rare.
Just this week, $600 million was jacked from the cross-chain decentralized finance platform Poly.
The Poly Network is a computer protocol that gave its users the ability to transfer tokens between blockchains, so technically it isn’t an exchange. Maybe we need to update one of our blockchain axioms now that DeFi has expanded our security requirement horizons. Instead of “there are two types of exchanges – those that have been hacked and those that will be hacked,” maybe we should note that anything of wealth or interest exposed on a network and not left in cold storage runs the risk of being stolen.
Apps just make it easier.