The Risk of Holding Your Investors’ Private Keys

March 19, 2015

Imagine that you’re a wealth manager or a fund investor, and you just raised a $100 million fund with the promise of hefty returns.  You relish the moment as your investors stop by to drop off pallets of physical cash in your offices.  Once you have all the cash, you take great care to mark each bill, putting them in plastic envelopes (so they are mostly water proof), and then you transport them to a safety deposit box or lock them in a cabinet in your offices.  Every time you make an investment or a payout to your investors, you go to your storage location and remove physical cash in order to make a payout.  You pay for guards, surveillance, armored trucks, myriad security precautions, sparing no expense.  Everything is great until one day an unforeseen event occurs and the cash is lost.

This scenario should sound crazy. A prudent institution would keep the money in an FDIC-insured bank (or banks) and use the banking rails for transmitting value instead of physical cash.  It’s simply a more secure way — anything else would just seem reckless.  Further, in the event of a loss of the cash, the question would be asked why the better alternative wasn’t pursued, raising questions about judgment, fiduciary duties, and liability.

Amazingly, many institutions follow an analogous practice with respect to bitcoins. Using storage techniques like paper wallets or printed key back-ups, as required by certain storage solutions, is akin to managing a large swath of physical cash.  In actuality, attempting these methods of bitcoin storage is worse than the cash example, since private keys must be transmitted electronically at various points in the process and are thus vulnerable not only to physical theft, but also to theft online.  Like cash, the tangible wallet or printed back-up keys are also subject to potential theft during transportation or even while in storage.

Just like leveraging the security and insurance of banks for storing or transmitting cash, attempting to manage or even briefly touch private keys when a better option exists could be viewed as reckless and potentially result in personal liability in the event of a loss. In order to avoid this, a prudent fiduciary should 1) use a vetted and insured storage provider that specializes in security and 2) make sure that such solution never requires a fund or manager  to be responsible for private key creation or storage.

Xapo’s security architecture, products and services were all built with these concerns in mind. Xapo’s vault uses private keys that never touch the the client or the internet and are buried deep within geographically dispersed heavily guarded locations that leverage multi-signature technology for transaction signing.  Our processes have been rigorously penetration tested and successfully passed a SOC2 audit in August 2014 — the first of its kind.  Our customized security protocols further reduce the likelihood of theft through social engineering, phishing or brute force hacks.  Finally, in the unlikely event of a loss, the bitcoins held in Xapo’s vault are fully insured and Xapo is fully responsible.

Trust the bitcoin custodian used by top global hedge funds, venture capital, family offices and exchanges. Protect your bitcoins with Xapo.

Ted Rogers

By Chief Strategy Officer

@tedmrogers

Article published on March 19, 2015

, , , , , ,
MORE NEWS

Xapo update about Bitcoin Gold

On Tuesday, October 24th at 1:20 am GMT approximately Bitcoin Gold (BTG) was created (or forked) as a new cryptocurrency based on the original Bitcoin Blockchain. Xapo is handling this fork according to its fork policy, just like we did with the Bitcoin Cash fork. If you had bitcoins in Xapo at the time of…

By Federico Murrone

Xapo and Phishing Attacks

  What is Phishing? At Xapo, we are constantly working to improve the security of our users by enhancing our infrastructure and helping customers identify various types of threats. Phishing is an attack, perpetrated by a criminal, tricking you into clicking on an url that looks very similar to the site you are trying to…

By Carlos Rienzi

About the Bitcoin SegWit2x update

When the Bitcoin Blockchain mines block number 494,784, which will happen on or around Saturday November 18th 2017, a block between 1MB and 2MB in size will be generated by the Bitcoin miners to increase network capacity (SegWit2x). At that point some miners may decide to ignore that block and continue mining on a 1MB…

By Federico Murrone