Hackers will always go after banks. Here’s how to stay safe.

We’ve all seen these scenes in the movies, from Wild West daredevils riding into town with bags of TNT to blast their way into the safe in the local bank to smooth criminals clearing out the vault with elaborate planning and top-notch gadgets. Other heists, like the attempted hack that could have cost Mexico’s Bancomext $110 million, are too techie and too low on action to turn into an AAA blockbuster. They’re still good enough for media headlines, though, and very, very bad for banks, who see their reputation, earned over decades or even centuries, fall apart, courtesy of a savvy hacker.

While banks have a lot to lose in a successful attack, hackers obviously have a lot to gain—and they’re very much aware of that. Just as an example, the banking industry was in for a 1,318 percent increase in ransomware attacks in 2021, making for a clear-cut sign of increased interest. And as banks move into the blockchain ecosystem, which itself saw hackers snatch some $4 billion worth of assets over the past year, they’ll have to deal with even more unwanted attention from cybercriminals.

The truth is, the law knows to follow the money, but so do criminals. And for as long as banks hold vast amounts of value in their custody, whether in cash, securities, or Bitcoin, they will have a target on their backs. As they make their way into the crypto space, banks must therefore follow the best security practices and protocols, keeping their clients’ assets protected at all times.

Getting your custody right

To add any sort of crypto services, from basic trading to access to decentralized finance and native staking on Proof-of-Stake blockchains, banks must first develop their custodial capabilities. In traditional banking terms, this is somewhat like opening an omnibus account for clients to deposit their assets into, but with blockchain, things are different. Digital assets are stored on-chain; what the bank needs to protect are the private keys necessary to make any use of them. So in real-world terms, crypto custody is most often effectively an omnibus wallet, storing the private key to the public address holding the clients’ pooled crypto assets.

From a hacker’s perspective, this wallet might as well have “jackpot” written on it, because that is exactly what it is. But as alluring as this proverbial vault might be, dynamite won’t get cybercriminals anywhere: Once again, to get their hands on the assets, they must get a hold of the private keys. ‘He who controls the Spice, controls the universe’, but he who controls the keys, controls the coins. 

So how exactly do banks go about protecting these keys? Some prefer to outsource the headache to crypto exchanges and other third-party custodians. This works as a quick fix, but adds a whole new layer of third-party risk to the picture, as exchanges and custodial services have their own fair share of hacks and mistakes. It also effectively hands the reins of the bank’s own crypto services to somebody else, as any new coins or protocols the bank wants to integrate will have to fit into the partner’s risk profile and other strategic considerations. Sub-custody also brings in the additional expenses associated with the involvement of a contractor.

Banks that prefer autonomy and full ownership over their custodial platforms generally choose between two options. The first is a cold vault, which is offline most of the time and thus difficult to hack (as opposed to a True Cold Vault, which is offline 24/7). The second is a multi-party computation (MPC) solution, in which several computers, each holding a part of the private key, jointly sign off on every transaction, so hackers have to compromise multiple machines to hijack the keys. MPC solutions are more versatile, as they are always online (“hot,” in crypto speak), but also more vulnerable. Besides being cheaper and giving banks more versatility, self-custody also unlocks more revenue for banks, enabling them to earn yields off the coins in their custody through native staking or DeFi. It also works faster: with a sub-custodian, executing an order may take up to two days. Not your keys, not your coins, goes the famous crypto saying, and it very much applies to banks as well.

The best option for self-custody is, as it happens, in the middle: Solutions that mix True Cold and MPC capabilities offer the highest protection while also bringing a lot of versatility to the table. They also, as we are about to see, allow for a strategy that will help banks safeguard their clients’ assets with maximum efficiency.

The attack surface at hand

While a sound, security-driven custodial policy in itself makes it difficult for hackers to reach the private keys, banks need to take more attack vectors into consideration to keep cybercriminals at bay:

  • Insider attacks. These can vary from a disgruntled employee to a well-meaning staffer led astray through social engineering techniques. With a spectrum as broad as this to deal with, the response must be equally multi-pronged. The measures must include a stringent physical access management policy for the cold vault, a multi-manager approval system for filtering out suspicious transactions, and general anti-phishing training for staff.
  • MPC hacks. While a cold vault often requires the attackers to get into physical proximity for any attempted attack, the same doesn’t go for MPC solutions, which are always online. With a bounty big enough at stake, hackers can still invest in compromising multiple targets, as their expected reward is high enough to justify that. The solution is to keep 95 percent of the assets in the cold vault and the rest in the MPC, for immediate needs, getting the best of both worlds. Hacking is always about return on investment, and hacking a connected computer always comes with a price tag.
  • Smart contract vulnerabilities. Smart contracts are on-chain, decentralized applications that power the DeFi ecosystem. Flaws and mistakes in their design can hand hackers vulnerabilities to exploit, from integer overflows to reentrancy attacks. To prevent these, banks must make sure to audit the code powering the projects and opt for older, more time-proven, and battle-tried services.
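
The multi-manager approval and the 95/5 cold-to-MPC split from the list above can be expressed as a small policy gate. This is an added example, not code from the original article or from any custody product; the two-approval quorum, the manager names used to exercise it, and the function names `hot_excess` and `authorize` are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

HOT_TARGET = Decimal("0.05")  # the article's split: 5% in the MPC (hot) wallet, 95% cold
REQUIRED_APPROVALS = 2        # assumed quorum; the article does not give a number


@dataclass
class Withdrawal:
    amount: Decimal
    requester: str
    approvals: set = field(default_factory=set)  # names of staff who signed off


def hot_excess(cold: Decimal, hot: Decimal) -> Decimal:
    """Amount to sweep from the MPC wallet into the cold vault.

    A negative result means the MPC wallet is below target and needs a refill.
    """
    return hot - (cold + hot) * HOT_TARGET


def authorize(w: Withdrawal, hot: Decimal, managers: set) -> tuple:
    """Return (allowed, reason) for a withdrawal served from the MPC wallet."""
    if w.amount <= 0:
        return False, "invalid amount"
    # Count only approvals from recognised managers, and never the requester's
    # own: a single insider or a single phished account cannot self-approve.
    valid = (w.approvals & managers) - {w.requester}
    if len(valid) < REQUIRED_APPROVALS:
        return False, "insufficient approvals"
    # Anything larger than the hot balance must go through the cold-vault
    # procedure, so a compromise of the online side is capped at that balance.
    if w.amount > hot:
        return False, "exceeds hot balance"
    return True, "ok"
```

Running `hot_excess` on a schedule keeps the online exposure near the 5 percent target, so the cap enforced in `authorize` stays meaningful as deposits arrive.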

Having kept the criminal threat in mind for decades, banks are no strangers to cybersecurity. As long as they put the same amount of thought and effort into their security when venturing out into the decentralized ecosystem, they will be able to tap the vast new revenue flows it offers without exposing themselves or their clients to too much risk. Having said that, blockchain demands an extra degree of security compared to the other databases powering traditional banking, since it is an immutable ledger: once the money is stolen, there is no getting it back!