Analysis Tech

When There is Such Thing as Too Much Security

You will almost never hear that there is too much security… almost. When your security is so tight that it causes $137+ million worth of loss, it is one of those few times where the phrase is very much applicable.

This is what happened when the cofounder of a cryptocurrency firm unexpectedly passed away, taking the only decryption key to the financial records with him. This unfortunate situation became reality for the Canadian cryptocurrency exchange QuadrigaCX in December, 2018, who is now trying to break through their own encryption to recover the funds.

In what amounts to standard security practices for sensitive information such as this, the critical data was stored offline in an encrypted format so only someone with the key would be able to access said data. It’s a tried and true method used by many of today’s businesses. The catch here? Only one guy knew what the passphrase (key) was. With no contingency measures.

If only one person was able to gain access to the data, then it’s really secure, right? Right. Until that one guy tragically dies of Crohn’s disease. Now it’s really secure.

What Now?

In what amounts to a run on the banks, all of QuadrigaCX’s customers are trying to withdraw their funds. When the vast majority of funds are stored in this secure cold storage, however, there isn’t much to go around.

While customers are demanding their money, QuadrigaCX is trying to find a way out of the mess that they have found themselves in. This is the start of what will likely be a long legal battle, but the firm is requesting that the court enter a stay of proceedings. This would buy some time as it essentially prevents lawsuits for a specified duration while the firm investigates how much (if any) of the funds they can recover.

Recovery is going to be tricky. Unless they find some hints as to what the passphrase was, that offline storage is going to stay secure. They have some funds in their online platform, but those are minimal according to reporting. Additionally, some of their funds may be online in other exchanges, but there have been no further details as to how much that would total up to. In short: they need that passphrase.

The Exchange holds a variety of cryptocurrencies, all of which seem to have been mostly secured in offline storage. Here is a breakdown of what is currently in play;

  1. ~26,500 Bitcoin (~$90 million)
  2. ~430,000 Ether (~$46 million)
  3. ~200,000 Litecoin (~6 million)
  4. ~11,000 Bitcoin Cash (~$1 million)
  5. And a bunch of other sub-million dollar holdings
Money Specie € Coin Loose Change Euro Cent Coins

There’s a lot of money at stake; I hope that they are able to decrypt their offline storage and take this as a learning experience, but there are no guarantees. Their legal affidavit doesn’t offer much hope, but it’s an interesting view of their overall situation.

Pictures courtesy of Maxpixel and Wikimedia Commons

Please Login to comment
avatar
  Subscribe  
newest oldest most voted
Notify of
Mason
Member
Mason

Alex, you probably know where I am headed with this. We have super secret passwords, that are only known to one dude for some things like the AD account that can blow away AD schema’s, forests, things like that. That super secret password is written down/typed and validated by actually gaining access to said system. Then it is sealed in an envelope, and put in a literal safe, that 3 of us have the combo to. So if something happens to super admin AD person, or the password needs changed because they leave the company, we crack the literal vault,… Read more »

Joni Smith
Guest
Joni Smith

Trying to.break the passphrase conjures up the image in my mind of Space Oddyssy 2000 and I keep hearing “I am sorry Dave. I’m afraid I can’t do.that..” Hopefully most of you will get that reference. Seriously, how did they not think this through? And when the guy got sick didn’t he think he should tell someone the passphrase? As I noted below, they had a case of the “oh this will never happen”…well, guess what? This is going to be interesting how this turns out and if they are able to break the passphrase. Do they get more than… Read more »

TexJ3
Guest
TexJ3

I am not the IT genius of the group, but what I used to work on had a tremendous amount of impact if not completed appropriately and timely. We had a rather crass statement, “What if you got hit by a bus?” that pertained to ensuring fail safes on work continuing regardless and in an appropriate manner. Our work was also confidential. It is fascinating to me that with this amount of money in play, there was seemingly no fail safe to ensure all assets (or the majority) were not dependent on essentially one person. This was a glaring lack… Read more »

homanj1
Member
homanj1

The super high security on the Dem side in the last election still makes me chuckle. “Password” as John Podesta’s password was a classic. One sometimes deserves to be a victim……

Joni Smith
Guest
Joni Smith

That password was priceless.

Mic-Mac
Member
Mic-Mac

I am terribly sorry if I sound crass and insensitive, but the leadership of this company allowing this is just plain stupid. I guess I am more inclined to think about conspiracy theories. What a perfect crime if you can make people believe you run a company like this.

%d bloggers like this: