
Ep29 | Crypto Under Siege: The Thin Line Between Digital and Physical Security

Air Date: June 10, 2025

 

This episode of the Virtru Hash-it-Out podcast brings together Adam Healy, CEO of Station 70, and Chris Pierson, CEO of BlackCloak, for a critical discussion on the rapidly evolving intersection of digital and physical security in the world of cryptocurrency.

We explore:

  • The recent Coinbase data breach and how hackers bribed employees to steal customer data and facilitate targeted attacks
  • How the global proliferation of digital assets is blurring traditional boundaries between cyber and real-world threats
  • Why the anonymity and liquidity of crypto assets make them attractive targets for both cyber and physical criminals
  • Why organizations should have a dual focus: strengthening physical security protocols for executives and advancing robust, data-centric digital protections

You won't want to miss this insightful conversation where you will gain a nuanced understanding of why the line between digital and physical risk is vanishing in the crypto era, and why comprehensive, layered security strategies are now essential for safeguarding both assets and lives.

Transcript


[INTRO] Welcome to Hash It Out, a podcast built by data security experts. We decipher the data security landscape through honest conversations about today's headlines and tomorrow's challenges, brought to you by Virtru. Let's dive in. Today, we chat with Adam Healy, CEO of Station 70, and Chris Pierson, CEO of BlackCloak, about the Coinbase data breach and the criticality of digital and physical security measures in cryptocurrency to safeguard both assets and lives.

Good afternoon. My name is Matt Howard. I am, the chief marketing officer at Virtru, and I wanna welcome you all to another edition of Hash It Out.

Today, we are very fortunate to have, two terrific guests, talking about a topic that, you know, quite honestly is is just I feel like it's been there for a long time, but it's just kind of burst onto the scenes of, you know, mainstream media in in the past couple of weeks, months in ways that, you know, rarely has happened in in my experience, at least, in this industry. We're talking about this idea of of wrench attacks increasing as it relates to sort of this, you know, line between sort of digital risk and physical risk really beginning to blur, as we speak, you know, when wealthy people with lots of crypto assets are finding them at, no pun intended, the sharp tip of a very sharp spear, and facing real risk and bodily harm, and the world is kinda different.

And for me today to have this opportunity to talk to Chris Pierson and Adam Healy, is really a special, you know, opportunity to kinda put the topic out on the table and get some real expert kinda frontline feedback. So, Chris Pierson, CEO of BlackCloak, thank you for being here today. If you don't mind, kind of introduce yourself.

Tell us a little bit about your company.

Yeah. Absolutely. It's good. It's great to be here. I'm I'm I'm, you know, really, really pleased that Adam's here, as you know, Matt, and and this is gonna be great.

I'm Chris Pierson, CEO and founder of BlackCloak. BlackCloak is digital executive protection. So we protect corporate executives, board members, other executive leadership team, members, and their families in their personal lives. We've all seen a massive increase in both cyber attacks and physical attacks and the kind of convergence of the two in that area.

Separately, we also protect high profile individuals, like these sports star rock star politician, folks with crypto, folks that are loud about crypto. Once again, protecting them and their families and their personal lives. And and it's, you know, it's one of those things where that that wave is happening right now and it just continues. So, really excited to be here.

And past background of many, many different things from engineering and and hard sciences until legal and to former chief privacy officer and chief information security officer and a little bit of time as a special government employee on the, working at DHS. So it's, great to be here, and this will be a great conversation.

Yeah. Chris, thank you so much. Adam, if you don't mind, do the same. Tell us a little bit about yourself and the cool work that you're doing, at Station 70.

Just so deeply excited to be here. This is my my second Hash It Out, and, I think this one is, gonna be a bit more lively. I think last time, it was just me and, me and Matt. So the, Adam Healy, CEO, cofounder of Station 70.

Really, we're building Station 70 around a lot of experience about the last eight years in crypto solving some of the very sticky security problems. Some of our products, solve some various complex issues around key management, around disaster recovery, business continuity, some identity problems.

And no no one else is really solving those in the crypto space, and we think in order to get the industry to where it needs to go, solving those is really a a paramount activity. And we we've been on this journey for a few years now, and we, we we seem to have built a lot of expertise that now starts to transcend not just key management, but how do you manage keys in these heightened physical security situations that are starting to unfold? And how do you protect organizations and the folks that are not only the executives, but oftentimes the key holders of that crypto, which which many, many times at the more sophisticated firms are not the executives. They're, you know, financial operations teams. There's ops teams. There's security teams that are really involved with moving that crypto, and those individuals are very much at risk.

Interesting.

Well, you know, one thing I'd love to kinda start off with I mean, I think it was it was early May. I can't remember the exact day, but it it feels like a lifetime ago. But then again, it feels like it was yesterday. But but but the world sort of became aware of a a breach that happened at Coinbase. And and, Adam, for the benefit of the audience, can can you just summarize from your perspective what happened with that breach and, you know, just kind of TLDR, tell the world what you think?

Yeah. So this is a a very good case of third party risk, and I don't think it was a failure on the side of Coinbase. Right? I every firm, more or less, uses third parties.

Right? Whether it's Gmail or a third party customer service organization or it it doesn't matter. And I in this particular case, Coinbase was using a well vetted multiyear vendor trusted and and frankly trusted by companies beyond just Coinbase to manage, certain activities around customer service, and that necessitated having access to certain customer data. Now, there are some things that we could potentially talk about around, well, how was that data encrypted at rest?

How was it encrypted in transit? Did those folks actually need access to that data? And, you know, I think Coinbase would probably argue, you know, not necessarily speaking for them, but, you know, as an outsider, but, yeah, they needed access to certain KYC data, addresses, names in order to to do the customer service job. Well, what that ultimately results in, especially in certain jurisdictions where maybe corruption or bribery is more pronounced, is you now have this treasure trove of data that is readily accessible to large numbers of employees, and those employees may be subjected to corruption, blackmail, extortion, bribery, other types of things, and even physical threats of their family.

Yet now that's a very hard problem to solve and and and something that I think, you know, Coinbase is a world class security program. And the fact that this was something that happened there just, I think, underscores how hard of a problem this is to solve.

Got it. Yeah. Yeah. There's no doubt.

Chris Yeah.

When you think about what happened with Coinbase and Adam's words, not mine, treasure trove of personal data, like addresses and phone numbers. I mean, let's be clear. Nobody's crypto got stolen, but all of that personal information that was, you know, exposed as a result of the Coinbase breach dynamic, how does that then translate into physical risk for high net worth individuals and crypto holders? And and what are some of the things that that that you're thinking about as it relates to BlackCloak, you know, in light of Coinbase?

Yeah. There there are few things here. I mean, Adam very smartly, makes the case that look, there there's a lot of risk acceptance that is here in terms of companies have third parties do work on their behalfs and that information has to be made available. Right?

It's just a basic fundamental need. Every company does it. And in this case, right, that access and information just knowing that you're a customer of a bank, of a financial institution, of a wallet, of a cryptocurrency, right? All of that information is useful.

It's useful in the hands of cyber criminals and nation state actors.

And it's one of the things where we're never ever gonna be able to fully protect that information. Right? The euphemistical, we get all the controls in the world, on the computers, and every all the vetting, and nobody can take anything home and the the no USB ports. But look, I mean everyone has a camera or micro camera that can take pictures of screens and and everything else from there. The fact of the matter is is that where we really need to go is what is the usefulness of knowing that this target segment is a client of Coinbase, is a client of a wallet. And that's where you know, well they obviously have cryptocurrency.

They're obviously storing it in this, right, in this company, in this app, in this platform. And it allows you the cyber criminal to very very, right, with specificity target those individuals. You don't have to have a one hundred million person list and guess, okay. Everyone might have a Citibank card or Discover card, so we're gonna go ahead and, right, send it out there.

Talk target them physically or target them digitally?

Well well, both. Well, both. Right?

Because it it I I would actually add that the the the digital targeting is something that that was that was said a second ago. It's like no one lost money. No one lost money through Coinbase.

But we do know factually, that people have lost money through, I think where Chris is going, targeted phishing, targeted social engineering because they know that. So there is actually a, you know, a very large amount of money that has been lost.

Yeah. And and so and so the digital like, your question right on the digital versus physical and the discussion they're in, you're pretty spot on point.

Knowing for sure that someone is or was a customer of a specific service or financial institution or right in this case a wallet is powerful information in and of itself because you can directly message them, target them, maybe have some relevant information. This is regarding your account that was started on January seventh, two thousand and twelve And you might have started you in Kansas City and now we know you moved to New York City, but we really need to redo your KYC. So please provide your social security number here. Right?

You can do that and do it with more meaningful, right, more oomph and and more specificity, which is gonna net you a greater return to the back end in terms of people that are scammed. Both in terms of potentially their wallet or in terms of just normal identity theft. The second place and right right where Adam was going is that, look, it also allows you and of course it allows you to target them in terms of a try to hack the wallet and try to grab the crypto. But then it also does set you up for something if, I don't know this, but if you were able to know certain striations of clients in terms of the ones with, right I'm gonna make this up, over a million in some type of cryptocurrency.

Those that are between a hundred thousand and a million and those with a hundred thousand and under, you'd be able to make some type of an educated guess on the value of the assets under management that are included in that wallet, and then target them physically or just quite honestly, you know, I mean look and see which people are in the high net worth, ultra net worth areas geographically within a certain country and target them. But it does allow for that convergence between cyber and physical to be there through that information. It's really interesting stuff.

Well and this this is why like, it was a month ago, Adam, you and I were just going back and forth on LinkedIn, and and we were talking about Coinbase. And then it was, like, a week later, maybe not even a week, The Wall Street Journal comes out front page with this story about the crypto executive in Paris getting abducted and beaten in broad daylight.

I mean, I'm not suggesting that there was any correlation at all. Don't get me wrong. But the timing of that is just sort of like, holy crap. I was thinking about, wow, that's a bad breach at Coinbase.

There's a bunch of PII out there that's probably gonna come back to, you know, haunt someone. No pun intended. But I wasn't thinking it could come back to cause somebody physical harm like we just witnessed in Paris just a couple of weeks ago. Like, what's your two cents on that?

It's a good question. I I think what we saw in Paris there's actually been two very, very high profile incidents in Paris recently. One was a crypto executive who had a finger cut off while they were trying to get this crypto away from him.

The other was actually it wasn't a crypto employee or somebody in the industry. It was the daughter of a crypto executive that was an attempted kidnap. And so what we've actually seen is threat actors, start to transcend just the executives themselves and move to family members, move to other parties that are close to that individual in the, with the expectation that they'll be able to extract some type of ransom. So it's it it only seems to be getting worse. Obviously, there was another case recently in New York. There there there was a was an issue a couple years ago in Egypt with an American citizen.

This is not a new problem, but it's becoming very, very common. And I think that's where it's starting to make the media.

I recently was on Fox and CNN talking about this. They are starting to kind of publicize these issues. And one thing that I can say is kind of an industry insider and someone who isn't is advised on a lot of these security matters at different institutions is it's not just the ones you hear about. I would say there's an equal number of ones that are be being handled privately that are not making the media that don't result in, you know, breaking news CCTV coverage because it's a very dramatic event.

So these situations are starting to get taken very, very seriously, and the the Coinbase data breach is certainly going to cause an increase in these events. But then we also have to remember this isn't the first time. Right? Ledger had a data breach a few years ago with five million or so records that were leaked to include home address.

HubSpot, a Web two, non Web three, non crypto company had a data breach, I don't know, two and a half years ago. And there were fourteen crypto companies that were targeted. It was if if you actually read what happened, the threat actor gained access through phishing some credentials from a HubSpot employee and immediately went into HubSpot and basically dumped the entire CRM record for fourteen crypto companies, didn't touch anything else, and then left.

So this is this is gonna be a a bigger and bigger issue as time continues. And I think there's a lot of connectivity between the price of Bitcoin and the attractiveness of threat actors to this problem.

So so so go ahead, Chris.

You guys there? I'm here.

Was right. And you translate it into other forms of right monetary valuation.

The ability to have yes. It's an immutable record that is transferred around, but the ability to potentially get it to exit nodes to go ahead and and move around KYC and AML sanctions and all the rest. Right? It makes it even more attractive because it's an actual asset that you can go ahead and transform into something else.

It's like cryptocurrency has revolutionized the ransomware market, Whereas before it used to be that you had to go ahead and send money and items into like a Western Union or some other physical place, which first has cameras and other requirements. So it wasn't as attractive to cyber criminals. Cryptocurrency really has allowed cyber criminals to be able to egress their ill gotten gains and convert it, which is really great the hardest part. Convert it into other forms of assets.

And so it's even more attractive. I totally agree with Adam. But it's even more attractive just because of its ability to move around the world at kind of light speed.

So The one thing I the one thing I would caveat with that, because I am I I am a slightly biased crypto person, is the amount of, malicious activity that is that that crypto is used for is a fraction of the amount of malicious activity that the dollar is used for. There's far more money laundering and extortion and other types of nefarious activity with fiat, you know, national currencies than there is crypto, obviously, because there's a lot more of those in circulation globally.

But you're you're you are spot on. It does make the ability to make funds without KYC, without AML, PSA subjected to things like that. It it does make it, a a good bit easier, but you're the through the threat actor's lens, you're still gonna take a loss. Right? Laundering money through crypto is different than laundering money, you know, kind of legacy context, but you can still launder it either way.

Well, this is the thing I wanted to ask both of you. Like like, just I'm not nearly as close to this as you guys are, but I certainly, you know, pay attention to the game, so to speak, and have invested myself in crypto, but not enough that anybody would wanna hopefully kill me.

You know You should you should say that one more time and just be very clear about it.

Hopefully, nobody wants to kill me.

I guess the question is, you you know, this. There's this irony which strikes me, which is that many crypto holders, like, observing the risk in the world, have moved to cold wallets to avoid this idea of digital hacking and theft.

But but at the same time, as we're now sort of talking about, that move to cold wallets, which was designed to minimize digital risk, has increased exponentially, maybe that's overstating it, the idea of physical risk. Is that wrong? Is that right? Like and then more specifically, Chris, first you, How do you advise clients on this idea of balancing digital versus physical safety when this is the world we're living in?

Yeah. Yeah.

I mean, this is an interesting question. It's one we get a lot, and it's one where we can we see the nexus. We see the convergence When you're talking about protecting, let's just say at the essence, you want to protect yourself, your family, your way of life, money, all the rest of these things. You really have to start with privacy. Right? How are you protecting where you are in terms of your location? A lot of that is right removal from data broker websites.

You know, kind of the 411 or ZabaSearch or whitepages.com. Now that was all great advice and guidance up until really about August of twenty twenty four. Once you have one of the largest data brokers, National Public Data, NPD, have a breach and have records. There's over three hundred million records, but on two seventy unique Americans.

But once you have that treasure trove out there of every address, every phone number, every email address, and your social security number, and your date of birth out there, it is a hundred percent immutable. It cannot be removed from the deep web dark web. It is there. So it's one of the things where no matter what, a cyber criminal who's on the dark web can go ahead and grab that data store and find out where you are.

So it's absolutely now less possible to remain anonymous for almost everyone in the United States.

Obviously over time, decades, that information will burn down and become less useful, but it's gonna take decades. So what do you really have to do? Back to the top, right? Understand what that footprint is of your digital footprint.

Shrink it down as much as you can. Data of birth removal, yes. Sharing information, sharing on social media. Sharing and publicizing where you are, location and things like that in different settings.

These are things that you have to really pay attention to. Second, you're gonna need to pay attention to the cyber security of your actual device itself on top of computer and your phone number. Right? A lot of wallets are still and a lot of people are still using phone number SMS based authentication in and around cryptocurrency.

Right? Just in and around it. Right? There are nuances between different services, all the rest, but still using that.

That's an extraordinarily highly compromisable means of authenticating your account. Using, right, an actual authenticator or some type of YubiKey, physical key, passkey, or, right? And both of that plus having a cold wallet is probably where you need to be. But you gotta really advise on privacy, shrink it down for you and your family members.

If you got a family of four and you only do it for one person, it might kinda doesn't matter. It's like it's like if only one person gets a flu shot and someone gets a flu at Thanksgiving, doesn't matter that right? One person got flu shot, everyone's gonna be basically walking away with the flu. So you gotta inoculate yourself there and really shrink that attack surface.

Watch what you're doing in terms of social media and all rest. Watch how you're protecting your devices and accounts, right? And accounts. And it may be something where people say, well look I was protecting my account.

Well, but did you protect the email that actually is associated with the account? Where you have the initial keys, initial implementation, initial setup, and you can get a lot of great information from that. And it'll probably allow for an attack to be more successful, especially human engineering attack. So you have to do those and think about those layers.

And then of course, look, the fact of the matter is you are going to know the value or worth of what you have in your wallet.

And if it's a million, if it's ten million, if it's twenty million, if it's whatever, you know your assets under management.

If you're entering a place where you are an attractive target, you need to take some some measures, some steps to actually protect you and your loved ones from a physical security perspective. Right? You know, the the old guns, guards, gates, yeah, it still rings true in terms of how you trimming the bushes, lighting, cameras, passcodes, different ways of coming in, who's in your house, do you have cleaning services coming in, how you doing construction. All the rest of those types of things are important.

They're they're right necessary. They're not sufficient in terms of covering off this risk. You'd have to do a few other things. Change a pattern of life, not getting the same coffee down the road in New York City that you always go to each and every morning.

All these are things that do require some consulting, some analysis, some risk assessment on the physical side, not just digital. That's right. It's really the convergence now.

Interesting. Sobering for sure. Adam, what's your take?

I probably couldn't have said that better myself, and I think Chris did a good job of covering the A through Z list of things.

What I would say is, like, you know, we have to you know, a lot of times in the cybersecurity context, we have this we we use the term assume breach. Right? If if we assume there's a data breach, here's how we protect our data. Here's how we protect our system with layers of defenses, etcetera.

And I think the way Chris laid it out is is very accurate in terms of how do you layer those digital defenses and then also those physical defenses.

And varying pattern of life, one of the things that we preach, in in part and parcel to that to to folks that we're advising or or or executives that we know is just general situational awareness. Where are you going? When are you going there? You know?

Or is your is your head down on your phone? As you're walking through the parking lot? You know, make yourself look like less of a victim. A good friend of mine used to always talk about if you go to the, you know, the plain the the great plains of Africa and you look at the, the the the prey.

All the prey have their heads down and are looking at eating at grass, you know, eating the grass, and their heads are down. Looks a lot like a human on a phone walking through a dark parking lot. What do all the predators look like? Right?

All the predators have their eyes up. They're looking around. They're seeing what's going on. They're using their binocular vision, and they're they're aware of their surroundings.

A lot of times to avoid becoming a victim, you just have to not look like a victim. And and having that situational awareness is something that we've been preaching a lot because of the reality is not everyone is, you know, able or not everyone's company is willing to fund executive protection and home security audits and all of these things that the the kind of upper echelon of those within crypto do, on a regular basis. So you kind of are it's up to you to keep yourself and your family safe. It starts with that digital side, keeping your address, your phone number, those things less accessible to Chris' point.

It'll never be totally unaccessible because of the breaches that have happened.

But but how do you make it less accessible?

And then how do you build those layered physical defenses?

I think the the sad reality I hate to be the the the doomsday person around on this on this particular discussion. But the sad reality is if you're a tornado hit by an even moderately sophisticated bad actor, you're probably going to have a really bad experience without a lot of rigor to build that insulation, around you. Because most folks are just simply not able to isolate their their data and build those layered physical defenses to prevent against even a moderately sophisticated bad actor.

So my question to both of you is is kind of this. I mean, again, I I've been in this industry for twenty, twenty five years. I've been to, I don't know, fifteen RSAs. I know that both of you have done the the same, and and, you know, sometimes I just feel like we're all on a treadmill, and we're working really hard to minimize risk and theft and bad things from happening.

And I don't know how successful we're being, like, collectively as an industry. Are we really moving the needle, or are we just kind of, like, slowly walking backwards on a treadmill and going nowhere? I guess my question to both of you is this. Again, not not being sort of like the doomsday or just negative, but how much of what we're seeing right now with all of this that we're talking about is really new versus, like, this is just the same old, same old that's been out there for decades and decades.

You know, you talked about, Adam, you talked about, you know, what's happening with crypto in the margins of nefarious stuff is fraction of what's happening with fiat currency. And so is it is it another way of saying, well, what's happening today with respect to bad actors doing bad things around crypto and and the the blurring of the line between physical and digital risk is just just people being bad? I mean, is it the world really changed, or is this just more of the same?

I think the big difference here, and this is an analogy I've used a few times now, is let's say you were looking to rob someone fifteen or twenty years ago. Right? You could potentially get the amount of money they had at their home, which was probably not a lot from cash. You might be able to convince them to put some do an ATM withdraw if you you help if you take a new an ATM.

But most banks are, you know, two, four, five, six hundred dollars is the max you can withdraw. You could rob a bank. You could risk a silent alarm getting into a shootout with the police. Banks don't have a lot of money in them anyways.

You could, you know, may maybe a couple hundred grand. You could rob a convenience store considerably less and maybe even a higher risk profile than robbing a bank. Now you can rob a soft target, a human. Right?

A human is probably the weakest link in this entire situation because, you know, you use the the wrench attack metaphor. And, you know, it's for those that are uninitiated to that metaphor, it's essentially, you know, I don't have to beat the safe or the vault or the, you know, the the locks. I just have to hit you with a wrench enough times until you give me the code to it.

And, you know, so now you have this paradigm where you can directly target the human that has access to those assets. And what we have to remember is that hardware wallet, that mnemonic that you have in your head, those twelve words that you have in your head, which allow you to restore wallet, that passphrase that's written down at home, that's a bearer instrument, and that bearer instrument gives you access to potentially millions of dollars. So now from the eyes of a bad guy, the risk versus reward kind of calculus, it's it's a lot easier to potentially get a big payday by just going after that really soft target.

Yeah. I mean, it's interesting how Adam puts that. And I think there are two two different parts to your question, Matt. One one is on the, hey. You know, are we where are we at overall in terms of the kind of the attacks controls and all the rest.

And then the second, is worthwhile to spend some time on. You know, really at the end of the day, in order to go ahead and get all of somebody's assets or a significant amount of somebody's assets to Adam's point, you you have to kind of kidnap them, bring them to the bank and the bank is the one in control of the actual safe deposit box, the right? The access and all the rest. It's that really that third party. It's like I don't have access into the vault. Yeah. You gotta go rob the bank and put on explosives and do some type of George Clooney and Matt Damon magic and and and all the rest.

And what wallets and the introduction of crypto have really done there is actually, right, diversify that and spread those bank vaults out to your phones, your devices.

Everything is within your control. Everything.

Access into your account is within your control. Access to if you're doing a best practice and you have an encrypted password or something blah is in your control.

Unlocking your phone, the biometrics there within your control. Right? Knowing to see where passphrase and all the rest in your control. And if you have a cold wallet, it's inside the safe. That's literally the the passcode that you know once again in your control. So none of those types of facts are gonna defend against whether it's cold, warm, hot, dual-factor authentication, YubiKey, you are the individual that can compromise or give up access to everything.

And it's really, really interesting because that means that you are the person to attack either digitally or physically. Right? There is nobody else to attack there. It's you.

So that's first and foremost. Second, just overall in terms of like making yourself a harder target to hit and kind of making things a little more complicated. Right? As an industry, we really need to right.

Look. Let's get rid of SMS authentication on any and all wallets and crypto and all the rest. It's just simply not something that's acceptable. Let's mandate that it be an authenticator or perhaps some other type of key.

Let's also put in controls on the back end so that you have to have a double triple verification system to actually do the movement, in some form or fashion. I'm not saying that, right, I haven't seen these before that some people don't have. But but like are we doing something it's like with Apple's iPhone. If you turn on stolen device protection, right, it used to be that you get, right, you put something in someone's drink or you see what their code was at the bar, you know, and you go ahead and you replicate it.

They're a little bit tipsy and then you steal their phone, you walk down the road, you put in the same digits that you saw. Well, you could get away with whatever is on their phone and they access whatever is on their phone. Now with stolen device protection, it makes it a little bit harder because even if you do enter in that, you know, six digit code, four digit code that you shoulder surfed and then stole a phone on, if you turn it on, when you change your distance, when you change your geography, it may prompt for that face scan, for that biometric.

And so once again third parties have stepped in here to try to increase the level of controls, increase the friction when there are major items, major events that are happening on that device.

I think this is one that's going to be solved through or it's going to be mitigated or better solved through education at the wallets and crypto and that whole area. Some changes in terms of increased friction of, right let's get rid of SMS, let's get rid of some of the low hanging fruit there.

Let's make sure that we're comparing hashed passwords so we can make sure they weren't on a dark web, data breach type of list. Let's do some of those things and do them for the client. Second, let's make sure that we make people aware of different things that they can or should be doing. And then we're gonna have to make sense with the fact that at the end of the day, compromising an individual or a family member there is actually something that can compromise that entire ball and think that through really, really carefully. I mean, it's just a changed it's really a changed migrated, you know, kinda risk dynamic is what we're talking about.

I just and I was just one thing to that. So everything Chris said around the other, like, a third party having controls that help you minimize your risk, that is very true in the crypto industry for custodial accounts. So if you're using Coinbase, if you're using Kraken, you're using BitGo, you're using OKX, you're using custodial accounts, they're using Auth0. They have breached password detection.

They force hardware type, you know, passkeys or YubiKeys is the primary, and then it's, like, a really difficult process to get to SMS. And, like, it's only, like, after you click, I accept this risk thirteen times. So, like, there's a lot of and in my I would actually say, much better security controls around those services that are custodial than you would find at most banks, especially most regional banks. And, you know, for Coinbase is a good example.

Right? They have volume and velocity limits. If you've updated your wallet allow list recently, then you have seventy two hours before you can transfer funds out. And, like, there's a lot of sophistication around ATO, account takeover, around fraud detections.

But it's when you get into those self custody assets. Right? You have the hardware wallet at your house. You have the paper wallet. You have MetaMask in your browser. Now there's no third party that acts as an additional control buffer, and it really is, you know, for lack of a better term. The lawyers don't like this when I send this, but you are your own bank in those cases when you're doing self custody.

Right. So those are the cases, I think, where folks have the most risk. And the paradox there is kind of unfortunate, which is you've all probably heard the not your keys, not your crypto, right, which is basically a call to action to self custody.

Well, a lot of your OG crypto folks, a lot of your, you know, folks who've been around a while, they really adhere to that ethos.

Now you've now just created this different where you've traded one set of risks for a different set of risks, and now that's where we are with all of these physical attacks happening.

You mean, it's literally insane, but the fact that we're having this conversation and just a small little anecdote, you know, I just recently, you know, had a kid graduate college. There was some money left over in their five o whatever account, and I wanted to move the money from that account to my youngest who's now in college to help pay for their college. And the process of doing that with the bank was so unbelievably painful. And the regulatory, the security, just and look, it's my money. I should be able to move it, but yet it was months in the making, and there's a long drawn out story there I won't bore you with. But, you know what, never did I think for a second I'd be better off with that money stuffed under my mattress. And that's exactly where we are, you know, to a certain extent, where everybody is their own bank. Let's stuff our crypto under our mattress and hope that things, you know, are better off in that context because not my keys, not my crypto is the ethos.

I don't know. I mean, maybe the world's gonna change and come off of that because of what we're now seeing. I don't know. But...

This is actually one of the problems that we're so at Station 70, we built some institutional products.

That was our first set of products that we launched, around key security, key management. This summer, we're actually releasing a new app that has some, like, duress protocols, panic protocols built in. It's not a wallet, but it's a security wrapper that you can integrate to any of your self custody wallets. Because, again, no one's really built some of these security tools that we would take for granted using your example in the traditional finance sense where, yeah, it might be high friction, but, like, it definitely was safe probably when you transferred that balance. Like, you it happened, and it worked.

Exactly.

Yeah.

Yep. Well, we are running up on time. I have one final question for the two of you. And, again, I wanna thank you both for being here.

It's just incredibly interesting timing, and you guys are both world class experts. So grateful to have this chat. I wanna know what do you think about going forward. Like, if you add as you think about the world today and you think about the next, I don't know, six months seems like a lifetime, but maybe next six to twelve months, what do you think the world looks like six to twelve months from now?

And do you think that, you know, there's an opportunity for us to collectively take, you know, the advice, for example, something Chris offered? Like, let's just not support multifactor authentication via SMS text. Don't do that. That's stupid.

Like, how much can we move the needle between now and a year to kinda change the equation and maybe, like, authentically improve the quality of security and privacy and protection for people, you know, who happen to be owning these assets?

I think, I mean, there's a multitude of things. Let's separate things out here. So first of all, you have a large number of venture capital funds that have backed, let's just call folks in crypto, whether it's wallets or crypto, it doesn't matter. Right? That have backed folks in that ecosystem.

Many of those individuals and those firms are being and have been targeted. So we need to, right, really think about what's right for that ecosystem in terms of maybe turning it down a notch, being more aware. Second, we need to talk about the folks that are actually executives at cryptocurrency wallet, institutions, or associated with it. Right?

Anywhere that there's a chain there that are associated and what's right for them. Just basically being in the mix. And then of course, so third area, Matthew, as you mentioned, the actual users of customers of. And let's dive in there a little bit.

I think there are a lot of things that need to be done. You know, there needs to be increased education that is simple, easy to understand in terms of best practices, number one. Something that's very, very short. We're talking sixty to ninety seconds.

People aren't gonna pay attention to more than that. Second, we need to really really fundamentally change how access works and to any of the vaults, to any of the wallets, to any of the crypto.

And doing things like turning off SMS abilities, like absolutely part of the mix.

Perhaps proving right that your password, the current one you're using, is not something that has been hashed before on dark web, deep web, treasure troves, is interesting. Making sure perhaps that, right, you have to have, right, IP addresses logged in and lack of variance there, so you know where you're traveling or where you are at, and take people off of VPNs, so you actually have a one to one. There's a whole bunch of like essentially identity theft red flag rules, types of things that you can do that are implemented right now for credit card transactions, stepped up authentication, and all the rest.

But if we can slow down time a little bit through controls, right, not to such a high friction level, but through controls there, I think we're gonna be better off in terms of actual users. I do think that there's a responsibility that many companies do have in terms of the education there, especially as it relates to, hey, it's your fingerprint that's being used here at some of the risks. It's your cold storage, and here's some of the risks.

Put this in your safe, and then what are the risks associated with that? But then we gotta bring our family members along too. Right? It's not just about us. It's about the entire family. And it's about making sure that quite honestly, if you're one of the people that has a large amount of assets under management that are involved in this area, you're quiet about it.

You're not out there.

Right? You're not out there. I think there was a story where Mark Cuban had lost some nine hundred thousand dollars in some type of a crypto scam. I mean, look, we can turn this down.

We don't have to announce, right, to everyone what we're doing in this space, and help make us a bigger target. But there's a lot there. I just think we really need to get the conversation started, and then we're gonna come up with the right types of controls. Some of the ones I mentioned may be good, may be valid.

They may be things that add too much friction, but we should really, really sit down and have a conversation on this.

Okay. Last thing, Adam.

Is part of the answer what's happening now within Washington and the Trump administration and sort of the idea that crypto becoming, I'll call it, normalized from a regulatory perspective? I mean, is the world better off when banks are basic when when Mastercard I'm making this up. But when Mastercard and Capital One are in the crypto business, does the world get better? I mean or or not?

That's a of course, you gotta give me this regulatory overlaid question.

Here. I don't know if it gets better.

Well, listen. A lot of people in Washington right now with the current administration are talking about crypto. That's all I'll say.

Yeah. I know. I've been to a few of these events. I think I don't know if it gets better.

I think that there's a lot that could be done around Bitcoin in broader financial industry, financial services. I don't know that the government should be involved. But we just have to remember that Bitcoin was started as a direct reaction to the two thousand eight crisis that unfolded. Right?

The genesis block of Bitcoin has enshrined in it a counterpoint to the headline. And I forget it all right now, but it's basically around the banks getting bailed out again. Right? And I think we have to think about that.

I don't know that it gets better. I think that there's a lot that could be done around stablecoins. There's a lot of people you see talking about stablecoins. I think that helps things get better.

Right? If we think non Bitcoins, like, let's talk stablecoins that are US dollar denominated, that's a very good way for us to export soft power to areas of the world that wanna transact in dollars without having to hold dollars or have US bank accounts. So I think that could be better. I'm a bit dubious on the, like, Bitcoin strategic reserve thing.

I don't know how I necessarily feel about that. I'm probably leaning more towards not supporting that.

This is so we'll see how this stuff plays out, but I definitely think there's something around soft power deduction with stablecoins and automated in buyers.

Wow. Well, that was a fun forty five minutes.

I really appreciate the two of you for being here today, and I hope that anyone who has the opportunity to watch and listen to this particular episode of Hash It Out, you know, learn something. I know I did for sure, and thank you both for being here.

Thank you. It was a great conversation, great debate, and, look, really, really timely and important.

Yeah. Glad to be here. Appreciate we got this together.

Yeah. Alright, guys. Have a great day.

Thanks for listening. If you enjoyed this episode, leave us a five star review, and don't miss us the next time we hash it out. Like, follow, and subscribe to us on YouTube, Spotify, and Apple Podcasts, all linked below.