The crypto conundrum: lost passwords and tightening regulations

Back in January, the New York Times published the article “Lost passwords lock millionaires out of their Bitcoin fortunes”. Since then the story has gone viral.

The highs and lows of Bitcoin have been well documented - the value of Bitcoin rose roughly 224% in the year 2020. But what hadn’t come under such scrutiny (or at least until the NY Times broke the story) was the question: what happens when you forget the password to your digital crypto wallet?

The lost password worth $220 million

For any readers who haven’t heard of Stefan Thomas, here’s a quick recap of his story.

Thomas is the man who has two guesses left to figure out the password to his IronKey, a small hard drive that contains the private keys to his digital wallet. A wallet that contains 7,002 Bitcoin, which at the time of writing is worth around $220 million. The problem is, Thomas can’t remember what the password is. 

It’s likely you know that head-scratching, ‘what’s my password’ feeling well. You try different combinations of your most frequently-used passwords to no avail, until the account locks you out for ten minutes, or points you to reset your password, or to get in touch with your system administrator. 

Except your guesses probably aren’t worth $220 million. And even if you do get locked out of an account, there’s normally a way around it.

But with an IronKey, there’s no reset button. There’s no helpline to call where someone can help unlock your account. An IronKey gives users ten guesses before it seizes up and encrypts its contents forever. Thomas has already used eight of his guesses, unsuccessfully.

What the cryptocurrency system didn’t account for

The nature of cryptocurrencies, which made them so attractive in the first place, is now working against some crypto owners. Traditional bank accounts and online wallets like PayPal can provide people with a way to reset lost passwords, or re-access locked accounts.

But Bitcoin and decentralized crypto exchanges don’t provide this service. Part of the original idea behind cryptocurrencies like Bitcoin was to allow anyone in the world to open a digital bank account and hold the currency outside of traditional government oversight or regulation. Essentially, the system allows anyone to create a cryptocurrency wallet without registering with a financial institution, or going through an identity check.

It’s ironic, then, that a currency that was meant to operate outside of regulation and restrictions, to make financial systems more accessible, has this flaw. Because Thomas isn’t alone. Around 20% (roughly $140 billion worth) of all existing Bitcoin is thought to be in lost or inaccessible wallets, according to cryptocurrency data firm Chainalysis.

The structure of the cryptocurrency system clearly didn’t account for just how bad people are at remembering and securing their passwords. 

Cryptocurrencies defy regulatory norms, but is this changing?

The anonymity of cryptocurrencies doesn’t just create a problem with lost passwords. A lack of identity checks provides the perfect opportunity to launder money. And this makes cryptocurrencies attractive to criminals. Analysis suggests that criminals laundered $2.8 billion in 2019 using crypto exchanges.

This might only be a fraction of all cryptocurrency transactions, and there are plenty of other routes criminals take to launder money, but it’s still brought cryptocurrencies under the scrutiny of regulators. Crypto is still a relatively new space. Regulations around the different ways to buy, hold and trade are fragmented and often confusing. They differ between countries and regulatory bodies.

And regulation also varies between centralized exchanges (platforms and apps that enable traders to buy, sell, and exchange cryptocurrencies against fiat currencies or other cryptocurrencies) and decentralized exchanges (which allow for direct peer-to-peer cryptocurrency transactions). Decentralized exchanges pose a particular challenge for regulators.

A 2020 study by crypto intelligence firm CipherTrace found that over half of the world’s cryptocurrency exchanges have weak or deficient customer identification and know-your-customer (KYC) processes in place.

And the same study found that 81% of decentralized exchanges had weak, or no, KYC practices. Because of the nature of decentralized exchanges, the implementation of KYC processes has largely been ignored so far.

But with more regular scrutiny of cryptocurrency exchanges likely, this could change. So, given that regulators in both the U.S. and Europe may be turning more of their attention to cryptocurrencies, what can crypto exchanges do?

The next step for cryptocurrency exchanges

Cryptocurrency exchanges should look at implementing anti-fraud and AML systems more broadly. This could include better KYC, sanctions screening and customer identity verification processes.

While it does add an extra step to customer onboarding, identity verification has its benefits. It will not only satisfy regulator scrutiny, but will also create more trust with customers. The cryptocurrency space is still relatively new, but is only growing in popularity. As interest in the industry grows, so will interest in the safest and most secure ways to purchase, trade and hold cryptocurrencies. 

To remain competitive, exchanges should make trust, security and user experience their priority.

And what about Thomas? Well, he's still lying awake at night trying to think what the password to his IronKey might be. But he has lost some of his enthusiasm for the idea that people should be their own bank. 

This whole idea of being your own bank - let me put it this way: do you make your own shoes? The reason we have banks is that we don’t want to deal with all those things that banks do.