Unlike government-backed currencies, digital cryptocurrencies are transmitted over blockchain networks and are stored in digital wallets called cryptocurrency wallets or crypto-wallets. As media for storing cryptocurrency, these wallets are a requirement for many participants in a public blockchain network. Internal auditors should be aware of the risks as well as the security and fraud implications of this technology.
A crypto-wallet is to a blockchain network what a traditional bank account is to a bank. It monitors and keeps track of cryptocurrencies within it by processing transactions in a cryptographically secure manner. This enables transactions to occur between parties without the need for a financial intermediary such as a bank.
An important feature of crypto-wallets is their pseudonymous nature. Participants on a cryptocurrency exchange can see the inflow and outflow of transactions contained in a crypto-wallet, but they cannot see the personal details of the wallet's owner. Although this feature is great from a security perspective, it becomes a major stumbling block when it comes to cryptocurrency fraud investigations.
For example, in March some victims in Vancouver, B.C. lost approximately $2 million to a blockchain fraud in the space of a week, according to Global News. The pseudonymous nature of crypto-wallets makes it a herculean task to investigate or even identify the culprits. Therefore, users must follow predefined security measures to protect private keys from cybercriminals.
Crypto-wallets fall into two main categories: cold and hot wallets. Cold wallets are commonly used to store cryptocurrencies for longer periods with no internet connectivity, thereby offering better security. Hot wallets, on the other hand, require internet connectivity and thus present a higher risk. A hot wallet is easier to set up and can be used for daily transactions, including frequent cryptocurrency trades. Under the cold and hot wallet categories, there are several types of crypto-wallets available.
Hardware Wallets
A hardware wallet is a portable device, such as a USB flash drive or any external storage device, that can store public addresses and private keys. Ledger Nano S and Trezor Wallet are some prominent examples of hardware wallets. These tools are quite secure and possess recovery capabilities. If the personal identification number (PIN) of a device is missing or forgotten, the user can retrieve the cryptocurrencies stored within the wallet by following the predefined recovery steps, thereby avoiding the need to reset the device or PIN. (Cold wallet)
Desktop Wallets
Desktop wallets are applications installed on an internet-connected computer's operating system that offer a user full control of the crypto-wallet. Desktop wallets store a user's private key and act as an address for sending and receiving cryptocurrencies. Common desktop wallets include Bitcoin Core, Electrum, and Exodus. (Hot wallet)
Mobile Wallets
Mobile wallets are designed for smartphones but work like desktop wallets. For transactions, mobile wallets use QR codes with the private key being stored in the application software. The private keys can be retrieved if the software is compromised. Coinomi and Mycelium are two examples of mobile wallets. (Hot wallet)
Web/Online Wallets
Just as their name implies, web wallets make access to cryptocurrencies possible via the use of a browser or a smartphone. Since the web wallet stores the private key in an electronic form, the wallet must be selected carefully. Coinbase is a popular example of a web wallet. (Hot wallet)
Paper Wallets
The private and public keys are printed on paper and must be entered manually or by scanning their QR codes. (Cold wallet)
Due to the lack of intermediaries on various cryptocurrency exchanges, crypto-wallet users are strongly advised to keep their crypto-wallet private keys secure. The loss of a crypto-wallet account's private key may result in a permanent loss of cryptocurrency funds for the wallet owner. With the increasing popularity of blockchain technology and its various e-commerce uses, internal auditors should develop a good understanding of various crypto-wallets' attributes and limitations.
Shaun Aghili, DBA, CIA, CRMA, CISA, is a professor of management and a blockchain researcher in the Master of Information Systems Security and Assurance Management programs at Concordia University of Edmonton in Alberta.
Moyosore Grace Adeyemi is a blockchain technology graduate research student at Concordia University of Edmonton in Alberta.
Mahakpreet Singh is a blockchain technology graduate research student at Concordia University of Edmonton in Alberta.