Jameson Lopp: Self-custody is essential to avoid third-party risks, phishing attacks are the biggest threat, and a three-wallet system can enhance security | Bankless

Key takeaways

• Self-custody in crypto is crucial to avoid reliance on third parties, which pose significant risks.
• Privacy acts as the first line of defense in crypto security, preventing further attacks.
• Physical attacks on crypto holders are increasing, highlighting the need for enhanced security measures.
• Trusted third parties remain the primary threat to crypto holders, overshadowing smart contract risks.
• Economic pressures on crypto companies may reduce the frequency of smart contract audits, increasing investor risk.
• Phishing attacks are the most common threat to individuals managing their own crypto assets.
• Digital security must be prioritized to counteract the high probability of phishing attacks.
• Scammers impersonate reputable brands to trick users into granting permissions, leading to asset theft.
• Physical threats, including home invasions, are a significant risk for crypto holders.
• Malware targeting devices that secure private keys poses a major threat to wallet security.
• Social engineering is a common tactic in phishing attacks, emphasizing the need for user awareness.
• A three-wallet system is recommended for managing risk in crypto transactions.

Guest intro

Jameson Lopp is Co-Founder and CTO of Casa, a Bitcoin security company specializing in key management solutions. He previously worked at BitGo, where he enhanced multisignature security services that now secure 20% of all Bitcoin transactions. Lopp also created Statoshi, a platform monitoring the Bitcoin network for attacks.

The threat of third-party reliance in crypto

• “The biggest threat to crypto natives is reliance on trusted third parties and not taking custody of their own assets.” – Jameson Lopp
• Self-custody is emphasized as a critical security measure to mitigate risks.
• “Privacy is the outermost layer of security in the crypto space.” – Jameson Lopp
• Physical attacks on crypto holders are gaining attention, highlighting a new security concern.
• “The primary threat to crypto holders comes from trusted third parties rather than novel smart contracts or branch attacks.” – Jameson Lopp
• Economic pressures may lead to fewer smart contract audits, increasing risks for investors.
• Phishing attacks are the most probable threat for individuals managing their own crypto assets.
• Digital security should be prioritized to protect against common threats in crypto.

The rise of physical and digital threats

• “Scammers often impersonate reputable brands to trick users into granting permissions that allow them to steal assets.” – Jameson Lopp
• The most dangerous course of action involves potential physical threats to individuals and their families.
• Attackers often use malware to compromise devices that secure private keys, leading to potential wallet theft.
• “Almost all phishing attempts involve elements of social engineering.” – Jameson Lopp
• Combating digital threats in crypto requires simplicity and minimizing attack surfaces.
• Users should segregate their crypto wallets based on the amount of funds and risk involved.
• Avoiding on-chain activities entirely may not be the best solution to mitigate risks.

Managing crypto security through wallet strategies

• “A three-wallet system can help manage risk in crypto transactions.” – Jameson Lopp
• Simply owning an ETF instead of participating in crypto activities defeats the purpose of owning digital assets.
• Properly managing private keys and seed phrases can significantly reduce the risk of losing crypto assets.
• Users should avoid keeping all their crypto assets in one wallet to mitigate risks.
• A good wallet segmentation approach involves using a hot wallet for small amounts and a cold wallet for larger holdings.
• Social engineering is the most common form of attack against crypto holders today.

The importance of self-custody and security measures

• “Individuals must recognize the responsibility that comes with taking custody of their crypto assets.” – Jameson Lopp
• Operating a crypto wallet requires peak cognitive condition to avoid costly mistakes.
• Transactions involving on-chain assets should never be rushed, especially under emotional stress.
• Most communication channels lack authentication, making them vulnerable to impersonation.
• “I don’t trust any incoming message that seems fishy.” – Jameson Lopp
• Using shared insider knowledge for authentication is more reliable than random words.

Enhancing security with physical and digital measures

• “It’s safer to log in directly to websites rather than clicking on links in messages.” – Jameson Lopp
• Password managers protect users from various types of phishing attacks by ensuring credentials are only autofilled on legitimate websites.
• Investing in a hardware security key like a YubiKey is a wise decision for anyone involved in crypto.
• SMS for two-factor authentication is highly insecure and should not be used.
• Yubikeys provide superior security for two-factor authentication by storing secrets on the hardware device itself.
• Email accounts are the most critical aspect of most people’s digital lives.

Addressing privacy vulnerabilities in the digital age

• “Investing in security measures like passkeys and YubiKeys will become essential for everyone in the future.” – Jameson Lopp
• The goal of security is to have better defenses than potential attackers.
• Using a separate machine for signing crypto transactions is a foolproof method to enhance security.
• The number of violent in-person attacks targeting individuals with digital assets is increasing.
• Attackers are identifying potential targets by monitoring their digital presence and wealth indicators.
• The digital age has created significant privacy vulnerabilities for individuals.

Organized crime and cross-border threats

• “Attacks on crypto figures often involve kidnapping for ransom.” – Jameson Lopp
• Dubai has the highest rate of rich attacks due to high-value face-to-face OTC trades.
• Corruption within tax authorities can lead to the exposure of individuals with crypto assets to organized crime.
• Organized crime often involves a remote mastermind who coordinates with local criminals.
• Organized crime is leveraging cross-border jurisdictional arbitrage to conduct attacks on crypto holders.
• Attackers can easily pinpoint a victim’s physical address through various data leaks.

Preventing physical and digital security breaches

• “Preventing oneself from becoming a target is crucial in mitigating risks associated with physical home invasion attacks.” – Jameson Lopp
• Rich attacks can occur even when assets are held with custodians, not just in self-custody.
• Ransom attackers have a greater than 50% success rate and are able to steal tens of millions of dollars annually.
• To prevent a wrench attack, one must eliminate themselves as a single point of failure in their security setup.
• A distributed key system enhances security by using multiple hardware devices from different manufacturers.
• Public permissionless networks can achieve security models that surpass traditional institutions like banks or Fort Knox.

The role of multisig and decentralized security

• “Using air-gapped devices like ledgers and treasures is crucial for protecting crypto keys from online attacks.” – Jameson Lopp
• The biggest risks in self-custody are not from hackers but from mistakes and environmental failures.
• Multisig setups provide flexibility and redundancy in key management, reducing the risk of catastrophic failure.
• Decisions about key distribution in crypto involve trade-offs between convenience and security.
• Distributing keys across various locations enhances security but can be inconvenient.
• Physical safeguards and multi-signature setups are crucial in preventing successful wrench attacks.

The future of self-custody and financial sovereignty

• “Vitalik Buterin’s multisig setup incorporates a social recovery mechanism to enhance security.” – Jameson Lopp
• If the success rate of attacks drops significantly, attackers will find it less profitable to conduct home invasions.
• Becoming a hard target is crucial for personal security.
• Reinforcing home security can significantly delay unauthorized entry.
• Most American home construction uses inadequate materials for security.
• Home defense requires a strategic approach to weapon accessibility and safety.

Enhancing privacy and security in crypto transactions

• “To enhance on-chain privacy, it’s important to use new wallets funded from different exchanges than those used for previous wallets.” – Jameson Lopp
• Using mixers for privacy can lead to compliance risks and unwanted associations.
• For strong privacy, it’s better to use crypto designed with privacy features at the protocol level.
• Privacy in the crypto industry is currently inadequate and poses significant risks.
• Using exchange API keys in tax software can lead to security vulnerabilities.
• The responsibility of managing private keys can feel overwhelming and may deter some from self-custody.

Balancing convenience and security in self-custody

• “Self-custodial crypto may still be the end game despite current setbacks.” – Jameson Lopp
• Self-custody in crypto empowers individuals by allowing them to take control of their finances without relying on external authorities.
• Human nature tends to favor convenience, which complicates the adoption of self-custody in finance.
• Self-custody in crypto must be made more convenient to prevent users from outsourcing their control to third parties.
• Empowering individuals through public permissionless protocols is essential for achieving financial sovereignty.