How merchants deal with cryptocurrency risk
In one homebrew supply shop in San Dimas, Calif., customers can pay for their hops with bitcoin — a move that sets the store apart from its competitors, but that some security experts warn may introduce a whole new category of fraud for the merchant to deal with.
Before he opened Pacific Brewing Supplies, owner Charles Toepfer was a software engineer. So, accepting cryptocurrency as a method of payment was a logical choice.
While he knows the risk of fraud exists, Toepfer said he hasn’t experienced any and isn’t overly worried, given the small size and rarity of his typical cryptocurrency transactions.
As other businesses follow Toepfer’s example, security experts say merchants need an increased focus on the ways that fraudsters might try to exploit them.
For his part, Toepfer relies on cryptocurrency payment processing company Bitpay to handle his transactions, mitigating much of his fraud exposure.
Jeremie Beaudry, part of the compliance, legal and regulatory affairs team for Atlanta-based Bitpay, said that their fraud protection is a strong motivation for businesses to sign up.
Businesses that accept bitcoins typically deposit their cryptocurrency into a digital wallet. Those wallets are on the front lines of fraud defense.
Wallets can take many forms but are typically either a “hot” wallet — one that is hosted on an internet server or network-connected device — or a “cold” wallet that is stored offline to protect it from attacks.
Both types of wallets present unique vulnerability points for theft, loss and fraud.
“The key really comes down to how you will protect your private key,” said Al Pascual, senior vice president of research and head of fraud and security for Javelin Strategy and Research in Pleasanton, Calif.
Merchants should follow all the best practices that consumers with significant cryptocurrency holdings should follow, including encrypting their keys and considering multisignature wallets and dual-factor authentication.
If only one person is required to sign off and provide the private key for large transactions, businesses run the risk of embezzlement, phishing and social engineering attacks, Pascual said.
Businesses that use payment processors to handle their cryptocurrency transactions typically rely on hot wallets. In the case of hot wallets, there are two types to choose from — custodial and noncustodial wallets.
Custodial wallets keep all your data for you. Noncustodial wallets rely on you to store your private information and keys. If you use a noncustodial wallet and you lose your key, your coins are permanently lost with no chance of ever recovering them.
But if merchants rely on a custodial wallet and their payment processor holds all their customers’ keys, the processor becomes a juicy hacking target. If they get hacked and the client’s key is compromised, that money is gone without hope of recovery.
Only one processor — San Francisco-based Coinbase — currently offers a guarantee to return money lost in a hack.
Despite the risk of leaving keys in the hands of a third party, most businesses will end up opting for a custodial wallet, Pascual said. “As a rule, people don’t want to have to manage that stuff,” he said.
And then there is the risk of old-fashioned theft.
“God forbid someone holds you at gunpoint and makes you send them your private keys,” Pascual said.
He likened having millions of dollars in bitcoin keys to stashing that much cash in your back office. “If everyone carried $2 million cash in suitcases, there would be a lot more muggings,” Pascual said.
Interestingly, cryptocurrencies actually protect merchants from one traditional form of risk — chargebacks. Because there is no central processor handling the cryptocurrency transactions, there is nobody who can force a refund.
But that is not to say there won’t be chargebacks in the future. Governments have taken note of cryptocurrencies and their use in money laundering and transactions of illegal goods, which has thrown their future into question.
“Right now if criminals use stolen or misused crypto at your site, it is unlikely anyone will come calling and ask for it back,” Pascual said. “But in time, that might be the case.”
If a merchant sells large-ticket and hard-to-trace items such as electronics, gift cards or jewelry, fraudsters might pay using a coin that was previously associated with the darknet — potentially triggering a federal Suspicious Activity Report and drawing the attention of the Federal Financial Institutions Examination Council.
“One day you may find yourself in the situation where you have accepted stolen crypto. Right now we don’t know what that means, but a process and legal framework might emerge where the victim can claw back the payment,” Pascual said.
There is still a lot of ground to be covered and precedent to be set, Pascual said.