
Safeguarding your digital assets

PARTNER CONTENT

Cactus Custody provides secure, transparent, and efficient custodial services for institutional clients, and currently safeguards billions of dollars worth of digital assets for over 300 clients. Here, the team highlights key security vulnerabilities and how institutions can mitigate their digital asset risks…

What common security practices should institutional users actively avoid to enhance their security posture?

Certain “safety habits” may seem secure but can pose significant risks. For instance, using SMS for two-factor authentication (2FA) is highly vulnerable to attacks such as SIM card swapping, fake base stations, redirection, malicious apps, and operator leaks. A more secure approach is to use hardware security keys (Ukey), followed by passkeys, and authentication apps like Google Authenticator.

Storing passwords in browsers is to be avoided. If a browser is compromised, all stored passwords become exposed. Using a dedicated password manager like 1Password, which stores data separately from browsers, reduces potential attack surfaces and is similar to how Cactus Custody’s security plug-ins operate, securely storing private keys in isolated data centres rather than within the browser.

Many mistakenly believe that storing private keys on hardware guarantees security. A friend lost access to 150 bitcoins because the hard drive containing his private key became damaged over time. While multiple backups seem like a solution, they also increase the theft risk.

Which major security incident in the history of the blockchain industry has impressed you the most?

The Mt Gox hack is a significant security incident due to its profound impact. When news of the hack spread, many investors lost faith and began selling their assets. This incident prompted deep reflection among network security professionals. The hack exemplified a transaction scalability attack, revealing critical failures in several areas, including inadequate separation of hot and cold storage, insufficient implementation of strict risk control measures, poor maintenance of internal security, and a lack of transparency.

What are the key security vulnerabilities exposed by these major incidents in the blockchain industry?

Significant security incidents in the blockchain industry expose vulnerabilities in security, risk control, management, and auditing. These issues go beyond a simple transaction scalability attack vulnerability.

How can we effectively patch these security vulnerabilities?

Vulnerabilities will always exist. The key is to minimise their impact by implementing a Secure Development Lifecycle (SDLC) in the R&D process, including identifying and warning about vulnerabilities, implementing effective mitigation measures, real-time risk control, and emergency responses.

Modern management relies on well-designed processes, standardised execution, and advanced tools. Their proper implementation ensures a detailed explanation of incidents, such as the recent fraudulent exchange case involving an AI deep fake hack. Auditing is often overlooked but is crucial for maintaining security and accountability. Critical systems must be “available” and “auditable.”

How do you effectively balance user convenience with robust security when developing your security policies?

This is a perennial challenge. Excessive security measures can frustrate users, while prioritising convenience can leave systems vulnerable. The first step in striking the right balance is to implement a layered security design, applying different security levels based on the importance of user assets and specific user needs. For less critical functions, minimising user authentication enhances convenience, while stringent security measures are enforced for functions that could jeopardise asset security. To help users understand this balance, we regularly publish informative documents, manuals, and articles, and aim to integrate features that are both user-friendly and enhance security, such as passkeys and biometric authentication.
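To make the layered design concrete, here is an added example (not Cactus Custody's code) of a tiered authorisation check: operations are mapped to a security tier by their value and impact, and each tier demands a stronger second factor, following the earlier answer's ordering (hardware key above passkey above authenticator app) and never counting SMS as a factor. The operation names, tiers and dollar thresholds are constructed for illustration.

```python
from enum import Enum

class Factor(Enum):
    """Factors the interview mentions; SMS is listed only so it can be rejected."""
    PASSWORD = "password"
    SMS = "sms"
    TOTP = "authenticator_app"
    PASSKEY = "passkey"
    HARDWARE_KEY = "hardware_key"
    SECOND_APPROVER = "second_approver"

# Relative strength of accepted second factors (hardware key > passkey > app).
# SMS is deliberately absent: presenting it adds nothing to a session.
FACTOR_STRENGTH = {Factor.TOTP: 1, Factor.PASSKEY: 2, Factor.HARDWARE_KEY: 3}

# Hypothetical tiers: (minimum second-factor strength, second approver needed?).
TIER_RULES = {
    0: (0, False),  # read-only: password alone
    1: (1, False),  # low value: password + any accepted second factor
    2: (2, False),  # mid value: password + passkey or hardware key
    3: (3, True),   # high value or policy change: hardware key + second approver
}
# Constructed withdrawal thresholds in USD; amounts above the last one are tier 3.
WITHDRAW_THRESHOLDS_USD = [(1_000, 1), (100_000, 2)]

def required_tier(operation: str, amount_usd: float = 0.0) -> int:
    """Map an operation (and its value) to the tier that must be satisfied."""
    if operation == "view_balance":
        return 0
    if operation == "change_whitelist":   # changes where funds may go: always top tier
        return 3
    if operation == "withdraw":
        for limit, tier in WITHDRAW_THRESHOLDS_USD:
            if amount_usd <= limit:
                return tier
        return 3
    raise ValueError(f"unknown operation: {operation}")

def authorize(operation: str, amount_usd: float, presented: set) -> tuple:
    """Return (allowed, reason) for a session that has proved the given factors."""
    tier = required_tier(operation, amount_usd)
    min_strength, needs_approver = TIER_RULES[tier]
    if Factor.PASSWORD not in presented:
        return False, "password required"
    strength = max((FACTOR_STRENGTH.get(f, 0) for f in presented), default=0)
    if strength < min_strength:
        return False, f"tier {tier} needs second-factor strength >= {min_strength}"
    if needs_approver and Factor.SECOND_APPROVER not in presented:
        return False, f"tier {tier} needs a second approver"
    return True, f"tier {tier} satisfied"
```

Because SMS carries zero strength, a session authenticated with password plus SMS can only view balances; it cannot move funds at any tier.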

From your professional perspective, what recommendations would you give institutional users for protecting digital assets?

Firstly, diversify your asset risk; avoid putting all your eggs in one basket. Secondly, stay informed and continuously learn, but approach new developments cautiously; what you perceive as “safe” may not be secure. Lastly, entrust specialised tasks to professional teams. For significant digital assets, using a professional security custody institution is essential.

What are Cactus Custody’s core business activities and services?

Supported by Matrixport, Cactus Custody offers premier digital asset custody services for large mining companies, mining pools, hashing power platforms, exchanges, funds, and OTC traders. As a licensed Hong Kong Trust Company (License No: TC006789), we adhere strictly to capital reserve requirements and anti-money laundering regulations, ensuring full compliance across all our services. Our ISO 27001, ISO 27701, and ISO 9001 certifications underscore our commitment to high standards in information security, privacy protection, and quality management.

Cactus Custody provides secure storage solutions for cryptocurrencies and other digital assets, a range of wallet options, secure access to various DeFi protocols, and features the Oasis Off-exchange Settlement Solution, which merges the security of traditional settlements with the benefits of digital asset technology, separating trading and settlement to mitigate risk.

Cactus Custody – (Left) Yanyan Hu, Head of Risk and Product Strategy, (Middle) Timothy Tan, Head of Sales and Partnership, (Right) Omid Zadeh, Global Head of Prime Sales – Supported by Matrixport, Cactus Custody offers premier digital asset custody for mining companies, exchanges, funds, and OTC traders. Licensed in Hong Kong (TC006789) and ISO-certified, we ensure compliance and security. Our services include secure storage, wallet options, DeFi access, and the Oasis Off-exchange Settlement Solution.
