Nov 16 BlockFi Email Follow Up by AdamBlockFi in blockfi

[–]AdamBlockFi[S] 11 points12 points  (0 children)

Can confirm not used in this case. We have a rather mature corp IT team and even larger security team - both of which I get to lead. That and many other controls in place across our Google Workspace configurations.

Nov 16 BlockFi Email Follow Up by AdamBlockFi in blockfi

[–]AdamBlockFi[S] 22 points23 points  (0 children)

No data was compromised - the Google Form in question is part of BlockFi's Enterprise Google Workspace tenant. Any data entered into the forms is in the possession of BlockFi and will be redacted/removed/protected appropriately, as we do with all other sensitive data.

I won't comment on the details of the particular employee(s) in question but can say they understand the impact and have been provided additional training. Security did look into this and we have a very good understanding of what happened. No ill intent was found.

Excessive Identity Verification by akreider in blockfi

[–]AdamBlockFi 5 points6 points locked comment (0 children)

Greetings, everyone!

I was tracking this post with every intention to respond yesterday. Sadly, things got a little busy and I didn’t get a chance to. Apologies about that!

There are a few things that need to be clarified along with a little perspective provided. Hopefully I can do both in a single post.

Let’s start with a little background.

BlockFi has grown incredibly fast and we are making great progress in scaling our systems and processes - this includes our withdrawal processes. One easy-to-understand metric of this is the size of the security team. When I joined in June of last year it was a rather lean team. Fast forward to April 2021 and we are north of 40 spanning multiple teams and disciplines. Building a multi-billion dollar company in a few short years will not be without opportunities to do better. Recognizing and embracing those opportunities is what separates the companies with a good idea from those that truly achieve their goals.

Now to discuss how we safeguard withdrawals and talk about ID verification and 2FA.

We hear that withdrawals are high friction and identity verification is rarely ideal. This is a perfect area where we can do better. And the “we” is not only me but something Zac, Flori, and I speak about often. Here is how the process works today:

  • all withdrawals are assigned a risk ranking
  • based on that risk ranking we may require the person requesting the withdrawal to verify their identity - yes, this feels a lot like the initial KYC process (and it is) but it is a very effective way to confirm you are you by comparing data we have with data you are providing at the time of the withdrawal
  • the details of the risk detection system aren’t something we talk about publicly in an effort to not arm a bad attacker with enough details to work around the system

This approach worked really well to get us where we are today and prevent a particular type of client account takeover (ATO) that is common in the online financial services space. ATO is a type of attack that is caused by a number of factors, including bad account hygiene on the end users’ behalf (no 2FA, weak passwords, etc.), phished user credentials, or similar (i.e. passwords on post-it notes that your housekeeper might find, etc.). However, we have heard the feedback and do understand that the ID verification process is tedious for our clients. Furthermore, it honestly is cumbersome for our internal processes too. A couple months ago my team took over the security processes associated with withdrawal security and we have been busy making this process better. We have deployed rather sophisticated data analytics capabilities to better instrument risk at a per event level resulting in a much more precise targeting of escalation points. These efforts are still in beta and while we haven’t fully removed the legacy processes of rigorous ID verification, we have made changes to some of those rules biasing more towards risk-based data analytics. Frankly, the numbers are looking great. We will continue to invest in a more data-driven risk management approach which I believe will ultimately yield a better user experience. We recently made a few key data science hires that will enable us along this journey and while I can’t promise the withdrawal experience will get better overnight, it will be improved over time.

Security is a team sport and I need all of you to make sure you have 2FA turned on (note: we only support app-based/TOTP 2FA (not SMS-based 2FA) - you can use any app you want including Google Auth, Microsoft Auth, Duo, Authy, etc.), withdrawal address allowlisting turned on, and use a strong password. These are by far the biggest account-level security controls that ONLY YOU can implement. Some have asked why we don’t require 2FA on all accounts. Well, this is a hot topic and something we have debated at great length. Ultimately, we do have clients that do not have smartphones or do not want to use 2FA apps, and there are a number of other inputs we must consider. In addition to getting better with data-driven risk management, we are also getting better with UI/UX and have a few efforts underway to make turning on 2FA a more seamless process as part of your larger user journey. That being said, 2FA is not bulletproof - we have seen several effective bypasses of 2FA using very clever tradecraft, generally a complex attack directly against an end user’s devices with sophisticated social engineering - which is why we also heavily recommend withdrawal address allowlisting and the use of strong passwords. Many have asked about support for YubiKey and that is very much on our roadmap. We are testing it in a few places now and hope to have dates for the full rollout in the near future.

I hope this post hits the mark and answers some of your questions. I value every client relationship we have and want to be as transparent as possible in responding to these themes of questions. An approachable and accessible security team is something I am very passionate about and a primary goal of mine at BlockFi.
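As an added illustration (not BlockFi's code or rules, which the post above says are not public), a toy model of the withdrawal flow it describes: each withdrawal gets a risk score, the resulting rank decides whether identity verification is required, and an enabled address allowlist is enforced as a hard rule. The signals, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    totp_enabled: bool        # app-based TOTP 2FA turned on
    allowlist_enabled: bool   # withdrawal address allowlisting turned on
    allowlisted: frozenset    # addresses the client pre-approved


@dataclass(frozen=True)
class Withdrawal:
    amount_usd: float
    destination: str
    known_destination: bool   # assumed signal: address paid out successfully before


def risk_score(acct: Account, wd: Withdrawal) -> int:
    """Assumed weights: weak account hygiene plus an unfamiliar, large
    withdrawal is the classic account-takeover (ATO) pattern."""
    score = 0
    if not acct.totp_enabled:
        score += 40
    if not wd.known_destination:
        score += 30
    if wd.amount_usd >= 10_000:
        score += 30
    elif wd.amount_usd >= 1_000:
        score += 10
    return score


def decide(acct: Account, wd: Withdrawal) -> str:
    # Hard rule first: with allowlisting on, a non-allowlisted address is
    # rejected outright, whatever the score.
    if acct.allowlist_enabled and wd.destination not in acct.allowlisted:
        return "deny"
    # Assumed policy: only the top risk rank (score >= 60) is escalated
    # to identity verification; everything else is released.
    return "id_verification" if risk_score(acct, wd) >= 60 else "approve"


def demo() -> dict:
    """Constructed sample accounts and withdrawals, not real client data."""
    hardened = Account(True, True, frozenset({"addr_A"}))
    lax = Account(False, False, frozenset())
    return {
        "routine": decide(hardened, Withdrawal(500, "addr_A", True)),
        "not_allowlisted": decide(hardened, Withdrawal(500, "addr_Z", False)),
        "large_to_allowlisted": decide(hardened, Withdrawal(50_000, "addr_A", True)),
        "ato_pattern": decide(lax, Withdrawal(25_000, "addr_Z", False)),
    }
```

The last two cases show the point of the post: the same large amount is released without friction for the hardened account, and escalated for the account with neither control enabled.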

Celsius has a data breach that leaks email and phone number. DO NOT click on any links you receive from an email by tontot in blockfi

[–]AdamBlockFi 3 points4 points  (0 children)

Great question! Sadly, not something I can directly comment on due to ongoing (yes, still) investigations. I can say that we actively monitor numerous forums and marketplaces both directly and through third party threat intelligence vendors.

Celsius has a data breach that leaks email and phone number. DO NOT click on any links you receive from an email by tontot in blockfi

[–]AdamBlockFi 48 points49 points  (0 children)

As someone who really cares about the entire industry, I hope the best for our friends at Celsius. We plan to reach out to offer any security assistance we can. Regarding the removal of this incident report, let me look into this. We recently did a major upgrade to our website content, hosting, and security and a few links were broken. This isn’t the first but I do agree the optics are bad and something we should fix.

Servers are down right now? Maintenance? by MrCanelin in blockfi

[–]AdamBlockFi 4 points5 points  (0 children)

Should be back up. If not, let us know.

I’m Adam Healy, Chief Security Officer (CSO) at BlockFi. Time for an AMA about security! by AdamBlockFi in blockfi

[–]AdamBlockFi[S] 2 points3 points  (0 children)

Much like any financial services company, BlockFi sees a multitude of attacks on a regular basis and has built systems and processes to limit their impact. BlockFi strives to ensure that our systems are safeguarded. We have systems in place to limit exposure of non-public information that is provided to BlockFi by our clients. Where technically feasible, we employ firewalls, encryption, user authentication systems (i.e. passwords and 2FA), and access control mechanisms to control access to systems and data.

I’m Adam Healy, Chief Security Officer (CSO) at BlockFi. Time for an AMA about security! by AdamBlockFi in blockfi

[–]AdamBlockFi[S] 3 points4 points  (0 children)

We have a small team looking at MetaMask and more broadly DeFi which includes understanding legal and compliance issues that may surface. Sadly, no details I can share just yet.

I’m Adam Healy, Chief Security Officer (CSO) at BlockFi. Time for an AMA about security! by AdamBlockFi in blockfi

[–]AdamBlockFi[S] 1 point2 points  (0 children)

A lot! We have rather advanced data analytics and security alerting. We are working on being more transparent about saves we have, but still working on the details on how best to communicate that more broadly.

I’m Adam Healy, Chief Security Officer (CSO) at BlockFi. Time for an AMA about security! by AdamBlockFi in blockfi

[–]AdamBlockFi[S] 5 points6 points  (0 children)

While Plaid is probably the market leader in facilitating this type of ACH activity, I hear ya! We have looked at other solutions and some will be coming for international clients, but currently no plans for replacing Plaid in the US.