IsBit is a Mexican company looking to use Bitcoin and blockchain technology to break into that country’s two-way trade financing, which last year recorded $775 billion in cross-border payments. Although its immediate desire is to raise outside funding, it must also build trust, for itself and for commercial blockchains in general: similar outfits have been hit by fraud.
Co-founder Sebastian Acosta Checa says the startup is on the verge of converting corporate and bank trial users into customers, which would give IsBit a major lift in its ambition to displace Swift and CLS Group, consortia that today dominate international payment communications and currency-exchange settlement.
Citing statistics from Mexico’s central bank, Acosa Checa says cross-border payments between, say, Mexico and China can take a week or longer to process, and the banks can take cuts of 3% to 10%. Such payments (including forex spreads) added up to more than $20 billion last year. He says IsBit’s blockchain application lets companies reduce their cost to below 1% and settle payments in under an hour.
Companies in one country deposit fiat currency in their local bank (locally, IsBit handles withdrawals and deposits in both pesos and dollars). IsBit transfers the money via its blockchain to a bank on the other end, where another company can receive the money in its local paper currency. Users don’t need to hold or trade Bitcoin themselves; it’s just the medium in which IsBit makes the forex trade behind a cross-border payment.
Acosta Checa says IsBit is beginning to work with banks as well as 200 companies trying it out, and hopes to have 5,000 users on the service by the end of the year.
Bad examples
Getting people from testing to users will require trust in the system. A tech company has to bear the same responsibilities as a bank when handling client money. “There’s no room for mistakes,” Acosta Checa said. “One security breach or unsanctioned transaction – it would be a big problem. I don’t operate with a big legal department. So I need execution to be perfect.”
The problem he has is beyond his control: other Bitcoin networks have been undone by fraud. For example, Hong Kong-based Bitcoin exchange network Bitfinex, which caters to retail investors, was robbed of around BTC120,000 in 2016, valued at about $66 million at the time (or $129 million today). The theft occurred on a single day when transactions were made in small amounts to thousands of bitcoin addresses.
Compounding the pain to its users, Bitfinex then levied a 36% loss across all user balances. The network was back in business the next week, but since the heist, Bitfinex’s founder and CEO, Raphael Nicolle, has vanished from the public eye.
The hack took place despite Bitfinex having set up what appeared to be sophisticated, two-step authentication measures – similar, but not exact, to those that IsBit deploys. So could it happen again? Acosta Checa says no – not like that.
Bitfinex operates on a multi-signature model, in which three entities hold keys (strings of passwords related to a unique identity). Any transaction requires validation from two out of the three keys. The customer has one, which he can activate via a mobile device or a desktop computer. Bitfinex (the exchange operator) has another. The third is held by a “hot-wallet”, which in Bitfinex’s case is an entity called BitGo.
Just as banks need to keep some cash on hand to meet daily redemption requests, a digital-currency exchange needs some bitcoins available for liquidity purposes. This is the role of a hot wallet: it’s a store of clients’ bitcoins that is connected to the internet and can be tapped by the exchange. (The bulk of client bitcoins are meant to be stored offline, in “cold storage”.)
The Bitfinex hack involved getting the exchange to instruct BitGo to sign off on illegal trades. BitGo’s systems appear to have functioned properly, which has raised suspicions that the heist may have been an inside job from Bitfinex: access to both the Bitfinex key as well as the means to trick BitGo into validating the deal. (Another bitcoin heist attacking Japan’s Mount Gox in 2015 was an inside job.)
Smarter security
Acosta Checa knows something about cyber security. Trained as an actuary, he also used to work as an in-house hacker for companies, getting paid to probe their digital weaknesses.
He says IsBit also uses “multi-sig” technology to protect a fraction of assets kept in a hot wallet, while most client assets remain offline on recovery servers.
But, Acosta Checa says, BitGo was not configured with the right risk-management rules. It didn’t pay attention to amount limits, nor was there any signal to manually verify large withdrawals. “We have established limit-velocity of withdrawals or a manual approval,” he told DigFin.
Another flaw with BitGo was that passkeys could be drawn out of its server through APIs (connections that allow servers to share software applications). IsBit has instead embedded keys in its server’s memory, so hackers would have to first gain access to the server to steal the passkey, and then erase the server’s memory of the hacker’s visit.
IsBit is also implementing a better way to protect assets by being more exact about how much need to be kept in the hot wallet. Acosta Checa has developed actuarial calculations to weigh deposits (offline, in cold storage) versus liquidity required in a hot wallet to meet withdrawal requests.
“The challenge [to our business] is our relationship with tax authorities; it’s compliance,” he said. “We have a lot of cost because we have to do verification on each new customer, to ensure they are legit. This is a manual process.”
He reckons the cost is worth it: acquisition runs to about $50 to $100 per company. Acosta Checa argues this is nothing compared to the lifetime value of a big importer or exporter using the exchange, which he calculates to be as high as $20,000 over three decades.
That’s a faraway goal for a company that is still onboarding its first clients, but Acosta Checa believes cost of client acquisition will also fall. New technologies will emerge to make KYC and AML cheaper and easier, he says.
Ultimately the play for him is the logic for companies and their banks to use blockchain networks, transferring cross-border payments cheaply and quickly via digital currencies. He is competing with another Mexican fintech company, Bitso, for national dominance. Compliance and defending against fraud are problems, but Acosta Checa notes that his challenges aren’t so unique: fraud has long existed in the paper-based world.
The threat of fraud should not, by itself, inhibit adoption of blockchain networks, but realistically they still have to prove themselves – particularly those such as IsBit taking aim at the B2B world. “We’re going to go and make this mainstream,” Acosta Checa promised.