Coinflow CISO: Securing crypto payments amid AI threats

Summary
– Malcolm Portelli, CISO at Coinflow, says the crypto industry, not Malta’s location, drives his threat model because crypto firms are prime targets for advanced persistent threat groups.
– Portelli replaced ineffective monthly security awareness videos with quarterly training capped at 30 minutes, supplementing it with engaging formats.
– He communicates cyber risk to boards using financial data from reports like IBM’s Cost of a Data Breach Report and GDPR penalties, as numbers are a universal language.
– Portelli criticizes forced password rotation as outdated guidance, noting the UK’s NCSC and Microsoft abandoned it years ago, and laments AI-generated content diluting threat intelligence.
– Coinflow uses API-based multi-factor authentication for security, invests in AI anomaly detection to combat fraud involving authorized payments, and faces a patching gap where automated remediation lags behind vulnerability discovery.
The security leader of a crypto payment firm says the sector’s threat model is defined more by its industry than its geography, as advanced persistent threat groups increasingly target digital asset companies. Malcolm Portelli, Chief Information Security Officer at Coinflow, runs the firm’s security operations from Malta, where the company maintains a presence alongside its U.S. headquarters and other jurisdictions. He shared his insights during an interview at the Span Cyber Security Arena conference.
Crypto payments sit near the top of the target list for sophisticated adversaries, Portelli explains. “It’s more the industry which we operate in. So, financial services, Web3, and crypto and all that comes with that. Crypto is a big target, especially for the big APTs. They’re always looking at how they can get into crypto firms because that’s their chosen money.” Malta has emerged as a fintech and blockchain hub, thanks to government incentives that attract company headquarters, a policy Portelli credits with boosting the local economy and tech ecosystem.
Monthly security awareness videos no longer work, Portelli says, and he has removed them from his program. “Something that I’ve stopped doing is the regular monthly videos. You know, you go out and get snippets that people watch. It’s a checkbox.” He now favors quarterly training, limiting content to 30 minutes per quarter, and supplements it with engaging formats. He also rejects the annual-only approach as insufficient, aiming for a middle-ground frequency.
Boardrooms have grown more interested in cyber risk over the past decade, but some members may overestimate their understanding. Portelli handles disagreements by relying on published data, citing the Verizon Data Breach Investigations Report and the IBM Cost of a Data Breach Report, the latter of which quantifies losses in dollars that resonate with board members. He also references GDPR penalties of up to 4 percent of global revenue when European personal data is compromised.
“Numbers are a universal language,” Portelli says. “If you are an accountant, if you are in technology, if you are in operations, you understand numbers.” He notes that board members who grasp the financial exposure tend to trust the CISO on execution: “When they understand it, they leave it to you. I hired you. They trust you.” Coverage of major breaches in mainstream business outlets has aided this conversation, with Portelli pointing to recent disruptions at Marks & Spencer and Co-op, as well as the attack on Jaguar Land Rover that prompted UK government support, as examples that have brought cybersecurity to the front pages.
Forced password rotation is a practice Portelli wants retired. The UK’s National Cyber Security Centre and Microsoft moved away from it around 2016 to 2018, yet some standards and frameworks still require it, which Portelli calls a contradiction of settled guidance. He also expresses frustration with the flood of AI-generated content on LinkedIn and security blogs, where original posts are rewritten by language models within days and republished across hundreds of sites, diluting attribution and weakening threat intelligence signals. He runs a personal site to break down security concepts into accessible snippets and prefers to write the content himself.
Coinflow operates primarily through APIs, which Portelli says simplifies certain controls. The company implements multi-factor authentication for API keys using available data to validate and authenticate clients with minimal impact on operational efficiency. He describes the setup as straightforward for developers to implement yet highly effective. Fraud has shifted toward scams that convince customers and staff to authorize payments themselves, so Portelli is investing in AI-based anomaly detection and pattern recognition to flag suspicious transactions, paired with continued education for employees and end users. Banks and governments, he notes, are now running awareness campaigns at a global scale.
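The kind of transaction screening Portelli describes can be illustrated with a small rule-based scorer. The example below is added here and is not Coinflow's code; the customer history, the signals (new beneficiary, amount outlier, off-hours, rapid succession), their weights and the decision thresholds are all constructed assumptions chosen to show how a payment the customer has genuinely authorized can still be routed to an out-of-band confirmation or a manual review before it settles.

```python
"""Rule-based anomaly scoring for outbound payments.

Added example with constructed data; not Coinflow's detection system.
Authorized-push-payment scams produce transfers the customer really did
approve, so the signal has to come from deviation against the customer's
own baseline rather than from failed authentication.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Payment:
    customer: str
    beneficiary: str
    amount: float
    ts: datetime


# Constructed history for one customer: regular, modest payments to known payees.
HISTORY = [
    Payment("cust-001", "payee-rent", 900.0, datetime(2024, 1, 1, 9, 0)),
    Payment("cust-001", "payee-utility", 120.0, datetime(2024, 1, 5, 18, 30)),
    Payment("cust-001", "payee-rent", 900.0, datetime(2024, 2, 1, 9, 5)),
    Payment("cust-001", "payee-utility", 115.0, datetime(2024, 2, 6, 19, 0)),
    Payment("cust-001", "payee-rent", 900.0, datetime(2024, 3, 1, 9, 2)),
]

# Constructed test payments: one routine, one with the shape of a scam transfer.
NORMAL = Payment("cust-001", "payee-rent", 900.0, datetime(2024, 4, 1, 9, 0))
SUSPICIOUS = Payment("cust-001", "payee-unknown", 4800.0, datetime(2024, 3, 15, 23, 45))

# Constructed burst: several transfers to the same payee within an hour.
RAPID_HISTORY = HISTORY + [
    Payment("cust-001", "payee-unknown", 500.0, datetime(2024, 3, 20, 10, 0)),
    Payment("cust-001", "payee-unknown", 500.0, datetime(2024, 3, 20, 10, 20)),
]
RAPID_PAYMENT = Payment("cust-001", "payee-unknown", 500.0, datetime(2024, 3, 20, 10, 40))

# Assumed weights and thresholds; a real deployment would tune these on outcomes.
WEIGHTS = {"new_beneficiary": 2, "amount_outlier": 3, "off_hours": 1, "rapid_succession": 2}
HOLD_THRESHOLD = 4      # score at or above this goes to manual review
CONFIRM_THRESHOLD = 2   # score at or above this triggers out-of-band confirmation


def customer_baseline(history, customer):
    """Summarize what 'normal' looks like for this customer from past payments."""
    own = [p for p in history if p.customer == customer]
    return {
        "own": own,
        "beneficiaries": {p.beneficiary for p in own},
        "median_amount": median(p.amount for p in own) if own else 0.0,
        "hours": {p.ts.hour for p in own},
    }


def evaluate(payment, history, amount_multiplier=3.0,
             velocity_window=timedelta(hours=1), velocity_count=3):
    """Return the triggered flags, their summed score and a tiered decision."""
    base = customer_baseline(history, payment.customer)
    flags = []

    # First payment to this beneficiary: the classic scam precondition.
    if payment.beneficiary not in base["beneficiaries"]:
        flags.append("new_beneficiary")

    # Amount far above the customer's typical payment.
    if base["median_amount"] and payment.amount > amount_multiplier * base["median_amount"]:
        flags.append("amount_outlier")

    # Hour of day not within two hours of any hour the customer has paid at before
    # (simple comparison; midnight wraparound is deliberately ignored here).
    if base["hours"] and not any(abs(payment.ts.hour - h) <= 2 for h in base["hours"]):
        flags.append("off_hours")

    # Several payments in a short window, a pattern scammers use to drain a balance.
    recent = [p for p in base["own"] if timedelta(0) <= payment.ts - p.ts <= velocity_window]
    if len(recent) + 1 >= velocity_count:
        flags.append("rapid_succession")

    score = sum(WEIGHTS[f] for f in flags)
    if score >= HOLD_THRESHOLD:
        decision = "hold_for_review"
    elif score >= CONFIRM_THRESHOLD:
        decision = "confirm_with_customer"
    else:
        decision = "allow"
    return {"flags": flags, "score": score, "decision": decision}


if __name__ == "__main__":
    for p in (NORMAL, SUSPICIOUS):
        print(p.beneficiary, evaluate(p, HISTORY))
    print(RAPID_PAYMENT.beneficiary, evaluate(RAPID_PAYMENT, RAPID_HISTORY))
```

The tiered decision is the point of the design: a single weak signal such as a burst of small transfers does not block the customer but does prompt a confirmation on a channel the scammer does not control, while a stack of strong signals holds the transfer for a human. This is where the employee and end-user education Portelli mentions plugs in, since the confirmation step only helps if the customer recognises the warning signs they are being asked about.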
Attack volume will keep climbing for the next three years, Portelli predicts, driven by AI tools that find vulnerabilities at very low cost. He points to Mythos, an AI vulnerability discovery system that surfaced numerous issues in Firefox, and recent research from TrendAI that identified around 300 vulnerabilities in widely used WordPress plugins at roughly $20 per zero-day. Defensive AI has kept up with discovery, he says, but automated patching that preserves application functionality remains an open problem. Enterprise CISOs already sitting on large vulnerability backlogs see little benefit from a discovery tool that adds hundreds of items when remediation tooling lags behind.
(Source: Help Net Security)