Why do we so easily forget about security?

Door Pasqualle Verwoerdt

Why do we so easily forget about security
when we buy and sell Bitcoins
and other Cryptocurrencies?

We have all read the newsflashes the last few months reporting that Bitcoins have been stolen from individuals  as well as from Bitcoin Exchanges. For the Exchanges that were robbed the impact is very big and might even cause bankruptcy because of the big amount of money that is  involved (in some cases more than 70 million dollar). For the individual buyer and seller of Bitcoins there are also big risks of losing their Bitcoins to hackers or cyber criminals. We are all very critical towards our banks protecting our money; so why are we not that keen on security related to our Bitcoins?

 


SIMPLE WAYS OUR BITCOINS ARE BEING STOLEN:

  • A Cyber Criminal obtains the password for your account as a storage Service.
    If you are using services like Coinbase you prevent to take care of a public and private key yourself. How would you feel when your bank was only asking for a username and password? Not very safe.
    A username is often our email address. This makes it easier to also steal your password by hacking email accounts and then asking, while pretending to be Coinbase, to reset your password. Best way to prevent this risk is using 2 factor authentication, and to use it the right way meaning not on the same device!
  • You expose your Private Key; this is really what it’s all about.
    If you don’t use services like Coinbase to protect your public and private key you have to manage your own wallet. If you would ask me, from a security perspective, this is what you would always need to protect yourself.
    We all know that people that have  showed their private key, have used it in emails and  simply stored it on software on their laptop. We also see hacked wallets both software and hardware based, so  even a wallet is no guarantee that your Bitcoins are safe. Best way to protect your private key is to protect it by using certified hardware like USB based HSMs. This way your private key can’t be compromised (because the USB based HSM is in a physical vault. You only take it out when you want to trade.
  • A cybercriminal intents to be a Bitcoin recipient, by copying them and pretending to be the recipient.
    Actually this is quite easy. With “initial coin offerings” the cybercriminal just fakes the website where to send your bitcoins to. When the Bitcoins are sent to the wrong wallet the Bitcoins are lost for both sender and receiver and there is now way you will be getting them back.
  • Relying on an insecure Third party (Exchange company), after securing your own private key is the worst mistake you can make.
    Millions of dollars have been hacked because the cybercriminal just broke in to the laptop of one of the Bitcoin exchange employees. The criminal  got access to the company’s payment services and to  the customer wallets. Then just emptied these wallets and most of the times got away with it. Be careful by choosing the Exchange company you’re going to do business with. Choose the one where the right security is in place. In the very near future this will be the only Unique Selling Point and the only way to survive as a Bitcoin Exchange company.

 

 

WHAT IS THE MOST SECURE WAY TO MANAGE OUR BITCOINS?
So the  two most important issues to be aware of are:

  1. Protecting your private key yourself and
  2. Doing business with the rightly secured Bitcoin Exchange company.

But how do we do this? Being a Bitcoin owner we should consider the best protection for our private key (“in Bitcoin business it’s all about your private key”). As mentioned storing this private key in email, software or insecure hardware is not sufficient. As we all know email is easy to compromise and the same goes for software.
When we look at hardware and hardware wallets we need to be aware of what has been happening over the last few years related to hardware vulnerabilities. We have learnt from “Heartbleed” , “Rowhammer” and “Flip Feng Shui” vulnerabilities and again have seen it regarding  Meltdown and Spectre: storing keys on servers and  even on hardware wallets is generally not the best way to do it. Best practice is to use a certified USB based HSM (Hardware Security Module) to store and exchange the private key as a Bitcoin owner.

However, if you have to store your private key on a PC or server, then you should follow these rules:

  • Control all physical and logical access to the PC/server
  • Keep the operating system and other software patched
  • Avoid using VMs
  • Minimize internet and network connectivity:  ideally  do not connect  to a network and certainly not to the Internet
  • Don’t allow any untrusted codes to run (including JavaScript ) within web browsers – only run essential codes obtained from a trusted source and verify the private key

SECURITY IS THE CRITICAL SUCCESS FOR CRYPTO CURRENCIES
If we look at the perspective of  Bitcoin Exchange companies security will be the Critical Success Factor to survive  the heavy competition. Some of the Exchanges are way upfront and will be able to survive if they keep on evolving. Protecting  Bitcoins for their customers is the main challenge for now. This is meanly about securing the private key for their customer.  Best practices for Exchanges is to use certified Hardware Security Modules.

 

A quote from Nicolas Bacca , Co-Founder and CTO of Ledger to support my statement;

“The only mission critical industry which is not using HSMs i the Bitcoin exchange industry (with the exception of Gemini). For some unknown and mysterious reasons, hot wallets security architectures are based on ad hoc solutions built around off the shelf hardware and thus totally uncertifiable against Common Criteria or FIPS 140. When you deal with private keys that you cannot revoke, and whose compromise would result into massive losses, you just can’t have them on a regular server architecture’.

 

WHAT DOES THIS ARCHITECTURE LOOK LIKE?

Figure: Hardware Security Module – HSM Based Security architecture for Exchanges

 

Nice  to see that Ledger embraced the use of HSM’s as a Trust Anchor in their architecture. They are way ahead of most of their competitors when it comes to protecting the private key’s
It’s all about “protecting your private key” should be the message to all the Bitcoin/cryptocurrency owners and Exchange company’s. As I see it, the only way to do this right is using HSMs. Our banks are using HSM’s for dozens of years to protect our money and assets, now we as Bitcoins owners and Exchanges of Cryptocurrencies  should do the same when it comes to guaranteeing these future currencies“

Encryptie in de toekomst

 

Pasqualle Verwoerdt
Business Manager Avensus High Grade Security.

 

Avensus High Grade Security beschermt de meest kritische data vanuit het standpunt dat encryptie de beste beveiliging is zolang de organisatie de sleutels zelf onder controle houdt. Het gaat ons daarbij niet alleen om het leveren van de beste oplossing voor informatiebeveiliging; het is ook onze taak mensen en organisaties bewust te maken van de risico’s. Hierin zijn alle security assets van belang.

Pasqualle is bereikbaar op pverwoerdt@avensus.nl

 

Avensus Nederland BV

Almere

Delft

Wilt u op de hoogte blijven van het laatste nieuws? 
Schrijf u dan in voor onze driemaandelijkse mailing!

mautic is open source marketing automationONTVANG ONZE NIEUWSBRIEF