Why do we so easily forget about security
when we buy and sell Bitcoins and other Cryptocurrencies?
We have all read the newsflashes the last few months reporting that Bitcoins have been stolen from individuals as well as from Bitcoin Exchanges. For the Exchanges that were robbed the impact is very big and might even cause bankruptcy because of the big amount of money that is involved (in some cases more than 70 million dollar). For the individual buyer and seller of Bitcoins there are also big risks of losing their Bitcoins to hackers or cyber criminals. We are all very critical towards our banks protecting our money; so why are we not that keen on security related to our Bitcoins?
SIMPLE WAYS OUR BITCOINS ARE BEING STOLEN:
- A Cyber Criminal obtains the password for your account as a storage Service.
If you are using services like Coinbase you prevent to take care of a public and private key yourself. How would you feel when your bank was only asking for a username and password? Not very safe.
A username is often our email address. This makes it easier to also steal your password by hacking email accounts and then asking, while pretending to be Coinbase, to reset your password. Best way to prevent this risk is using 2 factor authentication, and to use it the right way meaning not on the same device!
- You expose your Private Key; this is really what it’s all about.
If you don’t use services like Coinbase to protect your public and private key you have to manage your own wallet. If you would ask me, from a security perspective, this is what you would always need to protect yourself.
We all know that people that have showed their private key, have used it in emails and simply stored it on software on their laptop. We also see hacked wallets both software and hardware based, so even a wallet is no guarantee that your Bitcoins are safe. Best way to protect your private key is to protect it by using certified hardware like USB based HSMs. This way your private key can’t be compromised (because the USB based HSM is in a physical vault. You only take it out when you want to trade.
- A cybercriminal intents to be a Bitcoin recipient, by copying them and pretending to be the recipient.
Actually this is quite easy. With “initial coin offerings” the cybercriminal just fakes the website where to send your bitcoins to. When the Bitcoins are sent to the wrong wallet the Bitcoins are lost for both sender and receiver and there is now way you will be getting them back.
- Relying on an insecure Third party (Exchange company), after securing your own private key is the worst mistake you can make.
Millions of dollars have been hacked because the cybercriminal just broke in to the laptop of one of the Bitcoin exchange employees. The criminal got access to the company’s payment services and to the customer wallets. Then just emptied these wallets and most of the times got away with it. Be careful by choosing the Exchange company you’re going to do business with. Choose the one where the right security is in place. In the very near future this will be the only Unique Selling Point and the only way to survive as a Bitcoin Exchange company.
WHAT IS THE MOST SECURE WAY TO MANAGE OUR BITCOINS?
So the two most important issues to be aware of are:
- Protecting your private key yourself and
- Doing business with the rightly secured Bitcoin Exchange company.
But how do we do this? Being a Bitcoin owner we should consider the best protection for our private key (“in Bitcoin business it’s all about your private key”). As mentioned storing this private key in email, software or insecure hardware is not sufficient. As we all know email is easy to compromise and the same goes for software.
When we look at hardware and hardware wallets we need to be aware of what has been happening over the last few years related to hardware vulnerabilities. We have learnt from “Heartbleed” , “Rowhammer” and “Flip Feng Shui” vulnerabilities and again have seen it regarding Meltdown and Spectre: storing keys on servers and even on hardware wallets is generally not the best way to do it. Best practice is to use a certified USB based HSM (Hardware Security Module) to store and exchange the private key as a Bitcoin owner.
However, if you have to store your private key on a PC or server, then you should follow these rules:
- Control all physical and logical access to the PC/server
- Keep the operating system and other software patched
- Avoid using VMs
- Minimize internet and network connectivity: ideally do not connect to a network and certainly not to the Internet
SECURITY IS THE CRITICAL SUCCESS FOR CRYPTO CURRENCIES
If we look at the perspective of Bitcoin Exchange companies security will be the Critical Success Factor to survive the heavy competition. Some of the Exchanges are way upfront and will be able to survive if they keep on evolving. Protecting Bitcoins for their customers is the main challenge for now. This is meanly about securing the private key for their customer. Best practices for Exchanges is to use certified Hardware Security Modules.
A quote from Nicolas Bacca , Co-Founder and CTO of Ledger to support my statement;
“The only mission critical industry which is not using HSMs i the Bitcoin exchange industry (with the exception of Gemini). For some unknown and mysterious reasons, hot wallets security architectures are based on ad hoc solutions built around off the shelf hardware and thus totally uncertifiable against Common Criteria or FIPS 140. When you deal with private keys that you cannot revoke, and whose compromise would result into massive losses, you just can’t have them on a regular server architecture’.
WHAT DOES THIS ARCHITECTURE LOOK LIKE?
Figure: Hardware Security Module – HSM Based Security architecture for Exchanges
Nice to see that Ledger embraced the use of HSM’s as a Trust Anchor in their architecture. They are way ahead of most of their competitors when it comes to protecting the private key’s
It’s all about “protecting your private key” should be the message to all the Bitcoin/cryptocurrency owners and Exchange company’s. As I see it, the only way to do this right is using HSMs. Our banks are using HSM’s for dozens of years to protect our money and assets, now we as Bitcoins owners and Exchanges of Cryptocurrencies should do the same when it comes to guaranteeing these future currencies“