The Best Guide to Bitcoin Security in 2017
Bitcoin has been at the center of the largest digital thefts of all time. The price of Bitcoin has been rising for a number of years, and speculation over the long-term value of Bitcoin has ranged from $10,000 through to as much as several million. For this reason, Bitcoin is a big target for potential thieves, and whether you hold it for commercial or personal reasons, Bitcoin security should be treated with paramount importance. This article examines best-practice Bitcoin security and ends with a short questionnaire to help you understand how effective your current security is. Use these links to read more:
- The biggest Bitcoin thefts of all time
- 1. Bitcoin Exchanges Are Not Secure
- 2. Cold Store your Bitcoin
- 3. 2-Factor Is Not Enough
- 4. Multisignature Transactions
- Your Bitcoin security score
The biggest Bitcoin thefts of all time
Here are just a handful of infamous multi-million dollar Bitcoin thefts from recent years. There are many more to speak of, as well as hundreds if not thousands of smaller thefts targeting individuals (including Bitcoin ransomware):
- Bitcoin exchange Bitfinex loses $72M in massive online theft
- Mt.Gox exchange embezzlement and theft of $460M
- Vanishing drug marketplace Evolution has $12m of Bitcoin go missing
- Bitcoin user Allinvain loses 25,000 BTC in a security hack (worth $22.5M at time of publication)
Most Bitcoin thefts are made through exchanges, particularly as many lack the necessary security measures for dealing with large volumes of Bitcoin. Mt.Gox, for example, evolved from its inception as a Magic: The Gathering card exchange website; it’s unsurprising that its security and compliance were abysmal. Exchanges, at least in the early days of Bitcoin’s growth, were “low hanging fruit” for many hackers.
1. Bitcoin Exchanges Are Not Secure
If you do not own the private key to your Bitcoin wallet, then your funds should be considered insecure. No matter what your belief is in an online exchange’s “cold storage” or “protection scheme”, the reality is that exchanges are poorly regulated and little is known about their security expertise. Unfortunately with Bitcoin, you must learn how to secure your own private keys.
Of course, storing small amounts of Bitcoin in an exchange is perfectly acceptable; not every single mBTC needs to be taken into your own cold storage wallet. However, should you find yourself storing more Bitcoin in an exchange than you are comfortable losing, then it’s time to take control. Many thousands of people have learned this lesson the hard way – here are some tips for learning it the easy way.
2. Cold Store your Bitcoin
Storing your Bitcoin in an offline “cold storage” wallet is one of the safest ways to keep your investment secure. Any wallet that sits on an internet-connected device is at risk of theft through malware, social engineering or simply by someone having access to said device. Offline wallets (also called hardware wallets) are not difficult to set up, and the two leading brands – Trezor and Ledger – provide simple solutions.
If you must store your Bitcoin on an internet-connected device, or in any wallet in general, it’s essential that you regularly back up your private keys. By doing so, if your hard drive were to go missing or become inaccessible, you would still be able to access and recover your private keys.
How do I know a hardware wallet is safe?
Both Trezor and Ledger have their source code available for anyone to review on GitHub.
Not only does this help from an auditing point of view, but it means that should anything happen to the business itself, the code is still available to the public. This means that funds can eventually be recovered despite the original business no longer operating. These hardware wallets use PIN codes to gain access, and recovery seeds can (and should) be stored offline in a safe place, ideally with a solicitor or trusted 3rd party. Do not store your recovery seeds alongside your devices, for obvious reasons.
3. 2-Factor Is Not Enough
In a recent spate of thefts, it has transpired that 2-Factor authentication can be flawed when it comes to securing Bitcoin. 2-Factor authentication is the process of using a smartphone app (typically Authy or Google Authenticator) to provide a second layer of security on top of a standard password. The issue with 2-Factor authentication is that it is susceptible to social engineering – an attack vector that is commonly used in modern-day hacks. A number of founders at the Ethereum-based prediction markets company Augur have had their phones compromised through their carrier. In these attacks, hackers impersonate the victim and attempt to convince carrier staff to transfer the cellphone number to their control. By doing this, 2-Factor codes can then be sent directly to the attacker and passwords can be reset without too much difficulty.
Storing anything vital, such as private keys, behind 2-Factor authentication may seem safe, but the reality is that they can still be compromised through a 3rd party such as your cellphone carrier. Offline storage of both your private keys and recovery seeds is essential to ensure maximum security.
4. Multisignature Transactions
Anyone who uses Bitcoin is likely to sign their transactions with their own signature and nothing else. Multisig wallets can be used to take signatures from as many as 15 different parties in order for a transaction to be broadcast to the network. The importance of this is that the process in which transactions are signed has no single point of failure. Typically multisig wallets have 3 signatories, with a requirement that 2 of the 3 parties sign the transaction for it to be authorized. By taking a multisig approach to your transactions, you can add an extra layer of security that would, along with offline storage of the private keys, provide one hell of a security fence for your Bitcoin. Those who are particularly security conscious could consider storing one private key with a loved one, another with their solicitor, and the last with themselves. Should one key go missing, it is still possible to access the funds.
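The 2-of-3 arrangement described above is expressed on-chain as a redeem script of the form `OP_2 <pubkey1> <pubkey2> <pubkey3> OP_3 OP_CHECKMULTISIG`, and the network only accepts a spend once at least two valid signatures for those keys are supplied. The following added example (not code from the original article, a wallet vendor or Bitcoin Core) builds and parses that script so the M-of-N structure is visible byte by byte. The three public keys are constructed placeholder byte strings in the compressed SEC format, not real keys; anything derived from them is for illustration only.

```python
"""Build and parse a Bitcoin multisig redeem script: OP_M <pubkey>... OP_N OP_CHECKMULTISIG.

Added example, not from the original article. The keys below are constructed
placeholders with the right shape (33-byte compressed encoding), not real public keys.
"""
from typing import List, Tuple

OP_1 = 0x51               # OP_1 .. OP_16 are opcodes 0x51 .. 0x60
OP_CHECKMULTISIG = 0xAE
MAX_P2SH_KEYS = 15        # standard-policy limit for a P2SH multisig redeem script


def op_n(n: int) -> int:
    """Opcode that pushes the small integer n (1..16) onto the script stack."""
    if not 1 <= n <= 16:
        raise ValueError("OP_N only covers 1..16")
    return OP_1 + n - 1


def _check_pubkey(pk: bytes) -> None:
    """Accept only well-formed compressed (33-byte) or uncompressed (65-byte) SEC encodings."""
    if len(pk) == 33 and pk[0] in (0x02, 0x03):
        return
    if len(pk) == 65 and pk[0] == 0x04:
        return
    raise ValueError("invalid public key encoding")


def multisig_redeem_script(m: int, pubkeys: List[bytes]) -> bytes:
    """Serialize an M-of-N redeem script; M signatures out of the N listed keys are required."""
    n = len(pubkeys)
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if n > MAX_P2SH_KEYS:
        raise ValueError("standard P2SH multisig allows at most 15 keys")
    for pk in pubkeys:
        _check_pubkey(pk)
    # Each key is a direct push: one length byte (33 or 65, both < 76) followed by the key bytes
    pushes = b"".join(bytes([len(pk)]) + pk for pk in pubkeys)
    return bytes([op_n(m)]) + pushes + bytes([op_n(n), OP_CHECKMULTISIG])


def parse_multisig_redeem_script(script: bytes) -> Tuple[int, List[bytes]]:
    """Recover (m, pubkeys) from a redeem script, rejecting anything malformed."""
    if len(script) < 4 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not an OP_CHECKMULTISIG script")
    m = script[0] - OP_1 + 1
    n = script[-2] - OP_1 + 1
    if not 1 <= m <= n <= 16:
        raise ValueError("invalid M-of-N header")
    pubkeys: List[bytes] = []
    i, end = 1, len(script) - 2
    while i < end:
        length = script[i]
        pk = script[i + 1:i + 1 + length]
        if len(pk) != length:
            raise ValueError("truncated push")
        _check_pubkey(pk)
        pubkeys.append(pk)
        i += 1 + length
    if len(pubkeys) != n:
        raise ValueError("key count does not match OP_N")
    return m, pubkeys


# Constructed placeholder keys (NOT real public keys): compressed prefix + 32 filler bytes
KEY_SELF = bytes([0x02]) + bytes([0x11]) * 32
KEY_SOLICITOR = bytes([0x03]) + bytes([0x22]) * 32
KEY_FAMILY = bytes([0x02]) + bytes([0x33]) * 32
SIGNERS = [KEY_SELF, KEY_SOLICITOR, KEY_FAMILY]

if __name__ == "__main__":
    script = multisig_redeem_script(2, SIGNERS)
    m, keys = parse_multisig_redeem_script(script)
    print(f"{m}-of-{len(keys)} redeem script ({len(script)} bytes): {script.hex()}")
```

For a 2-of-3 script with compressed keys the result is 105 bytes: the leading `0x52` (OP_2), three 34-byte pushes, `0x53` (OP_3) and `0xae`. A wallet that receives such a script from a counterparty should parse it this strictly before funding the address, since a script that quietly lists a different M or an extra key changes who can spend.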
A similar approach can be taken with recovery seeds, whereby the key phrases required to recover a private key are “chopped up” and stored at separate locations. It would be advisable to mirror this at least once to other locations to ensure the recovery seed does not get lost.
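Cutting a seed phrase into pieces, as suggested in the paragraph above (and for the offline seed storage recommended earlier under hardware wallets), has a weakness worth knowing: whoever holds a fragment has a much smaller search space left to guess, and losing any one fragment loses the whole seed. Shamir's secret sharing gives the same "spread across locations" benefit without either problem: the secret is split into n shares of which any k reconstruct it, and fewer than k shares reveal nothing about it. The following is an added example of that scheme (not code from the original article or from any wallet vendor), applied to the raw entropy behind a recovery phrase; the 32-byte sample entropy is constructed, not a real seed, and the 521-bit field size is this example's own choice.

```python
"""Shamir k-of-n sharing of a wallet secret, e.g. the entropy behind a recovery phrase.

Added example, not from the original article. SAMPLE_ENTROPY is a constructed
placeholder, not real seed material.
"""
import secrets
from typing import List, Tuple

# Prime field large enough to hold a secret of up to 64 bytes without wrapping: 2^521 - 1
PRIME = (1 << 521) - 1
MAX_SECRET_BYTES = 64

Share = Tuple[int, int]  # (x, f(x)) with 1 <= x <= share_count


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int) -> List[Share]:
    """Produce `share_count` shares such that any `threshold` of them recover `secret`."""
    if not 2 <= threshold <= share_count:
        raise ValueError("need 2 <= threshold <= share_count")
    if not 1 <= len(secret) <= MAX_SECRET_BYTES:
        raise ValueError("secret must be 1..64 bytes")
    # Random polynomial of degree threshold-1 whose constant term is the secret;
    # the coefficients must come from a CSPRNG or the shares leak the secret.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares: List[Share], secret_len: int) -> bytes:
    """Lagrange-interpolate f(0) from at least `threshold` distinct shares.

    Below the threshold the shares are consistent with every possible secret, so
    the interpolation yields an unrelated field element. Such a value usually does
    not fit `secret_len` bytes, which is detected here; one that does fit is not
    thereby proven correct, so keep an independent check (e.g. a known address).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj == xi:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        # Fermat inverse: den^(p-2) == den^-1 mod p, valid because PRIME is prime
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if total >= 1 << (8 * secret_len):
        raise ValueError("too few shares, or a share is corrupted")
    return total.to_bytes(secret_len, "big")


# Constructed placeholder entropy (NOT a real seed): 32 bytes, the size behind a 24-word phrase
SAMPLE_ENTROPY = bytes(range(32))

if __name__ == "__main__":
    shares = split_secret(SAMPLE_ENTROPY, 2, 3)   # 2-of-3: self, solicitor, family member
    print("any two shares recover it:", recover_secret(shares[::2], 32) == SAMPLE_ENTROPY)
```

Each share is just a pair of numbers and can be written down and stored like a seed phrase; the mirroring the paragraph recommends then means keeping more than k shares in total, so that losing one location still leaves a quorum.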
Your Bitcoin security score
How hot on your Bitcoin security do you think you are? Take this short quiz to find out where you stand on a scale of “I’m ready to be robbed” through to “nuclear bunker” levels of security.
- Where do you store your Bitcoin?
  a) Bitcoin exchange (0 points)
  b) Internet-connected device (0 points)
  c) Hardware wallet (3 points)
- Do you use 2-factor authentication?
  a) Yes (3 points)
  b) No (0 points)
- Do you use multiple signatures for transacting Bitcoin?
  a) Yes (3 points)
  b) No (0 points)
- Where do you store your recovery seed?
  a) I don’t have a recovery seed (-3 points)
  b) With my hardware wallet (0 points)
  c) Separate from my hardware wallet (3 points)
  d) Split across more than one location (5 points)
If you’ve scored anything above 10 then you’re doing a good job. Higher than 12 and you are one hell of a security-conscious Bitcoiner – well done!