How do you secure Bitcoin?
by Malte Skarupke
After the Mt. Gox thing the bitcoin course is going back up again. My initial response was “this is a Mt. Gox problem, not a bitcoin problem” and I think this seems to be the general opinion right now.
But then it looked like the most likely reason for the disappearance of the money is that some insider at Mt. Gox just ran away with it. And the more you think about it, the more you realize how easy this is. Let’s say you are an admin at a company which has a lot of bitcoins. One day you book a vacation to some Caribbean island, and the day before you leave you copy the private keys of all the big bitcoin wallets that the company has onto a thumb drive. As soon as you’re out of the country you use those private keys to transfer all of the company’s money to your account. You’re rich, and it’s not easy to see how that could have been prevented.
You can protect yourself against this. Split your bitcoins into many wallets. Hire different sysadmins and make sure that they don’t have access to the same things. Airgap your private keys. Put additional security measures around that airgapped storage to check everything that people bring in or out of that room. The Coinbase website gives a few more ideas: Split your keys and keep the shares in different geographical locations.
But all of that is so easy to circumvent if you’re a sysadmin. Let’s assume that Coinbase stores it’s bitcoins in many, many wallets, most of which use all of the above security measures: At some point you need to remove money from those wallets, at which point the private key has to be accessible somewhere. If I was an evil sysadmin at Coinbase, I’d just keep a copy of all private keys when the wallets are first created. It’s very difficult for others to detect that I’m doing this, and it’s difficult to prevent me from doing this for at least some wallets if I’m a sysadmin. Then once I have those private keys I wait a few years. When I have access to several million dollar worth of bitcoin I move to a sunny island and make myself rich. Coinbase can’t prevent me from doing this. Even if they immediately notice that money is disappearing from their wallets, it will take them ages to actually get to their own wallets because they have them stored so securely. I can transfer money much faster than they can prevent me from transferring money.
Actually I don’t even have to be an evil admin to do the above. How easy do you have to make it for a good person to steal millions of dollars before they will steal millions of dollars? Stealing bitcoins is pretty damn easy. If a Coinbase admin is reading this: I’m not saying that you should probably copy some wallet private keys right now, but if you did do that there’s probably no way for anyone to find out that you did it. Especially if you wait a year or so before you do anything with that private key.
So one day you catch one of your sysadmins copying private keys. What do you do then? It’s difficult to find out how many wallets she has access to already. Do you transfer money from all of your wallets to new wallets? What security problems does that process have? How do you even do that on a large scale if you store your wallets as securely as Coinbase?
There is a new interesting vector of attack here: Imagine I steal bitcoins and I don’t get caught and I don’t move to a sunny country. I just stay at the company. It’s not like anyone knows that it was me who stole the bitcoins. How are they going to find out? Instead I help plug the security hole and then when we transfer all the remaining bitcoins to new wallets I collect more private keys. I can probably repeat this a few times until the company comes up with a process that identifies which of their sysadmins has been stealing money. But even then there’s no way for the company to get the money back. Worst thing they can do is send you to jail without any real evidence. Once you’re out of jail you’re still rich. And if you’re smart you wait for the normal security breach that’s inevitably going to happen. And while the company claims “we lost email addresses and encrypted passwords but no bitcoins were stolen” you steal bitcoins under the cover of that attack.
Imagine you could come up with a process where not even the sysadmins see the private keys of the new wallets when you make the transfer. Are you now running a risk of locking yourself out of your own wallets? It’ll actually be interesting to see whether this will happen to Coinbase even with just their current security measures. Offline copies can go missing and then the money is gone. And you don’t want to triple backup everything because the more redundant you make your data, the less secure it is. Since they use secret splitting there’s probably a balance there where you don’t run the risk of losing the money and you don’t make yourself vulnerable, but you have to get it right.
Let’s assume that Coinbase manages to make itself safe against sysadmins. Most companies won’t have that kind of security. Let’s pick a random company like Sony and say that they start to accept bitcoin as a payment method. Where will they store them? Will they use Coinbase? If everyone does that then Coinbase becomes too juicy of a target and it should be considered less safe just because of that. Also if you store your bitcoins at Coinbase you can’t use them to invest. Who is going to store money at a place that doesn’t offer interest? That may still work as long as the bitcoin course goes up, but that won’t last forever.
I think that the Mt. Gox event presents a bigger problem to bitcoin than people realize. Someone showed how easy it is to run away with millions of dollars in bitcoin. And it could be quite a while before we find out who it was. The accounts where the money went to will be watched until the end of time, so we’ll probably find out eventually, but finding out will only be useful if that person is still in the US.
So what will happen? I think that there will be companies that get bitcoin security right. There will be quite a few places who will never have a single bitcoin stolen. But that doesn’t matter because I think there will be a few more high profile bitcoin thefts, and then all big institutions will try to get out of bitcoin asap. Just because that’s how big institutions tend to react. Even if Coinbase’s security measures do work and they never have money stolen, there will be enough big thefts from other places that people will distrust Coinbase and they’ll be afraid that Coinbase could be next.
After that you can still use bitcoin to buy drugs, so bitcoin won’t die, but I think it will never be as successful as people hope it will be.