It’s always a bit of a dilemma for cryptocurrency exchanges and their operators to provide info on the security measures that they’ve implemented. On the one hand, you want to talk about the security measures you took to attract more customers. On the other hand, you want to provide as little information as possible to potential attackers.

After the recent Bitfinex hack, I felt obliged to share my two cents on securing cryptocurrency.

Here it goes:

Principles

Every security implementation will be different for each exchange so first, we need to outline a list of principles that will guide us at each decision point.

1) Security > Efficiency

It doesn’t matter how hard to use or slow a system becomes by taking a certain security measure. System designers must opt for the more secure method as long as it falls within the acceptable limits of efficiency for the end users.

Of course, there is a limit to how inefficient a crypto exchange can be before people start abandoning it. But as long as we can keep our systems close to the acceptable limits, we can make up for the inefficiency by making some other things more efficient.

2) If it’s online, it can be hacked

There is a reason why you can’t go on Facebook (or anywhere else on the internet) in nuclear plants. And the reason is not employee productivity.

You have to assume that anything that is connected to the internet can be hacked.

In fact, given enough information and resources, any system can be hacked even if it’s air gapped (see Stuxnet). But by generating & storing our keys offline we are increasing the cost of an attack by at least a couple of orders of magnitude.

3) No single point of failure, no stone unturned

It sounds straightforward. But when it comes to implementation, you will find that you need to think about so many scenarios that some can be neglected. They shouldn’t be.

Here is an example:

Let’s say you, as a team, created offline keys, printed paper backups and put together a multisig wallet. Great. If each one of you used the same printer to print the paper backups, then you have a potential single point of failure: the printer can have a memory/cache from which your paper backups can be retrieved by an unauthorized person. This attack vector must be addressed.

This is an extreme scenario for sure. But if this kind of detailed thinking is applied at all decision points then we can sufficiently increase the cost of a potential attack.

If you cannot think of too many attack vectors, then you are not knowledgeable enough to take on the challenge of designing a cold storage system. Seek professional help. This is what we did.

Most systems integrators have secure key management practices. There are also small shops like Andreas M. Antonopoulos’s Third Key Solutions. Find them, talk to them. Even having a few days of consulting can make a world of difference.

Creating your Cold Storage wallet

When you start thinking about securing your crypto assets with the above principles in mind, it’s immediately obvious that you need to have a cold multisig wallet.

There are an unlimited number of ways you can create a cold multisig wallet. It’s important to choose the right technologies and to follow the best practices while creating your wallet.

I’ve seen people turning off their WiFi, creating keys and copying them to USB sticks and calling it cold storage. That’s not my understanding of it.

1 Air gapped device

The device must not have previously connected to the internet. Not the OS but the hardware itself. Networking must be physically disabled on the device. No wifi adapter, no ethernet port. Even if a piece of hardware has been wiped clean, it might have gotten infected at BIOS level.

2 Hardware level encryption

The device must have hardware level encryption on top of software encryption. Relying on commercial encryption tools such as BitLocker alone is not sufficient.

Using a FIPS 140 certified device is a good idea. Preferably Level-3.

There are so many small details that you need to get right on top of these like secure password selection, preventing visual surveillance during key generation, secure backup generation, choosing the right software to generate your keys etc. As long as we leave no stone unturned, we should be ok.

Operating Your Cold Storage Wallet

So we created a secure cold multisig wallet and made sure it’s virtually hack-proof.

Unfortunately, that is not enough.

A hacker can hack your exchange’s database, increase his balance and start making withdrawals. Or he can find another method of getting crypto funds out of your online systems without authorization. If you do not have measures to address these scenarios, securing your cold storage will be meaningless. He will keep stealing and you will keep paying.

For instance, if you didn’t design your spending procedures well enough, you can receive an email like below from your colleague:

Hey bro, I need $1M at Bitstamp rate sent to this address 1EkDzuX…

And off goes your money. We’ve seen this happen to one of the best companies in the Bitcoin space.

Make sure you have a set of control activities before any amount can leave the cold storage.

Here are a few checks you can do before any funds leave your cold storage wallet:

Check your holdings against your liabilities. If something is amiss, then address that first.

Predetermine a set of addresses and only send funds to these addresses. Nowhere else.

Implement automated checks that will raise a red flag when an anomaly occurs. Like a customer withdrawing an unusually large amount. Or the total amount of withdrawals on a specific day exceeding your daily average.

Predetermine a maximum amount that can leave the cold storage at once. If a business situation forces you to spend more than the predetermined amount, make sure your systems are all healthy, then proceed to spend.

Set up a previously agreed channel and message format for exchanging signatures among key holders. Do not sign messages you receive from another channel or in a different format.

Get verbal confirmation from your co-signers for every transaction.
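
The checks listed above can be combined into one gate that runs before any co-signer signs. This is an added example, not code from the original post; the channel name, message fields, spend cap, addresses and figures are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Every value here is constructed for illustration; none comes from the article.
ALLOWED_DESTINATIONS = {"HOT-WALLET-REFILL-A", "HOT-WALLET-REFILL-B"}  # placeholders
MAX_PER_SPEND = Decimal("50")        # hypothetical cap on one cold-storage spend
AGREED_CHANNEL = "signing-channel"   # hypothetical pre-agreed channel
AGREED_FIELDS = {"request_id", "destination", "amount", "requested_by"}

@dataclass
class Books:
    holdings: Decimal         # coins actually controlled (cold + hot)
    liabilities: Decimal      # sum of customer balances in the exchange database
    withdrawn_today: Decimal
    daily_average: Decimal

def review_spend(request, channel, books, cosigners, verbally_confirmed):
    """Return reasons to refuse; an empty list means the spend may be signed."""
    reasons = []
    if channel != AGREED_CHANNEL:
        reasons.append("not the agreed channel")
    # Anything that is not exactly the agreed message shape is rejected outright.
    if not isinstance(request, dict) or set(request) != AGREED_FIELDS:
        return reasons + ["not the agreed message format"]
    try:
        amount = Decimal(str(request["amount"]))
    except InvalidOperation:
        amount = None
    if amount is None or not amount.is_finite() or amount <= 0:
        return reasons + ["not the agreed message format"]
    # An inflated database balance shows up as liabilities above real holdings.
    if books.liabilities > books.holdings:
        reasons.append("liabilities exceed holdings")
    if request["destination"] not in ALLOWED_DESTINATIONS:
        reasons.append("destination not predetermined")
    if amount > MAX_PER_SPEND:
        reasons.append("above the per-spend maximum")
    if books.withdrawn_today > books.daily_average:
        reasons.append("withdrawals above daily average")
    if set(cosigners) - set(verbally_confirmed):
        reasons.append("co-signer has not confirmed verbally")
    return reasons

HEALTHY = Books(Decimal("1200"), Decimal("1150"), Decimal("30"), Decimal("45"))
COSIGNERS = {"alice", "bob", "carol"}
GOOD_REQUEST = {"request_id": "R-001", "destination": "HOT-WALLET-REFILL-A",
                "amount": "20", "requested_by": "alice"}
if __name__ == "__main__":
    print(review_spend(GOOD_REQUEST, AGREED_CHANNEL, HEALTHY, COSIGNERS, COSIGNERS))
```

A free-form request arriving by e-mail, like the one quoted earlier, fails on both channel and format before any amount is even parsed.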

There are many other things you can do. At the top of my paranoia, I was checking customer support cases to see if there is anything unusual before we spent from our cold storage.

The point is to be vigilant.

The Hot/Warm Storage

Securing your hot wallet is tricky. We already assumed that it can be hacked so what do we do?

Here are a few principles that can be followed:

Keep a minimum amount of funds online: Make sure you have efficient and secure forwarding to cold storage set up.

Separate your warm storage from your exchange system: The hot wallet must be isolated from the exchange. Your exchange app must consume it as a service. This allows you to take extra security measures on your hot wallet that you wouldn’t normally be able to apply on your exchange app.

Prevent single points of failure: If the hot storage is only secured via a private network or a single password, then this is a problem. Make sure to force an attacker to jump through at least 3 obstacles before he can access your hot storage (Secure network, password, physical OTP).

There are so many complexities that you will face while implementing these principles. Here is an example:

A customer sends a very large amount to his deposit address. This will inevitably force you to temporarily hold a large amount of funds in your warm storage. What you can do is monitor these customers and ask them, the next time they intend to make a large deposit, to send directly to a cold storage address that you generate for them. Make sure you have the capability to handle this scenario.

You need to worry about inside jobs. Spend time thinking about what can happen in this regard. Assume nothing. Read the amazing story of the ShapeShift hack.

You need to consider potential attacks from your hosting provider. Learn about their internal procedures. They can surprise you.

Using BitGo

BitGo has been a solid player in the Bitcoin space for a long time and they have obviously built a very secure system. I would advise using their services for the hot/warm wallets only. In terms of holding all or most of your funds there, I don’t think it can match the level of security a well designed multisig cold wallet can provide.

The keys are online. If you can’t secure your own system, then there is little BitGo can do to prevent hacks.

Conclusion

The exchange operators can’t sit on their hands. Security implementations have to be living things; they need to improve all the time as the stakes are getting higher.

I don’t think I covered more than the tip of the iceberg here. But hopefully I was able to help someone somewhere who will secure cryptocurrency for others.

Cryptocurrency exchanges have to get so many things right. Holding and settling funds on behalf of the user, providing payment mechanisms, providing tools & services traditionally provided separately by brokerages and exchanges. These are all distinct areas of specialization.

I believe that in the future, these functions will be divided between different entities and the entity that holds the funds on behalf of others will get security right but will not know much about trading apps. The exchanges will not have to invest too heavily in security and focus on the trading apps. For every entity to be able to afford this specialization, the market needs to grow a lot larger than it is today.