Bitcoin Security

A Best Practices Primer

By Kirk Phillips, CPA, CMA, CFE / September 8, 2015

Bitcoin Exploration

The Bitcoin ecosystem has many different types of platforms such as exchanges, payment service providers, reporting platforms and an array of other supporting services. Every time you create a new account your online profile expands, increasing the risk of a breach of one or all of your accounts. Private keys and passphrases should be managed as securely as possible, and so should login credentials. The following tales are filled with valuable lessons for stepping up your game with digital identity management regardless of whether you’re an individual, microbusiness or a Fortune 1000 company.

Gone Phishing

Paul Boyer, creator of the “Mad Money Machine” podcast on the “Let’s Talk Bitcoin” network, learned a tough lesson recently. Paul happily received donations totaling 3.3875 bitcoins, about $2,000, from loyal listeners until he discovered a zero balance in his wallet at the end of June 2014. He collected donations using a payment service provider normally paying out bitcoins in U.S. dollars on a daily basis, but he never submitted a bitcoin payout address, so the coins just accumulated, awaiting the attention of hackers. That was his first mistake.

It turned out that a creative BitPay look-alike phishing scheme had cleverly disguised an email with a “View Invoice” link requesting the refund of a customer payment. Unfortunately, Paul took the bait by clicking the link and unknowingly handed his password to the hacker who changed the payout address and received 3.3875 bitcoins the following day.

One last mistake: Paul hadn’t activated a security feature for his account known as “2-factor authentication,” which would have prevented hackers from cashing in his bitcoins, even if they had hacked into his computer. Fortunately, 2-factor authentication is becoming more widely used on Bitcoin platforms. After a standard username and password login, a 2-factor box pops up asking for a code generated by a smartphone app such as Authy or Google Authenticator. If hackers obtained your login credentials, they couldn’t log in without your smartphone and the code. The lesson here is to activate every 2-factor authentication available upon setting up a new account—and beware of downloading overhyped free software.

Identity Ransom

Longtime Bitcoin evangelist Roger Ver was attending a conference when friends started messaging their suspicions of a Facebook imposter. Someone hacked into his old Hotmail account using it like a master key to retrieve logins for other accounts. The hacker demanded a 37.6-bitcoin identity ransom worth $20,000 at the time. Roger offered up a 37.6 bitcoin table-turning reward via Facebook and Twitter for info leading to the hacker’s arrest. The viral bounty was too much for the hacker to bear, so he or she quickly bowed down, handed over login credentials and disappeared.

No bitcoins were stolen, but this tale shows how a single email account can be an attack vector or weak point for exposing an entire online digital identity. When the same email is used for all accounts it effectively weaves everything together with a single thread. In addition, the more well-known and the more perceived wealth someone has, the greater the risk for getting attacked.

A Tale of Social Engineering

Bitcoins Reserve CEO Sam Lee and his company were victims of a creative social engineering attack starting with the U.S. Marshals’ public email leak of the Silk Road Bitcoin auction list. Hackers were licking their chops over a juicy list of high rollers handed to them with a white glove.

Sam then got an email from a hacker asking for a media interview and opened a Google Docs link that supposedly contained the interview questions. The link unleashed malware that sucked out all the usernames and passwords from his Chrome browser, leading to control of all the company’s email addresses. The hacker then sent an email from Lee’s account to the CTO requesting a client withdrawal of 100 bitcoins—worth about $65,000. In this case the “client” was actually the hacker and the bitcoins evaporated.

Browser-based password managers are convenient but insecure ways to store passwords. The hackers took over Lee’s entire digital identity but still couldn’t penetrate the company’s securely stored bitcoins. However, it’s hard to defend against a hacker falsely posing as a trusted party, one of the slickest tools in a hacker’s toolbox. “This is a weakness in our internal processes and procedures; it has nothing to do with weaknesses in Bitcoin because frankly Bitcoin so far has none,” says Lee.

Keys to the Kingdom

Androklis Polymenis, a.k.a klee, is an early Bitcoin adopter and NXT stakeholder who recently discovered his $1 million stash of bitcoins and NXT, another cryptocurrency, had vanished. The breakdown likely came from a hacker who found klee’s unencrypted plain text password file sitting in Dropbox, where klee had left it exposed. He responded by putting out a 500-bitcoin bounty, worth nearly $300,000, for return of the stolen crypto and identification of the hacker, who eventually returned 462 of 1,170 bitcoins while keeping the rest as the bounty in exchange for klee calling off the hunt. In the meantime, the NXT community was able to rally together and retrieve some of the stolen NXT tokens.

Although about two-thirds of the cryptocurrency wasn’t recovered, it could easily have been a total loss. The keys to the kingdom were practically sitting on a park bench waiting to be picked up.

It’s a painful lesson highlighting the importance of safeguarding bitcoins and other cryptocurrencies. Armory founder Alan Reiner, a self-proclaimed ultra-paranoid crypto-nerd says, “Holding your own bitcoins is like harnessing fire,” and then adds: “Sometimes the biggest threat to users is themselves.”

Dancing Barcode

Clef’s a 2-factor mobile app that eliminates database storage of usernames and passwords by generating a unique digital signature every few seconds using RSA public key cryptography, with essentially nothing for hackers to steal. Users are blown away by the ease of use when they hold a mobile phone up to a computer screen while the app syncs with a dancing barcode called the wave.

Clef increases registration conversion by 30 percent while eliminating forgotten passwords. In addition, only 15 percent of users set up traditional 2-factor, leaving the other 85 percent exposed to a greater hacking risk. Clef solves the website login problem; however, Bitcoin private keys, passphrases etc. still have to be secured. Websites set up Clef and conversely, end users set up password managers, so Clef can only be used when implemented by the website itself.

Conclusion

Every hack starts with a breakdown by one or more responsible individuals working as part of a large company or just managing their personal affairs. Organizations of every size should follow the golden thread rule of emails, which states that companies should issue one email for communications and at least one email for account login credentials per employee. This separation dramatically reduces the attack surface and gives a higher return on security than any other measure. The cost of an additional email is close to zero, while the benefit of keeping your login email out of the public domain—as a single-use email address does—is priceless. There are many great password managers. LastPass has multiple 2-factor authentication options, with a free version available for individual users and an enterprise-paid version for businesses, with access controls scalable from a microbusiness of one to hundreds of users.

Eventually these types of defense measures used to better secure session-based authentication will be replaced by message-based authentication thanks to the gift of Bitcoin’s blockchain. For example, Tradle.io is transforming identity management by offering banks a KYC network on the blockchain to reduce the number of KYC due diligence checks, while giving bank customers co-ownership of their verified identities, which can be adapted for accessing websites. In the old model, companies stored all their customer usernames and passwords in a centralized database. This one giant attack vector consumed significant resources in a futile effort at constant defense. The new model eliminates the database silo and the millions of dollars used to maintain it. In the meantime, start securing your digital identity and your bitcoins with these seven easy steps and go on more vacations with all the time you save. The average person has 25 logins per day, so one minute of fumbling per login multiplied by 250 working days equals 2.6 wasted weeks per year logging into websites. Enjoy peace of mind on your newfound vacation instead!

Seven Steps to Digital Security

Let’s put some golden security nuggets to use before we end up as another cautionary tale. Best practices for digital identity management are encompassed in the following seven steps.

Step 1: Choose Platform

Select a password management system such as LastPass or Secret Server, create an account, activate two-factor authentication and start adding websites and login credentials. Browser-based password managers should not be used, so just do a Google search for reviews of the best password managers. Businesses should create an enterprise-level account with an admin console for managing users. You are 100 percent responsible for managing your bitcoins, so reducing the risk of compromising your entire online profile starts by managing one account at a time.

Step 2: Add Sites

Once the password manager is set up, you can easily add sites by logging into an account as you normally would. Most systems will prompt you to save the site with a simple click. You can also add sites manually with the URL, site nickname, username and password. If you previously saved all your usernames and passwords in a spreadsheet, adjust the columns to the import format and upload. Easy tutorials are usually available for mastering the setup.

Step 3: Test Sites

Always go back and test-click the site after saving it whether you save sites one by one or import a list. Sometimes little nuances like the login URL or username need to be adjusted. When you create new accounts the URL automatically picked up by the system is often not the login URL, so testing and correcting helps to avoid frustration.

Step 4: Delete the Old List

After you’ve successfully transitioned from a password list it’s time to delete the file. If you set up a password manager and keep your old file then you have not reduced any risk. If you’re among those who have a difficult time parting with the old for fear of losing access to something or wanting to keep it just in case, you can get over the hump by copying your old password list and pasting it into a secure note available in most password managers.

Step 5: Create a Unique Email

Email is the golden thread that weaves your entire digital identity together, and unfortunately, most folks use the same email and the same or similar passwords for all their accounts, including social media, financial accounts and everything in-between.

The critical distinction is understanding how email is used for both communication and account creation. Securing your online identity means that these two roles must be separated by using two different email addresses.

In other words, the email you use for communication should be different from the one you use for new account setup. Create a new second email account without using your own name or a word that could be associated with you. For example, set up an email like (any word)admin@gmail.com or use the random password generator to create an email “prefix” such as 3rxyHk4p98@gmail.com rather than JohnSmith@gmail.com. Then swap the email on each site with the new email the next time you log in. It will be easier to change accounts one by one instead of turning it into a major all-at-once project.

Step 6: Change Passwords

Hackers can simply use brute force to break an easy-to-remember password. Change all of your passwords to a minimum 16-character, hard-to-break random password using the random generator provided within the password management software.

Password resets should be done in conjunction with the new email resets described above. If you can’t remember the password then it’s harder to break. If you use a password manager you no longer have to remember passwords because the system keeps them encrypted.

Step 7: Secure Bitcoin Wallets

Bitcoin-related sites may require special attention beyond standard login credentials. Sometimes a passphrase, a group of random words, is required to access your bitcoins. If you lose the passphrase you lose your bitcoins, period, so it must be handled very carefully.

Some sites don’t have standard login credentials and only require a passphrase. In either case, the passphrase should be saved in the encrypted password field in the password manager. Also consider writing down your passphrases and keeping them in a safe.

There are many other advanced techniques that are beyond the scope of this article, but these strategies are meant to significantly reduce risk for people who would otherwise keep login credentials in a text file, spreadsheet, on scrap paper or in draft emails.
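Steps 5 and 6 both lean on the password manager’s random generator. The following added example (not from the article or any password manager) shows what that generator has to do: draw the login-only email prefix and the 16-character password from the operating system’s cryptographic random source, and quantify why the 16-character minimum matters against brute force. The guess rate of 1e10 per second is an assumed figure for an offline cracking rig, not a number from the article.

```python
import math
import secrets
import string

# Added example for Steps 5 and 6. `secrets` uses the OS CSPRNG; the `random`
# module is predictable and must never be used for credentials.
ALNUM = string.ascii_letters + string.digits          # 62 symbols
PRINTABLE = ALNUM + string.punctuation                # 94 symbols

def random_alias(length: int = 10) -> str:
    """Step 5: a login-only e-mail prefix with no link to your name (e.g. 3rxyHk4p98)."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))

def random_password(length: int = 16) -> str:
    """Step 6: a random password over the full printable set; 16 is the article's minimum."""
    if length < 16:
        raise ValueError("minimum password length is 16 characters")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate
    (1e10/s is a constructed figure, not from the article)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    print("login e-mail prefix:", random_alias())
    print("password:", random_password())
    # An 8-character random password falls in days; 16 characters is out of reach.
    for n in (8, 16):
        bits = entropy_bits(n, len(PRINTABLE))
        print(f"{n} chars: {bits:.0f} bits, ~{years_to_exhaust(bits):.1e} years at 1e10 guesses/s")
```

Human-chosen passwords have far less entropy than this calculation assumes, which is why the article says to let the generator pick them and to let the manager remember them.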

By Kirk Phillips, CPA, CMA, CFE

Kirk Phillips is an entrepreneur, certified public accountant (CPA) and a certified fraud examiner (CFE) who is passionate about technology and the possibilities for Bitcoin to disrupt, decentralize and bring transparency into the business world. Author of the forthcoming book, The Ultimate Bitcoin Business Guide, an inspirational reference for entrepreneurs and SMBs, he weaves risk management into business process outsourcing, crypto-business consulting and education. He can be reached at TheBitcoinCPA@gmail.com.