The Risks of Storing Bitcoin in Digital Wallets
With the astronomical rise in the price of bitcoin in recent years, the ownership of the cryptocurrency has also skyrocketed in tandem. Many leading cryptocurrency exchanges such as Coinbase, Kraken, Binance and Bittrex have been adding more than 100,000 users per day in 2017.
The most common forms of bitcoin storage are online digital wallets created with exchanges that give the users the convenience of depositing and spending bitcoins through the use of a mobile app.
Although they are called ‘wallets’, digital wallets do not technically store bitcoins; rather, they store the public and private keys. The public key is used to create the bitcoin wallet address, which is given out in order to receive bitcoins. This address is like a bank account number.
More importantly, spending bitcoins from a wallet can only be done using the private key. Anyone who has knowledge of a bitcoin owner’s private key can transfer the bitcoins from the owner’s wallet. It is therefore of paramount importance that the private keys of bitcoin wallets be secured properly.
When bitcoin wallets are created with an exchange, the private keys of the wallets are not made known to the users. Instead, the private keys are held by the exchange for the purpose of facilitating the transfer of bitcoins when the users initiate any bitcoin spending requests from their mobile apps. Users must trust the exchange to secure the private keys, but how this is done is not clearly explained to them.
Unfortunately, users only find out about compromised private keys leading to bitcoin loss through news reports of exchanges being hacked.
Here is a list of examples of hacking incidents with exchanges that have caused the loss of millions of dollars’ worth of cryptocurrencies over the past years.
- The Mt Gox Hack: Until Mt Gox declared bankruptcy in 2014, it was the world’s largest cryptocurrency exchange, controlling about 70% of the crypto ecosystem transactions. 850,000 bitcoins, valued at $450 million in February 2014, were lost. About 750,000 bitcoins were deposited by users of the site while Mt Gox owned the remaining 100,000. Investigations have shown that the attack, in which private keys of Mt Gox’s digital wallet were stolen, had occurred as early as September 2011.
- Bitfinex Hack: Considered the second-largest hack in the history of cryptocurrency, the Hong Kong based exchange lost about 120,000 bitcoins worth about $72 million in August 2016. Bitfinex had introduced multi-signature accounts with bitcoin wallet provider BitGo to better secure bitcoins held by the exchange. The arrangement required 2-of-3 keys to sign transactions before funds could be withdrawn from Bitfinex. Bitfinex held two of the keys (one of which was kept offline as a recovery key) while BitGo held one key. Despite such an arrangement, the BitGo software allowed 120,000 bitcoins to be withdrawn from Bitfinex users’ accounts in three hours. Observers noted that the weakness was likely not due to multi-signature as a feature itself but rather how multi-signature was implemented between Bitfinex and BitGo. If two of the three keys were hot, the risk of attackers gaining access to them to “blindly sign” transactions would be as real as if there was only one hot key.
- NiceHash Mining Hack: In December 2017, it was reported that NiceHash, a Slovenia-based mining exchange, had 4,700 bitcoins worth nearly $64 million stolen from its wallet. It led to the resignation of its CEO Marko Kobal. NiceHash had used a single digital wallet to store the company’s bitcoin as well as those belonging to their customers.
- Youbit Hack: South Korean cryptocurrency exchange, Youbit, suffered not one but two hacks in 2017. The first attack in April 2017 saw the theft of 4,000 bitcoins (worth $73 million). A second attack in December 2017 led to a loss of 17 percent of its total assets resulting in the exchange declaring bankruptcy. Following the April attack, Youbit said it would store more cryptocurrency in hard wallets with the apparent intention to keep the digital coins offline. Unfortunately, this also could not prevent the second attack.
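The multi-signature point in the Bitfinex item can be made concrete with a small model, added here as an illustration and not taken from Bitfinex, BitGo or Silver Bullion: it counts how many signatures a single online breach can obtain. The Key fields, the party names "exchange" and "provider" and the three custody layouts are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    name: str
    holder: str             # party that controls the key
    online: bool            # True = "hot", usable by a networked signing service
    cosigns_for: str = ""   # party whose requests this key signs with no checks of its own

def reachable_signatures(keys, breached):
    """Names of keys that will sign once `breached`'s online systems are compromised."""
    usable = set()
    for k in keys:
        if not k.online:
            continue                      # offline key: out of reach of an online breach
        if k.holder == breached or k.cosigns_for == breached:
            usable.add(k.name)            # used directly, or driven through blind co-signing
    return usable

def breach_can_spend(keys, threshold, breached):
    """True if one online breach gathers enough signatures to meet the threshold."""
    return len(reachable_signatures(keys, breached)) >= threshold

# Constructed custody layouts (name, holder, online, cosigns_for).
SINGLE_HOT = [Key("hot", "exchange", True)]                        # 1-of-1
BLIND_2_OF_3 = [Key("hot", "exchange", True),
                Key("recovery", "exchange", False),
                Key("cosigner", "provider", True, "exchange")]     # signs on request
CHECKED_2_OF_3 = [Key("hot", "exchange", True),
                  Key("recovery", "exchange", False),
                  Key("cosigner", "provider", True)]               # applies its own policy

if __name__ == "__main__":
    for label, keys, m in [("1-of-1, one hot key", SINGLE_HOT, 1),
                           ("2-of-3, blind co-signer", BLIND_2_OF_3, 2),
                           ("2-of-3, checking co-signer", CHECKED_2_OF_3, 2)]:
        print(f"{label}: breach of exchange can spend = "
              f"{breach_can_spend(keys, m, 'exchange')}")
```

In this model the 2-of-3 layout with a blind co-signer fails in the same way as the single hot key, while the same 2-of-3 layout holds once the second online signature depends on a check the breached party cannot drive.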
A New Way to Store Cryptocurrency For The Long Term
Turning to non-digital storage for private keys is not necessarily the answer either. Today, private keys or mnemonic phrases can be written or printed on paper. While this allows the wallet to be offline, it also introduces the risk of the paper wallet being stolen or lost. For long term storage, paper wallets are not ideal given the possibility of decay of the paper or potential degradation of the ink used to print the private key. If a paper wallet can no longer be read, the cryptocurrency wealth in the wallet is permanently lost.
Silver Bullion, a Singapore-based wealth protection company, is pioneering a new way to store cryptocurrency wealth securely for the long term. It released a white paper in December 2017 detailing the Gregersen-Gono Standard and its implementation for Silver Bullion’s CryptoSafe Storage solution.
No Digital Storage = No Digital Theft
As we have seen, digital theft of private keys appears to be the common reason behind the security breaches at major cryptocurrency exchanges. Attackers have been able to surreptitiously access crypto private keys as long as they are stored digitally.
In their bid to make cryptocurrency transactions convenient for their users, exchanges often have to store private keys on their servers for the ease of signing millions of transactions. Unfortunately, this pits the security of the exchanges against the skill of potential hackers. So far, the latter have managed to outsmart the security of several exchanges whilst remaining anonymous.
Silver Bullion’s CryptoSafe Storage secures private keys as encrypted QR codes in a non-digital medium. These encrypted QR codes are etched by laser onto durable polycarbonate cards for storage in our Class II gold vault within The Safe House. With no digital trace of the private keys, there can be no possibility of digital theft.
2.5 ton door to the silver vault at The Safe House.
Card Encryption = No Physical Theft
When it comes to private keys, it is true that anyone who can see them can steal them. This is a risk common to paper wallets and the mnemonic phrases of hardware wallets.
Silver Bullion’s CryptoSafe Storage solution encrypts private keys immediately after they are created and uses a laser to etch the encrypted private keys as QR codes on physical cards, making them indecipherable.
The encryption ensures internal security and makes stealing of the cards themselves useless. The encrypted private keys can only be decrypted by the vault’s offline software which requires active multi-party authorization from independent functional groups within Silver Bullion.
Bitcoin private keys are encrypted into QR codes which are indecipherable.
Durable Storage Medium = No Private Key Degradation
Private keys are encrypted into QR codes that are laser etched with precision onto durable polycarbonate cards. The quality of the laser etching is extremely high as QR codes etched on cards have been tested to be resistant to even forceful scratching. As the etching is not ink-based, there is no chance for any ink degradation or smear over time.
In addition, the use of polycarbonate cards, a material also used in the manufacture of bullet-resistant panels, ensures that encrypted private keys can be securely stored for long periods of time. Cards are stored in their own miniboxes with uniquely identifiable one-time metal seals. Silver Bullion’s CryptoSafe Storage method addresses the possibility of decay with paper wallets and the reliability issues with digital storage on hard disks and flash drives.
Laser etching encrypted Bitcoin private key onto polycarbonate card at The Safe House.
Private Key Redundancy = No Private Key Loss
As a precautionary measure in the unlikely event that the primary customer card is damaged or lost, each encrypted private key is also laser etched onto a separate recovery card which is stored in a different secure location away from Silver Bullion’s vault.
The recovery card’s private key is encrypted with a different encryption (RSA-2048) from the primary customer card (AES-256). As an additional security measure, the decryption process used for the primary customer card cannot be used to decrypt the recovery card.
The decryption process for the recovery card requires, among other security measures, access to a key card which is stored in a third party Safe Deposit Box. The provision of the recovery card ensures that private keys are not lost.
Each encrypted private key has a primary customer card and a recovery card.
Visual Verification = No Impersonation of Identity
Any changes to critical information on customers’ accounts will require visual verification by Silver Bullion staff. This is done either with the customer present in person in the office or using video conference to verify the identities of customers requesting any change of critical information.
This ensures that customers’ accounts are secure and prevents potential attackers from changing critical customer information for the purpose of impersonating their identity.
Staff verifying customer's identity through a video call.
Succession Management = No Wealth Loss Beyond Death
Silver Bullion’s CryptoSafe Storage also allows crypto owners to bequeath bitcoin wealth to their loved ones should something unfortunate happen leading to their demise. Silver Bullion have processes in place, from their years of experience in securing customers’ precious metals, to ensure a smooth transition of assets to estate administrators.
The acceptance of cryptocurrencies as a store of value will continue to gain traction around the world. Bitcoin owners would need to assess for themselves the safest way to store large amounts of crypto wealth for the long term. Someone storing $1,000,000 in crypto for the long term is likely to prioritize security beyond self-management of private keys. Silver Bullion’s Physical Crypto Storage can be the ideal crypto storage solution for them.
The details of Silver Bullion’s Physical Crypto Storage can be found in the white paper here: https://www.silverbullion.com.sg/Articles/Detail/Physical-Crypto-Storage-Coming-Soon/2266