Topic: Old Fashioned Bank Heist: are the Exchanges Protected?
crazy_rabbit (OP)
September 13, 2012, 11:19:52 AM
 #1

It occurred to me that with all the exchange "hacks" at some point (already for Gox) someone will probably try robbing the exchanges the old fashioned way: Ski masks and guns.

What is to stop criminals from physically stealing money from the accounts: show up at the back office with guns and force the admins to transfer funds to their own accounts?


greyhawk
September 13, 2012, 11:22:26 AM
 #2

> What is to stop criminals from physically stealing money from the accounts: show up at the back office with guns and force the admins to transfer funds to their own accounts?

The fact that there is no back office but instead only a po box registered through a proxy agent.
caveden
September 13, 2012, 11:36:00 AM
 #3

Sick, criminal people could do even worse things.
Everybody knows who's the owner of MtGox for example. Does he have a family? If he has, they can be kidnapped...

That's another reason to use multi-signature. If the criminals know that the ewallet operators are not capable of spending the money they store without the express consent of their customers, then what's the point in trying to coerce such ewallet operators?

If I controlled a BTC wallet worth millions, and that was a public fact, I'd be very concerned with my personal safety.
dree12
September 13, 2012, 12:07:52 PM
 #4

> It occurred to me that with all the exchange "hacks" at some point (already for Gox) someone will probably try robbing the exchanges the old fashioned way: Ski masks and guns.
>
> What is to stop criminals from physically stealing money from the accounts: show up at the back office with guns and force the admins to transfer funds to their own accounts?

Considering the lack of encrypted wallets (and when there, passwords stored in plaintext), the hot wallet can easily be stolen by barging into the server room. If it's hosted, it can be stolen by some disgruntled employee of the networking team just as easily. This "physical theft" is dangerous stuff, and will guarantee the loss of at least the hot wallet (multisig will still fail once all the servers are physically stolen).
Remember remember the 5th of November
September 13, 2012, 12:15:43 PM
 #5

Interesting discussion. Valid points, too.

FreeMoney
September 13, 2012, 02:25:59 PM
 #6

>> It occurred to me that with all the exchange "hacks" at some point (already for Gox) someone will probably try robbing the exchanges the old fashioned way: Ski masks and guns.
>>
>> What is to stop criminals from physically stealing money from the accounts: show up at the back office with guns and force the admins to transfer funds to their own accounts?
>
> Considering the lack of encrypted wallets (and when there, passwords stored in plaintext), the hot wallet can easily be stolen by barging into the server room. If it's hosted, it can be stolen by some disgruntled employee of the networking team just as easily. This "physical theft" is dangerous stuff, and will guarantee the loss of at least the hot wallet (multisig will still fail once all the servers are physically stolen).

It might be hard to get 8 servers in different parts of the world even if each was relatively insecure. Possibly not so hard to trick them into signing unless the system was well designed.

caveden
September 13, 2012, 03:28:06 PM
 #7

> This "physical theft" is dangerous stuff, and will guarantee the loss of at least the hot wallet (multisig will still fail once all the servers are physically stolen).

Multisig won't fail if the other party necessary for the signature are the customers. I think we can safely rule out the possibility of attacking every single customer.
caveden
September 13, 2012, 03:30:19 PM
 #8

> It might be hard to get 8 servers in different parts of the world even if each was relatively insecure. Possibly not so hard to trick them into signing unless the system was well designed.

The attacker doesn't need to get physical access to all servers. As long as someone has legit access to all servers, the attacker may just force this person to give him the money.
beckspace
September 13, 2012, 03:48:52 PM
 #9

They should be protected like banks. With security guards and/or time-lock virtual vaults. They're operating with real money (Bitcoins) and not just digital representation of money (fiat in exchanges).
paulie_w
September 13, 2012, 04:16:00 PM
 #10

this post highlights the single most concerning thing for me about bitcoin, even being its biggest possible supporter: robberies will be irreversible in nearly all circumstances.
Capital One Corporation
September 13, 2012, 06:01:45 PM
 #11

What if the only one who knows about the private key is dead in the air crash? Then all the coins will be lost.
So we have to let many people have access to the private key. If one person is dead in a disaster, the other ones will be able to release the coins. Again, we have to trust people, right?
mark_logan
September 13, 2012, 06:08:39 PM
 #12

This topic reminds me of this comic:
http://xkcd.com/538/

DeathAndTaxes
September 13, 2012, 06:29:09 PM
Last edit: September 13, 2012, 06:45:48 PM by DeathAndTaxes
 #13

The same way you protect physical money, precious metals, diamonds, jewelry, etc.

First 90% to 95% should be in a cold wallet. Depending on business needs 50%+ could be in a "cold cold" wallet which isn't even located on site. You don't need multi-sig in the protocol to split a private key. There are offline techniques to split a secret so that it requires m of n sub-keys. Designate one employee the trustee of each sub-key, and encrypt it with GPG public. Then you have lots of options for securing the pieces to prevent rapid physical access. Time lock safes (you know the real ones TL-6x30 rated, glass relocker, duress code, silent alarm, etc), safety deposit boxes in a nearby bank, a branch office located on another continent are all methods to make a "smash and grab" type robbery simply impossible.

The rest of cold funds should probably be off line but in a semi-available method.  Something like a cold wallet laptop in a time lock safe which requires 2 managers keys/codes.  

Protecting the hot wallet from a physical attack may be more difficult but it should be a dedicated physically hardened server. Yes they make server chassis which are essentially burglary safes. Making the hot wallet deterministic and in-memory only would allow the hot wallet to be wiped. The seed should not be immediately available during normal operations. Then it really becomes how paranoid are you. Rig the server to write over the hot wallet in memory when an attack is detected. Site alarm system, panic button, duress code on the chassis, failure to receive heartbeat from the network could all be signals to wipe the server. Hell if you want to get crazy put a GPS on the server so if the attackers connected it to a battery, faked the heartbeat signal, and attempted to remove the entire server once it got more than x meters from the site it would clear and crash anyways.

In the event that attackers gain control of the site but can't directly steal the private keys the key server should have preset "rules" which limit coinflow.  It could operate in delayed signing mode for large tx, have tx qty and BTC qty limiter.  An example would be a set of rules that limit total tx per hour to 400 or less, total BTC per hour to 5,000 or less, and any single tx larger than 1,000 BTC will be delayed 60 minutes.

It all depends on how much you are willing to spend.  If you had the resources of even the smallest credit union or precious metal wholesaler you could turn an exchange into a fortress (class A building, armored doors, biometrics, armed security, close caption monitoring, panic shutdown system, datacenter vault, vehicle barriers, security lockouts, independent electrical power, etc).
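
The coin-flow rules from the post above (at most 400 tx per hour, at most 5,000 BTC per hour, any single tx larger than 1,000 BTC delayed 60 minutes), sketched as an added example that is not part of the original post or any exchange's code. The `SigningPolicy` class, the sliding one-hour window, and charging delayed transactions against the budget at request time are assumptions.

```python
from collections import deque
from decimal import Decimal

HOUR = 3600  # seconds


class SigningPolicy:
    """Hypothetical gate in front of a hot-wallet signer (not a real API)."""

    def __init__(self, max_tx=400, max_btc="5000", delay_over="1000", delay=HOUR):
        self.max_tx = max_tx                    # total tx per hour
        self.max_btc = Decimal(max_btc)         # total BTC per hour
        self.delay_over = Decimal(delay_over)   # single-tx size that triggers a delay
        self.delay = delay                      # 60 minutes, in seconds
        self.window = deque()                   # (timestamp, amount) accepted in last hour

    def request(self, amount, now):
        """Return ("sign", release_time) or ("reject", reason)."""
        amount = Decimal(amount)
        if amount <= 0:
            return ("reject", "invalid amount")
        # Drop entries older than one hour from the sliding window.
        while self.window and self.window[0][0] <= now - HOUR:
            self.window.popleft()
        if len(self.window) >= self.max_tx:
            return ("reject", "tx count limit")
        if sum(a for _, a in self.window) + amount > self.max_btc:
            return ("reject", "BTC volume limit")
        # Assumption: a delayed tx consumes budget when accepted, so whoever
        # controls the site cannot queue many large transfers for later release.
        self.window.append((now, amount))
        release = now + self.delay if amount > self.delay_over else now
        return ("sign", release)


def replay(requests):
    """Run constructed (timestamp, amount) requests through a fresh policy."""
    policy = SigningPolicy()
    return [policy.request(amount, ts) for ts, amount in requests]


# Constructed sample: withdrawal requests arriving at a key server under duress.
SAMPLE = [(0, "1500"), (10, "1000"), (20, "2500"), (30, "1"), (3600, "1500")]

if __name__ == "__main__":
    for (ts, amount), result in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={ts:>4}s  {amount:>5} BTC -> {result}")
```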
bpd
September 14, 2012, 07:04:41 AM
 #14

Bitcoin's ability to be sent instantly at a distance is simultaneously what makes it a far better payment mechanism than gold, and what makes it so much harder to secure than gold.

Imagine if it were possible to remotely teleport into a gold vault and quickly teleport the gold to an unknown location halfway across the world. Storing gold would have to be approached quite differently. For instance, it would probably no longer be optimal to build 1 giant super secure vault and put all the gold there.
Aseras
September 14, 2012, 01:50:02 PM
 #15

Let's not talk smash and grab. What about the newer trend of kidnap a family member or wife, or even the person themselves and force the turnover of the wallet or private keys or a transaction for their release.

This is much more likely, especially as the value climbs.

It's also much "safer" than a typical kidnapping extortion as no one has to make a pickup of the cash or whatever. They simply verify it via the blockchain from anywhere and tell you where they stashed the person or body.
DeathAndTaxes
September 14, 2012, 03:03:55 PM
 #16

> Let's not talk smash and grab. What about the newer trend of kidnap a family member or wife, or even the person themselves and force the turnover of the wallet or private keys or a transaction for their release.
>
> This is much more likely, especially as the value climbs.
>
> It's also much "safer" than a typical kidnapping extortion as no one has to make a pickup of the cash or whatever. They simply verify it via the blockchain from anywhere and tell you where they stashed the person or body.

That isn't limited to exchanges though. Why kidnap the family member of an exchange operator? He/she may not even have access to the full value of wallet(s). It would essentially be theft/embezzlement by the operator. As exchanges get large enough hopefully they will adopt policies and procedures that make that impossible. I mean if an operator can steal client funds to pay a kidnapper they can just as easily steal client funds to start a new life in the Caribbean. :)

The method of payment shouldn't change the target of kidnappers. The target of kidnapping paid in BTC are probably going to be the same as the targets of kidnapping paid in USD. Any rich person can acquire enough BTC to pay a ransom. Bank managers tend not to be targeted for ransom specifically because "their" bank holds a lot of cash. Kidnappers are looking to add complications. Find someone rich, take their loved one, get paid (in USD, Gold or BTC).

I do agree that Bitcoin (sadly) has certain properties which make it ideal for paying a kidnapping (or shipping piracy).  I expect it is only a matter of time before that headline is on every news site in the world.
hashman
September 14, 2012, 04:52:25 PM
 #17

Good points.

It's not all doom and gloom however.

These problems mean that when an operation gets too big, cold wallets get too large, it presents a target (from the outside and the inside).  Such operations will have trouble getting new customers to leave funds there as customers are wary of this risk.  Thus, these bugs with bitcoin (too much like a suitcase of money) are really another feature: to encourage a healthy ecosystem with many players and nobody getting too large. 

Sadly we are also going to see a lot of people getting suckered by spam extortion.

BTW I will destroy the entire bitcoin network unless there are 100 coins at this address by noon tomorrow:
1dontbeasucker123456789 

Dansker
Hero Member
*****
Offline Offline

Activity: 740
Merit: 500


Hello world!


View Profile
September 14, 2012, 04:59:32 PM
 #18

This once again highlights that bitcoin is PART of the real world, and not some sort of alternate universe.

Just like the CEO of a bank is not just sitting on a pile of cash in his own house, so shouldn't exchanges.

Besides applying security in various forms, the exchanges also need to be insured against theft and the like.

paulie_w
September 14, 2012, 08:13:13 PM
 #19

you know what guys?

if anything, this proves to me that Bitcoin needs _MORE_ anonymity support and features.
The_Duke
September 15, 2012, 01:51:44 PM
 #20

> Good points.
>
> It's not all doom and gloom however.
>
> These problems mean that when an operation gets too big, cold wallets get too large, it presents a target (from the outside and the inside). Such operations will have trouble getting new customers to leave funds there as customers are wary of this risk.


Aahahaha! Bitcoin users being wary of risks!? Really? :D :D :D :D
I think you'd do really well in all of the Pirate / MNW / Ponzi topics. You'll see how aware the average bitcoin user is of risks...
