Thoughts on the compromise of Casascius coin holograms

[nubbins]

As reported by Mike Caldwell (http://casascius.wordpress.com/2013/08/04/defcon-21-successful-compromise-of-the-hologram-reported/), the hologram on Casascius physical bitcoins was compromised a few days ago by security researchers at DefCon 21.

While I've seen many people react to this news with dismay that their coins have lost all resale value, I'd like to offer a differing opinion, in the hopes of getting a discussion going.

Let's use the 1oz / 1 BTC silver round as an example.

Currently, this coin can be bought directly from Casascius for BTC2.5. Since the face value is BTC1, one could make the assumption that the rest of the coin (the silver round itself, plus the intact hologram) has a nominal value of BTC1.5.

Redeeming the face value of the coin by removing the hologram would destroy the BTC1.5 nominal value of the coin, as collectors don't want to purchase coins that are no longer in mint condition. It's not hard to imagine that the removal of (or visible tampering with) the hologram would cause a steep decrease in the nominal value of the coin: say, from BTC1.5 to BTC0.5 (essentially, spot price of silver plus a premium for the scarcity of the rounds).

I can think of only three reasons for removal or tampering of the hologram:

(1) curiosity (some people want to know what it looks like underneath),
(2) honest redemption (some people may wish to spend the BTC contained within), and
(3) fraud (some people may wish to redeem the BTC and then resell the coin as if it were intact).

For the purposes of the argument, we're really only interested in (3). Situations (1) and (2) would result in a visibly tampered (most likely fully removed) hologram.

Situation (3) is a more interesting situation, in that it's impossible to know when purchasing a coin from a third party whether or not they possess the private key -- that is, until you check the balance and find that it's been transferred to another address.

Now, a coin which has been successfully tampered with (i.e. no evidence of tampering is present) still retains a nominal value of BTC1.5, even without the added BTC1 face value.

Given that the holograms will likely be given an upgrade in the near future, the value of existing coins as collectibles will likely increase; but by how much?

For numismatic purposes, a successful, no-evidence tamper would not result in any decrease in value from a non-tampered, unredeemed coin; or would it?

I'm much less worried about this situation than I originally was, but I'd still love to get the opinions of other people on the subject.

Thoughts?

[1714134804]

1714134804

[1714134804]

1714134804

[1714134804]

1714134804

[nubbins]

It definitely makes it tough to resell the coin without subtracting the face value from the price -- once you start having to trust two people (casascius as well as the reseller), there's no way of knowing which party to blame if a coin gets defunded. The trust problem also grows each time the coin changes hands.

It's too bad the coins couldn't remain unfunded and have the face value returned to the purchaser; the problem with this scenario is that you'd then have a bunch of unfunded coins floating around alongside the funded ones, which makes all of them fall under suspicion.

EDIT: I just realized that NONE of the 2013 silver rounds are funded yet -- or at least, I don't think so. If all of the silver rounds remained unfunded, the original purchasers could receive a refund for the face value of the coins. Word would spread quickly that all of the 2013 silvers are unfunded, and any future buyers would be aware of this when the coins are resold in the future.

Seems like a win-win situation...?

[Chainsaw]

I am suddenly soooooooo thankful I got mine graded and hard-cased (ANACS) months before this exploit was discovered.
It seems to me that we've just further split the already-rare, collectible Casascius coins into two camps - potentially compromised and almost-certainly-uncompromised.

Short of the already-graded coins (alongside documentation of date-of-grading, preceding this exploit)...I cannot think of any outstanding coins whose legitimacy would not rely in part on the trust of the integrity of the seller.

I was holding onto these tight before this news broke. Now...the phrase cold, dead hands springs to mind :-P

[nubbins]

I am suddenly soooooooo thankful I got mine graded and hard-cased (ANACS) months before this exploit was discovered.

Emphasis mine. I think you mean "before this exploit was published".

Who's to say that you didn't discover a similar exploit, weeks or months before you got your coins graded and hard-cased? 

[casascius]

I have much more faith in humanity than to consider my product broken.  Sure, the world is full of bad guys, but the idea of trust going out of style I think is a bit overrated.  Someone saying "all Casascius coins should be considered compromised" should also never shop in a grocery store or eat in a restaurant, as there's a similar possibility that someone poisoned all the food.

My product is primarily an educational tool, a proof of concept.  The possibility of it being physically compromised has always been assumed to be present, just look at the terms and conditions I have you agree to when you order.  Casascius Coins weren't created to be tamper-proof money - if that's what you need, the best physical bitcoin you can get for the purpose is the paper wallet you print offline by yourself.  What a Casascius Coin is, I trust that most people still understand it is what it is.  Further, there is no such thing as a truly physically secure tamper evident product, period.  The laser rim on the silver coin that was undefeated at DefCon will be defeated if the dude who did it has unlimited more chances to try and refine his attack.  Proper perspective is key.

A lot of people who have bought my coins have taken me up on my offer to PGP-sign a statement acknowledging that they are the original purchaser of their coins.  This way they can convey to a secondary buyer that they are the only people who have handled the coins.  (I say taken me up, while acknowledging I haven't delivered more than a few by hand, due to how many I'd need to produce; I'm thinking of producing these PGP-signed acknowledgments in a sort of automated batch with a script, and then manually taking care of those who believe my automated acknowledgment doesn't meet their needs).

With respect to the idea of me refunding 1BTC instead of funding the coins... I don't believe that's what the buyers want.  They want the intact coin with the bitcoin loaded as promised when they bought it.  If they want the bitcoin off of it with the coin intact, they can try and "compromise" it themselves... if they can.

Regarding grading... there's a subjective nature to it.  A person submitting a coin for grading who also happens to be in possession of a PGP-signed message from me confirming they were the original buyer is going to pass outside analysis better than joe blow.  Or on the other hand, the graders may throw up their hands and say we're not messing with this, making those graded ones that much more unique.

[Littleshop]

I am suddenly soooooooo thankful I got mine graded and hard-cased (ANACS) months before this exploit was discovered.
It seems to me that we've just further split the already-rare, collectible Casascius coins into two camps - potentially compromised and almost-certainly-uncompromised.

Short of the already-graded coins (alongside documentation of date-of-grading, preceding this exploit)...I cannot think of any outstanding coins whose legitimacy would not rely in part on the trust of the integrity of the seller.

I was holding onto these tight before this news broke. Now...the phrase cold, dead hands springs to mind :-P

Am I missing something?   Why would grading them stop the exploiting?  If you exploited them they would still look the same.   The chemicals they use do not change the grade or look of the metal.

[nubbins]

I have much more faith in humanity than to consider my product broken.  Sure, the world is full of bad guys, but the idea of trust going out of style I think is a bit overrated.  Someone saying "all Casascius coins should be considered compromised" should also never shop in a grocery store or eat in a restaurant, as there's a similar possibility that someone poisoned all the food.

True, although there's much less motivation to poison food as there is to get free money.

With respect to the idea of me refunding 1BTC instead of funding the coins... I don't believe that's what the buyers want.  They want the intact coin with the bitcoin loaded as promised when they bought it.  If they want the bitcoin off of it with the coin intact, they can try and "compromise" it themselves... if they can.

Personally, if I was buying a coin from a reseller, I'd rather buy an unfunded silver round for 1.5 BTC than a possibly funded one for 2.5 BTC, but you may be correct in believing me to be in the minority. To make such a drastic move would require complete consensus, which I don't think would be possible to achieve.

Regarding grading... there's a subjective nature to it.  A person submitting a coin for grading who also happens to be in possession of a PGP-signed message from me confirming they were the original buyer is going to pass outside analysis better than joe blow.  Or on the other hand, the graders may throw up their hands and say we're not messing with this, making those graded ones that much more unique.

I fully agree, and I think the PGP-signed messages are a good idea. Would many graders have the know-how to verify such a message, I wonder? I can see many balking at the idea.

Just to be clear, I'm still very pleased with my purchase. This being my first silver buy, I was shocked at the size and heft of the 1oz rounds!

[Chainsaw]

EDIT: This was originally a long post trying to clarify I was talking about my assumed impact to the collectible aftermarket, and not the coins in general.  But I since read that formally speaking, this was not an exploit, as the tampering was evident.  Now, I used 'exploit' all over in that post, and re-writing it to be appropriate would have mangled it.  The last thing I want to do is mislead people or create confusion, especially around a product with such great support.

(see http://casascius.wordpress.com/2013/08/04/def-con-21-preliminary-results-from-sunday/ for a great example of this.)

Thanks for your tireless support and advancement of Bitcoin, Mike.

[TheSwede75]

Everyone just needs to chill out. If a coin is TRULY untouched and mint, a buyer can just request very high res images and even the most careful tampering risks leaving 'some' mark. All this really does is make the true mint condition high value coins and 2-fac bars more valuable.

Also, everything mentioned in the hack can be thwarted by the manufacturer for example adding a thin layer of epoxy or liquid plastic to new coins sold, making it virtually impossible to 'crack' with any solution combination.

[MWNinja]

The laser cut edge on the holograms for the silver coins is incredibly fragile, I suspect the exploit method would leave noticeable evidence.

On the flip-side, there are plenty of imperfections in the laser cut edge as well which could make it easier to conceal the tampering,  so we won't know for sure until somebody tries.

[casascius]

On the flip-side, there are plenty of imperfections in the laser cut edge as well which could make it easier to conceal the tampering,  so we won't know for sure until somebody tries.

This will get better when my coins fit the stickers better.  Either new stickers at a smaller diameter, or coins without the little cross hatches.

When I place the sticker, the cross hatches curl the sticker up.  The laser obliterates the contact point, but the curled portion doesn't reliably settle on to the coin.

If I decide on lasering as a permanent thing I do to all the coins, stickers that properly fit the coins won't be so delicate.

[casascius]

Would many graders have the know-how to verify such a message, I wonder? I can see many balking at the idea.

I can also digitally sign PDF, which Adobe Acrobat will recognize and validate without any hassle to the user.  May come in handy.  Though it's a paid hardware signing module that is not really that suitable for signing batches of documents in bulk, it remains an option for one-off requests.

[nubbins]

Would many graders have the know-how to verify such a message, I wonder? I can see many balking at the idea.

I can also digitally sign PDF, which Adobe Acrobat will recognize and validate without any hassle to the user.  May come in handy.  Though it's a paid hardware signing module that is not really that suitable for signing batches of documents in bulk, it remains an option for one-off requests.

I'm not too familiar with PDF signing, but that sounds like it would be more accessible to non-technical people. Would it be too much of a reach to generate a PGP-signed message and have that placed into a signed PDF?

I'd be more than happy with one signed document per roll, listing the coins contained therein. I can envision silkscreening some nice certificates of authenticity with the PGP-signed messages, reminiscent of old 19th century bearer bonds

Given that the final count of 0.5s with series 2 holograms is apparently only 45(!), I'm quite eager to get the "stamp of approval" on them!

[casascius]

I'm not too familiar with PDF signing, but that sounds like it would be more accessible to non-technical people. Would it be too much of a reach to generate a PGP-signed message and have that placed into a signed PDF?

It would be easy to do but hard for the user to verify, only because when you copy text from PDF to the clipboard, how it looks when you paste it is a crapshoot, and it must be perfect to verify properly.  But I could secondarily PGP-sign the entire (Adobe-signed) PDF file as a binary (creating a separate signature file that GPG recognizes)

Signing PDFs also allows for easy signing of the embedded photos.  I have scanned all of the silver coins and most of the recent brass coins.

[nubbins]

I'm not too familiar with PDF signing, but that sounds like it would be more accessible to non-technical people. Would it be too much of a reach to generate a PGP-signed message and have that placed into a signed PDF?

It would be easy to do but hard for the user to verify, only because when you copy text from PDF to the clipboard, how it looks when you paste it is a crapshoot, and it must be perfect to verify properly.  But I could secondarily PGP-sign the entire (Adobe-signed) PDF file as a binary (creating a separate signature file that GPG recognizes)

Signing PDFs also allows for easy signing of the embedded photos.  I have scanned all of the silver coins and most of the recent brass coins.

Secondary PGP-signing of the PDF would be great! The pictures are a great addition, as well, as they would clearly show the old holograms.

[niko]

Back in May I was able to remove and re-apply holographic stickers from a paper wallet, as mentioned here:
https://bitcointalk.org/index.php?topic=169836.msg2031469#msg2031469

Perhaps naively, I viewed my hack (similarly based on a particular solvent) as trivial, and convinced myself that Casascius coins must have been tested against this vulnerability.

Euro and dollar bills are similarly compromised by counterfeiting. The difference today is in the threat of ugly and violent consequences for the perpetrators. Not that I am implying Mike should take action, but...

As pointed out above, if chain of custody can be ascertained with sufficient trust, old Casascius coins are still functional.

[johnniewalker]

Being a numismatist, it is VERY easy to recognize a fake coin. The same would apply here. Casascius was smart enough to plan ahead-his coins (like the laser-cut holograms) have distinct features.

Also, I don't know if I'm missing something, but what about just confirming via FirstBits?

[Chainsaw]

Johnnie,

with sellers potentially having the means to discover the inner code, one could:
-Extract and record that information
-Sell the coin with the bits intact
-Redeem the coin's Bitcoins, after having sold the coin

Buyers will not purchase a coin just to instantly redeem it, so they could pull that trigger minutes, or months afterwards.

The tampering is evident, so one can still buy safely. It just requires more work, and my guess is that for those coins in a 'vulnerable' state, this will lead to a decrease in demand (because it is more of a pain to obtain them), and this will result in a decrease in premiums obtained for those coins.  I further speculate that those would-be-buyers are more likely to find an equivalent buy, than to give up and buy nothing.  If I were still looking to obtain more of the rare, collectible coins, I would shop exclusively from:
-Sellers, with an established web of trust, asserting a chain of custody through only trusted sellers.
-Coins sealed (ANACS graded) prior to known tamper-evident-trick.
-Coins graded post-tamper-trick, calling out the authenticity of the coin.

The first means that each sale will make the subsequent resale harder, as the custodial chain becomes longer.
The second is a pretty tiny club (of which I believe you are a fellow member, Mr. Walker!)
The third will first require ANACS to be educated on how to identify the tampering/exploit. This is not a guarantee, but given my conversations with them around the Casacius error, I think they'll be amenable to this.

So I see this being non-impactful to the majority of the coins out there, I do anticipate this will have effects on the higher end collectible market.  Guess we'll see!

[polrpaul]

Don't use physical BTC - that was never the intention..   

[BitPappa]

I think the publicized hack adds uncertainty to a buyer's mind. So I would think the average price (in BTC) of resold coins will creep down a bit, more so with the coins that show the least evidence of tampering. It will be interesting to see.

I am attracted to Casascius coins as a longterm collectible, and as a very cool physical embodiment of the idea of Bitcoin. I don't plan on selling the couple I own, at least not in the near future. But if I were sitting on a lot of coins with the intention of selling them, I would not be happy about an additional perceived risk in the minds of buyers that the coins could be drained of value after they were purchased.

Another concern I have for the coins is that someone will simply create great duplicates of the holographic stickers. If people can counterfeit governmental currencies, I assume they can counterfeit one of these stickers.