Bitcoin Forum
Author Topic: Suggestions for improved security  (Read 1241 times)
ebliever (OP)
Legendary
Activity: 1708
Merit: 1035
March 04, 2014, 07:21:15 PM
#1

Disclaimer: I'm not a software security professional or anything near to it. I am a quality engineer for safety-critical products, and fairly alarmed at the continuing flow of news about hacks going on in the bitcoin/altcoin world. This has to be brought under control for cryptocurrency to continue to grow! While not an expert, I do have some suggestions that it looks pretty clear would have prevented some of the latest hacks if they had been observed. So here's my advice, hopefully it enters circulation and does some good.

PROBLEM STATEMENT:
Exchanges and online wallet services are frequently reported as being hacked and losing large amounts of Bitcoin due to increasingly intense hacker attacks.
Mt. Gox, Poloniex, Flexcoin, etc.

OBSERVATIONS:
The most "professional" sites (Coinbase, BTC China, Bitstamp, etc.) have not publicized recent problems - are they hiding losses or are they more robust?
Evidence suggests many of the smaller outfits mean well, but are putting sites online that have not been SYSTEMATICALLY tested against hacking.
Meanwhile, the hackers DO systematically test for security holes.
If your site has a flaw, safe to assume it WILL be exploited - I keep hearing things that sound much too lackadaisical from site operators. Security should be #1 priority and fundamental because all other effort is wasted without it!

SUGGESTED CORRECTIVE ACTIONS:
1. Website owners should recognize they are absolutely responsible for the funds entrusted to them, and that hackers WILL target them.
2. Site owners should be strongly encouraged to obtain insurance to protect against the risk of hacking - not by government, but by the customer base!
   Sites should advertise their guarantees based on their insurance, just as US banks have FDIC protection. Consumers: support those sites rather than uninsured sites.
3. The insurance industry should be encouraged to develop products to serve cryptocurrency sites in support of #2.
4. Website functions should be diagrammed out and broken down into steps during the design stage.
5. An FMEA (failure mode effects analysis) approach should be taken to identify EVERY risk and identify countermeasures for each item during the design stage.
6. During trial of the website (prior to customer use!) each countermeasure should be VERIFIED with fault-injection testing - prove the countermeasure works and is robust.
7. Employ teams (either of employees or trusted contractors) whose job is to target the website and breach security. Should cover ALL aspects of the customer interface (and insider risks) and potential vulnerabilities.
8. Don't just focus on theft but on all risks such as accidental loss as well. For example, the system should be built so that no conceivable combination of power outages, printer errors, human error, electrical fire, lost paperwork, spilled coffee, etc. can result in lost keys or loss of cold storage security.
9. I encourage site owners to work together and with law enforcement on techniques to entrap and identify hackers. (Bait and sting operations, advertise mixing services actually run by law enforcement, etc.)
10. When some bitcoin hackers are caught, stage very public executions as a warning to others. Just kidding. I think.


My 2 Satoshis,
Ebliever

Luke 12:15-21

Ephesians 2:8-9
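Items 5 and 6 above (an FMEA register at design time, then fault-injection verification of each countermeasure before customers arrive) can be turned into a repeatable check. The following is an added example and not code from the thread or from any exchange named in it: it models a hypothetical withdrawal flow with four assumed failure modes and countermeasures (non-positive amounts, replayed requests, overdraft, hot-wallet outflow cap), then injects each failure and marks the countermeasure verified only if the attempt is rejected and ledger state is unchanged. All names, thresholds and balances are constructed for illustration.

```python
# Added example, not code from the thread: an FMEA-style failure-mode register
# for a hypothetical exchange withdrawal flow, plus fault-injection checks that
# each listed countermeasure rejects its failure mode without touching state.
# Every step, threshold and name here is an assumption made for illustration.
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class FailureMode:
    step: str            # where in the flow the failure occurs
    failure: str         # what goes wrong
    effect: str          # consequence if unmitigated
    countermeasure: str  # control that should stop it (key into FAULTS below)
    severity: int        # 1 (nuisance) .. 10 (total loss of funds)
    verified: bool = False


# Constructed register for the withdrawal flow (illustrative, not exhaustive).
REGISTER = [
    FailureMode("validate request", "negative amount accepted",
                "attacker credits own balance", "reject non-positive amounts", 9),
    FailureMode("validate request", "same request replayed",
                "double payout", "idempotency key per request", 9),
    FailureMode("debit ledger", "balance check skipped",
                "overdraft of customer funds", "check balance before debit", 10),
    FailureMode("sign transaction", "bulk requests drain hot wallet",
                "loss of all hot funds", "daily hot-wallet outflow cap", 10),
]


class WithdrawalService:
    """Minimal withdrawal processor carrying the four countermeasures above."""

    def __init__(self, balances, daily_cap):
        self.balances = {u: Decimal(b) for u, b in balances.items()}
        self.daily_cap = Decimal(daily_cap)
        self.paid_today = Decimal(0)
        self.seen_requests = set()

    def withdraw(self, user, amount, request_id):
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("non-positive amount")
        if request_id in self.seen_requests:
            raise ValueError("duplicate request")
        if self.balances.get(user, Decimal(0)) < amount:
            raise ValueError("insufficient balance")
        if self.paid_today + amount > self.daily_cap:
            raise ValueError("daily hot-wallet cap reached")
        # State changes only after every check has passed.
        self.seen_requests.add(request_id)
        self.balances[user] -= amount
        self.paid_today += amount
        return True


def make_service(daily_cap="5"):
    """Fresh service per fault: alice holds 10, hot wallet pays out at most `daily_cap` per day."""
    return WithdrawalService({"alice": "10"}, daily_cap)


# Each fault is a sequence of calls: all but the last are setup and must succeed,
# the last one is the injected failure and must be rejected.
FAULTS = {
    "reject non-positive amounts": [lambda s: s.withdraw("alice", "-1", "r1")],
    "idempotency key per request": [lambda s: s.withdraw("alice", "1", "r2"),
                                    lambda s: s.withdraw("alice", "1", "r2")],
    "check balance before debit": [lambda s: s.withdraw("alice", "1000", "r3")],
    "daily hot-wallet outflow cap": [lambda s: s.withdraw("alice", "3", "r4"),
                                     lambda s: s.withdraw("alice", "3", "r5")],
}


def snapshot(service):
    return (dict(service.balances), service.paid_today, set(service.seen_requests))


def verify_countermeasures(register, factory=make_service):
    """Inject every fault; a countermeasure is verified only if the final call is
    rejected AND ledger state is identical before and after the attempt."""
    results = {}
    for fm in register:
        service = factory()
        *setup, attack = FAULTS[fm.countermeasure]
        for call in setup:
            call(service)
        before = snapshot(service)
        try:
            attack(service)
            rejected = False
        except ValueError:
            rejected = True
        fm.verified = rejected and snapshot(service) == before
        results[fm.countermeasure] = fm.verified
    return results


def unverified(register):
    """Failure modes whose countermeasure has not been proven, highest severity first."""
    return sorted((fm for fm in register if not fm.verified),
                  key=lambda fm: -fm.severity)
```

Running `verify_countermeasures(REGISTER)` against the service as written passes all four checks and `unverified(REGISTER)` is empty; building the service with a very large `daily_cap` instead makes the hot-wallet entry fail, which is the point of injecting the fault rather than trusting the design document.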
DeathAndTaxes
Donator
Legendary
Activity: 1218
Merit: 1079
Gerald Davis
March 04, 2014, 07:32:07 PM
#2

Or you could stop using sites which put the entire risk of failure on the user. Uninsured user deposits make users non-profiting investors. If the site does well the true owners profit; if the site does badly the depositors lose everything.

How about not having user deposits?  BitSimple never holds bitcoins owned by users. Users hold funds in their own wallet and can sell them with zero confirmations by transferring them to BitSimple.  Purchased coins are likewise sent directly to an address designated by the user.

If we get hacked it is investors' funds that are lost; not surprisingly, that makes us very motivated to ensure we aren't hacked. It also makes running a hidden fractional reserve system impossible, as we are using our own capital. Tangible Cryptography (parent of BitSimple) has been around since 2011 and has not lost a single satoshi; very few Bitcoin-related companies can make similar claims.

NLNico
Legendary
hacker
Activity: 1876
Merit: 1289
DiceSites.com owner
March 04, 2014, 07:34:44 PM
Last edit: March 04, 2014, 07:51:00 PM by NLNico
#3

Quote
7   Employ teams (either of employees or trusted contractors) whose job is to target the website and breach security. Should cover ALL aspects of the customer interface (and insider risks) and potential vulnerabilities.  

This can also be a public vulnerability reward program (big companies like Google, Facebook, Yahoo, etc. also have this). Actually Kraken, Coinbase, this forum and other websites also have a program like that, where they reward Bitcoins to whitehat security specialists who report the bugs to them privately. The Hall of Fame of Coinbase for that already has like 30 names on it. So it is really effective (or at least: they get a lot of valid reports). See my topic for an overview of vulnerability reward programs: https://bitcointalk.org/index.php?topic=483195.0 Websites can use these example programs for their own program.

Don't mean to really spam my own topic here btw. But I do think it's very relevant :)


Besides that I definitely agree with your other suggestions too.

I also agree with DeathAndTaxes to think about possibilities to not hold the bitcoins of the users within your own website/exchange. I have read before that BitSimple does it like that, but didn't completely understand it yet (as a developer, but without a btc site tho). But definitely something worth looking into.

ebliever (OP)
Legendary
Activity: 1708
Merit: 1035
March 04, 2014, 08:50:56 PM
#4

Good comments in both responses. Here's a query: Is anyone keeping a log or chart of all the bitcoin hacks to date? That would be a handy resource for websites to validate their security efforts against. (It's not something you should start with because it makes you lazy, but after all your other development efforts, a final check should involve verifying that a site is not vulnerable to any past hacks.)

NLNico
Legendary
hacker
Activity: 1876
Merit: 1289
DiceSites.com owner
March 04, 2014, 09:12:14 PM
#5

There is this topic: https://bitcointalk.org/index.php?topic=83794.0 The latest ones still have to be added, I guess.

ebliever (OP)
Legendary
Activity: 1708
Merit: 1035
March 04, 2014, 09:20:48 PM
#6

Excellent! Thanks! Yes, looks like it needs updating, but glad that such resources are available.

ranunculus
Newbie
Activity: 9
Merit: 0
March 06, 2014, 06:31:45 PM
#7

good