Bitcoin Forum
Author Topic: Bitcoin Security Standards Audit [BSSA]  (Read 5152 times)
nwtrades (OP)
Newbie, Activity: 37, Merit: 0
March 05, 2014, 02:33:54 AM (Last edit: March 05, 2014, 02:47:54 AM by nwtrades)
#1

Due to the news of rampant thefts at Bitcoin exchanges this past week (Mt. Gox, Poloniex, Flexcoin) it is becoming apparent that there's a dire need for some security standards in the Bitcoin community to ensure compliance and build client trust.  The media is jumping over every hack story that comes out and shouting that it's insecure.  You can't blame people for thinking this way, because at this point it's a legitimate fear.

There is no question that we need a standard process for third party security experts to be able to review exchange processes and software from top to bottom.  If you know of some sort of external security company that already does this, feel free to post.

Perhaps exchanges could be verified on a certain level of compliance and receive a letter or badge to post on their website for proof of audit.  Maybe someone like Andreas Antonopoulos would be interested to open this discussion further.

Items to address in audit:

- Source code, deployment and version control procedures
- Bitcoin software and protocol implementation
- Server platform (software versions, port scanning, server logging, brute force protections, DDoS protection, backups, redundancy, etc)
- Emergency shutdown and startup procedures
- Physical security (security cameras, electronic facility monitoring, alarm systems, swipe-cards, etc)
- Use of AML / KYC procedures and encrypted offsite storage of client documents
- Offsite cold storage (multiple locations) and use of keys, with logs of all activity
- Onsite hot wallet and use of keys
- Minimum of email verification or 2-Factor Authentication mandatory for withdrawals on all client accounts
- Options for clients to set a withdrawal limit on their account (similar to a bank)
- Alerts available for unusual activity on client accounts, with additional verification option (email or phone call) in case of sudden large withdrawals
- Staff background checks
- Staff fraud prevention training
- On-site restrictions for staff electronics and storage devices
- Restricted access areas for developers and system-critical staff
- Procedures for reporting illegal or suspicious activity to law enforcement

I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!
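As an added illustration of the three client-account controls in the list above (a mandatory second factor on withdrawals, a client-set withdrawal limit, and a hold for extra verification on a sudden large withdrawal), here is a small Python policy check. It is example code written for this thread, not code from the original poster or from any exchange; the `Account`, `Decision` and `evaluate_withdrawal` names, the 24-hour limit window, the 5x "unusual" multiplier and the sample account history are all assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Amounts are integers in satoshi so that limit arithmetic is exact.
SATOSHI = 100_000_000


@dataclass
class Account:
    account_id: str
    two_factor_enrolled: bool
    daily_limit_sat: int                              # client-chosen cap, like a bank's daily limit
    withdrawals: list = field(default_factory=list)   # history of (timestamp, amount_sat)


@dataclass
class Decision:
    allowed: bool
    reasons: list                 # why the withdrawal was refused (empty if allowed)
    extra_verification: bool      # hold for email/phone confirmation before release


def evaluate_withdrawal(account, amount_sat, now, second_factor_ok, unusual_multiplier=5):
    """Apply the three client-account controls from the checklist to one request."""
    reasons = []

    # Control 1: a second factor is mandatory for every withdrawal.
    if not account.two_factor_enrolled:
        reasons.append("second factor not enrolled on account")
    elif not second_factor_ok:
        reasons.append("second factor check failed")

    # Control 2: the request plus everything released in the last 24h must stay
    # within the limit the client set on their own account.
    window_start = now - timedelta(hours=24)
    spent_24h = sum(a for t, a in account.withdrawals if t > window_start)
    if spent_24h + amount_sat > account.daily_limit_sat:
        reasons.append(
            f"daily limit exceeded: {spent_24h + amount_sat} > {account.daily_limit_sat} sat")

    # Control 3: a withdrawal far larger than the account's own history is not
    # refused outright but is held for out-of-band confirmation. An account with
    # no history gets the hold on its first withdrawal (assumed design choice).
    history = [a for _, a in account.withdrawals]
    if history:
        typical = sum(history) / len(history)
        extra = amount_sat > unusual_multiplier * typical
    else:
        extra = True

    return Decision(allowed=not reasons, reasons=reasons, extra_verification=extra)


# Constructed sample data: a fixed clock and one account with three past withdrawals.
NOW = datetime(2014, 3, 5, 2, 33, 54)


def sample_account(two_factor=True):
    return Account(
        account_id="acct-demo",
        two_factor_enrolled=two_factor,
        daily_limit_sat=2 * SATOSHI,
        withdrawals=[
            (NOW - timedelta(hours=2), 10_000_000),
            (NOW - timedelta(hours=30), 15_000_000),
            (NOW - timedelta(days=3), 12_000_000),
        ],
    )


if __name__ == "__main__":
    acct = sample_account()
    for amount in (5_000_000, 150_000_000, 195_000_000):
        d = evaluate_withdrawal(acct, amount, NOW, second_factor_ok=True)
        print(amount, "allowed" if d.allowed else "refused", d.reasons,
              "hold for confirmation" if d.extra_verification else "")
    d = evaluate_withdrawal(sample_account(two_factor=False), 5_000_000, NOW, True)
    print("no-2FA account:", d.allowed, d.reasons)
```

The limit check and the second-factor check are hard refusals; the unusual-activity check is deliberately a soft hold, because a legitimate client moving funds to cold storage looks the same as an account takeover until the out-of-band confirmation distinguishes them.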
Bob Derber
Newbie, Activity: 44, Merit: 0
March 05, 2014, 02:41:22 AM
#2

+1

As long as this is a voluntary program, and combined with a recognition that the exchange can capitalize on for complying with the program so that it is also worth their while - I am up for this.
Petopas
Newbie, Activity: 18, Merit: 0
March 05, 2014, 03:09:46 AM
#3

Very good idea. Isn't the Bitcoin Foundation supposed to do something like this? At least I thought they might be interested in doing such things, but somehow one of the biggest failures was a gold member of theirs...

Some addition: the granted award must be valid only for a limited period, let's say 6 months.
QuestionAuthority
Legendary, Activity: 2156, Merit: 1393
March 05, 2014, 03:16:34 AM
#4

Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

nwtrades (OP)
Newbie, Activity: 37, Merit: 0
March 05, 2014, 03:17:45 AM
#5

Quote from: Petopas
Very good idea. Isn't the Bitcoin Foundation supposed to do something like this? At least I thought they might be interested in doing such things, but somehow one of the biggest failures was a gold member of theirs...

Some addition: the granted award must be valid only for a limited period, let's say 6 months.

The Bitcoin Foundation's focus is on the Bitcoin protocol itself, in terms of standardizing, protecting and promoting it.  External exchanges have never been a highlighted priority to date.  The general consensus to date has been "it's a free market" so the exchanges decide their own standards and ways of doing business.  Unfortunately we've seen a very poor security track record as a result.  Now it's blown up into a bigger issue than most people imagined it would be.
nwtrades (OP)
Newbie, Activity: 37, Merit: 0
March 05, 2014, 03:24:43 AM
#6

Quote from: QuestionAuthority
Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Deloitte is a possibility of course for audits similar to traditional financial services companies, but then the issue arises around their expertise regarding the Bitcoin protocol, software and security practices of which they would have no clue how to handle.  There may need to be a hybrid approach, or perhaps an entirely new compliance organization started with Bitcoin developers and security experts.  As an example of such an individual, Andreas Antonopoulos recently did security checks for companies like Coinbase and Mt. Gox.
BittBurger
Hero Member, Activity: 924, Merit: 1001
March 05, 2014, 03:36:35 AM
#7

+1.   Great idea.

But will someone carry this through, and make it a network-wide thing?  Do you have the stamina and the resources to make it happen?

Possible suggestion:   Require an insurance service of some sort.  Elliptic.  Lloyd's of London is very forward-thinking with Bitcoin.

-B-

acoindr
Legendary, Activity: 1050, Merit: 1002
March 05, 2014, 03:53:24 AM
#8

Then what happens when coins are lost from one of these stamp approved companies? The problem with theft or loss is it only takes one mistake or hole. Nothing is 100% secure.

The better approach is to teach people to be responsible for their own coins, and create enabling technology for them to do it. Additionally, companies can and probably will begin to have insurance/recoup options. These things are on the way naturally, but as I explain here, they take time. In the meantime, we need to do a better job educating people on how to protect their coins.
QuestionAuthority
Legendary, Activity: 2156, Merit: 1393
March 05, 2014, 03:59:55 AM
#9

Quote from: QuestionAuthority
Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Quote from: nwtrades
Deloitte is a possibility of course for audits similar to traditional financial services companies, but then the issue arises around their expertise regarding the Bitcoin protocol, software and security practices of which they would have no clue how to handle.  There may need to be a hybrid approach, or perhaps an entirely new compliance organization started with Bitcoin developers and security experts.  As an example of such an individual, Andreas Antonopoulos recently did security checks for companies like Coinbase and Mt. Gox.

You do realize Deloitte does management consulting and audits for businesses, governments and military facilities worldwide, right? I don't think the little Bitcoin software will confuse them much. LOL

amspir
Member, Activity: 112, Merit: 10
March 05, 2014, 05:01:35 AM
#10

Quote from: nwtrades
I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!


A prohibition on fractional banking.
Real-time or at least daily auditing of client BTC balances.
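An added example, not from the poster above, of what a daily audit of client BTC balances against the exchange's own holdings could check: total liabilities (the sum of every client balance) against total reserves (hot plus cold wallet balances), a coverage ratio below 1.0 meaning the exchange is running a fractional reserve, plus a digest of the audited snapshot so the same report can be re-verified later. The ledger and wallet figures are constructed sample data, and the `audit_reserves` and `fully_reserved` names are assumptions for this illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class ReserveReport:
    liabilities_sat: int               # what the exchange owes its clients, in satoshi
    reserves_sat: int                  # what it actually holds across its wallets
    coverage: float                    # reserves / liabilities; below 1.0 is fractional reserve
    anomalies: list = field(default_factory=list)   # ledger rows that should never occur
    snapshot_digest: str = ""          # sha256 over the canonical snapshot that was audited


def audit_reserves(client_ledger, wallet_balances):
    """Compare what the exchange owes clients with what it actually holds."""
    anomalies = []
    liabilities = 0
    for client_id, balance in sorted(client_ledger.items()):
        # A negative or non-integer balance is a ledger bug, not a client state;
        # report it rather than silently folding it into the total.
        if not isinstance(balance, int) or balance < 0:
            anomalies.append(f"{client_id}: invalid balance {balance!r}")
            continue
        liabilities += balance

    reserves = sum(wallet_balances.values())
    coverage = reserves / liabilities if liabilities else float("inf")

    # Canonical, sorted JSON so identical inputs always give the same digest;
    # publishing the digest pins down exactly which snapshot the audit covered.
    snapshot = json.dumps({"ledger": client_ledger, "wallets": wallet_balances},
                          sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(snapshot.encode()).hexdigest()
    return ReserveReport(liabilities, reserves, coverage, anomalies, digest)


def fully_reserved(report):
    """True only when every client could be paid out in full and the ledger is clean."""
    return report.coverage >= 1.0 and not report.anomalies


# Constructed sample data: three client balances and three custodial wallets
# (one onsite hot wallet, two offsite cold storage locations), all in satoshi.
SAMPLE_LEDGER = {"alice": 150_000_000, "bob": 75_000_000, "carol": 25_000_000}
SAMPLE_WALLETS = {"hot": 30_000_000, "cold-site-a": 120_000_000, "cold-site-b": 100_000_000}


if __name__ == "__main__":
    report = audit_reserves(SAMPLE_LEDGER, SAMPLE_WALLETS)
    print(f"liabilities={report.liabilities_sat} reserves={report.reserves_sat} "
          f"coverage={report.coverage:.2f} ok={fully_reserved(report)}")
    print("snapshot digest:", report.snapshot_digest)

    # Same ledger, but 0.2 BTC missing from one cold wallet: coverage drops to 0.92.
    short = dict(SAMPLE_WALLETS, **{"cold-site-b": 80_000_000})
    shortfall = audit_reserves(SAMPLE_LEDGER, short)
    print(f"shortfall coverage={shortfall.coverage:.2f} ok={fully_reserved(shortfall)}")
```

Run daily, the two numbers that matter are the coverage ratio trending below 1.0 and any non-empty anomaly list; either one is a reason to stop withdrawals and investigate before the gap grows.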
opet
Newbie, Activity: 57, Merit: 0
March 05, 2014, 06:21:45 AM
#11

Quote from: nwtrades
There may need to be a hybrid approach, or perhaps an entirely new compliance organization started with Bitcoin developers and security experts.  As an example of such an individual, Andreas Antonopoulos recently did security checks for companies like Coinbase and Mt. Gox.
I tweeted Andreas the other day with a similar idea following his audit of Coinbase.  Unfortunately, he never responded (I definitely respect that he's a busy guy, so I won't hold that against him... lol).

My idea is to solicit the community for experts to step forward, be vetted by the community itself, and then get selected at random to participate in such audits.  I haven't fleshed out the entire concept, but it seems to me that this type of voluntary self-regulation would be a perfect fit for the bitcoin ecosystem.

I'd gladly throw my hat (and my resume) into the ring if this idea gains reaction.
amspir
Member, Activity: 112, Merit: 10
March 05, 2014, 06:30:20 AM
#12

Quote from: nwtrades
- Staff background checks

Quote
This is scary that people even want this, because background checks give up no information. They are useless; if they were useful, then murders would be down.

In a theoretical scenario, if the lead programmer had hacking charges, the company's compliance officer had identity theft charges, and the CFO had financial fraud charges, and the company never performed background checks to find this out before the hires, you would be completely OK with it?  I personally think it would be grounds to sue on gross negligence.
forbun
Member, Activity: 107, Merit: 10
March 05, 2014, 06:32:52 AM
#13

We could create something like the UL (Underwriters Laboratories) of Bitcoin.

alani123
Legendary, Activity: 2408, Merit: 1440
March 05, 2014, 06:37:39 AM
#14

Quote
There is no central authority.

We now see one of the major downsides of this. If the Bitcoin Foundation would create something similar to what OP suggests, we probably wouldn't have to go through all those thefts.

gweedo
Legendary, Activity: 1498, Merit: 1000
March 05, 2014, 06:37:45 AM
#15

Quote from: nwtrades
- Staff background checks

Quote
This is scary that people even want this, because background checks give up no information. They are useless; if they were useful, then murders would be down.

Quote from: amspir
In a theoretical scenario, if the lead programmer had hacking charges, the company's compliance officer had identity theft charges, and the CFO had financial fraud charges, and the company never performed background checks to find this out before the hires, you would be completely OK with it?  I personally think it would be grounds to sue on gross negligence.

You do know a lot of companies hire hackers who have been charged or found guilty in a court of law to head up security for the company. So where you are quick to judge, they are actually helping you stay safe. I also know of two bitcoin companies that have people with charges (not hacking) against them and you probably use them in some way. ;) So I would be completely OK with it.
alani123
Legendary, Activity: 2408, Merit: 1440
March 05, 2014, 07:05:54 AM
#16

Quote from: alani123
There is no central authority.

We now see one of the major downsides of this. If the Bitcoin Foundation would create something similar to what OP suggests, we probably wouldn't have to go through all those thefts.

Quote from: gweedo
No, this is the beauty of bitcoin! This is why I am in love with it, because no one has to give me permission to start a company. This is the free market: if you don't feel safe, don't use the service. Bad actors fade and good actors stay.

This is why America is a country that power is fading away from fast; we are too quick to blame someone or have a babysitter, instead of using our own common sense.

I agree with this; however, I also like the concept of the original post. Everyone would still be able to start a company, but if their service is solvent and reliable and they can prove it, they would be rewarded with some official recognition. Just like the Bitcoin Foundation has members, some sort of team would set some requirements. If a website qualifies, then let's say that they would receive a sticker.

This would help non-advanced users avoid risky services and also promote solid ones over less reliable ones. In my opinion this can only make a market better.

amspir
Member, Activity: 112, Merit: 10
March 05, 2014, 07:41:58 AM
#17

Quote from: gweedo
You do know a lot of companies hire hackers who have been charged or found guilty in a court of law to head up security for the company. So where you are quick to judge, they are actually helping you stay safe.
For a security consultant brought in to test a system for weakness, sure.  As the person supervising other programmers and writing code with no one looking over his shoulder, and that at one time crossed the line and invaded the computer systems of a company that he had no permission to invade, HELL NO.  The same reason police departments shouldn't hire murderers, rapists and robbers.  Usually such people will work with the police as paid informants, not police officers.

Karpeles was demonstrably a scam artist when he maliciously cheated a French business out of 15,000 EUR and fled the country.  This should have been discovered and publicized before MtGox got as big as it got, so only idiots would put money into that scam.

Quote
I also know of two bitcoin companies that have people with charges (not hacking) against them and you probably use them in some way. ;) So I would be completely OK with it.

If you are implying that these people have drug charges, then the problem is that they would have relationships with criminals in the drugs and money laundering business.  At this point in bitcoin's history, with the authorities casting an evil eye towards bitcoin, such employees would be a liability -- a federal prosecutor could find a way to connect the company with criminal activity, seizing and raiding it, thus killing it.  i.e. Shrem.  You have to be a big bank like HSBC to actually get away with it.
securityguy
Newbie, Activity: 35, Merit: 0
March 05, 2014, 08:41:21 AM
#18

In the credit card world there is PCI DSS.  However even companies which are compliant to this standard get hacked from time to time and news of this hits the media of the thousands of credit cards stolen.

maaku
Legendary, Activity: 905, Merit: 1011
March 05, 2014, 08:52:30 AM
#19

No, no, and please no. This is not what bitcoin needs. We need trustless exchanges which don't have to be audited because there is no capability to lose client funds.

I laughed and then made a depressing sigh when I heard about Andreas Antonopoulos' "audit" of CoinBase. He basically said "I approve of sticking your money with these folks" -- but you shouldn't have to trust *anybody* with your money. That's the whole point of bitcoin! We have the technology to build trustless exchanges, we just need to focus the resources to do it:

http://www.reddit.com/r/Bitcoin/comments/1zgbza/i_am_building_a_free_and_fair_trustless_exchange/

securityguy
Newbie, Activity: 35, Merit: 0
March 05, 2014, 09:06:55 AM
#20

Quote from: maaku
No, no, and please no. This is not what bitcoin needs. We need trustless exchanges which don't have to be audited because there is no capability to lose client funds.

I laughed and then made a depressing sigh when I heard about Andreas Antonopoulos' "audit" of CoinBase. He basically said "I approve of sticking your money with these folks" -- but you shouldn't have to trust *anybody* with your money. That's the whole point of bitcoin! We have the technology to build trustless exchanges, we just need to focus the resources to do it:

http://www.reddit.com/r/Bitcoin/comments/1zgbza/i_am_building_a_free_and_fair_trustless_exchange/

From your reddit posting:

Quote
Users deposit bitcoins and other crypto assets by means of an audited gateway or pegging mechanism.

It seems your plan requires auditing too.