Can a Bitcoin bank be secure and trustworthy?

[sunray]

I've been thinking a lot recently about the challenges of creating a secure and trustworthy Bitcoin bank.  I think this is a hard problem and one which presents a challenge for the wider adoption of Bitcoin.

WHY BANKS ARE NEEDED

Storing bitcoins safely is challenging even for technically savvy individuals (who have to think about multiple backups, wallet size, password strength and the like) and even harder for everyone else.  If Bitcoin is to be adopted widely, most people will want to (and should) store bitcoins somewhere other than their own hard drive and/or a flash drive buried in their garden.  Furthermore, it would be challenging to scale Bitcoin to encompass all transactions between invididuals.  So it seems likely that most people will store bitcoins in banks and that most transactions will be resolved between these banks without using the Bitcoin protocol itself.  At the end of the day, banks could use the actual protocol to resolve any balance discrepancy.  Of course, the cautious can still hold their bitcoins buried in their garden.  And as I argue below, there are many reasons to be cautious.

WHAT I WANT FROM A BITCOIN BANK

If I want to store a large sum in a Bitcoin bank, then of course I want security, reliabiliy and possibly anonymity.  There's an additional feature that's of paramount importance to me but I rarely see discussed here: a daily withdrawal limit.  I want the bank to guarantee that it won't give me money all at once, even if I ask for it.  The reason is simple: if someone can grab my password using a keylogger, root kit or other hack, I don't want them to be able to extract all my BTC in a heartbeat.  I'd like to be able to set the withdrawal limit myself.  Changes to the withdrawal limit must themselves take several days to complete and must themselves be accompanied by email notifications so I can find out if they're happening unexpectedly.

HOW TO IMPLEMENT A SECURE BANK

Today, the de facto Bitcoin banks are Mt Gox and MyBitcoin.  Neither of these sites call themselves banks, but I'm sure that each of them is holding many tens of thousands of BTC on behalf of lots of individuals, who (for now) trust them to return their money.  Let's suppose that we want to implement a Bitcoin bank which can securely hold BTC worth, say, $50M USD.  How can that be done?

The naive approach is to simply hold the BTC on highly secured computers on the bank's internal network, protected by passwords known only to a small number of trusted individuals.  Knowing what we know about computer security, I think this approach is far too insecure for an asset of this value.  If someone inside or outside the bank can hack that machine (e.g. using social engineering and/or a keylogger to grab a password), the $50M suddenly disappears and nobody will know where it went.  It's also possible that someone could walk into the bank with a gun and demand a transfer.

So could the bank simply convert most BTC to USD, which they could then store at some other bank?  That won't work, since the BTC/USD exchange rate is highly volatile and so the bank could sustain an enormous loss if it's guaranteeing to return BTC to any depositor.

The bank could store most BTC in a vault in a physically secure location (think guards with guns, security cameras).  Transferring BTC into the vault is easy: simply send to an address in any wallet in the vault.  Once every day or so, the bank might need to withdraw a certain amount of BTC from the vault in order to cover any outstanding liabilities.  If vault is filled with flash drives each containing a wallet, the daily trip to the vault might involve just extracting one or more of these drives.  Still, the vault is a single point of attack.

Alternatively, the blank might store 100 different flash drives in 100 different locations which are somewhat secure (e.g. safe deposit boxes in another bank), send money to them as needed, and just fetch one or two of these each day to cover withdrawals.  This seems like the most secure approach to me if the bank doesn't want to trust anyone else.  Even then, there's still plenty to worry about: an untrustworthy programmer on the inside could conceivably hack the bank's software so that everything looks OK on official reports, but cash is actually being siphoned off to somewhere else.

Of course, if a network of banks trust each other, then only one of them needs a (centralized or distributed) vault of this nature; the others can simply trust that loans to or from that bank are good.  But, still, the bank which runs that vault will need to fetch BTC from that vault on a regular basis.

CAN ANY BANK BE TRUSTWORTHY?

Suppose that a bank is backed by a major company and implements all the precautions above.  Can we reasonably convert a significant fraction of our life savings to BTC, store them in the bank and sleep easily at night?

The question is somewhat absurd today because holding a large sum of BTC today is enormously risky in and of itself: Bitcoin is young, and BTC could simply drop to zero for any number of reasons.  In other words, if a signficant fraction of your savings are in BTC then you shouldn't be sleeping well anyway.  But let's assume that BTC stabilize and/or that a depositor is willing to accept the currency risk.  The question remains: can the bank be trusted?

I maintain that even if the bank's management is trustworthy and responsible, a large loss of BTC stored at the bank is a plausible event - with probability greater than 1-2% per year, say.  I believe this because I think computer security is fundamentally that hard, and when bits equal dollars they are likely to be under attack.   

So, now: suppose that a bunch of us store our life savings in BTC in a bank and one day the bank's managers make a dreadful announcement: the worst has happened and the bits have somehow disappeared.  They say can't figure out whether it was an inside job or a clever virus from outside that penetrated the bank (think Stuxnet), but the money is gone and the bank is bankrupt.  What should happen next?

Should the bank managers go to jail, or (as perhaps some crypto-anarchists might advocate) be hunted down by vigilantes?  There's certainly plenty of reason for us to suspect that they simply took the money.  But I think it's also plausible that they acted in good faith and a hacker nevertheless slipped through the many controls they implemented.  Some might argue that even if they acted in good faith, they still deserve to be punished (by losing their life savings, or by going to jail).  But in that case I think nobody would ever want to be a manager of such a bank, because they'd be assuming enormous personal risk for a hard computer security problem.  And exactly who should be punished here?  All the bank's managers?  What if there are 12 members on its board - do they all go to jail?  It's entirely possible that a couple of them are crooked and the rest are innocent.

For all these reasons I find it difficult to advocate harsh punishment for the managers of a failed Bitcoin bank.  Unfortunately, the lack of such punishment increases their incentive to act in a dishonest way, so I think this is a significant ethical dilemma.  After all, if the bank fails, it's also hard to imagine simply shrugging our shoulders and tell the depositors: oh, well.  You should have chosen a bank that had a better reputation, and at least that bank will never borrow from anyone again.  Perhaps some free-market libertarians might view the loss this way, though.

The alternative is to say that governments should regulate such banks, audit their internal practices, and bail them out if the BTC are lost.  That seems pretty unlikely in the case of Bitcoin.  And if enough BTC are lost (say, actually destroyed rather than stolen), even a major government could not possibly bail them out: if the bank had more than 50% of outstanding BTC then it would be mathematically impossible to refund the depositors' original amounts.

IMPLICATIONS FOR USE OF BITCOIN

All of the above leads me to question whether we'll ever be able to put BTC in a bank without assuming a risk of total loss of, say, 1-3% percent per year.  In this sense I've started to think of BTC (even if the currency stabilizes) like junk bonds: probably worth something, but with a significant risk of total loss, no matter who you trust to store it.  Fundamentally I think this is because it's hard for anyone to store BTC securely, and hard to know whether they are lying if they say that they have failed to do so.

And given that, at the moment I think most people and businesses may not ever want to store a significant fraction of their savings in BTC.  So it may be that we still use traditional currency for savings, but BTC are a useful medium of exchange - exactly like paper cash today.  And that would be fine, but this conclusion is a still a bit disappointing to me, because it means we must constantly convert between dollars and bitcoins, and because many of us have hoped for an even larger future for Bitcoin.

Or am I wrong?  Do people on this forum believe that banks will be able to store BTC without this risk of loss?

[divergenta]

this has been discussed many times before

[canadaduane]

this has been discussed many times before

... by those who have been a part of bitcoin for a long time.  But there are many, many more new people here than there are oldtimers.  Perhaps a link would be helpful?

[casascius]

One feature Satoshi designed into the Bitcoin protocol that has just not yet been implemented in clients is the ability to have Bitcoins be encumbered not by one, but by multiple addresses.  This would solve the trust problem you've mentioned.

When you send Bitcoins, the destination is not just an address, but rather, a "script", or basically a formula for unlocking the coins.  At present, all Bitcoin transactions contain a script that basically says, "Transaction which gives a valid public key and signature for address XXXX may spend these coins".

The system already supports more complex logic, so that transactions could be encumbered by two addresses.  TO do so, is simply a different script: "Transaction which gives a valid public key and signature for XXXX, and also the same for YYYY, may spend these coins."

The logic can be mixed and matched into novel combinations (such as three addresses, OR one-or-the-other address, OR any two out of three addresses).  This would allow "two-party" Bitcoins that must be released by both parties, or a two-trustee arrangement where either the owner himself, or both of his trustees acting together, can release the coins.  Et cetera.

The only thing lacking right now is the user interface and API elements to actually create such a transaction.

[casascius]

Also an independent thought:  I assert that the most secure way to hold Bitcoins is in an offline wallet.

And as many of us know, offline wallets can RECEIVE bitcoins even when not on the network.

If I ran a Bitcoin bank, I would be touting how every time you sent my bank bitcoins, that you were sending them to an OFFLINE WALLET that no hacker can get to.  I would do so to serve a reminder that when you want to withdraw, that it might take me some time to put some coins back online to send you.

[sunray]

One feature Satoshi designed into the Bitcoin protocol that has just not yet been implemented in clients is the ability to have Bitcoins be encumbered not by one, but by multiple addresses.  This would solve the trust problem you've mentioned.

I'm aware of the scripting system and it's great that it allows multiple addresses to be specified.  I don't see how this can be used to solve the trust problem, though - can you elaborate?

[casascius]

I'm aware of the scripting system and it's great that it allows multiple addresses to be specified.  I don't see how this can be used to solve the trust problem, though - can you elaborate?

It allows more elaborate controls to be put in place to safeguard BTC, sort of how a safe helps a bank do a better job of custodian of physical things like bank notes etc.

A common control at a bank is to get manager approval for large transactions.  A more sophisticated Bitcoin bank could keep the majority of its BTC under wraps of two or more private keys, some of which would be kept on systems that were airgapped from the internet and controlled only by more senior, trusted people (or potentially an outside third party).  A single rogue bank employee, or a hacker in control of the online systems, wouldn't be able to touch those BTC by themselves.

A common control in cash environments is a time-lock safe.  The same thing could be implemented in Bitcoin, where BTC could be encumbered with a second key whose signature is released in accordance with rules established within the time lock safe.

An escrow/trustee relationship (e.g. the ability for the coins to be released upon the action of any two-out-of-three or similar arrangements) controls for the possibility of the primary person losing access to keys (in the event of death, equipment failure, they quit, etc.)

Further, I have proposed directly to MtGox that they engage an outside auditor to produce the kind of reports I am certain you're looking for.  I am not primarily in the Bitcoin business, but I am in the business of providing online services to other companies, and our more sophisticated customers demand what we call a "SAS 70 Type II" audit report (http://www.sas70exam.com/services/type-ii-sas-70-audit/), which we pay $15-$25k a year from an independent auditor to get.  It's worth its weight in gold.  Whether MtGox or anyone else will bite on the idea any time soon remains to be seen.

[kiba]

If you're going to write essays on forum, write for me instead. You will get compensated.

[casascius]

If you're going to write essays on forum, write for me instead. You will get compensated.

Although I am not him, he echoes my thoughts exactly...

I think it is really too bad I am already doing something else right now career wise, because this market is RIPE for someone to come up with a new exchange built by people familiar with the kind of controls expected out of large-scale payment processing companies.

MagicalTux, if you are reading this thread, you really ought to be publishing some sort of statement on your website describing the controls you put in place to answer questions like this.  Someone with $20k or $50k or more to drop on Bitcoins has to think not just of what will the BTC value be later, but whether you know what you're doing to prevent BTC "accidents".  Your website is absolutely silent with respect to this, and sure we understand the DDoS bit isn't your fault, but trust me on this: even to state on your website that, for example, you keep over X% of your BTC in an offline wallet on two flash drives, one of which is in a safety deposit box, (assuming it's true), would be well worth the time in the added confidence it would create in your business.  Even if that meant sometimes your withdrawal function would fail because "oops," you've got to go get some BTC out of the "safe" and the transaction will complete soon.

[hazek]

It's a moot question...

It's like asking if for example BWM can produce cars that wont malfunction while driving at a high speed for a short distance.

It's in banks best interest to be prudent, provide security and remain trustworthy at all times in order to maintain their customer base. The only reason why this isn't the case with fiat money banks is because of the "too big to fail" and FDIC protection that produces a moral hazard where savers, account holders and shareholders don't care what the bank does because their money is protected.

[bitlotto]

With Bitcoins when I think of "Bank" I think of a simple, specialized, high security computer. I picture my "bank" being a secure computer.

Someone could create a very minimalistic Linux Live CD that can only:

-load a simple GUI that prompts the user to insert a usb stick.
-on the usb stick an encrypted file is created for storing the users wallet and stores the blockchain
-user is told to copy the file everywhere they can
-the program intelligently helps the user pick a good password
-the live cd then loads bitcoin and connects to the internet
-the password can only be entered using the mouse and on screen keyboard in case someone snuck a key logger on the computer
-since it runs off cd you can be sure there are no other running programs spying on the user
-rebooting the computer erases all tracks on the computer
-the only way to bypass all that would to physically add hardware to the computer for spying -those who need even more security would then lock up their laptop/computer physically to prevent access

Something like that. I think it can be done. A very tiny Live Linux Distro that only can do Bitcoin securely. It would be fitting too, to call it "Bitcoin Bank OS" 

That way you don't need to trust people managing your money. Your money is as secure as the password you choose.