The rise in popularity of the Bitcoin protocol provides businesses and consumers with something they have never had before: full and complete control of their money. Furthermore, Bitcoins have turned out to be popular target for black hat hackers raising security concerns within the bitcoin industry. In this paper we aim to identify the security risks that Bitcoin consumers and businesses need to take into consideration when working with various wallets and exchanges. We chose to focus on these particular areas of the Bitcoin industry because it's where the majority of security breaches occur. Bitcoin wallets and exchanges are the point of entry for most Bitcoin users and businesses that want to adopt Bitcoin.
1. Insecure Bitcoin Private Key Storage
In Bitcoin, when the private key to a public address is compromised, the attacker has full control of those funds. Improper storage of private keys is identified to be the most common security mistake for software built on Bitcoin.
2. Insufficient Authentication Mechanism
The Bitcoin protocol allows individuals full control of their funds. It is important to have a secure authentication scheme whenever accessing bitcoin.
3. Weak Encryption in Address Generation
A major problem when it comes to encryption in private key generation is an insecure random number generation of seeds that are used in the Elliptic Curve Digital Signature Algorithm (ECDSA). When improper seed values are used, hackers can derive the private keys and gain access to exchange or wallet funds.
4. Lack of Web Application Security Controls
Many existing exchanges and wallets are missing basic web application security controls. A single missing control can allow an attacker to completely compromise a user’s account.
5. Insufficient Security Training
Wallet and exchange employees and users are often targets of sophisticated spear phishing and social engineering attacks that have proven to be very successful on several occasions.
6. Lack of separation of Concerns in Application Architecture
Many hosted services use an insecure architecture that gives hackers a single attack surface that can cause a system wide compromise.
7. Insufficient Denial of Service protection
Exchanges and hosted wallets require robust Denial of Service (DOS) prevention systems in order to have sufficient reliability for their customers.
8. Lack of encryption of Data at Rest
Exchanges and wallets commonly store unencrypted data either server side or client side. This also includes Personally Identifiable Information (PII) and transaction information for user's who use hosted services.
9. Lack of encryption of Data in Motion
Lack of SSL/TLS encryption both between the client and server as well as between server components that are internal or cloud based.
10. Lack of Security Audit Trail
Many Bitcoin businesses fail to do basic security audits of their software and hardware infrastructure. They take a reactive approach to security in the Bitcoin industry where businesses usually do not implement extremely important security controls until a breach occurs.