How to Ensure Bitcoin Security

This article appeared in print edition 5.1 of yBitcoin. Click here to see the full issue. Click here to order your copy.

By Andreas M. Antonopoulos

Bitcoin allows anyone to be their own bank. If that sounds like a potential scenario for chaos, it’s only because you haven’t yet heard of the great lengths to which Bitcoin users can go to ensure the security of their “one-person banks.” 

By following a handful of basic security guidelines, Bitcoin users can achieve a level of security to protect their money that is beyond the capabilities of the banking world as we know it. The truth is that banks are barely able to keep accounts secure. Although banks promise to make deposited funds available upon request, none of them could actually withstand a run in which all depositors decide to simultaneously withdraw their funds. In that respect, bank funds are just an abstract reference to value. The funds they protect are just numbers in a ledger, while the actual money is out on loan to the banks’ borrowers.

Bitcoin is different. Once bitcoins are sent to your address, you control them entirely; you maintain them, and when you want to use them for a purchase, they are there for you. With Bitcoin, possession provides 100 percent of control. But with this great power comes great responsibility.

Having the keys to unlock a bitcoin is equivalent to possessing a chunk of precious metal. Which means if you misplace it, have it stolen or mistakenly send the wrong amount to someone, you would have as much recourse as if you dropped cash on the sidewalk and didn’t notice until you got home.

Bitcoin is different enough from anything that has come before that we need to think about its security in a novel way, too. However, Bitcoin has capabilities that cash, gold and bank accounts do not. A bitcoin wallet, containing the private keys necessary to access bitcoins, can be backed up like any file. It can be stored in multiple copies, even printed on paper for hard-copy backup. A backup of Bitcoin keys is as good as possession of the original keys. You can’t “back up” cash or precious metals. Banks can recover funds for you, but only at their own discretion. And they can also confiscate funds, adding a risk that doesn’t exist in Bitcoin.

So, what should end users do to secure their bitcoin wallets?

Do Not Store Money on an Exchange

Many people purchase their first bitcoin from an exchange, where they can trade their country’s currency for bitcoin or other cryptocurrencies. However, keeping your currency on an exchange is dangerous because exchanges can and do get hacked. An exchange is just that, a place to exchange cryptocurrency. It’s not a safe place to store your savings. 

With traditional investments, a brokerage house buys, sells and manages the assets for its clients. With digital assets, there is nothing to manage. There are no prospectus, no dividends, no management. They simply facilitate the exchange between two parties. As soon as you complete the trade, move your cryptocurrency (and cash for that matter) off the exchange and into a wallet you independently control. This is as simple as creating a new wallet and withdrawing the cryptocurrency to an address controlled by that new wallet. 

Remember: Your keys, your bitcoin. Not your keys, not your bitcoin.

Choose a Wallet for Which You Control the Keys

One indication that you control the keys is that the wallet asks you to make a backup when you receive the first incoming payment. The most secure device most people possess is their smartphone. For new users, a mobile wallet is the best choice, balancing ease of use and security. Examples of mobile wallets that allow you to control the keys:

iOS: Airbitz, breadwallet, Copay, Jaxx, Mycelium

Android: Airbitz, Copay, Jaxx, Mycelium, Samourai

Back Up Your Keys 

Today, most bitcoin wallets will prompt new users to create a backup of their keys. Sadly, many people skip this step, which can lead to loss if a device is misplaced or stolen. Backing up can be as simple as using a sheet of paper to write down 12, 18 or 24 backup words (mnemonic words) displayed by your wallet and storing them in a secure, fireproof and tamper-evident location such as a home safe or bank vault. Some wallets don’t use mnemonic words but still provide a backup feature; check their websites for details. Regardless, before you back up, be sure you’re in a secure environment, away from prying eyes and cameras. Your backups are your keys.

Balance the Risk of Loss and Theft 

While most users are rightly concerned about the threat of theft, loss is an even bigger risk. Data files get lost all the time, but if they contain bitcoin, the loss is much more painful. 

Some users further protect their backups with encryption, pass phrases and PINs, but more is not always better. In the effort to secure their bitcoin wallets, users must be very careful not to go too far and end up losing the bitcoins instead. In the summer of 2010, a well-known Bitcoin awareness and education project lost almost 7,000 bitcoins. In an effort to prevent theft, the owners had implemented a complex series of encrypted backups. In the end, they accidentally lost the encryption keys, making the backups worthless and losing a fortune. 

Like hiding money by burying it in the desert, if you hide it too well you might not be able to find it again. Balance the risk. Bitcoin has capabilities that cash, gold and bank accounts do not. A bitcoin wallet, containing your keys, can be backed up like any file.

Use Two-Factor Authentication 

Many first-time users will use a web-based wallet or online service as their Bitcoin bank. Unfortunately, this has led to a rash of thefts from Bitcoin users, almost all due to compromised desktop computers. Hackers will install trojans and keyloggers looking for access to well-known Bitcoin sites. As soon as users log on, their own computer will compromise the account and surreptitiously transfer all of their money to another Bitcoin address. Once stolen, there is no recovery, as Bitcoin transactions are not reversible. The most effective defense against this attack is using what is known as a “two-factor authentication scheme” (2FA) or using a smartphone application to generate onetime codes. Google Authenticator and Authy are two such services worth looking into. Many wallets now incorporate 2FA as a standard feature, be sure to use it.

Spread the Risk 

Would you carry your entire net worth in cash in your wallet? Most people would consider that reckless, yet Bitcoin users often keep all of their bitcoins in a single wallet. Instead, users should spread the risk among multiple and diverse bitcoin wallets. The prudent user will keep only a small fraction — perhaps less than 5 percent — of their bitcoins in an online or mobile wallet as “pocket change.” The rest should be split between a few different storage mechanisms, such as multisignature and hardware wallets.

Use Physical Storage or Hardware Wallets

Bitcoin keys are nothing more than long numbers, sometimes displayed as a series of words. This means that they can be stored in a physical form, printed on paper or etched on a metal coin. 

Securing the keys then becomes as simple as securing the physical copy of the Bitcoin keys. A set of Bitcoin keys that are printed on paper is called a “paper wallet,” and there are many free tools that can be used to create them. Paper wallets are not backups of your online keys, they are new keys, generated securely offline and used specifically to store bitcoins offline. This type of storage is sometimes referred to as “cold storage.” 

Another way to store bitcoins securely is through hardware wallets. These hardware wallets allow nonexpert users to attain an almost foolproof level of security. Unlike a smartphone or desktop computer, a purpose-built bitcoin hardware wallet has only one function: to hold bitcoins securely. The devices don’t run general-purpose software and have simple interfaces that work to limit opportunities for compromise. These devices range in cost from $25 to $220 and are available for purchase online.

Use Multisignature Wallets 

Multisignature, or “multisig,” is a powerful feature that was added to the Bitcoin protocol in 2012. Like a bank’s safe deposit box, where two keys are simultaneously used to unlock a single box, Bitcoin’s multisig feature allows users to secure their bitcoin using multiple keys. 

Unlike a bank’s safe deposit box, which offers limited configurations, Bitcoin can currently support up to fifteen total keys with any configuration of required signers. Currently the most popular multisignature configuration is "2-of-3," where you hold two keys and a wallet provider or another third party holds the third. The most popular configuration for businesses is "3-of-6," where three executives in a company each hold one key, two keys are stored at different off-site cold storage locations and the last is held by a third party for recovery purposes only. 

In summary, Bitcoin is a new and complex technology. The industry has grown considerably over the past eight years, demonstrating an incredible rate and breadth of innovation. Over time, we will develop better security tools and practices that are easier to use by nonexperts. For now, Bitcoin users can employ many of the tips above to enjoy a secure and trouble-free Bitcoin experience.

About The Author

Andreas M. Antonopoulos is the author of Mastering Bitcoin (published by O’Reilly Media), considered by many the definitive technical guide on Bitcoin, and The Internet of Money, a book for everyone about why Bitcoin matters. He is currently writing Mastering Ethereum, due for publication in early 2018. He is an expert in security and distributed systems, an entrepreneur and a coder. He can be contacted on Twitter @aantonop or at http://antonopoulos.com.