BitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYC

How to Stop Bitcoin Theft: Multi-Sig Wallets Make Bitcoin Secure and Useful for New Industries
Will O’Brien, CEO & Co-Founder, BitGo
April 8, 2014

Upload: will-obrien

Post on 29-Jan-2015


Page 1: BitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYC

How to Stop Bitcoin Theft: Multi-Sig Wallets Make Bitcoin Secure and Useful for New Industries

Will O’Brien

CEO & Co-Founder, BitGo

April 8, 2014

Page 2

Today’s Talk

• Landscape of Bitcoin security
• Introduction to multi-sig
• Multi-sig for the enterprise
• Multi-sig for new industries

COPYRIGHT © 2014 BITGO, INC. 2

Page 3

Who Am I?

• Will O’Brien
• CEO & Co-Founder of BitGo
• Computer Science, Harvard
• FinTech, trading platforms and capital markets
• MBA, MIT Sloan
• Startups and mid-size companies in consumer, payments, video games, and media
• Obsessed with Bitcoin since 2012

Page 4

BitGo: Multi-Sig Security-as-a-Service

• First multi-sig wallet
• Monitor holdings of any other wallet or address
• BitGo Enterprise
• BitGo API

Page 5

Q: What is the biggest threat to Bitcoin adoption?

Page 6

Threats to Bitcoin Adoption

• Regulation
• Price volatility
• Security
• Liquidity

Page 7

Security a Fundamental Threat

“An Australian bitcoin bank has been hacked, the service’s operator only known as ‘Tradefortress’ refused to give his name to the press, stressing he was not much older than 18.”

“Over $40,000 has been stolen from Bitcoin wallet provider Coinbase.”

“The Bloomberg reporter opened up his paper wallet to show the private key, and, not too surprisingly, the funds were quickly stolen.”

$1.2M hack shows why you should never store Bitcoins on the Internet

Page 8

Market analog: IT security now a primary concern for CXOs and BoDs

SECURITY ISSUES FREQUENTLY DISCUSSED WITH BOD ON QUARTERLY BASIS

[Bar chart: % of enterprises; values 22% and 54%; x-axis 2007 and 2012]

HIGHER PROFILE OF SECURITY IS DUE TO FREQUENCY, SCALE & IMPACT OF ATTACKS

• Cost of cybercrimes rose to a median $5.9M per organization in 2011, a 56% increase
• Security vulnerability disclosures grew to ~9K in 2012, a 29% increase
• Symantec blocked more than 5.5B malware attacks in 2011, an 81% increase
• Web based attacks rose to 4.5K per day in 2011, a 36% increase
• Mobile malware grew by 400%, with Android attacks growing by 2577% in 2013
• DDoS attacks increased by 27%, with the largest attack measuring at 100.84 Gbps and lasting 20 minutes in 2013

SIGNIFICANT % OF CSOS (SECURITY) NOW REPORT TO TOP LEADERSHIP

• 54% report to C-level execs (including CIOs)
• 30% report to CEO, BoD, or enterprise risk team

Sources: Cisco, Forrester, Gartner, IDC, IBM, Ponemon Institute, analyst reports, Bain analysis

Page 9

Global IT security market growing to $92B with strong consolidation trend

GLOBAL IT SECURITY MARKET

[Chart: global IT security market, 2012 vs. 2016F, $64B to $92B. By segment ($B): Enterprise 43 to 60, SMB 16 to 23, Consumer 5 to 8; CAGR 12-16 of 9%, 10% and 14%. By region: ROW and US (bar labels 25 and 35); CAGR 12-16 of 10% and 9%.]

Note: Excludes MPLS VPN
Sources: IDC, Gartner, analyst reports, Bain analysis, company financials

LEADING COMPANIES AND EXITS

Categories: Identity theft protection; Anti-virus and corporate security; Identity and authentication

[Company logos not preserved; captions:]
• $7.68B (acquired by Intel in 2010)
• $14.5B (NASDAQ:SYMC)
• $1.29B (acq. by Symantec in 2010)
• $1.97B (NYSE:LOCK)
• $17.5B (LON:EXPN)
• Private ($130m revenue)

Page 10

Quick Primer: Bitcoin Keys

[Diagram labels: SECRET!, SAFE]

Page 11

Bitcoin Storage: A Costly Trade-Off

[Chart: Security (low to high) vs. Accessibility (low to high)]

If all systems can be hacked, where do you store your private key?

Page 12

Bitcoin Storage: Desktop Wallets

Private key storage: local computer
Security threats: malware, key logging, hard drive failure, forgotten password
Examples: Bitcoin-QT, Android wallet
Note: some of these wallets are exploring multi-sig

[Chart: Security vs. Accessibility (low to high), plotting desktop wallets]

Page 13

Bitcoin Storage: Hosted Wallets

Private key storage: online
Security threats: server hacking, denial of service, phishing, key logging, insider theft
Examples: [logos not preserved]
Note: Blockchain does not store your keys

[Chart: Security vs. Accessibility (low to high), plotting desktop wallets; hosted wallets]

Page 14

Bitcoin Storage: Exchanges

Private key storage: online
Security threats: server hacking, denial of service, phishing, key logging, insider theft, regulatory action
Examples: [logos not preserved]
Note: for illustration purposes only

[Chart: Security vs. Accessibility (low to high), plotting desktop wallets; hosted wallets & exchanges]

Page 15

Bitcoin Storage: Offline

Private key storage: offline
Security threats: physical loss, physical theft, coercion, forgotten password
Examples: cold storage, paper wallets, brain wallets, physical tokens

[Chart: Security vs. Accessibility (low to high), plotting desktop wallets; hosted wallets & exchanges; cold storage, paper wallets, brain wallets]

Page 16

Bitcoin Storage: Multi-Sig

Private key storage (multi-signature): 3 keys distributed
- hosted key
- user key
- backup (offline)

Security threats: server hacking, malware, key logging, insider theft, coercion, forgotten password

Increased security measures: fraud detection, spending limits, corporate treasury, cold keys

[Chart: Security vs. Accessibility (low to high), plotting desktop wallets; hosted wallets & exchanges; cold storage, paper wallets, brain wallets]

Page 17

Comparing Bitcoin Wallet Architectures

Page 18

With Multi-Sig You Hold Your Own Bitcoin, 100% on Blockchain

Page 19

Multi-Sig for the Enterprise

Page 20

Evolution of Bitcoin Corporate Adoption

Accept Bitcoin
• Lower costs, reduce fraud
• PR and sales increase
- Big Fish Games
- Overstock.com
- Square
- TigerDirect
- Zynga
- 30K+ merchants

Hold Bitcoin
• Asset investment
• Digital currency trading
- Bitcoin Investment Trust
- Fortress/Pantera
- Sator Square

Use Bitcoin
• Supply chain
• Payroll
• Promotions
- BitPay
- Gyft
- Lamassu ATM

Page 21

Organizational Needs for Multi-Sig

Company profile: Businesses accepting and spending Bitcoin
Key needs:
• Accountant-friendly UI
• Enterprise security
• Spending limits and transaction approvals for various users in the org
• Regular financial reports
Multi-sig setup:
• 2-of-3 key wallets
• Access by multiple users with different rights

Company profile: Family office investors and financial institutions
Key needs:
• Trader-friendly UI
• Enterprise security for large Bitcoin holdings
• Fund administration that meets corporate governance requirements
• Robust audit trail and financial reporting
Multi-sig setup:
• M-of-N key wallets
• Secondary approval for large transactions

BITGO, INC. CONFIDENTIAL 21

Page 22

How an Organization Uses Multi-Sig

Person   Spending  limit   Creates  wallets   Approves  spending   Views  holdings  

CEO   $100,000   ✓   ✓   ✓  

CFO   $100,000   ✓   ✓   ✓  

VP  finance   $50,000   ✓   ✓  

Director  accounting   $25,000   ✓  

Financial  analyst   $0   ✓  

Auditor   n/a   ✓  

Enterprise security features
• Network fraud detection
• Spending and velocity limits
• Approval chains
• Time-delayed transactions
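How the holder of the hosted key in a 2-of-3 wallet could apply the spending limits from the table above before adding its signature, as an added example (not BitGo's code or API). The per-person limits come from the slide; the set of approvers, the velocity cap, the delay threshold and every function and field name are assumptions made for illustration.

```python
from dataclasses import dataclass

# Per-person spending limits in USD, taken from the slide's table.
# None means no spending rights at all (the auditor's "n/a").
LIMITS = {"CEO": 100_000, "CFO": 100_000, "VP finance": 50_000,
          "Director accounting": 25_000, "Financial analyst": 0, "Auditor": None}
APPROVERS = {"CEO", "CFO"}        # assumption: only these two approve spending
DAILY_VELOCITY_LIMIT = 150_000    # assumption: wallet-wide cap per 24 hours
DELAY_THRESHOLD = 75_000          # assumption: larger spends are time-delayed
DELAY_SECONDS = 24 * 3600         # assumption: length of the delay


@dataclass
class Decision:
    cosign: bool             # may the hosted key add the second signature?
    reason: str
    release_at: float = 0.0  # earliest time (epoch seconds) to sign


def evaluate(requester, amount, approvals, spent_last_24h, now):
    """Policy check run by the hosted-key holder on a spend the user key signed."""
    limit = LIMITS.get(requester)
    if limit is None:
        return Decision(False, "requester has no spending rights")
    if spent_last_24h + amount > DAILY_VELOCITY_LIMIT:
        return Decision(False, "velocity limit exceeded")
    if amount > limit:
        # Approval chain: a different person who may approve and whose own
        # limit covers the amount must have signed off.
        valid = [a for a in approvals
                 if a != requester and a in APPROVERS and LIMITS[a] >= amount]
        if not valid:
            return Decision(False, "secondary approval required")
    release_at = now + DELAY_SECONDS if amount > DELAY_THRESHOLD else now
    return Decision(True, "ok", release_at)


if __name__ == "__main__":
    for args in [("VP finance", 40_000, [], 0, 0.0),
                 ("VP finance", 80_000, [], 0, 0.0),
                 ("VP finance", 80_000, ["CFO"], 0, 0.0),
                 ("CEO", 90_000, [], 100_000, 0.0)]:
        print(args[:3], "->", evaluate(*args))
```

Because two of the three keys are needed to spend, a stolen user key alone cannot bypass these checks, and the hosted key alone cannot move funds either.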

Page 23

Corporate Dashboard

Page 24

Wallet-Based Security and Permissions

Page 25

Spending Limits in Action

Page 26

Security and Approval Flow

Page 27

Multi-Sig for New Industries

Page 28

Multi-Sig Custodial Accounts

• Escrow
• Gifts
• Auctions
• Real estate

Page 29

Exchanges: Preventing the Next MtGox

Risks of “pooled holdings” exchange
• Theft or loss of all funds
• Government seizure of funds
• Limited independent auditing
• No insurance
• No notification of account breach

[Diagram: POOLED EXCHANGE MODEL]

Page 30

Exchange Powered by Multi-Sig

Page 31

Five Parties Model

http://www.systemics.com/docs/ricardo/issuer/faq_governance.html#5PM
http://bitcoinmagazine.com/10639/five-parties-model/

Page 32

Get Started with Multi-Sig

• Individual: Use a multi-sig secure wallet
• Merchant or financial institution: Use a multi-sig, multi-signer wallet
• Bitcoin exchange or business: Bake multi-sig into your transaction model using custodial accounts

API  

Page 33

Build on the BitGo API

• Exchanges, trading platforms, funds, marketplaces, escrow services, and beyond can build systems on the BitGo API
• The BitGo API enables the following operations:
  – Creation of M-of-N P2SH (multi-sig) addresses
  – Hierarchical Deterministic Wallet management (BIP32)
  – Transaction creation
  – Transaction signing
  – Spending limits
  – Multi-signer address flow
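What creating an M-of-N P2SH address involves, shown for the 2-of-3 case as an added example (not BitGo's code or API): it serializes the redeem script, derives the address, and checks a script handed over by a wallet service for the promised threshold and the presence of your own keys. The key bytes are constructed placeholders, all function names are hypothetical, and only 33-byte compressed public keys are handled.

```python
import hashlib

OP_CHECKMULTISIG = 0xAE
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def redeem_script(m, pubkeys):
    """Serialize OP_m <pubkey>... OP_n OP_CHECKMULTISIG (compressed keys only)."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 15 or any(len(pk) != 33 for pk in pubkeys):
        raise ValueError("need 1 <= m <= n <= 15 and 33-byte public keys")
    pushes = b"".join(bytes([33]) + pk for pk in pubkeys)  # length byte + key
    return bytes([0x50 + m]) + pushes + bytes([0x50 + n, OP_CHECKMULTISIG])


def parse_redeem_script(script):
    """Return (m, [pubkeys]); reject anything that is not plain M-of-N multisig."""
    body = script[1:-2]
    if len(script) < 37 or script[-1] != OP_CHECKMULTISIG or len(body) % 34:
        raise ValueError("not an M-of-N CHECKMULTISIG script")
    if any(body[i] != 33 for i in range(0, len(body), 34)):
        raise ValueError("malformed public key push")
    keys = [body[i + 1:i + 34] for i in range(0, len(body), 34)]
    m, n = script[0] - 0x50, script[-2] - 0x50
    if not 1 <= m <= n <= 15 or n != len(keys):
        raise ValueError("threshold does not match the keys present")
    return m, keys


def wallet_script_ok(script, expected_m, expected_n, my_keys):
    """Before funding: is this really the promised M-of-N, with my keys in it?"""
    m, keys = parse_redeem_script(script)
    return (m, len(keys)) == (expected_m, expected_n) and all(k in keys for k in my_keys)


def p2sh_address(script):
    """Base58Check(0x05 || RIPEMD160(SHA256(script))): a mainnet '3...' address."""
    # hashlib exposes ripemd160 only if the underlying OpenSSL build provides it.
    h160 = hashlib.new("ripemd160", hashlib.sha256(script).digest()).digest()
    payload = b"\x05" + h160
    payload += hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num, out = int.from_bytes(payload, "big"), ""
    while num:  # version byte 0x05 is non-zero, so no leading-zero padding needed
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return out


# Constructed placeholder bytes standing in for compressed public keys.
USER, HOSTED, BACKUP = (b"\x02" + bytes([i]) * 32 for i in (1, 2, 3))

if __name__ == "__main__":
    script = redeem_script(2, [USER, HOSTED, BACKUP])
    print(script.hex(), wallet_script_ok(script, 2, 3, [USER, BACKUP]), p2sh_address(script))
```

Running the check before depositing catches a script whose threshold was lowered to 1-of-3 or in which one of your keys was swapped for someone else's.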

Page 34

Industry Goals for Multi-Sig

• Secure the majority of Bitcoin holdings with multi-sig by the end of 2014
• Embrace standards and industry best practices like BIP32 (HD wallets)
• Innovate on new models based on multi-sig

Make 2014 the Year of Multi-Sig!

Page 35

Thank you

https://www.bitgo.com
@BitGoInc