Topic: Bitcoin Security Standards Audit [BSSA] - page 4. (Read 5159 times)

I really doubt that you people know how the free market works. Bitcoin Security Standards Audit is not the way to go. Why do we need background checks? Is this big brother trying to crowbar in their regulations?

We don't need regulations, we need people to be smarter before sending coins. If you did a quick check of Mt Gox you would have seen it was a death trap, if you did a quick look at TF on here you would have known he had no clue how to run a wallet service. The moral of the story is their are signs, no company just shows up and the next day they get hacked or bad programming hurts them.

A prohibition on fractional banking.
Real-time or at least daily auditing of client BTC balances.

You do realize Deloitte does management consulting and audits for businesses, governments and military facilities worldwide, right? I don't think the little Bitcoin software will confuse them much. LOL

Then what happens when coins are lost from one of these stamp approved companies? The problem with theft or loss is it only takes one mistake or hole. Nothing is 100% secure.

The better approach is to teach people to be responsible for their own coins, and create enabling technology for them to do it. Additionally, companies can and probably will begin to have insurance/recoup options. These things are on the way naturally, but as I explain here, they take time. In the meantime, we need to do a better job educating people on how to protect their coins.

+1.   Great idea.

But will someone carry this through, and make it a network-wide thing?  Do you have the stamina and the resources to make it happen?

Possible suggestion:   Require insurance service of some sort.  Elliptic.  Lloyds of London is very forward thinking with Bitcoin.

-B-

Deloitte is a possibility of course for audits similar to traditional financial services companies, but then the issue arises around their expertise regarding the Bitcoin protocol, software and security practices of which they would have no clue how to handle.  There may need to be a hybrid approach, or perhaps an entirely new compliance organization started with Bitcoin developers and security experts.  As an example of such an individual, Andreas Antonopoulos recently did security checks for companies like Coinbase and Mt. Gox.

The Bitcoin Foundation's focus is on the Bitcoin protocol itself, in terms of standardizing, protecting and promoting it.  External exchanges have never been a highlighted priority to date.  The general consensus to date has been "it's a free market" so the exchanges decide their own standards and ways of doing business.  Unfortunately we've seen a very poor security track record as a result.  Now it's blown up into a bigger issue than most people imagined it would be.

Sounds great but can we use a real company instead of Ed's uncle Fred.

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

very good idea. Isn't the bitcoin foundation thought to do something like this? At least I thought they might be interesting in doing such things but somehow one of the biggest failures was a gold member of them...

some addition: the granted award must be valid only for a limited period, lets say 6 months.

+1

As long as this is a voluntary program, and combined with a recognition that the exchange can capitalize on for complying with the program so that it is also worth their while - I am up for this.

Due to the news of rampant thefts at Bitcoin exchanges this past week (Mt. Gox, Poloniex, Flexcoin) it is becoming apparent that there's a dire need for some security standards in the Bitcoin community to ensure compliance and build client trust.  The media is jumping over every hack story that comes out and shouting that it's insecure.  You can't blame people for thinking this way, because at this point it's a legitimate fear.

There is no question that we need a standard process for third party security experts to be able to review exchange processes and software from top to bottom.  If you know of some sort of external security company that already does this, feel free to post.

Perhaps exchanges could be verified on a certain level of compliance and receive a letter or badge to post on their website for proof of audit.  Maybe someone like Andreas Antonopoulos would be interested to open this discussion further.

Items to address in audit:

- Source code, deployment and version control procedures
- Bitcoin software and protocol implementation
- Server platform (software versions, port scanning, server logging, brute force protections, DDOS protection, backups, redundancy, etc)
- Emergency shutdown and startup procedures
- Physical security (security cameras, electronic facility monitoring, alarm systems, swipe-cards, etc)
- Use of AML / KYC procedures and encrypted offsite storage of client documents
- Offsite cold storage (multiple locations) and use of keys, with logs of all activity
- Onsite hot wallet and use of keys
- Minimum of email verification or 2-Factor Authentication mandatory for withdrawals on all client accounts
- Options for clients to set a withdrawal limit on their account (similar to a bank)
- Alerts available for unusual activity on client accounts, with additional verification option (email or phone call) in case of sudden large withdrawals
- Staff background checks
- Staff fraud prevention training
- On-site restrictions for staff electronics and storage devices
- Restricted access areas for developers and system-critical staff
- Procedures for reporting illegal or suspicious activity to law enforcement

I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!