Author

Topic: Security standards for bitcoin commerce sites and applications (Read 1400 times)

member
Activity: 105
Merit: 10
Perhaps this topic might seem a little more interesting now?
legendary
Activity: 1652
Merit: 2301
Chief Scientist
Gavin, your ClearCoin project holds bitcoins on deposits.  Can you direct me to the security standards that you are adhering to?  Has a 3rd party audit been peformed to ensure that your organization is adhering to those standards?  Have you subjected your infrastructure to any kind of penetration tests?  If I have 1000 btc in escrow at ClearCoin and an act of God wipes out your server at 2:15PM on a Sunday afternoon, is money safe and recoverable?

No, no, no and yes.  I'm planning on making the answers to all of those questions "yes" within the next six months, although I need to look at how many bitcoins are contained at any given time in the ClearCoin wallet; it might make more sense to send double or triple that amount of bitcoin to a publicly verifiable address, prove I own the coins, and guarantee any losses due to ClearCoin getting hacked.

(note: I just looked, and right now there are 540 bitcoins in the ClearCoin wallet, so spending $50,000 to protect them really wouldn't make sense).

Quote
More to the point, how can I or anyone affordably provide the same kind of fault tolerance and data security that a traditional banking institution would?

Yet another bitcoin chicken-and-egg problem that will get solved by investors taking a risk and giving bitcoin entrepreneurs the resources to do security right (or wealthy entrepreneurs stepping up and making the investment themselves).
member
Activity: 105
Merit: 10
I agree, that  we don't need to reinvent the wheel.  However, an individual like myself with enough money to buy a domain name and a months worth of bargain basement web hosting does not present themselves to the world as a bank or a credit union.

Gavin, your ClearCoin project holds bitcoins on deposits.  Can you direct me to the security standards that you are adhering to?  Has a 3rd party audit been peformed to ensure that your organization is adhering to those standards?  Have you subjected your infrastructure to any kind of penetration tests?  If I have 1000 btc in escrow at ClearCoin and an act of God wipes out your server at 2:15PM on a Sunday afternoon, is money safe and recoverable?

As a startup, I do not have the resources (financial or expertise) that Bank of America has to devote to network security.  My website is hosted on a server somewhere in Los Angeles California.  I have no idea who has physical access to the server my site is hosted on.  Even if I'm not going to rely on backups that my hosting company makes, I do know that they make them.  I have no idea if backup media or server hardware is disposed of in a secure manner.

Can anyone recommend a hosting company that adheres to security practices worthy of providing hosting for a bitcoin financial institution?

More to the point, how can I or anyone affordably provide the same kind of fault tolerance and data security that a traditional banking institution would?
legendary
Activity: 1652
Merit: 2301
Chief Scientist
My advice:  don't reinvent the wheel.  There are already standards and organizations dedicated to security practices surrounding currency, both physical and virtual, and financial transactions.  It doesn't really matter if the currency is bhat or bitcoin, the principles will be the same.

jr. member
Activity: 48
Merit: 9
great topic, I would love to hear from those more knowledgeable than I am on it.  I'd imagine it comes down to server security.  putting reserves on different drives is probably a good idea and then just transferring funds in when the active drive gets low and out when there is surplus
member
Activity: 105
Merit: 10
We are seeing an ever increasing number of bitcoin related financial services being offered.  We have a number of exchanges, eWallets, tip jars, escrow services, credit unions, and countless offline apps.  Some of these services are tasked with safeguarding user's bitcoins.

For the sake of discussion, let's consider an online eWallet system.  A successful eWallet system, one that has many users and a large quantity of bitcoin on deposit, is basically a huge pile of cash sitting inside a computer.  Where is that computer?  Is it in a highly secure NOC somewhere or in somebody's kitchen.  Are backups being performed, if so how often?  Where and how are the backups stored, are they secure?  The list is endless.

A hacker doesn't need to steal the private key / bitcoin wallet.  They would just need to use it long enough to make a very large transfer to their own account.

If there's a million bitcoin sitting on a computer somewhere worth worth who knows how much fiat currency, we are going to see a hacker challenge the likes of which the world has never seen!

The people participating in this forum are laying the foundation for a new economy.  A large scale theft would be a major setback to the bitcoin project.  

I see a great need for developing security recommendations and best practices for any entity offering services that involve storing bitcoin on behalf of their owner.  After that's done, organizations can be formed to audit these entities to ensure compliance (another new business opportunity).

Is anyone here interested in working on this?
Jump to: