‘Ideal’ Security Setup for an Average Bitcoiner by Security Experts
Answering a question in a recent AMA (ask me anything) session on protecting one’s Bitcoin from thieves, experts from crypto security specialist Casa gave what may be an ideal security setup for any average BTC holder, based on the amount they’re securing.
Casa’s Chief Technology Officer (CTO), Jameson Lopp, and the Product Lead for the Casa Node, Brian Lockhart, held a Reddit AMA on Tuesday. Among many questions, there was also a request for recommendation by user ‘CorporalCrabcake’ on “the ideal security setup for just your average Bitcoiner looking to make sure they don’t get hacked?”
Lopp answered this request saying that ‘Ideal’ is a relative term, so a broad reply can’t really be given, since it depends on the amount of value somebody’s securing. The way Lopp looks at it is: “if the cost of setting up an “ideal” system of securing private keys is less than a few percent of the value of the coins, then it should be a no-brainer.”
He gives a few more detailed pointers based on his personal opinions, as well as on various tiers offered at Casa:
- For securing amounts worth more than USD 1,000 – buying a hardware wallet is the bare minimum; he currently recommends ColdCard wallet, though he says that any popular wallet should be fine. (Check out a list of alternative hardware wallets).
- For securing amounts worth more than USD 10,000 – use multisignature (multisig), preferably with the keys held by different brands of hardware wallets.
- For securing amounts worth more than USD 100,000 – think about how geographically distributed you want the different devices to be, and possibly use a “higher M of N multisig setup for greater robustness,” says the expert.
Answering questions by Redditor ‘eYou’, Lockhart said that with multisig, users are spreading risk across multiple keys, but “the higher the amount protected, the higher [number] of keys you should require in order to sign a transaction.” He added that a mix of key storage devices – mobile key and one or more hardware wallets – is recommended either way, while mixing the brands of hardware wallet “is not a bad idea, and can protect against possible issues with a specific manufacturer.”
In the meantime, Casa came out with a couple of announcements in the past few days. In a blog post, the two experts addressed concerns regarding rumored vulnerabilities in Casa Node 1, a plug-and-play Bitcoin and Lightning node. They said that these are known issues that resulted from intentional design decisions, but that there’s no need to remove funds from your Casa Node. Furthermore, Casa Node 2 is already out as it was previously announced.
Related to the online security, the annual Internet Organized Crime Threat Assessment (IOCTA) for 2019 by the European Union Agency for Law Enforcement Cooperation (Europol) is also out. The report states that “while cryptocurrencies continue to facilitate cybercrime, hackers and fraudsters now routinely target crypto-assets and enterprise.” Among the main conclusions, the report finds that:
- Gangs use Advanced Persistent Threat (APT)-style tactics to take control over certain aspects of a bank’s internal network, and nation states are sometimes involved; for example the Lazarus group, which has ties to North Korea, was allegedly responsible for over half a billion USD in cryptocurrency thefts since 2017.
- Cryptocurrency exchanges are still a magnet for hacking groups, and last year, over USD 1 billion in cryptocurrencies were stolen from exchanges and other platforms worldwide.
- There was a massive surge in cryptomining, both passive (through scripts running in a victim’s internet browser) and via cryptojacking malware. “Both techniques exploit a victim’s processing power without their permission to mine cryptocurrencies — typically Monero,” says the report. With the closure of Coinhive in March, browser-based cryptomining declined, but the attacks against public and private sectors entities are evolving. “Apart from the occasional exceptional case, cryptomining is likely to remain a low-priority threat for EU law enforcement.”
To combat the crimes and high adaptability of those who perform them, the IOCTA says that:
- law enforcement and legislators must innovate and learn about the specific new technologies to investigate technically challenging or complex cybercrimes;
- as it’s getting more difficult to acquire data for investigations thanks to technological developments, such as the enhanced use of encryption to hide tracks or cryptocurrencies to hide illicit earnings, “law enforcement and the judiciary must continue to develop, share and propagate knowledge on how to recognize, track, trace, seize and recover cryptocurrency assets,” but also build trust-based relationships with the Cryptoworld;
- EU investigators should be vigilant concerning emerging cryptocurrency conversion and cash-out opportunities, and share any new information with Europol.