BitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYC

Post on 29-Jan-2015


How to Stop Bitcoin Theft: Multi-Sig Wallets Make Bitcoin Secure and Useful for New Industries

Will O’Brien

CEO & Co-Founder, BitGo
will@bitgo.com

April 8, 2014

Today’s Talk

•  Landscape of Bitcoin security
•  Introduction to multi-sig
•  Multi-sig for the enterprise
•  Multi-sig for new industries

COPYRIGHT © 2014 BITGO, INC. 2

Who Am I?

•  Will O’Brien
•  CEO & Co-Founder of BitGo
•  Computer Science, Harvard
•  FinTech, trading platforms and capital markets
•  MBA, MIT Sloan
•  Startups and mid-size companies in consumer, payments, video games, and media
•  Obsessed with Bitcoin since 2012

BitGo: Multi-Sig Security-as-a-Service

•  First multi-sig wallet
•  Monitor holdings of any other wallet or address
•  BitGo Enterprise
•  BitGo API

Q: What is the biggest threat to Bitcoin adoption?

Threats to Bitcoin Adoption

•  Regulation
•  Price volatility
•  Security
•  Liquidity

Security a Fundamental Threat

“An Australian bitcoin bank has been hacked, the service’s operator only known as ‘Tradefortress’ refused to give his name to the press, stressing he was not much older than 18.”

“Over $40,000 has been stolen from Bitcoin wallet provider Coinbase.”

“The Bloomberg reporter opened up his paper wallet to show the private key, and, not too surprisingly, the funds were quickly stolen.”

$1.2M hack shows why you should never store Bitcoins on the Internet

Market analog: IT security now a primary concern for CXOs and BoDs

SECURITY ISSUES FREQUENTLY DISCUSSED WITH BOD ON QUARTERLY BASIS

[Chart: % of enterprises, 2007 vs. 2012; values shown: 22%, 54%]

HIGHER PROFILE OF SECURITY IS DUE TO FREQUENCY, SCALE & IMPACT OF ATTACKS

•  Cost of cybercrimes rose to a median $5.9M per organization in 2011, a 56% increase
•  Security vulnerability disclosures grew to ~9K in 2012, a 29% increase
•  Symantec blocked more than 5.5B malware attacks in 2011, an 81% increase
•  Web based attacks rose to 4.5K per day in 2011, a 36% increase
•  Mobile malware grew by 400%, with Android attacks growing by 2577% in 2013
•  DDoS attacks increased by 27%, with the largest attack measuring at 100.84 Gbps and lasting 20 minutes in 2013

SIGNIFICANT % OF CSOS (SECURITY) NOW REPORT TO TOP LEADERSHIP

•  54% report to C-level execs (including CIOs)
•  30% report to CEO, BoD, or enterprise risk team

Sources: Cisco, Forrester, Gartner, IDC, IBM, Ponemon Institute, analyst reports, Bain analysis

Global IT security market growing to $92B with strong consolidation trend

[Charts: GLOBAL IT SECURITY MARKET, 2012 vs. 2016F, growing from $64B to $92B; one panel by segment (Enterprise, SMB, Consumer) and one by region (ROW, US), each annotated with CAGR 12-16]

Note: Excludes MPLS VPN
Sources: IDC, Gartner, analyst reports, Bain analysis, company financials

LEADING COMPANIES AND EXITS

Categories: Anti-virus and corporate security; Identity and authentication; Identity theft protection

•  $7.68B (acquired by Intel in 2010)
•  $14.5B (NASDAQ:SYMC)
•  $1.29B (acq. by Symantec in 2010)
•  $1.97B (NYSE:LOCK)
•  $17.5B (LON:EXPN)
•  Private ($130m revenue)

Quick Primer: Bitcoin Keys

[Figure labels: “SECRET!” and “SAFE”]

Bitcoin Storage: A Costly Trade-Off

[Chart axes: Security (low to high) vs. Accessibility (low to high)]

If all systems can be hacked, where do you store your private key?

Bitcoin Storage: Desktop Wallets

•  Private key storage: local computer
•  Security threats: malware, key logging, hard drive failure, forgotten password
•  Examples: Bitcoin-QT, Android wallet

Note: some of these wallets are exploring multi-sig

[Chart: Security vs. Accessibility, low to high; plotted: desktop wallets]

Bitcoin Storage: Hosted Wallets

•  Private key storage: online
•  Security threats: server hacking, denial of service, phishing, key logging, insider theft

Note: Blockchain does not store your keys

[Chart: Security vs. Accessibility, low to high; plotted: desktop wallets, hosted wallets]

Bitcoin Storage: Exchanges

•  Private key storage: online
•  Security threats: server hacking, denial of service, phishing, key logging, insider theft, regulatory action

Note: for illustration purposes only

[Chart: Security vs. Accessibility, low to high; plotted: desktop wallets, hosted wallets & exchanges]

Bitcoin Storage: Offline

•  Private key storage: offline
•  Security threats: physical loss, physical theft, coercion, forgotten password
•  Examples: cold storage, paper wallets, brain wallets, physical tokens

[Chart: Security vs. Accessibility, low to high; plotted: desktop wallets; hosted wallets & exchanges; cold storage, paper wallets, brain wallets]

Bitcoin Storage: Multi-Sig

•  Private key storage (multi-signature): 3 keys distributed
   -  hosted key
   -  user key
   -  backup (offline)
•  Security threats: server hacking, malware, key logging, insider theft, coercion, forgotten password
•  Increased security measures: fraud detection, spending limits, corporate treasury, cold keys

[Chart: Security vs. Accessibility, low to high; plotted: desktop wallets; hosted wallets & exchanges; cold storage, paper wallets, brain wallets]

Comparing Bitcoin Wallet Architectures

With Multi-Sig You Hold Your Own Bitcoin, 100% on Blockchain

Multi-Sig for the Enterprise

Evolution of Bitcoin Corporate Adoption

Accept Bitcoin
•  Lower costs, reduce fraud
•  PR and sales increase
   -  Big Fish Games
   -  Overstock.com
   -  Square
   -  TigerDirect
   -  Zynga
   -  30K+ merchants

Hold Bitcoin
•  Asset investment
•  Digital currency trading
   -  Bitcoin Investment Trust
   -  Fortress/Pantera
   -  Sator Square

Use Bitcoin
•  Supply chain
•  Payroll
•  Promotions
   -  BitPay
   -  Gyft
   -  Lamassu ATM

Organizational Needs for Multi-Sig

Company Profile: Businesses accepting and spending Bitcoin
•  Key Needs
   -  Accountant-friendly UI
   -  Enterprise security
   -  Spending limits and transaction approvals for various users in the org
   -  Regular financial reports
•  Multi-Sig Setup
   -  2-of-3 key wallets
   -  Access by multiple users with different rights

Company Profile: Family office investors and financial institutions
•  Key Needs
   -  Trader-friendly UI
   -  Enterprise security for large Bitcoin holdings
   -  Fund administration that meets corporate governance requirements
   -  Robust audit trail and financial reporting
•  Multi-Sig Setup
   -  M-of-N key wallets
   -  Secondary approval for large transactions

How an Organization Uses Multi-Sig

Person   Spending limit   Creates wallets   Approves spending   Views holdings
CEO   $100,000   ✓   ✓   ✓
CFO   $100,000   ✓   ✓   ✓
VP finance   $50,000   ✓   ✓
Director accounting   $25,000   ✓
Financial analyst   $0   ✓
Auditor   n/a   ✓

Enterprise security features
•  Network fraud detection
•  Spending and velocity limits
•  Approval chains
•  Time-delayed transactions

Corporate Dashboard

Wallet-Based Security and Permissions

Spending Limits in Action

Security and Approval Flow

Multi-Sig for New Industries

Multi-Sig Custodial Accounts

•  Escrow
•  Gifts
•  Auctions
•  Real estate

Exchanges: Preventing the Next MtGox

Risks of “pooled holdings” exchange
•  Theft or loss of all funds
•  Government seizure of funds
•  Limited independent auditing
•  No insurance
•  No notification of account breach

[Figure label: POOLED EXCHANGE MODEL]

Exchange Powered by Multi-Sig

Five Parties Model

http://www.systemics.com/docs/ricardo/issuer/faq_governance.html#5PM
http://bitcoinmagazine.com/10639/five-parties-model/

Get Started with Multi-Sig

•  Individual: Use a multi-sig secure wallet

•  Merchant or financial institution: Use a multi-sig, multi-signer wallet

•  Bitcoin exchange or business: Bake multi-sig into your transaction model using custodial accounts

Build on the BitGo API

•  Exchanges, trading platforms, funds, marketplaces, escrow services, and beyond can build systems on the BitGo API
•  The BitGo API enables the following operations:
   –  Creation of M-of-N P2SH (multi-sig) addresses
   –  Hierarchical Deterministic Wallet management (BIP32)
   –  Transaction creation
   –  Transaction signing
   –  Spending limits
   –  Multi-signer address flow
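
The API slide lists creation of M-of-N P2SH (multi-sig) addresses, and the multi-sig storage slide splits a wallet's three keys between a hosted key, a user key and an offline backup. As an added example (not BitGo's code or API; the function names and key bytes are assumptions constructed for illustration), this builds the 2-of-3 redeem script behind such an address and parses it back, so a key holder can confirm the threshold and the presence of their own keys before depositing.

```python
# Added example, not BitGo code. Keys are constructed 33-byte placeholders; the
# user/hosted/backup roles follow the slide's three-key split.
OP_1, OP_CHECKMULTISIG = 0x51, 0xAE   # OP_1..OP_16 push the integers 1..16
MAX_REDEEM_SCRIPT = 520               # byte limit on a P2SH redeem script
USER, HOSTED, BACKUP = (b"\x02" + bytes([i]) * 32 for i in (1, 2, 3))


def build_redeem_script(m, pubkeys):
    """Serialize 'm <pk1>..<pkN> n OP_CHECKMULTISIG' (the M-of-N redeem script)."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    script = bytes([OP_1 + m - 1])
    for pk in pubkeys:
        if len(pk) not in (33, 65):
            raise ValueError("public key must be 33 or 65 bytes")
        script += bytes([len(pk)]) + pk   # direct push: length byte, then key
    script += bytes([OP_1 + n - 1, OP_CHECKMULTISIG])
    if len(script) > MAX_REDEEM_SCRIPT:
        raise ValueError("redeem script exceeds 520 bytes")
    return script


def parse_redeem_script(script):
    """Return (m, pubkeys); reject anything that is not a plain multisig script."""
    if not 3 <= len(script) <= MAX_REDEEM_SCRIPT or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a multisig redeem script")
    m, n = script[0] - OP_1 + 1, script[-2] - OP_1 + 1
    pubkeys, i, end = [], 1, len(script) - 2
    while i < end:
        size = script[i]
        if size not in (33, 65) or i + 1 + size > end:
            raise ValueError("unexpected push in key list")
        pubkeys.append(script[i + 1:i + 1 + size])
        i += 1 + size
    if not 1 <= m <= n <= 16 or n != len(pubkeys):
        raise ValueError("m/n do not match the key list")
    return m, pubkeys


def wallet_is_as_promised(script, my_keys, expect_m=2, expect_n=3):
    """Pre-deposit check: agreed threshold, and the keys I control are in the script."""
    m, pubkeys = parse_redeem_script(script)
    return m == expect_m and len(pubkeys) == expect_n and all(k in pubkeys for k in my_keys)
```

A script that quietly lowers the threshold to 1-of-3, or swaps the backup key for one the holder does not control, fails `wallet_is_as_promised` even though it is still a valid multisig script.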


Industry Goals for Multi-Sig

•  Secure the majority of Bitcoin holdings with multi-sig by the end of 2014

•  Embrace standards and industry best practices like BIP32 (HD wallets)

•  Innovate on new models based on multi-sig

Make 2014 the Year of Multi-Sig!


Thank you

https://www.bitgo.com
will@bitgo.com
@BitGoInc