The document discusses how multi-signature (multi-sig) wallets can improve bitcoin security and enable its use in new industries. It begins with an overview of existing bitcoin storage methods and their security trade-offs. Desktop, online, offline and exchange storage are outlined. The document then introduces multi-sig wallets as a more secure solution that distributes control of funds across multiple private keys. It argues this approach makes bitcoin secure enough for enterprise and new applications.

1. How to Stop Bitcoin Theft:
Multi-Sig Wallets Make Bitcoin
Secure and Useful for New
Industries
Will O’Brien
CEO & Co-Founder, BitGo
will@bitgo.com
April 8, 2014

2. Today’s Talk
• Landscape of Bitcoin security
• Introduction to multi-sig
• Multi-sig for the enterprise
• Multi-sig for new industries
COPYRIGHT © 2014 BITGO, INC.
2

3. Who Am I?
• Will O’Brien
• CEO & Co-Founder of BitGo
• Computer Science, Harvard
• FinTech, trading platforms and capital markets
• MBA, MIT Sloan
• Startups and mid-size companies in consumer,
payments, video games, and media
• Obsessed with Bitcoin since 2012
COPYRIGHT © 2014 BITGO, INC.
3

4. BitGo: Multi-Sig Security-as-a-Services
• First
multi-­‐sig
wallet
• Monitor
holdings
of
any
other
wallet
or
address
• BitGo
Enterprise
• BitGo
API
COPYRIGHT © 2014 BITGO, INC.
4

5. Q: What is the biggest
threat to Bitcoin adoption?

6. Threats to Bitcoin Adoption
COPYRIGHT © 2014 BITGO, INC.
6
Regulation
Price
volatility
Security
Liquidity

7. Security a Fundamental Threat
“An
Australian
bitcoin
bank
has
been
hacked,
the
service’s
operator
only
known
as
‘Tradefortress’
refused
to
give
his
name
to
the
press,
stressing
he
was
not
much
older
than
18.”
Over $40,000 has been stolen from Bitcoin wallet provider Coinbase.
”
“ The Bloomberg reporter opened up his paper
wallet to show the private key, and, not too
surprisingly, the funds were quickly stolen.
“ ”
$1.2M hack shows why you should never store
Bitcoins on the Internet
COPYRIGHT © 2014 BITGO, INC.
7

8. Market analog: IT security now a
primary concern for CXOs and BoDs
22%
54%
2007
2012
%
of
Enterprises
Sources:
Cisco,
Forrester,
Gartner,
IDC,
IBM,
Ponemon
Institute,
analyst
reports,
Bain
analysis
SECURITY
ISSUES
FREQUENTLY
DISCUSSED
WITH
BOD
ON
QUARTERLY
BASIS
HIGHER
PROFILE
OF
SECURITY
IS
DUE
TO
FREQUENCY,
SCALE
&
IMPACT
OF
ATTACKS
• Cost
of
cybercrimes
rose
to
a
median
$5.9M
per
organization
in
2011,
a
56%
increase
• Security
vulnerability
disclosures
grew
to
~9K
in
2012,
a
29%
increase
• Symantec
blocked
more
than
5.5B
malware
attacks
in
2011,
an
81%
increase
• Web
based
attacks
rose
to
4.5K
per
day
in
2011,
a
36%
increase
• Mobile
malware
grew
by
400%,
with
Android
attacks
growing
by
2577%
in
2013
• DDoS
attacks
increased
by
27%,
with
the
largest
attack
measuring
at
100.84
Gbps
and
lasting
20
minutes
in
2013
SIGNIFICANT
%
OF
CSOS
(SECURITY)
NOW
REPORT
TO
TOP
LEADERSHIP
• 54%
report
to
C-­‐level
execs
(including
CIOs)
• 30%
report
to
CEO,
BoD,
or
enterprise
risk
team
COPYRIGHT © 2014 BITGO, INC.
8

9. Global IT security market growing to
$92B with strong consolidation trend
COPYRIGHT © 2014 BITGO, INC.
9
43
60
16
23
5
8
2012
2016F
Enterprise
SMB
Consumer
9%
10%
14%
CAGR
12-­‐16
Note:
Excludes
MPLS
VPN
Sources:
IDC,
Gartner,
analyst
reports,
Bain
analysis,
company
financials
25
35
$0B
$10B
$20B
$30B
$40B
$50B
$60B
$70B
$80B
$90B
$100B
2012
2016F
ROW
US
10%
9%
CAGR
12-­‐16
$64B
$92B
$64B
$92B
Global
IT
security
market
GLOBAL
IT
SECURITY
MARKET
Identity
theft
protection
$7.68B
(acquired
by
Intel
in
2010)
$14.5B
(NASDAQ:SYMC)
$1.29B
(acq.
by
Symantec
in
2010)
$1.97B
(NYSE:LOCK)
$17.5B
(LON:EXPN)
Private
($130m
revenue)
Anti-­‐virus
and
corporate
security
Identity
and
authentication
LEADING
COMPANIES
AND
EXITS

10. Quick Primer: Bitcoin Keys
COPYRIGHT © 2014 BITGO, INC.
10
SECRET!
SAFE

11. Bitcoin Storage: A Costly Trade-Off
COPYRIGHT © 2014 BITGO, INC.
11
Security
Accessibility
low
low
high
high
If
all
systems
can
be
hacked,
where
do
you
store
your
private
key?

12. Private
key
storage
local
computer
Security
threats
malware
key
logging
hard
drive
failure
forgotten
password
Examples
Bitcoin Storage: Desktop Wallets
COPYRIGHT © 2014 BITGO, INC.
12
Security
Accessibility
desktop
wallets
low
low
high
high
Bitcoin-­‐QT
Android
wallet
Note:
some
of
these
wallets
are
exploring
multi-­‐sig

13. Private
key
storage
online
Security
threats
server
hacking
denial
of
service
phishing
key
logging
insider
theft
Examples
Bitcoin Storage: Hosted Wallets
COPYRIGHT © 2014 BITGO, INC.
13
Security
Accessibility
desktop
wallets
low
low
high
high
hosted
wallets
Note:
Blockchain
does
not
store
your
keys

14. Private
key
storage
online
Security
threats
server
hacking
denial
of
service
phishing
key
logging
insider
theft
regulatory
action
Examples
Bitcoin Storage: Exchanges
COPYRIGHT © 2014 BITGO, INC.
14
Security
Accessibility
desktop
wallets
low
low
high
high
hosted
wallets
&
exchanges
Note:
for
illustration
purposes
only

15. Private
key
storage
offline
Security
threats
physical
loss
physical
theft
coercion
forgotten
password
Examples
Bitcoin Storage: Offline
COPYRIGHT © 2014 BITGO, INC.
15
Security
Accessibility
desktop
wallets
low
low
high
high
hosted
wallets
&
exchanges
cold
storage
paper
wallets
cold
storage
paper
wallets
brain
wallets
physical
tokens
brain
wallets

16. Private
key
storage
(multi-­‐signature)
3
keys
distributed
-­‐ hosted
key
-­‐ user
key
-­‐ backup
(offline)
Security
threats
server
hacking
malware
key
logging
insider
theft
coercion
forgotten
password
Increased
security
measures
fraud
detection
spending
limits
corporate
treasury
cold
keys
Bitcoin Storage: Multi-Sig
COPYRIGHT © 2014 BITGO, INC.
16
Security
Accessibility
desktop
wallets
low
low
high
high
hosted
wallets
&
exchanges
cold
storage
paper
wallets
brain
wallets

17. Comparing Bitcoin Wallet Architectures
COPYRIGHT © 2014 BITGO, INC.
17

18. With Multi-Sig You Hold Your Own
Bitcoin, 100% on Blockchain
COPYRIGHT © 2014 BITGO, INC.
18

19. Multi-Sig for the
Enterprise
COPYRIGHT © 2014 BITGO, INC.
19

20. Evolution of Bitcoin Corporate Adoption
COPYRIGHT © 2014 BITGO, INC.
20
Lower
costs,
reduce
fraud
PR
and
sales
increase
Accept
Bitcoin
Asset
investment
Digital
currency
trading
Hold
Bitcoin
Supply
chain
Payroll
Promotions
Use
Bitcoin
-­‐ Big
Fish
Games
-­‐ Overstock.com
-­‐ Square
-­‐ TigerDirect
-­‐ Zynga
-­‐ 30K+
merchants
-­‐ Bitcoin
Investment
Trust
-­‐ Fortress/
Pantera
-­‐ Sator
Square
-­‐ BitPay
-­‐ Gyft
-­‐ Lamassu
ATM

21. Company
Profile
Businesses
accepting
and
spending
Bitcoin
Family
office
investors
and
financial
institutions
Key
Needs
• Accountant-­‐friendly
UI
• Enterprise
security
• Spending
limits
and
transaction
approvals
for
various
users
in
the
org
• Regular
financial
reports
• Trader-­‐friendly
UI
• Enterprise
security
for
large
Bitcoin
holdings
• Fund
administration
that
meets
corporate
governance
requirements
• Robust
audit
trail
and
financial
reporting
Multi-­‐Sig
Setup
• 2-­‐of-­‐3
key
wallets
• Access
by
multiple
users
with
different
rights
• M-­‐of-­‐N
key
wallets
• Secondary
approval
for
large
transactions
Organizational Needs for Multi-Sig
BITGO, INC. CONFIDENTIAL
21

22. How an Organization Uses Multi-Sig
COPYRIGHT © 2014 BITGO, INC.
22
Person
Spending
limit
Creates
wallets
Approves
spending
Views
holdings
CEO
$100,000
✓
✓
✓
CFO
$100,000
✓
✓
✓
VP
finance
$50,000
✓
✓
Director
accounting
$25,000
✓
Financial
analyst
$0
✓
Auditor
n/a
✓
Enterprise
security
features
• Network
fraud
detection
• Spending
and
velocity
limits
• Approval
chains
• Time-­‐delayed
transactions

23. Corporate Dashboard
COPYRIGHT © 2014 BITGO, INC.
23

24. Wallet-Based Security and Permissions
COPYRIGHT © 2014 BITGO, INC.
24

25. Spending Limits in Action
COPYRIGHT © 2014 BITGO, INC.
25

26. Security and Approval Flow
COPYRIGHT © 2014 BITGO, INC.
26

27. Multi-Sig for
New Industries
COPYRIGHT © 2014 BITGO, INC.
27

28. Multi-Sig Custodial Accounts
• Escrow
• Gifts
• Auctions
• Real estate
COPYRIGHT © 2014 BITGO, INC.
28

29. Exchanges: Preventing the Next MtGox
COPYRIGHT © 2014 BITGO, INC.
29
Risks
of
“pooled
holdings”
exchange
• Theft
or
loss
of
all
funds
• Government
seizure
of
funds
• Limited
independent
auditing
• No
insurance
• No
notification
of
account
breach
POOLED
EXCHANGE
MODEL

30. Exchange Powered by Multi-Sig
COPYRIGHT © 2014 BITGO, INC.
30

31. Five Parties Model
COPYRIGHT © 2014 BITGO, INC.
31
http://www.systemics.com/docs/ricardo/issuer/faq_governance.html#5PM
http://bitcoinmagazine.com/10639/five-­‐parties-­‐model/

32. Get Started with Multi-Sig
• Individual:
Use a multi-sig secure wallet
• Merchant or financial institution:
Use a multi-sig, multi-signer
wallet
• Bitcoin exchange or business:
Bake multi-sig in to your
transaction model using
custodial accounts
COPYRIGHT © 2014 BITGO, INC.
32
API

33. Build on the BitGo API
• Exchanges,
trading
platforms,
funds,
marketplaces,
escrow
services,
and
beyond
can
build
systems
on
the
BitGo
API
• The
BitGo
API
enables
the
following
operations:
– Creation
of
M-­‐of-­‐N
P2SH
(multi-­‐sig)
addresses
– Hierarchical
Deterministic
Wallet
management
(BIP32)
– Transaction
creation
– Transaction
signing
– Spending
limits
– Multi-­‐signer
address
flow
COPYRIGHT © 2014 BITGO, INC.
33

34. Industry Goals for Multi-Sig
• Secure the majority of Bitcoin holdings with
multi-sig by the end of 2014
• Embrace standards and industry best
practices like BIP32 (HD wallets)
• Innovate on new models based on multi-sig
Make 2014 the Year of Multi-Sig!
COPYRIGHT © 2014 BITGO, INC.
34

35. Thank you
COPYRIGHT © 2014 BITGO, INC.
35
https://www.bitgo.com
will@bitgo.com
@BitGoInc