On the Security and Reliability of Bitcoin Exchanges

This was originally posted on the Money and Tech blog on Thursday, February 27, 2014.

This week, the headlines of tech, business, and mainstream news organizations have been filled with rumors, doom, and gloom regarding the failure of one of the most well-known bitcoin exchanges, Mt. Gox. This follows a long history of instability at the exchange, which was once the largest by volume but has within the past year dropped to the single digits as a percentage of global bitcoin exchange volume. Mt. Gox recently halted withdrawals from their exchange on February 7, 2014, attributing a problem with their web wallet implementation to a long-known quirk in Bitcoin called “transaction malleability.” Then, after deleting all of their tweets over the weekend, on Monday February 24, 2014, the Mt. Gox website began returning a blank screen. After an uproar in the Bitcoin community and media, MtGox.com currently shows this message from CEO Mark Karpeles:
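To make the "transaction malleability" quirk concrete, here is an added illustration in Python (not code from the original post, and not a description of Mt. Gox's actual wallet code). It uses a deliberately simplified transaction model: a txid is the double-SHA256 of the serialized transaction, and that serialization includes the signature bytes, exactly as a legacy Bitcoin transaction does. The signature components are placeholders rather than real ECDSA output, but the trick shown is the real one: for an ECDSA signature (r, s) over secp256k1, (r, n - s) also verifies, so anyone relaying the transaction can re-encode it and change its txid without changing what it spends or pays. The defensive point is the second half: a wallet back end that reconciles withdrawals only by the txid it broadcast will never find its own id once the malleated copy confirms, whereas matching on the outpoints spent and outputs paid settles it correctly. (The later SegWit upgrade removed this class of problem for witness transactions.)

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Group order n of secp256k1 (a real protocol constant).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


@dataclass(frozen=True)
class TxIn:
    prev_txid: str   # hex id of the transaction being spent
    prev_index: int  # output index in that transaction
    sig_r: int       # placeholder signature components (no real ECDSA here)
    sig_s: int


@dataclass(frozen=True)
class TxOut:
    value_satoshi: int
    address: str


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[TxIn, ...]
    outputs: Tuple[TxOut, ...]
    locktime: int = 0


def serialize(tx: Tx) -> bytes:
    """Serialize the transaction *including* its signature bytes, as a legacy
    Bitcoin transaction does (the scriptSig is part of what gets hashed)."""
    parts = []
    for i in tx.inputs:
        parts.append(bytes.fromhex(i.prev_txid) + i.prev_index.to_bytes(4, "little"))
        parts.append(i.sig_r.to_bytes(32, "big") + i.sig_s.to_bytes(32, "big"))
    for o in tx.outputs:
        parts.append(o.value_satoshi.to_bytes(8, "little") + o.address.encode())
    parts.append(tx.locktime.to_bytes(4, "little"))
    return b"".join(parts)


def txid(tx: Tx) -> str:
    """Bitcoin txid: double SHA-256 over the serialized transaction."""
    return hashlib.sha256(hashlib.sha256(serialize(tx)).digest()).hexdigest()


def flip_s(tx: Tx) -> Tx:
    """Re-encode every signature (r, s) as (r, n - s). Both verify for the same
    key and message, so the spend is unchanged, but the bytes (and txid) differ."""
    new_inputs = tuple(
        TxIn(i.prev_txid, i.prev_index, i.sig_r, SECP256K1_N - i.sig_s)
        for i in tx.inputs
    )
    return Tx(new_inputs, tx.outputs, tx.locktime)


def spend_fingerprint(tx: Tx) -> Tuple:
    """What the transaction actually does: the outpoints it consumes and the
    outputs it creates. Signature bytes are deliberately excluded."""
    return (tuple((i.prev_txid, i.prev_index) for i in tx.inputs), tx.outputs)


def match_by_txid(pending: List[Tx], confirmed: Tx) -> Optional[int]:
    """Fragile reconciliation: settle a pending withdrawal only if the confirmed
    txid equals the one we broadcast."""
    want = txid(confirmed)
    for idx, p in enumerate(pending):
        if txid(p) == want:
            return idx
    return None


def match_by_content(pending: List[Tx], confirmed: Tx) -> Optional[int]:
    """Robust reconciliation: a confirmed transaction settles a pending
    withdrawal if it spends the same outpoints and pays the same outputs."""
    want = spend_fingerprint(confirmed)
    for idx, p in enumerate(pending):
        if spend_fingerprint(p) == want:
            return idx
    return None


# --- constructed sample data (not real chain data) ---------------------------
FUNDING_TXID = "ab" * 32
WITHDRAWAL = Tx(
    inputs=(TxIn(FUNDING_TXID, 0, sig_r=0x1234, sig_s=0x5678),),
    outputs=(TxOut(50_000_000, "customer-address-1"), TxOut(49_990_000, "change-address")),
)
UNRELATED = Tx(
    inputs=(TxIn(FUNDING_TXID, 1, sig_r=0x1111, sig_s=0x2222),),
    outputs=(TxOut(10_000, "somebody-else"),),
)


def demo() -> dict:
    """Broadcast WITHDRAWAL; a malleated copy (different txid) confirms instead."""
    malleated = flip_s(WITHDRAWAL)
    pending = [WITHDRAWAL]
    return {
        "txid_changed": txid(malleated) != txid(WITHDRAWAL),
        "spend_unchanged": spend_fingerprint(malleated) == spend_fingerprint(WITHDRAWAL),
        "txid_match": match_by_txid(pending, malleated),          # None: looks unsettled
        "content_match": match_by_content(pending, malleated),    # 0: correctly settled
        "unrelated_match": match_by_content(pending, UNRELATED),  # None: different spend
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it directly and `txid_match` comes back `None` while `content_match` finds the withdrawal: the confirmed transaction is the same spend under a different id. The design lesson for any custodian is that before confirmation the txid is a label for one particular encoding, not for the payment, so pending-withdrawal state should be keyed on the outpoints being spent (which can only be consumed once) and re-sends should be gated on those outpoints still being unspent.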

“February 26th, 2014

Dear MtGox Customers,

As there is a lot of speculation regarding MtGox and its future, I would like to use this opportunity to reassure everyone that I am still in Japan, and working very hard with the support of different parties to find a solution to our recent issues.

Furthermore I would like to kindly ask that people refrain from asking questions to our staff: they have been instructed not to give any response or information. Please visit this page for further announcements and updates.

Mark Karpeles”

There has indeed been much speculation as to what has actually gone wrong with Mt. Gox, and this post is not meant to add to this speculation, but rather to clarify the situation for readers and provide advice for how to prevent or avoid such incidents.

As mentioned above, Mt. Gox has a long history of inconsistent service stemming from outside attacks as well as internal failures due to being “a victim of [their] own success.” It is almost an annual event for them to crash catastrophically, taking the price of bitcoin down with them. For those who have been paying attention these last few years, this latest failure is not a surprise. For the many newcomers to Bitcoin since the boom of 2013 who failed to do any due diligence whatsoever, it comes as a complete shock. There are also long-time bitcoiners who have had money stuck in Gox, and others who simply trusted them to continue operating and acting as a responsible custodian of their coins. Here are my suggestions for readers who are wondering how to avoid a similar situation in the future:

  1. Do your due diligence before giving money to strangers. What is the reputation of these strangers? Have they been known to shut down their service sporadically, or experience theft from criminals public and private? Are there better options out there? These are important questions to ask and answer before depositing money at a cryptocurrency exchange.
  2. Keep as little of your money stored on exchanges as possible, for as short a period of time as possible. If you must keep money on an exchange (for instance, if you are actively trading and waiting for orders to fill), use two-factor authentication (2FA) to secure your account. Note that 2FA will not protect you from “inside jobs” or a technical failure on the part of the exchange service.
  3. If your exchange needs aren’t urgent, try using local exchange methods instead. Attend a cryptocurrency meetup to trade with enthusiasts in your area, or use a service like localbitcoins.com to meet traders at a local library or coffee shop.
  4. For storage of your coins, use an encrypted wallet service that gives you control of the private keys that allow your coins to be spent. Blockchain.info offers a great mix of security and convenience, as does the Mycelium mobile wallet. Regardless of what service you use, make sure YOU control the private keys and ALWAYS use 2FA or a secondary PIN for access and withdrawals. For longer-term storage needs, I recommend using an offline encrypted Bitcoin Armory wallet.
  5. Self-regulatory associations in the Bitcoin ecosystem such as DATA (edit: and C4) are developing security and transparency best practices that existing and would-be Bitcoin businesses should adopt to mitigate abuse and fraud. In the meantime, exchanges can hire a security auditor or offer bug bounties to white-hat hackers.

For those who have been directly affected by the issues at Mt. Gox, my best hope is that all wrongs are righted and everyone is made whole again, and soon. If you are feeling depressed due to loss and need someone to talk to, please email me. I never had any money at Gox but still know the feeling of deep loss and will gladly provide comfort during this difficult time. For more recommendations on securing your cryptocurrency assets, check out my blog post entitled “Securing Your Bitcoins.”