In the last few months I’ve been approached by several different groups in the virtual currency space asking for my input on various things; mostly because of my involvement in payment systems over the last 15 years, but also because I’ve been involved with Bitcoin almost from its beginning. My advice has spanned technical, business, and even legal issues pertaining to virtual currencies; unfortunately, security hasn’t really been given the attention it needs.
The start of 2014, and much of Bitcoin’s existence, has been plagued by security breaches, with several Bitcoin-related sites falling victim to thefts. As a result I’ve decided to put together a reasonably short document on securing virtual currency applications. It is based on my experience from working at banks and payment processors since the late ’90s and is centred around existing standards and policies such as PCI, OWASP, NIST, etc. The information has always been out there, but application developers (sadly) aren’t normally thinking about security. ‘Throwing a firewall’ in front of it just won’t cut it, especially when a compromise could cost you the contents of your hot wallet and your dignity, if you are lucky.