How we’re making Newton secure

Newton is Canada’s first commission-free cryptocurrency brokerage. In this article, we’ll explore some of the techniques we’re using to keep our users’ funds safe.

From the always-relevant XKCD

Storing the private keys for large amounts of cryptocurrency on behalf of users can quickly make you a target. And not just to Russian hackers — robbery attempts (e.g. the $5 wrench technique) are not uncommon.

It’s a responsibility we take very, very seriously.

While for obvious reasons I won’t describe our entire security protocol, I’d like to highlight a few of the things we’re doing to make Newton secure to all kinds of attacks — whether they be electronic, social engineering, or physical.

Security isn’t all-or-nothing. Instead, it involves recognizing potential risks, understanding their severity, and finding a balance between rock-solid security and good user experience.

NB: I’ve taken some liberties to simplify the language in this post in the interests of accessibility — when I say ‘account’, this could mean either Ethereum-style accounts, or it could mean Bitcoin addresses.

Cold Storage — Easy to say, hard to do

In the early days of cryptocurrency, many exchanges did a stupid thing — they put private keys on servers connected to the internet. Like the combination to a safe, private keys allow the holder to unlock and spend any funds “stored” in a particular account.

Unsurprisingly, storing private keys on internet-connected servers resulted in a lot of pain — by exploiting vulnerabilities, hackers located thousands of miles away from these servers were able to make off with hundreds of millions of dollars worth of cryptocurrency.

It has become common practice today to store private keys in “cold storage”, meaning completely disconnected from the internet. But how does this work in practice? Here’s how we do it:

1. Generate private keys offline and keep them there. Private keys are really just long, unguessable sequences of random numbers and letters. Thanks to the mathematical properties of public-key cryptography, those private keys need never touch the internet — they can even be kept entirely on paper. Those keys can then be used for two things: a) to create public addresses you can use to receive funds, and b) to sign transactions allowing you to spend those funds.
2. Sign transactions offline. Signing a transaction to send crypto from Alice to Bob is just like signing a cheque — Alice fills out the details of the transaction (who the funds will go to, how much to send), then Alice uses her private key to prove that she is the owner of that account. This signing process can be done entirely offline, and at Newton we do this on air-gapped computers where we have physically removed any Wi-Fi or Bluetooth hardware to prevent wireless attacks.
3. Broadcast online. But now that we have a signed transaction, what do we do with it? We need to move that transaction to an internet-connected computer so it can be recorded on the blockchain. A signed transaction is completely safe — there’s no way to reverse it to find the original private key used to sign it — but moving information off of an air-gapped computer is tricky. USB keys are famously vulnerable to attack, and the cardinal rule of cold storage is that the computers involved must never, ever be connected to the internet. We get around this by using QR codes, printers, and cameras to move information around in an optical way that is nearly impossible to compromise.
4. Stay paranoid. This process by itself isn’t totally immune to attack — what if someone simply sits next to you and forces you to sign a transaction giving them all of your money? For this reason we keep all of our cold storage equipment in distributed facilities with 24/7 security. We are only physically able to sign transactions when safely signed in at one of those facilities, locked in a private room. We also take into account things like side-channel attacks which could allow an attacker to use a nearby cellphone to steal information — we make liberal use of Faraday shields for any personal electronics, and we also sign transactions on battery power to prevent power analysis attacks.

In practice, while most funds are stored in cold storage, we keep extremely small amounts in internet-connected wallets so users can withdraw crypto without manual intervention. We operate under the assumption that these funds are vulnerable, and should never be worth enough to be catastrophic if stolen.

Oh, and we never, ever store private keys in our office (I’m looking at you, would-be attackers).

Protecting User Accounts

What if an attacker is simply able to sign in as a user and request a withdrawal of their funds?

Fundamentally, our choice to go mobile-first with Newton was driven by security considerations — mobile devices, and iPhones in particular, have better security features than most PCs. Apple’s Secure Enclave, for example, is a dedicated hardware chip offering rock-solid security not found in most laptop or desktop computers. Paired with TouchID or FaceID, it’s possible to store sensitive information in a way that’s extremely difficult to compromise (even by the FBI).

We do a couple of things to make account hijacking difficult:

1. Two-factor authentication. Two-factor authentication pairs something you know, your password, with something you have, your phone. It ensures that someone else can’t login with your account without also having physical access to the phone. This is a critical feature in an era of bulk password theft and one we make mandatory on all Newton accounts.
2. Device attestation. While two-factor authentication has become widespread, device attestation is a lesser-known security feature first introduced by Google with SafetyNet and recently introduced by Apple in a somewhat obscure API called DeviceCheck. Basically, this service allows us to verify that a request came from a real iPhone that has not been compromised. It also allows us to check whether that device has been used to create a Newton account before (which Apple has figured out how to do in a clever way that preserves user privacy). We block all requests that don’t come from a valid mobile device.
3. Bank security. While it’s common for cryptocurrency services in Canada to offer a plethora of options for deposit and withdrawal, we offer exactly one method: direct debit through a connected bank account. By requiring users to login using their banking credentials (which we do not store or even have access to), we are able to leverage the bank’s security to ensure you are the rightful owner of that account. Once connected, the bank account on file cannot be changed without manual approval and re-verification.
4. Firewalls, DDoS protection, oh my! Beyond these user-facing measures, we do a lot of work behind the scenes to prevent unauthorized access to our web servers, including multiple tiers of firewalling and integration of services that protect against Distributed Denial of Service (DDoS) attacks. We practice defense in depth, an information security principle that calls for multiple, redundant layers of protection in case any one layer fails or is compromised.
5. Bug bounties. Finally, we will be starting a bug bounty program in the near future. Bug bounties are programs that offer monetary rewards to white-hats who discover flaws or vulnerabilities in our software or infrastructure. By encouraging the good guys to find and report problems before malicious hackers do, we hope to benefit from smart minds beyond those on our immediate team.

Because information security is a moving target with new vulnerabilities being discovered all the time, this is an evolving process — we’re constantly thinking about all of the ways smart hackers might try to compromise our security.

There is no such thing as a “perfectly secure” service, and so wherever possible we also think about how to store less information so there is less to compromise in the event of a successful attack.

Parting Notes

This is by no means an attempt to extensively document our procedures and protocols — merely to offer a glimpse.

We welcome any and all feedback and suggestions on things we can do to improve our security. Our belief is that great security and great UX can and should go hand-in-hand.

Oh, and if you made it this far: our first round of beta invites will be showing up in inboxes within the next 10 days! Mwah.

Stay tuned.