Knowing how to secure your bitcoins is no longer optional. Bitcoin wallets are fast becoming online criminals’ favourite obesession, whether online, at exchanges, on your PC or your mobile. Dell SecureWorks researchers estimate that over 140 malware applications exist that specifically target bitcoin wallets. Protecting your wallet against these threats requires only a handful of cautionary steps. The following guide outlines the security vulnerabilities and provides the essential know-how and preventative actions every Bitcoin wallet owner should routinely practice.
What Bitcoin Thieves Want
As documented here, most bitcoin thefts are due to poor wallet security management. The specific threats are discussed in more detail further down the page and here is a summary of the known items of interest to bitcoin thieves:
- Your desktop login password or device PIN
- Your wallet password
- Your private keys
- Your online wallet/exchange password
- Access to exchange/web wallet servers
- Vulnerable components or protocols used by online services
In the interest of general wallet security and to specifically safeguard your wallet against these forms of attack, follow the tenets outlined in the following “security best practice” checklist:
Bitcoin Wallet Security Best Practice – Checklist
- For everyday transactions, prefer wallets installed on your PC or smart phone
- Distribute your bitcoin holdings between many wallets
- Use a variety of wallets: desktop, mobile and offline
- Prefer multi-signature capable wallets where possible
- Use online (web) wallets only for transitory transactions *
- Make regular backups of your wallets to an external hard drive or CDROM. Verify your backups.
- Use wallet encryption. Most vendors provide this feature, but third party encryption software is also suitable.
- Implement a passphrase scheme that meets basic passphrase security requirements.
- Keep wallet software up-to-date – many updates are security fixes.
- For long-term bitcoin holdings, use Cold Storage and Paper Wallets.
* Special mention needs to be made of the innovative BitGo multi-signature wallet in relation to Online (Web) Wallets. The BitGo wallet, although an online wallet, implements the Bitcoin protocol’s multi-signature functionality, and requires both an online and offline signature to sign off transactions. Consequently, this online “multisig” wallet is highly secure – more so than any other standard online wallet.
Send this article to a friend or new Bitcoin user you know. The infographic below summarizes these guidelines and provides an introduction to Bitcoin, in general, and to Bitcoin security best practice suitable for novice and intermediate users.
Known Security Threats
Malware and Trojans
Malware is typically acquired by unwitting users when they install misrepresented or obscure applications and widgets via the web. Malware Trojans masquerade as officially certified applications in, say, the Apple Store. What you end up installing is software that scours your PC or mobile device for wallets, passwords and private keys, and that then reports back to a cybercriminal or botnet. Dell SecureWorks estimates that at least 140 of these types of Bitcoin-targetting malware are active in the wild.
Sometimes one of the components of a trusted software application can be vulnerable. For example, the recent OpenSSL Heartbleed vulnerability which allowed a snooping attacker to extract (amongst other things) your username and password whenever you logged into a web service.
No malware was required since the vulnerability existed in the OpenSSL library that most websites and internet connecting applications (i.e. wallets) use. As a result, all web servers had to update to the fixed OpenSSL version and internet users were alerted to update their login passwords across the board. Once login credentials are obtained, the next attack follows.
Stolen Login Credentials
Once your username and password are known to a snooper, they can access your precious bitcoins, whether the credentials are for an online exchange account, an online wallet, your mobile wallet or your PC wallet. If your PC or mobile is connected to the internet, an attacker can access it using security vulnerabilities specific to the device’s OS.
If, like most people, you use a password formula for various logins then you should consider strengthening your passphrase scheme (formula) to generate more secure passwords. Often, the theft of one of your password can reveal all of your other login passwords, because they are variations of a formula. Botnets exist to decypher and extrapolate these formulaic passwords.
Stolen Private Keys
A standard Bitcoin transaction requires your private key to unlock its bitcoin outputs. If a third party obtains one or more of your private keys (stored in your wallet) then, he can transact any coins previously received by that public-private key pair. Such a transaction doesn’t have to be made using your wallet – it can be initiated on any device and from anywhere. This is a design feature of Bitcoin which allows, amongst other things, the ability to import and export addresses between wallets.
Online Wallet and Exchange “Hack Attacks”
Exchanges host wallet accounts for all their clients, so they are vulnerable to the same “hack attacks” as Online Wallet services. To date, over 12 Bitcoin exchanges have been hacked and have had bitcoins stolen from them. This type of attack seeks access to the core of the service’s servers where account credentials and wallets are stored. Typically the database containing user credentials is compromised, and usernames and passwords harvested. With these, users’ wallet contents are then trivially transferred to the fiendishly lucky attacker.
Bitcoin transactions, by design, digitally sign hashes of transactional components, and these are combined and signed again as a means of validating the contents of the transaction. The inevitable outcome of the process of digital signing of other signatures is that there will always remain one final signature – the one that was used last in the chain. This natural fact makes Bitcoin transactions vulnerable to Transaction Malleability whereby an attacker can change the id of a transaction. This is a known vulnerability but not of concern to wallet users specifically.
51% “Hash Attack”
Mining powers the Bitcoin network and should any group of miners (or a single entity) command 51% of the overall network hashing power, they would effectively control the network. This means that they could reverse transactions, fork the blockchain, etc., with all manner of network damaging repercussions. Users of the network cannot do anything to prevent this outcome at the moment. This threat will become a concern later – for now it’s a theoretical problem with no contention surrounding control of the Bitcoin network.
Protect Your Bitcoins From Hackers and Thieves [Infographic] by the team at WhoIsHostingThis