Last updated on March 18th, 2015 at 12:00 am
Since there’s no other way to pay and use Bitcoins, we might as well find ways to protect the one we have: the wallet. The security of this digital tool has been, especially since Bitcoin’s boom, the main concern of the cryptocurrency development community.
You must know that if, by any chance, you lose your wallet or its password, it’s super difficult to recover it. Also, if a thief gains access to your wallet or your password and steals your Bitcoins, there’s no way to recover your money. Because of this and other overcome difficulties, a great progress has been made in the last four years, but we still have a lot to do.
You can prevent some of the risks, but a single mistake can ruin all your hard work. Let’s go through some of the recent cases of losses and thefts and check what are the possible solutions to protect your digital currency.
1. 25.000 BTC stolen
In June 2011, the Bitcointalk member known as ‘allinvain’ lost the astonishing amount of 25.000 BTC, the same as $500.000 at the time! The thief, an unknown intruder, somehow gained direct access to his computer and wallet and stole the Bitcoins, using one of two ways: either he made a transaction from ‘allinvain’s’ computer itself or just uploaded the wallet.dat file and emptied it on his own computer. What could ‘allinvain’ have done in this case? He could have encrypted his wallet, but in 2011 this process wasn’t so simple as it is now.
2. 7.000 BTC lost
Two years ago, Bitcoin developer Stefan Thomas had three backups of his wallet – in an encrypted USB stick, a Dropbox account and also in a Virtualbox– and not even all this could help him. Why? Because he erased two of these backups and forgot the password to the third one, losing 7.000 BTC forever! That was $125.000 at the time.
3. 2 BTC taken by Java application
The victim told his story here: “last night, around 9PM PDT, I clicked a link to go to CoinChat.freetzi.com and I was prompted to run java. I did (thinking this was a legitimate chatoom) and nothing happened. I closed the window and thought nothing of it. I opened my Bitcoin-qt wallet approximately 14 minutes later, and saw a transaction that I did not approve go to wallet 1Es3QVvKN1qA2p6me7jLCVMZpQXVXWPNTC, for almost my entire wallet (2.07 BTC)”, something like $300 at the time. And this coin was encrypted! But the attacker found a way around it: the Java application that the victim had opened had also asked for additional permissions and that’s the secret. As the victim agreed, he gave access to a malicious program that was able to read all of his keystrokes. Then, the application waited until he typed in his wallet password and recorded it, decrypting and emptying out the wallet.
4. 160 BTC taken from Blockchain.info wallet
A blockchain.info user lost his Bitcoins, about 160 of them worth $20.000, to an unknown attacker. The user was not remotely careless, as he tells: “I use the blockchain.info wallet service to manage that address. My password was a random 18 character password with punctuation, upper/lower case, etc. I had two-factor authentication with Google Authenticator turned on and a second password on the account that was a random 8 characters”. A lot of security measures, as you can see. However, the problem was in the blockchain.info mobile application. The thing is that, on the desktop, blockchain.info encrypts users’ wallets twice: the wallet with the main password and the private keys themselves with an optional second password. But, on the mobile this doesn’t happen and only the second layer of encryption is used. This is not usually a problem in Android setups, but this user’s smartphone was rooted, which allowed the user to employ some powerful applications, but also tinkered with the Android ecosystem. By going this way, any application could have helped the attacker, making it easy to crack the 8-character second password.
So, after reading this, what are the possible security measures we can apply to our wallets? As you noticed, each attack as a specific protection secret, but the main measures you can take are the following ones: turn on wallet encryption, use two-factor authentication (Google Authenticator is a good option) and check API keys that were created without your permission, don’t give untrusted applications excessive permissions and create more backups and check them regularly.
And, then, there’s another viable strategy: use multiple layers of security to ensure that a single attack can’t make all your money disappear. You can get a basic online security service, that provides multiple layers of defense, practice some basic computer security (which means don’t go downloading or running applications from untrusted sources and be aware of Java), keep separate wallets for your shopping and savings or go for two-of-three schemes, a fairly common way of reducing the risks.
Or you can always wait for the dedicated hardware USB wallets that are coming soon, providing a highly secure minicomputer for making Bitcoin transactions that you can carry in your wallet.