Protecting Against Bitcoin Malware

[berdelyi]

Hello all,

The number of incidents involving malware targeting bitcoin users continues to rise.  One category of virus I find particularly nasty is when the bitcoin address you are trying to send money to is modified before the transaction is signed and recorded in the block chain.  This behaviour allows the malware to by-pass two-factor authentication by becoming active only when the bitcoin address is entered.  This is very similar to how man-in-the-browser malware attack online banking websites.

Out of band transaction verification/signing is one method used with online banking to help protect against this.  This can be done in a variety of ways with SMS, voice, mobile app or even security tokens.  This video demonstrates how HSBC uses a security token to verify transactions online.  https://www.youtube.com/watch?v=Sh2Iha88agE.

Many Bitcoin wallets and services already use Open Authentication (OATH) based one-time passwords (OTP).  Is there any interest (or existing work) in in the Bitcoin community adopting the OATH Challenge-Response Algorithm (OCRA) for verifying transactions?

I know there are other forms of malware, however, I want to get thoughts on this approach as it would involve the use of a decimal representation of the bitcoin address (depending on particular application).  In the HSBC example (see YouTube video above), this was the last 8 digits of the recipient’s account number.  Would it make sense to convert a bitcoin address to decimal and then truncate to 8 digits for this purpose?  I understand that truncating the number in some way only increases the likelihood for collisions… however, would this still be practical or could the malware generate a rogue bitcoin address that would produce the same 8 digits of the legitimate bitcoin address?

Brian Erdelyi

[johoe]

If you want to protect against malware you also have to make sure that the bitcoin address displayed in the online shop was not swapped by the malware.  The BIP-70 standard should help here, if your wallet supports it.  In that case the BIP-70 request data have to be transferred from the wallet to you on a second channel so that the malware cannot manipulate it.

I understand that truncating the number in some way only increases the likelihood for collisions… however, would this still be practical or could the malware generate a rogue bitcoin address that would produce the same 8 digits of the legitimate bitcoin address?

Unfortunately, the malware could.  8 digits is way too short.  You can get easily brute force for every 8 digit combination a matching bitcoin address.  After all that are just 100 million addresses and you can produce several 100,000 addresses per second with vanitygen.  Let it run for an hour, put the addresses in a database and then the malware could just lookup a matching address in the database.

IIRC, with bip 70 you would see the name of the website instead of a bitcoin address.

[brituspol]

If you want to protect against malware you also have to make sure that the bitcoin address displayed in the online shop was not swapped by the malware.  The BIP-70 standard should help here, if your wallet supports it.  In that case the BIP-70 request data have to be transferred from the wallet to you on a second channel so that the malware cannot manipulate it.

I understand that truncating the number in some way only increases the likelihood for collisions… however, would this still be practical or could the malware generate a rogue bitcoin address that would produce the same 8 digits of the legitimate bitcoin address?

Unfortunately, the malware could.  8 digits is way too short.  You can get easily brute force for every 8 digit combination a matching bitcoin address.  After all that are just 100 million addresses and you can produce several 100,000 addresses per second with vanitygen.  Let it run for an hour, put the addresses in a database and then the malware could just lookup a matching address in the database.

IIRC, with bip 70 you would see the name of the website instead of a bitcoin address.

OTP related security may help. However, being bitcoin anonymous, there could be an anonymous way to check OTP.

[berdelyi]

Thanks for the feedback.  After discussing the idea with others I concluded that this method (i.e. OCRA) for out-of-band transaction verification only makes sense with web based wallets.  From a usability perspective, I think SMS, voice and mobile apps are better options.

[berdelyi]

Another concept...

It is possible to use multisig wallets to protect against malware.  For example, I could generate a wallet with 3 keys and require a transaction that has been signed by 2 of those keys.  I place one key in cold storage and send anther to a third-party.

It is now possible to generate and sign transactions on my computer and send this signed transaction to the third-party for the second signature.  This now permits the use of out of band transaction verification techniques before the third party signs the transaction and sends to the blockchain.

If the third-party is malicious or becomes compromised they would not have the ability to complete transactions as they only have one private key.  If the third-party disappeared, I could use the other key in cold storage to sign transactions and send funds to a new wallet.

Thoughts?