[ Reposting some comments from the Trezor thread, somewhat edited ]
Thanks!
If you are using someone else's computer, it may easily have a hacked OS. Ditto if the malware was installed in your computer by someone hacking into it with root access.
The Trezor seems to protect against that risk, since the transaction details are displayed on the Trezor's screen and confirmed there.
Similar thing here with the keyboard second factor.
(Neither device will protect against the user copying or scanning the wrong payment address from merchant's homepage that was hacked --- at the server, by IP/URL spoofing, or by a compromised browser. For that, the user must be careful to get the address from a secure source that cannot be easily hacked.)
End (server)-to-end (device) BIP 70 will protect against that in the future, provided the trusted CA list is sane - not going to be implementing it in the current device though.
I am not clear yet on how BTCchip works, but if one computer in such a place is compromised, there is a high chance that all of them are. Especially if (a) the computer was compromised specifically to steal bitcoins from BTCchips (which is the assumption), or (b) the hacker may be an employee of the place.
Computers would have to be all infected and act together in order to exploit both the main client and the client displaying the second factor - highly unlikely in my opinion.
If a chip-enabled credit/debit card gets stolen, the owner should worry that the PIN was captured visually (by a camera or person looking over his shoulder) or by a physically hacked CC reader at some store.
If a BTCchip gets stolen, the owner should worry that the PIN may have been captured visually as he typed it on the computer's keyboard, OR by a keylogger in the computer. The latter is much more likely to occur than a hacked CC reader.
If a Trezor gets stolen, the owner should worry only if there is a chance that the PIN scramble matrix was captured visually from the Trezor screen. Malware alone cannot capture the Trezor PIN.
A thief getting access to both the chip and the PIN is not a realistic threat in my opinion as well.
General comment:
Stealing bitcoins by hacking may become a big issue, if it is not already. Hardware wallets like Trezor and BTCchip surely improve the security, but substantial risk will remain. Malicious hackers will be strongly motivated to use all their ingenuity to overcome the device's protections.
Sure, security is about balancing risks / convenience / protection / cost, as always.
Bitcoin theft seems more tempting than credit/debit card theft, for several reasons. For one thing, bitcoin transactions are instantaneous (even though confirmation may take 10 minutes on average) and final. Even if the victim uses Trezor or BTCchip, if the device is stolen after the thief got the PIN, the coins will probably be gone before the user gets the chance to move them, and they cannot be recovered (unless the thief is caught and convinced to return them). In comparison, when someone's credit/debit card is stolen, the owner can call the company to cancel it, and there is a good chance that it will be canceled before the thief has a chance to get value out of the card. Moreover, the bitcoin network provides no anti-theft barriers: no one will call the victim to confirm a transaction that moves a million BTC from his account to someone else's account.
Even if the probability of success of some hacking attack mode is 0.1% or less, the per-target cost of such an attack is small, thousands of computers can be hacked automatically, and the payoff from one successful attempt may be quite substantial. See that Australian guy who was recently hacked out of 750 BTC, almost 300'000 USD. Note that the malware may be programmed to act only if the wallet has a large enough sum.
I have a different opinion about that - credit/debit card theft today comes mostly from exploitation of different security levels (copy the magnetic track of a chip card, clone it and use it in a country not using chip cards), or identity theft (order a real fake card from stolen credentials). Recovering from such thefts which cannot be identified easily before they happen takes quite a long time (talking about months here).
With Bitcoin everyone plays on the same security level (which is already a nice improvement), and you can already have a second factor confirmation in multisignature wallets (GreenAddress is a good example - confirming each transaction using SMS to a feature phone is quite nice, even without a hardware wallet).
I do not expect that the manufacturers of hardware wallets will go out of their way to warn users of these remaining risks.
I believe that the threat matrix should be clearly provided so that people can know what they're buying.
The bitcoin media and the community should do that.
I'd actually feel better if an independent security audit group was formed to specifically do that. That would keep the signal to noise ratio higher.
However, manufacturers should put clear disclaimers in their warranties and ads, so that they are not blamed if bitcoins are stolen from clients.
No warranty claim can be placed for an amount greater than the price paid in Euros for the product – the Buyer acknowledges that while the best care has been applied to design a product suitable to store crypto currency assets securely, no warranty is made by the Seller that the product is free from software or hardware defects that could cause a loss of a part or the full assets stored on the products. The Buyer is advised to keep a safe backup of each asset stored in the product.
Good enough?