Bitcoin Forum
Author Topic: The Bank of Bitcoin- The World's Most Secure Bitcoin Service- Unhackable!  (Read 6826 times)
edd
May 31, 2013, 01:05:54 PM
 #161

nnyld, ScaryKubiak, pluh, r3wt (and others) -

I have said before that although we have done literally everything we can think of to make our site as absolutely secure as possible, we know that there is always a possibility of any site being hacked...even the White House's site has been hacked in the past.

The Paper Vaults that The Bank of Bitcoin allows its Members to create CANNOT be hacked.  They are literally just as secure as any paper wallet.  I have stated this so many times, in so many ways, that I am reminded of the scene in "The Shawshank Redemption" where the lead character called the warden "obtuse" for seeming to deliberately misunderstand what he was being told.

Even if our site were hacked, any Bitcoins in your Paper Vault would be absolutely safe.  This is quite unique for an online Bitcoin Service: when other online services are hacked your Private Keys and Bitcoins are gone; with us, it would be an inconvenience, but the Bitcoins and Private Keys in your Paper Vaults would remain safe.

Furthermore, to combat the possibility of the injection of malicious code into the client-side javascript used to manipulate your Paper Vaults we have described a two- or three-minute method to check that our code has not been altered (either by a hacker or otherwise).

It should be obvious that we take security VERY seriously, and have created an online Bitcoin service which handles that security by putting YOUR Private Keys and YOUR Bitcoins in YOUR hands, and yet STILL allowing you to send your Bitcoins from any javascript-enabled Internet-connected device.  This is a very unique, valuable and secure service - and I am proud of what we have accomplished.


I really wasn't going to chime in on this thread again. But it's been sitting there taunting me all day.

The ironic thing is: we aren't the ones being obtuse. We're pointing out legitimate points of weakness and flaws in your concept. We also have no doubt that you "take security VERY seriously" but that doesn't make you any good at securing your site. At best you're inept, at worst you're attempting to pull something.

~

If I were malicious - I might do something exactly like what you've done... including making multiple md5 documents on how to 'verify' the authenticity of the paper wallet generation code. Then I'd set my server up to monitor get requests from the same clients. Whenever my software felt someone wasn't being diligent checking - it would then deliver altered code that would deliver a copy of the private key back to my server. Assuming that you could kick the can down the road for awhile with some less experienced users claiming your legitimacy... in a few years you'd have access to hundreds or thousands of cold storage wallets that you could then clean out for massive profit. Total time invested - six to eight hours it would take to put together your website and 2 years of hosting fees.

~

One reason nobody is taking you seriously is because you aren't offering anything (except a bit more hassle) to do the same things we can do already using established software and services. There's no way for you to ever make much of a profit offering 'clones' of other services. This means that you must have some other plan for how to make a bitcoin off the venture... otherwise why bother.

Another reason is when security issues and flaws in concept are pointed out you imply we're being obtuse... if you were legitimate you'd be trying to get our input on how to fix these issues instead.

~

When it comes to the bitcoin world there are a couple hundred thousand geeks and fiscal wizards (at least) who're more than willing to help you develop a good product or service for the fun of it... or simply for whatever it might add to the growth of bitcoin. My advice to you would be to start listening to us about the issues with your 'service'.



I'm willing to give BoB the benefit of the doubt and assume they really do believe that simply combining two existing services, a hot wallet and the ability to print paper wallets, is a viable business model. My problem is with the way they choose to promote it. It seems that they are attempting to conflate the two separate services in the mind of customers, giving the impression that their hot wallet service is unhackable.

Now I'm sure Veronica will reiterate that they aren't making the claim that their server is unhackable. However, by continuing to define themselves as "The World's Most Secure Bitcoin Service" without clarifying that this does not in fact refer to themselves but to paper wallets in general, the BoB will continue to be criticized.

All you've done is glue a banana to a shoe and called it "the world's most edible footwear"; it's deceptive and condescending and you should stop.

Still around.
Atruk
May 31, 2013, 01:19:26 PM
 #162

I'm willing to give BoB the benefit of the doubt and assume they really do believe that simply combining two existing services, a hot wallet and the ability to print paper wallets, is a viable business model. My problem is with the way they choose to promote it. It seems that they are attempting to conflate the two separate services in the mind of customers, giving the impression that their hot wallet service is unhackable.

Now I'm sure Veronica will reiterate that they aren't making the claim that their server is unhackable. However, by continuing to define themselves as "The World's Most Secure Bitcoin Service" without clarifying that this does not in fact refer to themselves but to paper wallets in general, the BoB will continue to be criticized.

All you've done is glue a banana to a shoe and called it "the world's most edible footwear"; it's deceptive and condescending and you should stop.

So much this. So much time has been spent on their paper wallets, that there hasn't been much discussion of the features they offer with their active wallets, and how those should be viewed with all of the caution a normal online wallet warrants (quite a bit).

Explodicle
May 31, 2013, 02:12:29 PM
 #163

Quote
One has to spend those 2-3 minutes EVERY TIME they log on. Since you know the IP and time of page loads, and when the next transaction is sent to you from that IP, you can tell who hasn't been checking hashes and how many coins those poor careless souls have in their wallets.

Actually, we have no way of knowing who is or is not checking hashes.  And actually, it takes less than 30 seconds once you get the hang of it.
If I were malicious - I might do something exactly like what you've done... including making multiple md5 documents on how to 'verify' the authenticity of the paper wallet generation code. Then I'd set my server up to monitor get requests from the same clients. Whenever my software felt someone wasn't being diligent checking - it would then deliver altered code that would deliver a copy of the private key back to my server. Assuming that you could kick the can down the road for awhile with some less experienced users claiming your legitimacy... in a few years you'd have access to hundreds or thousands of cold storage wallets that you could then clean out for massive profit. Total time invested - six to eight hours it would take to put together your website and 2 years of hosting fees.

QFT. I'm sick of arguing about this, so in case anyone needs it spelled out for them:

BoB knows when Alice loads the page.
BoB knows when Alice broadcasts a transaction.
If the difference between these times is <30s, BoB knows Alice didn't check the hash.
If Alice hasn't checked a hash during the last 10 logons, she probably won't do it on the 11th logon.
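
Added example (not part of the thread, and not The Bank of Bitcoin's code): the hash check argued over above only helps a user who performs it on every load, so this automates it against a locally saved copy of the page. It uses SHA-256 rather than the MD5 the thread mentions, and also flags code loaded from outside the hashed file, which a page digest does not cover; the page contents, URL and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser


class ExternalCodeFinder(HTMLParser):
    """Record references to code that lives outside the file being hashed."""

    def __init__(self):
        super().__init__()
        self.external = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # A digest of the saved page says nothing about these: they are
        # fetched separately and can change without the page changing.
        ref = a.get("src") if tag in ("script", "iframe", "embed") else None
        if tag == "object":
            ref = a.get("data")
        if ref:
            self.external.append(ref)


def pin(page_bytes):
    """Digest to record once, after the saved copy has been reviewed."""
    return hashlib.sha256(page_bytes).hexdigest()


def check_page(page_bytes, pinned_digest):
    """Return a list of problems; an empty list means the copy may be used."""
    problems = []
    if pin(page_bytes) != pinned_digest:
        problems.append("digest mismatch")
    finder = ExternalCodeFinder()
    finder.feed(page_bytes.decode("utf-8", errors="replace"))
    for ref in finder.external:
        problems.append("unhashed external code: " + ref)
    return problems


# Constructed sample pages (not the real site's content).
GOOD = b"<html><body><script>function makeVault(){}</script></body></html>"
PINNED = pin(GOOD)
# Same page with one added tag that loads a script from elsewhere.
ALTERED = GOOD.replace(
    b"</body>", b'<script src="https://example.invalid/x.js"></script></body>')

if __name__ == "__main__":
    print(check_page(GOOD, PINNED))           # unchanged copy
    print(check_page(ALTERED, PINNED))        # changed since it was pinned
    print(check_page(ALTERED, pin(ALTERED)))  # digest matches, not self-contained
```

Running a reviewed local copy and checking it automatically removes the per-visit manual step that the posts above say users skip.
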
llieco
May 31, 2013, 02:55:19 PM
 #164

looks interesting
Inedible
May 31, 2013, 02:56:45 PM
 #165

There's no way for you to ever make much of a profit offering 'clones' of other services. This means that you must have some other plan for how to make a bitcoin off the venture... otherwise why bother.

Or rushed in without fully researching the marketplace. Quite possible considering the complexity.

If this post was useful, interesting or entertaining, then you've misunderstood.
SEC agent
May 31, 2013, 02:59:55 PM
 #166

You do realize that calling yourself a bank and taking people's money holds certain legal ramifications, right?

"It may be laid down as a primary position, and the basis of our system, that every Citizen who enjoys the protection of a Free Government, owes not only a proportion of his property, but even of his personal services to the defense of it." -George Washington
darklight
May 31, 2013, 03:17:10 PM
 #167

Nothing is unhackable
firefop
May 31, 2013, 11:11:26 PM
 #168

There's no way for you to ever make much of a profit offering 'clones' of other services. This means that you must have some other plan for how to make a bitcoin off the venture... otherwise why bother.

Or rushed in without fully researching the marketplace. Quite possible considering the complexity.

Sure I'd accept that answer. At this point the only way for them to begin redeeming the reputation of the site is to retract the e-wallet features... while consulting with us on how to actually construct a viable business model.

If they had done any sort of market research (like talking to one of their IT guys for 10 mins =P) they would have been told that the best way to build a name would have been to provide the paper wallet download alone... then take advice on making it as secure as possible... then in 6 months or a year... deploy whatever the rest of their services would be. At least that way you've got some name recognition. So the average user can think 'oh yah, I remember looking at the paper wallet site... cool they've got a wallet service now... I might try that out.'


MicroGuy
June 01, 2013, 01:27:13 AM
 #169

My understanding is that using the word "bank" in your name can lead to regulatory problems down the road.  
huffyrox
June 01, 2013, 02:47:58 AM
 #170

I signed up to give it a try.
crudcat
June 01, 2013, 03:53:44 AM
 #171

Hey there everyone, my name is Veronica Kearney and I am a Co-Founder of The Bank of Bitcoin. We are a group of philanthropists and investors who all believe that Bitcoin is the currency of the future. The Bank of Bitcoin was initially created for our own use, but we have now adapted it for use by the public (we will soon be adding Merchant Services). We believe that offering a convenient, unhackable way to store and access Bitcoins will result in greater public confidence in Bitcoin, and all the benefits that will bring. Our programmers have developed the most (and perhaps only) completely secure Bitcoin service in the world.

If I have to store 'coins with someone else - it hardly counts as the most "completely secure Bitcoin service in the World".

jimmijames73
June 01, 2013, 04:58:30 AM
 #172

I think claiming to be 'unhackable' could come back to bite them.
Inedible
June 01, 2013, 01:45:21 PM
 #173

I think claiming to be 'unhackable' could come back to bite them.

It already has - it's been mentioned every 10 posts or so.

If this post was useful, interesting or entertaining, then you've misunderstood.
Deathwing
June 01, 2013, 01:50:20 PM
 #174

We don't need a bank.
ioi
June 01, 2013, 04:02:56 PM
 #175

Thanks to Bitcoin I learn to be my own bank.

With Bitaddress.org and Electrum.org

I only will an ewallet to have liquidity in my phone, like blockchain.info

Also, Green Address to pay quickly. But there will not be all of my coins.
TheBankofBitcoin.com (OP)
June 03, 2013, 02:57:35 AM
 #176

I want to say that I really do appreciate all those with well thought out constructive criticism, as opposed to those who glibly remark "nothing is unhackable" or similar comments.  I will say, however, that every comment (even those which might be considered to be "glib negativity") does offer a learning opportunity, and I do try to make the best of these opportunities.  So, I thank you all for your comments, whether I regard them as positive or negative.

I have stated over and over that it is our Paper Vaults, created using client-side javascript on the user's own computer, which are unhackable.  When these Paper Vaults are properly created and printed they are unhackable.  I am not saying that our site itself is unhackable, because it would be absurd to make that claim about any site, whether it is ours or more long-established sites such as bitaddress.org, or whatever. 

The reason for having our "Active Storage" at all rather than simply doing everything through our Paper Vaults is because we do have plans for additional services to be rolled out in the future, and Paper Vaults simply do not provide the necessary flexibility.  For example, we have already announced that we are planning to introduce Merchant Services very soon.  This will allow us to generate a unique Bitcoin Address each time a purchase is made from a vendor, rather than simply sending Bitcoins to the same Paper Vault address each time a purchase is made.  The purpose for this is, among other things, to provide a greater level of anonymity and privacy regarding a vendor's Bitcoin income.

We also have certain other services planned further out which would also rely upon the Active Accounts.  For now, however, I would like to mention that whenever someone's Active Storage balance goes above a certain threshold we send an email to the Account Holder informing him or her that moving Bitcoins into a Paper Vault would be the safest way of storing large quantities of Bitcoins, and that only Bitcoins intended to be spent relatively soon should be kept in Active Storage.  This is done for two reasons: 1) to avoid large losses to our users in the event that our site were hacked, and 2) to make our site a low-value target to hackers - in other words go hack someone like MtGox (or whomever) who actually HAS large quantities of Bitcoins on their server.

Also, about the word "Bank" in our web-service: No we are not a legally registered bank, but then again we are NOT storing or dealing in legal currency, but in Bitcoins.  This is an important legal distinction.  Also, "The Bank of Bitcoin" is not the name of a legal corporate entity, but the name of a website/web-service; another important legal distinction.

I would further like to state that it would be next to impossible to actually tell who is or is not checking the md5 hash of our Paper Wallet pages.  Let's not forget that typing in a long Bitcoin Address and Private Key can take some time, which can vary greatly from person to person, or even vary greatly for the same person on different visits.  It is far quicker to check the md5 hash than to type in the Address and Private Key, and because of this it is impossible to know when someone is checking the md5 hash.  I do understand and appreciate the high level of caution regarding Bitcoin security and am open to any workable suggestions that would fit into our business model.

Again, thanks for all your comments.
MicroGuy
June 03, 2013, 04:02:53 AM
 #177

Also, about the word "Bank" in our web-service: No we are not a legally registered bank, but then again we are NOT storing or dealing in legal currency, but in Bitcoins.  This is an important legal distinction.  Also, "The Bank of Bitcoin" is not the name of a legal corporate entity, but the name of a website/web-service; another important legal distinction.

A friend of mine operated a mortgage business with the word "bank" in the name and it cost him a lot of money in legal expenses and he eventually had to change the name. You might want to check into this before continuing with the current name. Best of luck with your business and I wish you the greatest of successes.
wmbtc
June 03, 2013, 08:41:49 PM
 #178

LOL bitcoin was made not to use bank, you really think that anybody will store their precious bitcoins in ur "bank"
Svennisen
June 03, 2013, 08:53:25 PM
 #179

Recommendation:

Fire whoever is doing the design and photoshop banners... terrible.

Got help from me? Feel free to tip me   BTC: 13hrdpUSJWhe2n4g4kTSHEx4GYUF9v5CU3
canadense
June 03, 2013, 09:03:42 PM
 #180

I am wondering why we would not simply print out our wallet contents on paper and look upon that as our security? Yes, we would also need encryption against hacking.