Bitcoin Forum
November 06, 2024, 05:43:56 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: "Online wallet services" are an invitation to fraud and theft  (Read 3944 times)
jimrandomh (OP)
Newbie
*
Offline Offline

Activity: 43
Merit: 0


View Profile
July 05, 2011, 05:31:47 PM
 #1

There are a number of "online wallet services" for Bitcoin. The premise is that you send them your coins, and they provide a web-based interface with which to spend your coins. The problem is that these services are acting as banks, but without sufficient auditing, security, or credibility. There are three things that can go wrong with an online wallet service, and they add up to a major risk for anyone keeping money in one.

First, the wallet service might get hacked by a malicious third party. If you keep your bitcoins on your own computer, then they can be stolen if your computer is compromised; if you keep them in an online wallet service, then they can be stolen if *either* your computer is compromised *or* the online wallet service is compromised. And the wallet services are big, obvious targets for attackers.

Second, the wallet service might be doing "fractional reserve"; that is, they may not keep the actual balance on hand to back all their deposits. In this case, everything would seem to be fine until a bunch of people tried to make withdrawals at once, and then they'd discover that there wasn't actually any money there. Regular banks do this, and loan out the extra money; a wallet service could do fractional reserve, but take the extra money as profit. Regular banks have deposit insurance, which is essentially a guarantee by the US government that if everyone tries to withdraw at once and there isn't enough money there, the government will print more to cover the lost balances. In exchange, the bank is subject to a reserve requirement, which is a percentage of all deposits that they have to keep on hand, and audits.

Finally, the wallet service might just steal your money. They could just pack up and disappear one day. Alternatively, a wallet service that wanted to make money this way could keep up pretenses for awhile by disabling accounts a few at a time, or by losing a small fraction of transactions, and by blaming problems on outside attacks.

Seriously, keep your Bitcoins in your own possession. Don't recommend online wallet services to people. And don't expect online wallet services to cover for user-interface or other deficiencies the current Bitcoin client has - those need to be addressed in the client, not by a third-party service.
je_bailey
Newbie
*
Offline Offline

Activity: 18
Merit: 2


View Profile WWW
July 05, 2011, 06:00:11 PM
 #2

Speaking as someone who is actively working on setting up an online wallet. I can understand your concerns. It's also our biggest challenge (to build trust)

As someone who is obviously against the idea. What would make you feel more comfortable with the idea?

Actions we are going to take:

1. Make it clear whose behind it.
2. Clarify how our system works and what safe guards are in place
3. How we plan on making money

Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1010


View Profile
July 05, 2011, 06:09:36 PM
 #3

Seriously, keep your Bitcoins in your own possession. Don't recommend online wallet services to people. And don't expect online wallet services to cover for user-interface or other deficiencies the current Bitcoin client has - those need to be addressed in the client, not by a third-party service.

Funny, just minutes after you wrote that is this:
  "I think some centralized service is good for the bitcoin community".
  - http://forum.bitcoin.org/index.php?topic=26264.0

Unichange.me

            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █


qikaifu
Full Member
***
Offline Offline

Activity: 168
Merit: 100


God creats math and math creats bitcoin.


View Profile
July 05, 2011, 06:17:02 PM
 #4

Speaking as someone who is actively working on setting up an online wallet. I can understand your concerns. It's also our biggest challenge (to build trust)

As someone who is obviously against the idea. What would make you feel more comfortable with the idea?

Actions we are going to take:

1. Make it clear whose behind it.
2. Clarify how our system works and what safe guards are in place
3. How we plan on making money



For the No.1:

1) Be a U.S. citizen
2) Register a company in U.S.
3) Tell people your exactly background information.
4) Post 1 of your pictures is good for building trust.

conclusion: transfer your personal creditability to your service.

Of course, you have to do a good job on 2. and 3.



If you see any of my suggestions useful, please donate me. http://btc.to/ec
westkybitcoins
Legendary
*
Offline Offline

Activity: 980
Merit: 1004

Firstbits: Compromised. Thanks, Android!


View Profile
July 05, 2011, 07:08:00 PM
 #5


Quote
Seriously, keep your Bitcoins in your own possession. Don't recommend online wallet services to people. And don't expect online wallet services to cover for user-interface or other deficiencies the current Bitcoin client has - those need to be addressed in the client, not by a third-party service.

Most of us using this forum are old enough and smart enough to be able to handle risk analysis on our own. We can determine what we consider a safe amount to put into online wallets, and can even point all this out when recommending them to others.

Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
...
...
In the future, books that summarize the history of money will have a line that says, “and then came bitcoin.” It is the economic singularity. And we are living in it now. - Ryan Dickherber
...
...
ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)
...
...
The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
jimrandomh (OP)
Newbie
*
Offline Offline

Activity: 43
Merit: 0


View Profile
August 02, 2011, 07:46:01 PM
 #6

*bump*

I'd just like to point out that MyBitcoin's disappearance was foreseeable, and foreseen. Anyone who kept a significant amount of money there, didn't do their due diligence.
EhVedadoOAnonimato
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500



View Profile
August 02, 2011, 07:57:24 PM
 #7

2) Register a company in U.S.

Seriously? You expect bitcoins business to register in a country where the chance of being shut down in the future is that high?

Bitcoin business should be registering in tax havens where money printing is not a tradition.
smoothie
Legendary
*
Offline Offline

Activity: 2492
Merit: 1474


LEALANA Bitcoin Grim Reaper


View Profile
August 02, 2011, 08:16:58 PM
 #8

*bump*

I'd just like to point out that MyBitcoin's disappearance was foreseeable, and foreseen. Anyone who kept a significant amount of money there, didn't do their due diligence.

Agreed. With this thread being up for close to a month now I would say that anyone who lost bitcoins at mybitcoin.com is at fault for their own losses.

There were too many warning signs of fraud.

Plus it seems contradictory to keep one's wallet/coins on a third party server. The whole idea of bitcoin is to be and decentralized and storing your coins on a central server defeats one of the main beauties of the design of bitcoin.

What a shame....


███████████████████████████████████████

            ,╓p@@███████@╗╖,           
        ,p████████████████████N,       
      d█████████████████████████b     
    d██████████████████████████████æ   
  ,████²█████████████████████████████, 
 ,█████  ╙████████████████████╨  █████y
 ██████    `████████████████`    ██████
║██████       Ñ███████████`      ███████
███████         ╩██████Ñ         ███████
███████    ▐▄     ²██╩     a▌    ███████
╢██████    ▐▓█▄          ▄█▓▌    ███████
 ██████    ▐▓▓▓▓▌,     ▄█▓▓▓▌    ██████─
           ▐▓▓▓▓▓▓█,,▄▓▓▓▓▓▓▌          
           ▐▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▌          
    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓─  
     ²▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╩    
        ▀▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▀       
           ²▀▀▓▓▓▓▓▓▓▓▓▓▓▓▀▀`          
                   ²²²                 
███████████████████████████████████████

. ★☆ WWW.LEALANA.COM        My PGP fingerprint is A764D833.                  History of Monero development Visualization ★☆ .
LEALANA BITCOIN GRIM REAPER SILVER COINS.
 
the founder
Sr. Member
****
Offline Offline

Activity: 448
Merit: 251


Bitcoin


View Profile WWW
August 02, 2011, 08:23:51 PM
 #9

2) Register a company in U.S.

Seriously? You expect bitcoins business to register in a country where the chance of being shut down in the future is that high?

Bitcoin business should be registering in tax havens where money printing is not a tradition.

We registered where our company is located,  Pottsville, PA USA.    Our clients know who we are,  can verify an address, etc...  considering it's plastered all over there that it's a Yooter InterActive Company.


Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
twobits
Sr. Member
****
Offline Offline

Activity: 574
Merit: 250



View Profile
August 02, 2011, 08:26:20 PM
 #10

2) Register a company in U.S.

Seriously? You expect bitcoins business to register in a country where the chance of being shut down in the future is that high?

Bitcoin business should be registering in tax havens where money printing is not a tradition.

We registered where our company is located,  Pottsville, PA USA.    Our clients know who we are,  can verify an address, etc...  considering it's plastered all over there that it's a Yooter InterActive Company.



I want to be able to buy Yuengling for bitcoins.

█████                █████      ███████             
█████                ███    █████████████       
█████                ██  █████████████████   
█████                █  ██████              ██████ 
█████                    ████                      ████ 
█████████████  █████                        ████
█████████████  █████                        ████
█████████████  █████                        ████
█████                    █████                             
█████                █  ██████              ███████
█████                ██  ███████████    █████ 
█████                ███    █████████    ████   
█████                █████      ███████    ██
███
███
███
███
███
███
███
███
███
HyperQuant.net
Platform for Professional Asset Management
███
███
███
███
███
███
███
███
███
WhitePaper
One-Pager
███
███
███
███
███
███
███
███
███
Telegram 
Facebook
Twitter
Medium
███
███
███
███
███
███
███
███
███
███
███
███
███
███
███
███
███
███
█████                █████      ███████             
█████                ███    █████████████       
█████                ██  █████████████████   
█████                █  ██████              ██████ 
█████                    ████                      ████ 
█████████████  █████                        ████
█████████████  █████                        ████
█████████████  █████                        ████
█████                    █████                             
█████                █  ██████              ███████
█████                ██  ███████████    █████ 
█████                ███    █████████    ████   
█████                █████      ███████    ██
the founder
Sr. Member
****
Offline Offline

Activity: 448
Merit: 251


Bitcoin


View Profile WWW
August 03, 2011, 04:00:04 AM
 #11


I want to be able to buy Yuengling for bitcoins.
[/quote]

the brewery is across the street.. literally smell hops each time I go to work.


Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
westkybitcoins
Legendary
*
Offline Offline

Activity: 980
Merit: 1004

Firstbits: Compromised. Thanks, Android!


View Profile
August 03, 2011, 04:17:28 AM
 #12

*bump*

I'd just like to point out that MyBitcoin's disappearance was foreseeable, and foreseen. Anyone who kept a significant amount of money there, didn't do their due diligence.

Exactly.

Side note: I can't help but wonder why so many people seemed to prefer mybitcoin over instawallet. Because it had a password? Both were e-wallets, and not worth keeping a lot of bitcoins in.

Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
...
...
In the future, books that summarize the history of money will have a line that says, “and then came bitcoin.” It is the economic singularity. And we are living in it now. - Ryan Dickherber
...
...
ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)
...
...
The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
EhVedadoOAnonimato
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500



View Profile
August 03, 2011, 07:38:01 AM
 #13

We registered where our company is located,  Pottsville, PA USA.

I wish you and all your customers good luck.
wumpus
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1022

No Maps for These Territories


View Profile
August 03, 2011, 07:54:11 AM
 #14

Speaking as someone who is actively working on setting up an online wallet. I can understand your concerns. It's also our biggest challenge (to build trust)

As someone who is obviously against the idea. What would make you feel more comfortable with the idea?
Would offering wallet.dat download (or alternatively, a gpg-encoded text file with private keys) by a good idea? So that even if your site goes offline - for example, if your servers are nuked or taken - I still have the private keys for my own addresses and can use them in a local client, and spend the coins.

This won't help against you purposeful stealing the coins, but will give reassurance against loss or destruction.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
dogisland
Sr. Member
****
Offline Offline

Activity: 262
Merit: 250



View Profile
August 03, 2011, 08:42:16 AM
 #15

Speaking as someone who is actively working on setting up an online wallet. I can understand your concerns. It's also our biggest challenge (to build trust)

As someone who is obviously against the idea. What would make you feel more comfortable with the idea?

Assuming you're an honest individual I can still forsee the following problems.

1. How can you protect the bitcoin private keys in the wallet from...

a. Disgruntled employees (assuming you'll need employees)
b. Someone at the data center where your servers are hosted.
c. The backups you'll need to make. Who holds these ?

2. You're going to be constantly under cyber attack.

a. Who examines your code ?
b. Your software stack i.e. the 3rd party libraries you use how will you check that no-one inserts a specific attack on your site via a library upgrade.
c. How about your personal computers a hacker could gain access and use a keylogger to get root passwords ?

3. If you do well you'll be holding a significant amount of cash for other people that can easily be transferred and anonymized. You've also made yourself public on your site.

It's possible someone could attack you personally to get at the bitcoins. Have you thought about that ?
wumpus
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1022

No Maps for These Territories


View Profile
August 03, 2011, 08:45:59 AM
 #16

It might also be interesting to make a personal wallet webservice for micro-payments. Only allow a certain maximum BTC per user, so that it is not used as long-term storage for large amounts of coins.

Users should then be actively encouraged to only use the service for web payments.

This will limit the risk a bit...

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
defxor
Hero Member
*****
Offline Offline

Activity: 530
Merit: 500


View Profile
August 03, 2011, 08:47:52 AM
 #17

What would make you feel more comfortable with the idea?

Not giving you my private keys for storage, but using the data stored with you together with my local secret every time a key is needed.

This would be similar to how LastPass handles passwords (they're not stored with them, yet it's "like" if they were) and give the same security as Wuala has over Dropbox (employees cannot, ever, see your content).

wumpus
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1022

No Maps for These Territories


View Profile
August 03, 2011, 08:53:28 AM
 #18

Not giving you my private keys for storage, but using the data stored with you together with my local secret every time a key is needed.
But how would you see that work with a web service? You could implement a large part of the Bitcoin protocol in JS, but if it is served from the wallet provider, it could steal any key that you enter by injecting a keylogger into the JS as well.

It could work with the native clients though, to have it use a wallet on a storage provider (with encrypted private keys) instead of a local one. Would be a matter of generalizing the DB backend. This would also protect against wallet loss if the local machine is formatted.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
defxor
Hero Member
*****
Offline Offline

Activity: 530
Merit: 500


View Profile
August 03, 2011, 09:27:54 AM
 #19

Not giving you my private keys for storage, but using the data stored with you together with my local secret every time a key is needed.
But how would you see that work with a web service? You could implement a large part of the Bitcoin protocol in JS, but if it is served from the wallet provider, it could steal any key that you enter by injecting a keylogger into the JS as well.

That's the most common argument leveraged against LastPass, and it's indeed valid (see below). The solution, so far not implemented anywhere, is to sign a hash of the JS snippet in question and have that verified by the client. When the code needs an update it has to be vetted before clients approve a new hash or signature.

I believe this is on its way into the HTML specifications but I haven't looked for some time. If we control the client implementation (Android, PCs) it's however implementable already today.



In the LastPass case, they are considered trusted (reputation, company) and the architecture is meant to protect against hacking instead. They take great care to make sure their systems serving up the JS in question aren't easily manipulated, and if a hacker were to extract their databases they still cannot do anything with them since everything is encrypted and only the end users have the corresponding keys.
Vandroiy
Legendary
*
Offline Offline

Activity: 1036
Merit: 1002


View Profile
August 03, 2011, 12:41:14 PM
 #20

Where can one get a security architect for this kind of job?

I thought Microsoft has depleted the supply by dragging all the good people into the Midori project... Tongue

Seriously, someone who can manage a 100.0% flawless system for all the running time -- those people are rare to come by. One contact of the private keys with a hacker, and your entire company is history. And possibly the responsible people as well, if the amount of value lost was high enough for people to get violent.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!