Bitcoin Forum
December 08, 2016, 12:07:48 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3 »  All
  Print  
Author Topic: Can viruses steal people's bitcoin purses? What can be done for protection?  (Read 11614 times)
manixrock
Newbie
*
Offline Offline

Activity: 1


View Profile
January 09, 2011, 03:29:06 AM
 #1

With worms and viruses having access to millions of computers (botnets) and stealing private information so easily, it's not hard to envisions adding a setting to those bots to steal someone's bitcoins. Unlike stealing credit card information, this gives an immediate and anonymous reward with zero extra effort.

Is there anything in place to try to prevent such theft? Providing an option for username/password encryption would be a good start, but if people (especially people inexperienced with computers) are going to use bitcoins with large sums of money, they should have a way to protect it.

Another issue is one of backup. If a hard drive fails and there is no backup of the bitcoins purse you loose it all. There should be a way to back up the latest version of the purse file in another place (either on another computer or on the internet), and that one needs to be at least as secure as the one you're using.

Finally there's the issue of mobility. If you use bitcoins on a non-mobile platform, there should be an easy way to access the funds from other places. People who aren't very good with computers will find it hard to move the bitcoins program along with the purse to another device.

These three issues seem to need a good balance of ease of usability and security. Banks can achieve a good level of security because everyone using their services is identifiable. How can we achieve high security in an anonymous environment?
1481198868
Hero Member
*
Offline Offline

Posts: 1481198868

View Profile Personal Message (Offline)

Ignore
1481198868
Reply with quote  #2

1481198868
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481198868
Hero Member
*
Offline Offline

Posts: 1481198868

View Profile Personal Message (Offline)

Ignore
1481198868
Reply with quote  #2

1481198868
Report to moderator
1481198868
Hero Member
*
Offline Offline

Posts: 1481198868

View Profile Personal Message (Offline)

Ignore
1481198868
Reply with quote  #2

1481198868
Report to moderator
fabianhjr
Sr. Member
****
Offline Offline

Activity: 322


Do The Evolution


View Profile
January 09, 2011, 03:46:57 AM
 #2

As of security if you don't want to get infected don't install or download shit. Smiley

As of the hardrive failure use a RAID 1 or 5 and do remote backups to a box you have in a vacation house or with a trusted party.(With your wallet encrypted over there + stego)

As of the mobility part there is a bounty for an Android app. Maybe that is what you are searching.

Basically there are ways to prevent this scenarios(theft || loses) from happening and once they happen you are pretty much srewed.

davux
Sr. Member
****
Offline Offline

Activity: 289


Firstbits.com/1davux


View Profile WWW
January 09, 2011, 04:35:08 AM
 #3

I totally agree that the keypairs should be stored or exportable/importable as files that one can carry around, backup etc., pretty much like GPG and SSH keys. They would then need to be passphrase-protected, too.

1DavuxH9tLqU4c7zvG387aTG4mA7BcRpp2
México (Oaxaca) – France - Leeds
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526


View Profile
January 09, 2011, 12:53:19 PM
 #4

I'm not sure I agree that "banks achieve a high level of security", there is an endless stream of horror stories of people getting their online banking sessions stolen by Zeus and having tens of thousands of dollars drained out of it. Some banks do security right and others don't.

For BitCoin, I think the right approach here is mobile apps that automatically make encrypted backups (which is why I'm working on one). Mobile OS' aren't 100% bulletproof but they're a lot harder to infect than Windows/MacOSX/Linux, so that's a good place to start.

If you want something more like what regular banks provide, you could host your wallet at a remote "BitCoin Bank" like mybitcoin, and use a 2-factor calculator to sign transactions. This is how my bank (UBS) handles it and it works pretty well, at a cost of convenience.
brocktice
Sr. Member
****
Offline Offline

Activity: 292


Apparently I inspired this image.


View Profile WWW
January 09, 2011, 06:59:46 PM
 #5

For backups, I recommend just scripting a dump of the wallet backup from bitcoin, encrypting it to yourself with GPG, and putting it anywhere. I like Dropbox or JungleDisk, but whatever floats your boat.

I'm less clear about the best way to protect one's wallet in case of compromise. I think distributing one's wallet contents around a few machines might help reduce risk, but I don't want thousands of bitcoins to be susceptible to compromise of my computer, even if I try very hard to keep things secure.

http://media.witcoin.com/p/1608/8----This-is-nuts

My #bitcoin-otc ratings: http://bitcoin-otc.com/viewratingdetail.php?nick=brocktice&sign=ANY&type=RECV

Like my post? Leave me a tip: 15Cgixqno9YzoKNEA2DRFyEAfMH5htssRg
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
January 09, 2011, 08:12:10 PM
 #6

Once your system is compromised (you have a virus/trojan) then you have lost. Even with encryption, at some point you must enter a password to access your bitcoins, and once you do the virus/trojan will have your password, with which it can use to decrypt your wallet.

Don't get infected, don't become compromised. Use an Apple computer with OSX or Linux, these are the safest options. Staying with windows will become very risky in the future.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
brocktice
Sr. Member
****
Offline Offline

Activity: 292


Apparently I inspired this image.


View Profile WWW
January 09, 2011, 08:46:57 PM
 #7

Once your system is compromised (you have a virus/trojan) then you have lost. Even with encryption, at some point you must enter a password to access your bitcoins, and once you do the virus/trojan will have your password, with which it can use to decrypt your wallet.

Don't get infected, don't become compromised. Use an Apple computer with OSX or Linux, these are the safest options. Staying with windows will become very risky in the future.

Well, I use Linux for everything, but I'm sure if the financial motives are high enough, someone will find a way to sneak something on to Linux boxes.  I try to be secure, but there's only so much I can do. I might consider keeping my wallet in a maximally-isolated and locked-down machine.

http://media.witcoin.com/p/1608/8----This-is-nuts

My #bitcoin-otc ratings: http://bitcoin-otc.com/viewratingdetail.php?nick=brocktice&sign=ANY&type=RECV

Like my post? Leave me a tip: 15Cgixqno9YzoKNEA2DRFyEAfMH5htssRg
jgarzik
Legendary
*
qt
Offline Offline

Activity: 1470


View Profile
January 09, 2011, 10:48:06 PM
 #8

First step:  the devs should enable the db4 database feature that AES-encrypts the wallet.dat database on disk.  The wallet should never be stored unencrypted by default, IMO.

Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
Gavin Andresen
Legendary
*
qt
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
January 10, 2011, 12:32:55 AM
 #9

"Just turn on Berkeley db encryption and you're done" -- ummm:

First, unless I'm reading the bdb docs wrong, you specify a password at database creation time.  And then can't change it.

So, at the very least, somebody would have to write code that (safely) rewrote wallet.dat when you set or unset or changed the password.

Second, encrypting everything in wallet.dat means you'd have to enter your wallet password as soon as you started bitcoin (because user preference are stored in there right now), when ideally you should only enter the password as you're sending coins.

And third, there are all sorts of usability issues with passwords.  Users forget their passwords.  They mis-type them.  I wouldn't be terribly surprised if doing the simple thing and just encrypting the whole wallet with one password resulted in more lost bitcoins due to forgotten passwords than wallets stolen by trojans.

I think creating a safe, useful wallet protection feature isn't easy, and there a lot of wrong ways to do it.

How often do you get the chance to work on a potentially world-changing project?
davux
Sr. Member
****
Offline Offline

Activity: 289


Firstbits.com/1davux


View Profile WWW
January 10, 2011, 01:09:17 AM
 #10

encrypting everything in wallet.dat means you'd have to enter your wallet password as soon as you started bitcoin (because user preference are stored in there right now),

Are there plans to change this? bitcoin.conf or any other file would sound like a better place than the very wallet for storing user preferences.

1DavuxH9tLqU4c7zvG387aTG4mA7BcRpp2
México (Oaxaca) – France - Leeds
ByteCoin
Sr. Member
****
expert
Offline Offline

Activity: 416


View Profile
January 10, 2011, 01:17:27 AM
 #11

There is no effective solution to this problem until the wallet handling code can be completely separated from the networking client. See http://bitcointalk.org/index.php?topic=1691.msg20718#msg20718
Attempting to improve security by having a password on the client is no improvement as noted by Nefario and has significant problems as noted by gavinandresen.

ByteCoin
brocktice
Sr. Member
****
Offline Offline

Activity: 292


Apparently I inspired this image.


View Profile WWW
January 10, 2011, 02:18:03 AM
 #12

IMO there is a market for a very secure bitcoin bank. Not sure how that would best be done, nor how people could know to trust it, but I would certainly be interested. Bonus points for being in a jurisdiction that's likely to give any government that comes calling the finger.

No, mybitcoin and mtgox are not suitable.

http://media.witcoin.com/p/1608/8----This-is-nuts

My #bitcoin-otc ratings: http://bitcoin-otc.com/viewratingdetail.php?nick=brocktice&sign=ANY&type=RECV

Like my post? Leave me a tip: 15Cgixqno9YzoKNEA2DRFyEAfMH5htssRg
bitcoinex
Sr. Member
****
Offline Offline

Activity: 350


probiwon.com


View Profile WWW
January 10, 2011, 02:32:37 AM
 #13

Platinum threads of the bitcoin.org

New bitcoin lottery: probiwon.com
- Может, ты ещё и в Невидимую Руку Рынка веруешь? - Зачем же веровать в то, что можно наблюдать непосредственно?
jgarzik
Legendary
*
qt
Offline Offline

Activity: 1470


View Profile
January 10, 2011, 04:47:39 AM
 #14

Sure there are all sorts of problems with passwords and passphrases; those are at least a well known and defined solution space.

But most modern crypto software has the ability to ensure your private keys remain in an encrypted store on the filesystem.  Good software has that encryption enabled by default.


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
Local
Member
**
Offline Offline

Activity: 109



View Profile
January 10, 2011, 07:42:40 AM
 #15

IMO there is a market for a very secure bitcoin bank. Not sure how that would best be done, nor how people could know to trust it, but I would certainly be interested. Bonus points for being in a jurisdiction that's likely to give any government that comes calling the finger.

No, mybitcoin and mtgox are not suitable.

Double bonus points from me not existing legally and existing physically in two unrelated jurisdictions so called.
asdf
Hero Member
*****
Offline Offline

Activity: 527


View Profile
January 10, 2011, 09:04:50 AM
 #16

A cheap solution could be to store your "savings" in an offline "vault" and keep smaller amounts in your online client for day to day spending. this limits your risk.
doublec
Legendary
*
Offline Offline

Activity: 1078


View Profile
January 10, 2011, 09:45:44 AM
 #17

Don't get infected, don't become compromised. Use an Apple computer with OSX or Linux, these are the safest options. Staying with windows will become very risky in the future.

Linux servers get compromised all the time thanks to badly written web applications (just to pick one common vector). If I was a malware author the first servers I'd be targeting would be those offering bitcoin services so I could get access to the wallet.
Hal
VIP
Sr. Member
*
expert
Offline Offline

Activity: 314



View Profile
January 10, 2011, 08:10:20 PM
 #18

If the private keys in the wallet were encrypted, then the virus couldn't get them until you entered your password to make a payment. This might give you a chance to discover and eliminate the virus before it can do harm.

Hal Finney
ShadowOfHarbringer
Legendary
*
Offline Offline

Activity: 1470


Bringing Legendary Har® to you since 1952


View Profile
January 10, 2011, 08:57:42 PM
 #19

If you're using Linux for bitcoin & only install software from signed repositories & keep system up to date, then probability of infection is almost unexistant.

You should be more worried if You're using Windows however.

jgarzik
Legendary
*
qt
Offline Offline

Activity: 1470


View Profile
January 10, 2011, 10:31:49 PM
 #20

If you're using Linux for bitcoin & only install software from signed repositories & keep system up to date, then probability of infection is almost unexistant.

You should be more worried if You're using Windows however.

Sadly Linux installs with outdated patches tend to get penetrated quite often.  Hosting software, in particular, is often copied into a webspace by an "install script" and just left to rot, unpatched.

The rate of infection on Windows is very high, much higher than Linux, but I'd argue that is due as much to raw numbers -- the largest attack audience with a single binary -- as shoddy engineering, today.

And I say this as a die-hard Linux hacker, who was proudly Microsoft-free for over ten years (sadly this is no longer the case, with the Xbox and wife's laptop).

Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
Pages: [1] 2 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!