Can my Bitcoins be stolen?

[Scarecrow]

I am really hopeful that Bitcoin emerges from Beta to become the Internet currency of the future.

For this to happen people must have confidence that their wallet cannot be emptied by some crook out on the net. So if I am running the Bitcoin software in the background, could a virus installed on my pc send a copy of my .bitcoin folder or wallet.dat to the crooks pc, who could then send all my coins to his own wallet thus stealing all my coins?

As a Newbie and not that techi, this is a concern I think many possible adopters will have. For example if I am tempted to install an animated wallpaper that happens to come with an unwanted payload designed to steal my .bitcoin folder. The wallet.dat that I think is the essential part is available unencrypted just begging to be stollen. Am I right? If not then thats a relief but if this is the case what would be the recommended procedure to protect your coins? I won't accept "don't install the wallpaper" as a fair answer. 

[1713483257]

1713483257

[1713483257]

1713483257

[1713483257]

1713483257

[SmokeTooMuch]

Can my Bitcoins be stolen?

short answer: yes.
with the Bitcoin client you are your own bank and you have the full responsibility for storing and using your wallet in a safe way.

Also, there is at least one thread about this topic already.
-> https://www.bitcoin.org/smf/index.php?topic=2698.0

[caveden]

Yes, they can be stolen.

If you want to protect your bitcoins yourself (instead of trusting on a web service), best thing you do is to keep your "savings" on a wallet that's on offline media. Encrypt it (check TrueCrypt if you don't know how) and make multiple copies (on different media, of course). Save at least one copy on a remote server like Dropbox, Gmail etc.

[Scarecrow]

Yes, they can be stolen.

If you want to protect your bitcoins yourself (instead of trusting on a web service), best thing you do is to keep your "savings" on a wallet that's on offline media. Encrypt it (check TrueCrypt if you don't know how) and make multiple copies (on different media, of course). Save at least one copy on a remote server like Dropbox, Gmail etc.

I am familiar with TrueCrypt so that’s not a problem. If I always use an empty online wallet.dat and keep my coins in my encrypted "savings wallet.dat", then I should be okay. But is it only the wallet.dat that needs to be copied/pasted from/to the .bitcoin folder? Can copies be made while the client is running?

Alternatively should I be running two completely separate Bitcoin clients e.g. one for hashing and receiving Bitcoins being basically empty and one for spending Bitcoins being my encrypted savings wallet.

What if my empty wallet.dat has been copied by a crook and then sometime later I am sent some coins, if the crook gets to them first they could disappear right from under my nose even though I had been taking precautions. Yes/No?

Sorry I'm so full of questions but it seems to me the client needs to be providing basic user protection prior to v1.0

[theGECK]

Yes, they can be stolen.

If you want to protect your bitcoins yourself (instead of trusting on a web service), best thing you do is to keep your "savings" on a wallet that's on offline media. Encrypt it (check TrueCrypt if you don't know how) and make multiple copies (on different media, of course). Save at least one copy on a remote server like Dropbox, Gmail etc.

I am familiar with TrueCrypt so that’s not a problem. If I always use an empty online wallet.dat and keep my coins in my encrypted "savings wallet.dat", then I should be okay. But is it only the wallet.dat that needs to be copied/pasted from/to the .bitcoin folder? Can copies be made while the client is running?

Alternatively should I be running two completely separate Bitcoin clients e.g. one for hashing and receiving Bitcoins being basically empty and one for spending Bitcoins being my encrypted savings wallet.

What if my empty wallet.dat has been copied by a crook and then sometime later I am sent some coins, if the crook gets to them first they could disappear right from under my nose even though I had been taking precautions. Yes/No?

Sorry I'm so full of questions but it seems to me the client needs to be providing basic user protection prior to v1.0

If somebody steals your wallet, they have complete control over any addresses that are a part of that wallet. That's one reason you may want to keep using different wallets, to mitigate that threat.

[Scarecrow]

I read this thread https://www.bitcoin.org/smf/index.php?topic=2698.0 and its a bit complex for me but my conclusion so far is that if you connect your wallet to the internet at any time, there is a possibility that you have created a situation that at some time in the future you will lose any coins associated with that wallet. If so, there is still much work to be done.

[myrkul]

I read this thread https://www.bitcoin.org/smf/index.php?topic=2698.0 and its a bit complex for me but my conclusion so far is that if you connect your wallet to the internet at any time, there is a possibility that you have created a situation that at some time in the future you will lose any coins associated with that wallet. If so, there is still much work to be done.

Your wallet is data. If you connect a computer to the internet, there is the possibility that the data on that computer may be compromised. Take precautions. Use a secure operating system. Encrypt your wallet. Do not install programs from sources you do not trust. Practice safe computing, and you don't need to worry about your wallet.

[ronaldmaustin]

No.  It is technologically impossible and THAT is the value of Bitcoins.  Send me your wallet.dat file and I will prove to you what you need to know.

[myrkul]

No.  It is technologically impossible and THAT is the value of Bitcoins.  Send me your wallet.dat file and I will prove to you what you need to know.

Either you are mis-informed, or attempting to defraud our new friend. I sincerely hope it is the former. Even if you couldn't just load up his wallet and send his coins to yourself, several threads have been written (and the bounty collected) about collecting coins using nothing but the private key, which is included in the wallet.dat. Other threads have been written about extracting the private key from a wallet (again, bounty collected).

tl;dr: don't send your wallet to anyone.

[caveden]

What if my empty wallet.dat has been copied by a crook and then sometime later I am sent some coins, if the crook gets to them first they could disappear right from under my nose even though I had been taking precautions. Yes/No?

Yes. If you suspect your wallet has been compromised, you should:

• Generate 100 new addresses, and discard them (never use)
• Transfer any remaining coins on that wallet to a address generated after the 100 above.
• Never use any of the older addresses for any transaction.
• Most important, try to understand what happened in order not to keep your new addresses in the same compromised machine. Maybe a format if it was a virus, a divorce if it was your wife etc.

Sorry I'm so full of questions but it seems to me the client needs to be providing basic user protection prior to v1.0

I agree, the thing is that it's just not that simple. If you keep your wallet on the same machine you use to surf the web, there's always risk. If besides that you use windows, the risk is greater. It's impossible to fully protect a user's computer if the user executes malicious code or if s/he trusts in people s/he shouldn't. And sometimes you may get a worm just for viewing the wrong web site, without executing anything else but normal browsing...

I think that the best solution for those who don't feel comfortable in keeping their own coins is:

• Have an offline wallet for your savings, as suggested before.
• Use a "bank" (MyBitcoin, MtGox, Bitcoin-central...) to keep the bitcoins you want to move more frequently.

[markm]

Any user accounts on any of your machines that are used to run untrusted software such as random screensavers and such that you impulse download while surfing the net should probably not also be used for financial applications, at least if one feels the concern that you feel.

Log in to your user account that has the financial apps only when you have finances to transact. For recreational computing log in to your recreational account.

It is much the same as not using your system-administrator account for recreation. Regard your financial-administration account similarly.

Treat your recreational account like En Guard's "red light district" activity: each time you visit you might be mugged so only take as much money there as you are prepared to lose.

-MarkM-

[Scarecrow]

I am pleased to get all your helpful answers but disappointed Bitcoin has this security hole. My fear is not that I will get my coins stolen as I am very careful not to allow my Linux system to be attacked. My worry is that where a shop does decides to accept Bitcoins, only then to see their takings randomly disappear, surely this would effectively strangle Bitcoin at birth.

[caveden]

This is not a security hole of bitcoins, Scarecrow. Any sensitive data is vulnerable if not properly protected.

If bitcoins go mainstream, people will just trust their assets to bitcoin banks.

[Scarecrow]

This is not a security hole of bitcoins, Scarecrow. Any sensitive data is vulnerable if not properly protected.

If bitcoins go mainstream, people will just trust their assets to bitcoin banks.

Are you saying that if I had an online shop all my Bitcoin receipts would go straight into my online Bitcoin bank and so would be retained securely for me?

[FatherMcGruder]

Are you saying that if I had an online shop all my Bitcoin receipts would go straight into my online Bitcoin bank and so would be retained securely for me?

He's saying that if Bitcoin goes mainstream, we'll see a huge demand for really good security. However, we'll also see a demand for really good thieves.

To reassure you, I'll say that you'll have less vulnerability to theft with bitcoins than with regular paper money. It's harder to counterfeit, and no one can print it on a whim. Also, you can't back up paper.

[myrkul]

Perfect security is an illusion. Physical currency can be stolen, too... no vault is completely secure. Bitcoins even have a few advantages over physical currency, just as FatherMcGruder explained.

[Beremat]

Perfect security is an illusion. Physical currency can be stolen, too... no vault is completely secure. Bitcoins even have a few advantages over physical currency, just as FatherMcGruder explained.

Exactly. This is as much a "security hole" as someone breaking into your house and stealing your jewelry.

[ronaldmaustin]

No.  It is technologically impossible and THAT is the value of Bitcoins.  Send me your wallet.dat file and I will prove to you what you need to know.

Either you are mis-informed, or attempting to defraud our new friend.
tl;dr: don't send your wallet to anyone.

Third option -> I was joking.  It's as if he said, can my cash be stolen and I say, "No way, give me your wallet and I'll prove it to you."  I would no more expect him to mail me his wallet.dat than the wallet in his back pocket.

[myrkul]

tl;dr: don't send your wallet to anyone.

Third option -> I was joking.  It's as if he said, can my cash be stolen and I say, "No way, give me your wallet and I'll prove it to you."  I would no more expect him to mail me his wallet.dat than the wallet in his back pocket.

Indeed. The "flat" nature of internet text communication means sudden left turns like this usually get misunderstood.

My apologies.

[Scarecrow]

Bitcoin currently is like an unbreakable titanium chain linking two computers but attached each end with cotton thread.