How to lose your Bitcoins with CTRL-C CTRL-V

[GSpgh]

There's also malware that monitors 2.3 million Bitcoin addresses: thanks to the public blockchain it's easy to create a list of all addresses that are worth stealing, and include a couple million similar addresses in the malware.

Another argument for not reusing Bitcoin addresses but that's unfortunately not feasible when you have for example exchanges that issue one deposit address and don't even allow to change it manually (an argument to not use centralized exchanges I guess).

[1714781945]

1714781945

[1714781945]

1714781945

[1714781945]

1714781945

[1714781945]

1714781945

[dothebeats]

Was wondering the same, how many checked characters would make the process safe?
I read that vanity gen is able to do 50mils keys per second, let's keep this number, multiply by 10 seconds and at this point, I still believe checking the first and last 4-5 characters is enough.
And without having a clue I doubt the malware would store billions of addresses in text files and filling up the HDD with those.

Given the sheer amount of addresses in the whole key space of bitcoin and other cryptocurrencies, this is already a good practice knowing that two addresses having almost the same characters as another one would be pretty slim. Though of course for the ultra-paranoid in us, 4-5 characters isn't really enough and therefore having two addresses side-by-side is still a (somewhat) bulletproof practice as suggested by o_e_l_e_o.

-snip-

The horrors of Windows in general. Every single data we have on our PCs we don't own completely, but we actually share it with Microsoft the moment we started using their operating system. The mere fact that most of the computers in the whole world runs with Windows is already an alarming thought, but what is there to do when Microsoft knows how to make things work with laymen? Of course, you wouldn't expect non-techie people to use CLI-based OS such as Linux just to be secured, and while being secure, Mac isn't really an option too knowing how costly it is to have one. Hackintosh is possible, but with limitations and bugs too.

[Artemis3]

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

This is the only choice that matters. You are a pessimist by rejecting the only logical choice beforehand.

Most people don't need Windows, all they need is a browser, and the likes of Chrome run in Linux perfectly fine. That attitude of yours, i have seen it in decades, and it only ends in grief.

Drop Windows and 80% of the issues are gone. If you need a "games" computer, have both separate. Money and serious things in one, the rest in the other.

Don't bother with dual boot, people lack the discipline to NOT boot Windows (or OSX).

None of your "tips" are really effective under a malware ridden windows computer, because you don't know beforehand the exact nature of the malware. Its not just malware that recognizes bitcoin addresses and change it, there are several more vectors for stealing, such as taking your privkeys/seed words, or hijacking your dns, but to name them all would make a book.

Money handling should not be done with insecure OSes, period.

[LoyceV]

Money handling should not be done with insecure OSes, period.

Of course But 1.5 billion people use Windows for anything. If we could wipe out that insecure OS that would be great, but I'm trying to be realistic here: it's not going to happen.

[Sancho18]

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

This is the only choice that matters. You are a pessimist by rejecting the only logical choice beforehand.

Most people don't need Windows, all they need is a browser, and the likes of Chrome run in Linux perfectly fine. That attitude of yours, i have seen it in decades, and it only ends in grief.

Drop Windows and 80% of the issues are gone. If you need a "games" computer, have both separate. Money and serious things in one, the rest in the other.

Don't bother with dual boot, people lack the discipline to NOT boot Windows (or OSX).

None of your "tips" are really effective under a malware ridden windows computer, because you don't know beforehand the exact nature of the malware. Its not just malware that recognizes bitcoin addresses and change it, there are several more vectors for stealing, such as taking your privkeys/seed words, or hijacking your dns, but to name them all would make a book.

Money handling should not be done with insecure OSes, period.

I think you are too categorical. Ideal operating systems do not exist, and the romantic halo around Linux often disappears when you try to make him friends with your computer hardware. If you are not a bearded admin in a sweater, but an ordinary user, migrating to Linux may not be an easy task. I use a hardware wallet and check the address before sending, and until everything is fine.  

[jseverson]

This is the only choice that matters. You are a pessimist by rejecting the only logical choice beforehand.

Don't bother with dual boot, people lack the discipline to NOT boot Windows (or OSX).

Aren't you being a little pessimistic yourself as well? I understand that getting people to stop using Windows is an uphill battle, but I'd think more people would be open to a dual boot set up than having two different devices for different purposes. (Edit: Maybe we should be promoting the use of Raspberry Pis instead lol)

Either way, while I completely agree that people shouldn't be using Windows for crypto (or anything else you could do with Linux really), I wouldn't go as far as saying it's insecure. It's certainly much less secure, but I don't expect a person who knows what they're doing to have any issues with it. Awareness is so much more important for security because no OS will protect you from everything. The info that LoyceV provided would probably help more users than simply saying "Don't use Windows!", for one.

Of course But 1.5 billion people use Windows for anything. If we could wipe out that insecure OS that would be great, but I'm trying to be realistic here: it's not going to happen.

The funny thing is, if everyone started using Linux instead and it got all the attention from bad actors that Windows does, users would probably just as vulnerable even with Linux's fundamentally stronger security. People do a lot of stupid shit for free stuff and/or whatever else they want, and no OS can really address that lol.

Ideal operating systems do not exist, and the romantic halo around Linux often disappears when you try to make him friends with your computer hardware. If you are not a bearded admin in a sweater, but an ordinary user, migrating to Linux may not be an easy task.

I've found that things have gotten a lot better on this end in recent years. Even then, most people only really have basic stuff anyway, and people with the more technical hardware tend to be more technical themselves.

[stompix]

There's also malware that monitors 2.3 million Bitcoin addresses: thanks to the public blockchain it's easy to create a list of all addresses that are worth stealing, and include a couple million similar addresses in the malware.

I sincerely don't understand what "monitoring" means here...
Are they monitoring used addresses so if a user tries to send a transaction to a known adress they have one resembling it to replace it?
That would be more effective for a reused address but a total fails with newly generated addresses.

Also, one of the exchanges I use gives me the same deposit address each time, but every time I deposit something the adress is emptied in the next block in a batch transaction collecting funds, so ...that would probably make the adress free from monitoring?    I really wonder how they are choosing them..

How to prevent this
Don't use Windows

Drop Windows and 80% of the issues are gone

But a monkey behind a Volvo and it will become the deadliest car in history.

[Sancho18]

Ideal operating systems do not exist, and the romantic halo around Linux often disappears when you try to make him friends with your computer hardware. If you are not a bearded admin in a sweater, but an ordinary user, migrating to Linux may not be an easy task.

I've found that things have gotten a lot better on this end in recent years. Even then, most people only really have basic stuff anyway, and people with the more technical hardware tend to be more technical themselves.

The situation is really changing for the better and the Linux desktop is becoming more and more friendly to the average user, but it's too early to talk about any significant successes. Linux is the king of servers, and the market share is near zero on desktops. This is the reality of today.

It would be easier for Linux to succeed on desktops, but in fairness, I note that Windows 10 is not so bad, it has a built-in security center and rumors about the impossibility of disconnecting Cortana are greatly exaggerated.

[LoyceV]

I sincerely don't understand what "monitoring" means here...

Good question, now I'm not so sure. I would have expected the malware to detect Bitcoin addresses based on the format, instead of based on a very long list of known addresses. It's quite easy to know if a certain string is a Bitcoin address.

Linux is the king of servers, and the market share is near zero on desktops.

From loyce.club last month:
Windows 63.2%
Linux 17.2%
Macintosh 1.6%
iOS 4.4%
Unknown 13.3%

Meanwhile, 4.1% of all pages was loaded from Windows XP (I'm not sure if Tor-browsers still identify themselves as Windows XP), 23.8% Windows 7 and 33.8% Windows 10.
And 3.9% of the users use Android, which is counted as Linux.

[Sancho18]

I sincerely don't understand what "monitoring" means here...

Good question, now I'm not so sure. I would have expected the malware to detect Bitcoin addresses based on the format, instead of based on a very long list of known addresses. It's quite easy to know if a certain string is a Bitcoin address.

Linux is the king of servers, and the market share is near zero on desktops.

From loyce.club last month:
Windows 63.2%
Linux 17.2%
Macintosh 1.6%
iOS 4.4%
Unknown 13.3%

Meanwhile, 4.1% of all pages was loaded from Windows XP (I'm not sure if Tor-browsers still identify themselves as Windows XP), 23.8% Windows 7 and 33.8% Windows 10.
And 3.9% of the users use Android, which is counted as Linux.

People interested in crypto are usually more advanced in IT and are difficult to consider as ordinary users. I also want to note that if you consider Android as Linux, it would be logical and iOS + MacOS should also be considered as Linux, because they also have common roots. I'm talking about Linux desktop, such as Ubuntu. Market success of Android is difficult to question.

[khaled0111]

My PC got infected once with this malware.
It changes Eth addresses from the one you copy to the hacker's address.
I was lucky and didn't lose anything because I discovered it when I was checking tokens values on etherdelta.
I was copying the token's contract address and pasting it in the navigation bar which redirects me to the exchange's home page everytime.

َAll I did to resolve the problem is copying a part of the address (all of it except the last char).
I confirm that this solution works for Ethereum addresses since they all have the same length which is not the case for Bitcoin addresses.

[LogitechMouse]

2. Check the entire address after copy/pasting, and not just the first few (or last few) characters. Check some in the middle too. That's a lot of work, so chances are you won't do that either.

This is for me the best thing to do to prevent getting scammed by these hardcore stupid scammers/hackers.

Yes it is a lot of work to do. You will see if what you have pasted is the same with the one where you get your address but if you are sending a huge funds, you will double or triple check it so that you will be comfortable in sending it.

Lucky for me that I didn't encounter such things like this at this moment and I hope I will not encounter it .

[mk4]

Just comes to show how careless people are in general. It only takes like what? less than 5 seconds to double check the address you're sending the funds to? But yet people don't do it. It's so mind boggling how lazy and careless people are knowing that you can never do chargebacks with bitcoin.

Isn't it enough to check just the fist 4-5 and last 4-5 characters? This is what I do every time, if the first and last match I don't think I'm in danger.  If they manage to generate address similar to the address you are paying to with the first few characters, checking the last ones should make it super save, am I wrong?

It should suffice. This is what I do too. It's enough unless for some ultimately very unlucky reason the address you're sending the funds to and the hacker's receiving address has the same first and last 5 characters.

[Kakmakr]

I think the length of these addresses and also the case sensitive requirement for Bitcoin addresses are forcing people to use "Copy & Paste" to use their wallets. It is a pity that something cannot be done to shorten the address like with URL shorteners to just post a shorter description for your wallet when you have to use it. <That description can be linked to your longer address to make it easier for you to remember it too.>

So you configure that on your own and link it to your address and when you type it, it converts the wallet description to your Bitcoin address. <This can be done on the users computer and also encrypted to protect it from hackers>

So no need for developers to add this to the Bitcoin code <Protocol> Obviously people will still have to double check the end result.   

[LoyceV]

Just comes to show how careless people are in general. It only takes like what? less than 5 seconds to double check the address you're sending the funds to?

There's more to it than that: when I receive a PM with a payment address, I first have to make absolutely sure it came from the real account. With email, most people don't use encryption. That makes it even more difficult to be absolutely sure the sender is who he says he is.

It is a pity that something cannot be done to shorten the address like with URL shorteners

There used to be a site for this, but it was discontinued (and I forgot the name). But the most unique thing about Bitcoin is being able to make payments without having to rely on third parties, and I wouldn't want to trust them for giving me the correct address.
Google's first result on a search shows a site which Google says may be hacked:

So you configure that on your own and link it to your address and when you type it, it converts the wallet description to your Bitcoin address. <This can be done on the users computer and also encrypted to protect it from hackers>

I see many problems with this, but not a single way to do it absolutely safe.

And even if you would make a safe implementation, you'll lose error correction. Currently, there's a 1 in 4 billion chance of making a typo in a Bitcoin address, that still leads to a valid address. If you shorten the error correction, mistakes become much more likely.

Obviously people will still have to double check the end result.  

That defeats the purpose

[mk4]

Just comes to show how careless people are in general. It only takes like what? less than 5 seconds to double check the address you're sending the funds to?

There's more to it than that: when I receive a PM with a payment address, I first have to make absolutely sure it came from the real account. With email, most people don't use encryption. That makes it even more difficult to be absolutely sure the sender is who he says he is.

..aaaaand not only that! Personally, even though I'm already certain that the bitcoin address came from the legitimate person, I always ask the person to verify the pasted address! Like so:

Tradee: my address is bc1jf5jxxxxxxxxxxxx
Me: bc1jf5jxxxxxxxxxxxx
Me: ?
Tradee: bc1jf5jxxxxxxxxxxxx

And I even do that even with transactions as low as $20. You can never be so sure.

[Saint-loup]

Just comes to show how careless people are in general. It only takes like what? less than 5 seconds to double check the address you're sending the funds to?

There's more to it than that: when I receive a PM with a payment address, I first have to make absolutely sure it came from the real account. With email, most people don't use encryption. That makes it even more difficult to be absolutely sure the sender is who he says he is.

..aaaaand not only that! Personally, even though I'm already certain that the bitcoin address came from the legitimate person, I always ask the person to verify the pasted address! Like so:

Tradee: my address is bc1jf5jxxxxxxxxxxxx
Me: bc1jf5jxxxxxxxxxxxx
Me: ?
Tradee: bc1jf5jxxxxxxxxxxxx

And I even do that even with transactions as low as $20. You can never be so sure.

I don't understand you're doing trades by phone? The vendors spell their adresses letter by letter?
If I'm right. Why not using emails instead? If your sender use URIs you just need to click on the link, you don't even need to do a copy/paste manipulation, like bitcoin:bc1jf5jxxxxxxxxxxxxxxxxxx

[stompix]

~

..aaaaand not only that! Personally, even though I'm already certain that the bitcoin address came from the legitimate person, I always ask the person to verify the pasted address! Like so:

Tradee: my address is bc1jf5jxxxxxxxxxxxx
Me: bc1jf5jxxxxxxxxxxxx
Me: ?
Tradee: bc1jf5jxxxxxxxxxxxx

I don't understand you're doing trades by phone? The vendors spell their adresses letter by letter?

Chat logs, he asks the person to confirm the address so he can make it a bit safer.
If the other party just copy-paste the adress he will probably not notice the change.

Now, if you ask him again, he will have more chances to see that what he copied isn't what he pasted.
Plus, due to the dialogue he can protect himself better in case of a dispute. Not bulletproof of course as the other user could simply not pay attention both times but it's better than nothing.

And no, I don't know a single person that dictates addresses by phone

[Lafu]

Sry that i have seen the thread so late and only now !

I have written and Thread over an year ago about this here for copy and paste https://bitcointalk.org/index.php?topic=4601535.msg41533052#msg41533052

Sadly to see that it happens already to somebody .

The copy+c and copy+v about btc adresses is i guess normal for the most but you should think about and always watching what you are install .

[Saint-loup]

Sry that i have seen the thread so late and only now !

I have written and Thread over an year ago about this here for copy and paste https://bitcointalk.org/index.php?topic=4601535.msg41533052#msg41533052

Sadly to see that it happens already to somebody .

The copy+c and copy+v about btc adresses is i guess normal for the most but you should think about and always watching what you are install .

Thank you for this thread but a good way to fight clipboard hijackers is to encourage the use of BIP21 URI scheme instead of raw bitcoin addresses bitcoin:xxxxxxxxxxxxxxxxxxxxxxxxx