Hi guys,
Below is a rough guide for what I believe to be a good way to buy and secure your bitcoins. I think one of the main reasons why there is uncertainty around bitcoin is the nature of the internet and the potential security flaws it can create, i.e. hackers etc.
Can you guys read through what I have written below and possibly answer my question? It will help me and many others who are trying to enter the bitcoin market, but do not want the possibility of losing their BTC.
So here we go:
You want to buy Bitcoins and store them safely.
The process requires buying bitcoins from an exchange, and then sending the bitcoins to an offline wallet, so your safety cannot be compromised.
Step 1:
Before you do anything, complete a thorough malware scan with an accredited piece of anti-virus software. While you’re doing this, you might as well just clean all the crap out of your computer.
Question: Which software would you guys recommend? At the moment I have McAfee Live, but reviews suggest it only catches roughly 98% of new malware.
I am confused. You are talking about offline storage. Is this for the offline system or the online system? Anyway. There is no good anti-malware or antivirus software. They can only catch what has been found.
Step 2:
Firstly download Multibit (or Armory) to your computer. Multibit is a piece of software created to manifest a wallet ID, along with extra encryption, which you can store offline.
Question: Which software is better, or do they basically do the same thing?
Armory requires Bitcoin Core, resp. bitcoind, which requires a full blockchain. Again I am writing while reading this, so I am not sure if you are on your offline or your online system. If you just want a quick wallet setup to send the coins to cold storage, Armory is not what you want. Armory however can be good if you use it as well on the offline system, as it allows watch-only wallets. AFAIK Multibit does not yet support watch-only addresses.
Step 3
Once downloaded, take the computer offline. Then install the Multibit software to a directory on your USB, which must be new so you are certain there are no types of malware on the USB.
Paranoid level: tin foil hat - new USB sticks could also have hardware trojans/keylogger/malware installed.
Also make sure the USB package has not been tampered with.
Can be done during production/before packaging.
The reason you take the computer offline after the download is so that when you install and subsequently create a wallet from your USB, there is no internet connection, meaning there is no chance of ‘prying eyes’ on the creation of your wallet and its subsequent information that you want to keep to yourself.
You have now installed the Multibit software onto your computer (which is offline), so the next step is to create a new wallet. Just hit ‘create new wallet’ and there you go. You now have an offline wallet, from which you can receive coins only. For added protection, encrypt the wallet with a password of your choice, and remember/write down this password.
Questions:
• Can you send coins from the offline wallet?
Nope, you need to create a TX on an online machine, transfer it to the offline machine for signing, transfer it back for broadcasting.
• Is there any other way a hacker could access your wallet offline now?
Well, does the hacker know where you have your machine? For your everyday malware writer an offline machine is not reachable. Depending on your paranoia level it is not safe. Someone could sneak into your home while you are not there and install a keylogger on your offline machine, etc. pp.
• If I was to reconnect my wallet to become a ‘hot’ or now online wallet temporarily via my USB to send coins, am I not temporarily at risk?
Yes, you need to keep your online machine safe as well. A way to prevent problems is to use a different OS for cold and hot storage. E.g. if you use a Mac for your everyday online work and you have your watch-only wallet on a Mac, use Linux for cold storage. Very few (if any) malware can work in both systems.
• Can you only send coins through the wallet, i.e need access to the wallet to send coins, or does someone just need my private key only?
The private key is all you need. The signature provided by the private key is what allows anyone to spend the coins associated with it. However it is not possible for someone to just generate one of your private keys by accident. The only way currently for this to happen is if your random number generator is very bad.
• If I were to plug in my USB into another infected computer, is my wallet safe as long as the wallet is encrypted? Will I know or see any other files on my USB to signal a virus/malware implant if another computer was infected?
Yes, as long as it is encrypted and your password is reasonably strong you are safe. 9 symbols take ~1.2 million years to brute-force IIRC. I'd suggest a password/-phrase of 20 or more symbols though. Make sure it's not something you use elsewhere or that can be easily guessed.
Step 4
Copy all of this information into a physical format, i.e. using paper and pen, and store this somewhere safe. This is so that if you lose your wallet information or your USB screws up for some reason, you still have your wallet information, allowing you to access your bitcoins. In the unfortunate case that this does happen, create a new wallet using the steps already mentioned, and transfer your bitcoins to the new uncorrupted wallet. It would also be wise to have a spare USB with the information. Overall this = 2 USBs + 1 paper format.
Question: Which USB would you recommend? How about a USB with a PIN, so if your USB were to be used by someone else, they would not be able to connect it to any computer without permission, i.e. the PIN code, therefore reducing the chance of the USB becoming infected.
IMHO that's overkill. Either you know your online machine is infected and you don't use the USB stick, or you don't know and you remove the security anyway. Also keep in mind to make regular backups if you are using Multibit, as newly created addresses need new backups. Something like Electrum, where you only need to back up a seed once, might be easier to handle, esp. when backing up to paper.
Step 5
Register with an exchange depending on your location (may take a few days), buy some bitcoin, transfer to your wallet using the public address and you are done.
Question: Which secure exchange can I use if I am from the United Kingdom or New Zealand? Is there a global exchange present at the moment?
Thanks for reading and I look forward to your responses.
Kash
AFAIK Bitstamp is located in the UK, but most (if not all) allow international money deposits. There is a list somewhere with an overview, I did a quick search but didn't find it. The big ones are basically those that are listed on bitcoinwisdom.
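The watch-only / offline-signing split described in the replies above (the online machine builds the transaction, the offline machine signs it, the online machine broadcasts) is easier to reason about with a small worked model. The following is an added example written for this thread, not code from the original posters, Multibit, Armory or Electrum. It implements textbook ECDSA over secp256k1 in pure Python so that the two roles can be shown with real signatures: the "online" side holds only the public key, as a watch-only wallet would, and never sees the private key; the "offline" side holds the private key and does nothing but sign. The transaction format, the demo private key and the destination string are all constructed for illustration; real wallets serialise inputs and outputs very differently, and the deterministic nonce here is a simplified stand-in for RFC 6979, not the full specification.

```python
"""Offline-signing walk-through (constructed example, not the thread's code).

The 'online' machine knows only the public key (a watch-only wallet). It
builds the unsigned transaction and later checks the returned signature.
The 'offline' machine holds the private key and only ever signs.
Transport between the two (the USB stick) is modelled as passing a dict.
"""
import hashlib
import hmac
import json

# secp256k1 domain parameters (the curve Bitcoin uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed demo key for illustration only; never use a key derived like this.
DEMO_PRIV = int.from_bytes(
    hashlib.sha256(b"constructed demo key, never use").digest(), "big") % N


def point_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def tx_digest(tx):
    """Canonical serialisation + SHA-256, interpreted as an integer."""
    data = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


# ---- offline machine: holds the private key, never touches the network ----
def offline_sign(priv, unsigned_tx):
    """Return a copy of the tx carrying an ECDSA signature (r, s).

    The nonce k is derived deterministically from key and digest (a
    simplified stand-in for RFC 6979, not the full spec), so a weak RNG on
    the offline box cannot leak the key through a repeated k.
    """
    z = tx_digest(unsigned_tx)
    k = int.from_bytes(
        hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"),
                 hashlib.sha256).digest(), "big") % N or 1
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if s > N // 2:          # low-s form, as Bitcoin nodes expect
        s = N - s
    return dict(unsigned_tx, signature={"r": hex(r), "s": hex(s)})


# ---- online machine: watch-only, knows only the public key ----
def build_unsigned_tx(dest, amount_btc):
    """Constructed transaction; real wallets assemble inputs/outputs here."""
    return {"to": dest, "amount_btc": amount_btc, "nonce": 1}


def online_verify(pub, signed_tx):
    """Check the signature before broadcasting; no private key needed."""
    sig = signed_tx.get("signature")
    if sig is None:
        return False
    r, s = int(sig["r"], 16), int(sig["s"], 16)
    if not (1 <= r < N and 1 <= s < N):
        return False
    body = {key: val for key, val in signed_tx.items() if key != "signature"}
    z = tx_digest(body)
    w = pow(s, -1, N)
    point = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return point is not None and point[0] % N == r


def cold_storage_round_trip(priv, dest="constructed-destination", amount=0.5):
    """Whole workflow: build online -> sign offline -> verify online.

    Returns (verified, signed_tx, pub) so the caller can inspect each step.
    """
    pub = scalar_mult(priv, G)            # derived once, copied to the online box
    unsigned = build_unsigned_tx(dest, amount)
    signed = offline_sign(priv, unsigned)  # crosses the USB stick and back
    return online_verify(pub, signed), signed, pub


if __name__ == "__main__":
    ok, signed, _ = cold_storage_round_trip(DEMO_PRIV)
    print("signature valid on the watch-only side:", ok)
```

The point the replies make about "the private key is all you need" falls out of the structure: `offline_sign` is the only function that takes `priv`, and `online_verify` works from the public key alone, which is exactly what a watch-only wallet stores. Changing any field of the signed transaction after it comes back from the offline machine makes `online_verify` return `False`, so the online side can detect tampering in transit before broadcasting.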