Bitcoin online bank robbery - "because that's where the money is"

Filed Under: Cryptography, Data loss, Featured

If you've got your wallet handy, take out a banknote - pretty much any banknote will do, in any currency - and find the serial number.

You shouldn't have much difficulty - most central banks consider the serial number important enough that they print it more than once, sometimes in different colours and orientations.

Now write the serial number down on a piece of paper.

Chances are, for most of you, that'll be the first time you've ever done anything that actively involves a banknote serial number. (There was no point in asking you to write it down, other than to make that point.)

For some of you, perhaps, it may even be the first time you've noticed that each banknote is uniquely labelled.

But I bet you one thing: if real banknotes didn't exist, and all you had was a list of serial numbers like the one you just copied down, you'd look after that list pretty carefully.

You certainly wouldn't hand the list to a stranger on the street and say, "Be a good chap, won't you, and keep this in your pocket until I see you next week," any more than you'd hand him your wallet full of cash to store for you.

But Bitcoins - the unregulated digital currency that has been hugely in the news lately, both for its soaring street value and its usefulness in paying the CryptoLocker malware ransom - are, very loosely speaking, stored and traded like our imaginary list of banknote serial numbers.

There are no official Bitcoin banknotes or coins; just strings of digital data that act as cryptographic serial numbers, denoting which Bitcoins (or fractional parts of Bitcoins) are yours.

So, if you're into Bitcoins, you want to watch that digital Bitcoin wallet of yours pretty closely, especially given the steepling surge in the cryptocurrency's value in the past month.

→ Even the crooks behind CryptoLocker, who seem to have found that $300 is the sort of price point at which victims will pay up, while, say, $2000 is too high, have been forced to drop the Bitcoin cost of their extortion. What cost BTC 2 a month ago is "only" BTC 0.5 now.

Nevertheless, many Bitcoiners seem to be big on risk, entrusting their precious Bitcoin assets to a wide range of online wallet services, where they are firmly in the sights of cybercrooks.

Bad luck if it all goes wrong, of course, because you're not likely to get your money back.

Without any financial operators' rules or consumer protection laws to help you out, things don't end like they usually do with disputed credit card transactions. (In those, the bank takes the disputed amount back from the merchant and gives it to you. The merchant wears the loss.)

Sadly, a number of boutique Bitcoin merchants and wallet services have been cleaned out by hackers in the past month, including:

Each of these companies had been operating officially for only a few months, yet already had entrusted to them millions of dollars that are now in the hands of cybercrooks.

Just over a year ago, we wrote about the regrettable story of a youngster named Roman Shtylman, whose security lapse during a server upgrade led to unencrypted backups being stolen, costing his sideline Bitcoin business some $250,000 overnight.

That was back when Bitcoins were worth just over $10 each, compared to nearly $800 today.

So, you can see why hackers are more than merely interested in online Bitcoin repositories - and why you need more than just a hunch about a repository's trustworthiness before you hand over your Bitcoin data.

Remember, you don't have to keep your Bitcoins online with someone else: you can store your Bitcoins yourself, encrypted and offline.

In fact, you can do that with any and all of your digital possessions.

There was life before cloud storage, and there will be life after it!
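To make "encrypted and offline" concrete, here is an added example (not code from the original article or from any wallet software it mentions) in Go. The "cryptographic serial number" is just 32 random bytes generated on your own machine; the example seals it under a passphrase with AES-256-GCM, the key being derived by PBKDF2-HMAC-SHA256, and the resulting blob is what would go onto an offline backup. The blob layout (salt, nonce, ciphertext and tag), the 200,000-iteration count and all function names are assumptions made for this example; PBKDF2 is written out inline so that only the Go standard library is needed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen   = 16      // random per-file salt for the passphrase KDF
	nonceLen  = 12      // AES-GCM standard nonce size
	keyLen    = 32      // AES-256 key
	pbkdfIter = 200_000 // assumption: iteration count chosen for this example
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out here so the
// example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	dk := make([]byte, 0, dkLen+prf.Size())
	ctr := make([]byte, 4)
	for block := 1; len(dk) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Write(ctr)
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U(n+1) = PRF(P, Un)
			for i := range t {
				t[i] ^= u[i] // T ^= U(n+1)
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// gcmFor derives the AES-256 key from the passphrase and salt and returns an AEAD.
func gcmFor(passphrase, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, pbkdfIter, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret encrypts a wallet secret under a passphrase.
// Assumed blob layout: salt || nonce || ciphertext || 16-byte GCM tag.
func sealSecret(secret, passphrase []byte) ([]byte, error) {
	salt, nonce := make([]byte, saltLen), make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(secret)+gcm.Overhead())
	out = append(append(out, salt...), nonce...)
	// The salt is bound as associated data, so a swapped header is rejected too.
	return gcm.Seal(out, nonce, secret, salt), nil
}

// openSecret reverses sealSecret; a wrong passphrase and a modified blob both
// fail the GCM tag check, and the error deliberately does not say which.
func openSecret(blob, passphrase []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("encrypted blob too short")
	}
	salt, nonce := blob[:saltLen], blob[saltLen:saltLen+nonceLen]
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	secret, err := gcm.Open(nil, nonce, blob[saltLen+nonceLen:], salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered blob")
	}
	return secret, nil
}

func main() {
	// Stand-in for a wallet private key: 32 random bytes made on this machine.
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	passphrase := []byte("constructed example passphrase, not a real one")
	blob, err := sealSecret(secret, passphrase)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted blob of %d bytes is what goes on the offline backup\n", len(blob))
	_, err = openSecret(blob, []byte("wrong passphrase"))
	fmt.Println("wrong passphrase:", err)
	got, err := openSecret(blob, passphrase)
	fmt.Println("recovered secret matches:", err == nil && bytes.Equal(got, secret))
}
```

The point of the authenticated mode is that an attacker who gets hold of the backup file cannot silently modify it, and the random salt means two backups of the same key under the same passphrase do not look alike; the secret itself never leaves the machine in the clear.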

Bitcoin banknote image from bitcointalk.org.


10 Responses to Bitcoin online bank robbery - "because that's where the money is"

  1. Astral_Nomad · 148 days ago

    With all due respect to your second last sentence - "In fact, you can do that with any and all of your digital possessions"; the statement is not entirely true.
    You can only back up the things that a software developer *allows* you to back up, and it's only getting worse with devs trying to protect against piracy.
    Most games and various other apps only allow you to download. If you lose it to corruption or what have you, that's your loss unless they provide you with the means to do so. Even to the point that your data is streamed to their servers (i.e. savegames) so you can't even back that up in offline mode.
    All things being said, this is a good article, however, I have no plans to invest in Bitcoin any time in the near future.

    • Paul Ducklin · 148 days ago

      I hear you. Mobile devices like iPads have this problem in spades - you don't actually get access to the whole filing system on the device, so you can't back it all up. "Apple says No."

      (I was being a bit circular: you are best off choosing digital technologies that permit you to encrypt and back up anything and everything if you want. Having made that choice, make sure you keep your own encrypted backups...)

      I think I'll change my wording to say, "You should do that with any and all of your digital possessions that you can."

      • Andrew Ludgate · 148 days ago

        Well, to be minorly pedantic, you can, by definition, back up any digital items you own. If you can't, you don't really own them, they're just sitting on your hardware but belong to someone else. If there's data the vendor claims is yours, but they don't give you unfettered access to it, something's wrong.

        • Paul Ducklin · 147 days ago

          I like your thinking. That's how I should have put it :-)

    • wac · 137 days ago

      The answer would be not to buy those devices. Like iPads and iPhones. Just don't, there are better alternatives with fewer restrictions. Together we can make a statement to Apple Inc. Ahh and btw it's not developers, it's company directors. Actually many developers don't care about the media companies.

  2. Black A.M. · 148 days ago

    There's still no proof that these were outside attacks on the wallet providers. Inputs.io have refused to bring the police into the matter.

    • Paul Ducklin · 148 days ago

      I know. I was careful to say that "many Bitcoiners seem to be big on risk, entrusting their precious Bitcoin assets to a wide range of online wallet services, where they are firmly in the sights of cybercrooks."

      The crooks could be on the inside, the outside or anywhere in between. Whether the breaches are due to the venality or the incompetence of the server operator doesn't matter too much to the victims. They're not going to see their money again, like as not.

      You can probably start by assuming that incompetence is a more likely explanation, on the grounds that while the companies concerned may have faced a crook on the inside, they *definitely* faced any number of unstintingly keen crooks on the outside...

  3. J2897 · 148 days ago

    My three security principles with regards to Bitcoin...

    1. The PRIVATE KEY must be generated by your PC's CPU.

    2. The PRIVATE KEY must remain on your PC's HDD exactly where it was generated.

    3. The PRIVATE KEY must be wiped (not deleted) from your PC's HDD if copied to another location.

    • Philip Raymond · 90 days ago

      Normally, I would agree 100% that PKI is not worth its reputation if not for a locally generated and maintained private key. But with the wallet component of an online service, I make an exception. If each user generates and controls the key then the service must keep all of their cash connected to the Internet. That's too risky. They should only keep online the necessary float for current transactions.

      Of course, this means that I must trust a far away player in a very immature industry. Yes, but not for very much or very long. Best practice suggests that traders move coins away from an online wallet immediately after any transaction. You are only trusting that the service will remain functional for the amount of the current transaction and only for a minute or two.

      Incidentally, a new NakedSecurity article on Jan 23 sets forth some best practice guidelines for Bitcoin wallets (disclaimer...I am the author).

  4. SecurityGround COM · 144 days ago

    Bitcoin is going to become the second generation of "blood money" after "diamonds". Regulatory authorities will wake up only after "lots of bloodshed" comes to light. Very, very sad that no government body is bothered while Bitcoin is still in its infancy and the menace can be curbed easily. I guess a nexus has already formed between politicians and the underworld for not keeping an eye on this.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog