Reports that $500,000 worth of Bitcoin currency was stolen from one user’s computer this week has highlighted the poor security of the digital cash and the systems available for managing it. For the currency to gain large-scale popularity, it may need to create or work with financial institutions—making Bitcoin less distinct from the conventional currencies some users hope to supplant.
To use Bitcoin, a person downloads the official software client, which connects over the Internet to a global network of other copies of the program. Together, these implement the mathematical scheme that ensures that bitcoins can be transferred, created, and verified without any need for a central authority such as a bank (read TR’s explainer on how Bitcoin works).
That official client stores the security needed to use a stash of bitcoins with minimal security, in an unprotected file known as wallet.dat. In a forum post this week, a bitcoin user whose screen name was “allinvain” claimed that a remote attacker gained access to his or her wallet file and stole over 25,000 bitcoins. The value of a single bitcoin at the time of writing (just over $19) makes the alleged heist worth nearly $500,000, although in practice converting such a large number of bitcoins at once would be tricky. It is impossible for the alleged victim to know who stole the money because the cryptographic architecture of Bitcoin is designed to preserve the anonymity of people transferring the currency. Today the security company Symantec reported it had caught a piece of malicious software that infects computers over the Internet and attempts to steal wallet files.
The vulnerability highlighted by the controversy is very real, says Jeff Garzik, one of the lead developers of the official Bitcoin client and one of a few individuals who are the closest thing the currency has to official spokespeople. Today, anyone able to access the machines of Bitcoin users, either directly or remotely—via malicious software—can grab their wallet files, he acknowledges.
An upgraded version of the client, which will encrypt a person’s wallet and ask for a password each time it is accessed, will be released in “just a week or two,” says Garzik.
Yet users will still essentially be maintaining their own bank vaults on their computers. “[Wallet encryption] does nothing against many modern malware techniques, such as keystroke logging,” says Garzik. He advises Bitcoin users to keep encrypted backups of their wallet files away from the Internet, for example on a USB stick, since the file is needed only when sending money to others.
This may be an option for technically minded early adopters. But if the currency is to be used more widely, a new generation of simple and secure tools for using bitcoins is needed, says Amir Taaki, who leads a U.K.-based consultancy of software developers working on a range of technologies for use with Bitcoin, which operates the exchange site Britcoin.