One of our employees asked me recently what's the best way to secure a Bitcoin. I had no idea. Do you have any advice on Bitcoin security? There's no chance we'll ever need to deal with this in a business context, right?
While there's no pressing need to rush into upgrading your payment system to accept bitcoins, it is worth monitoring their adoption, particularly for businesses with a big Internet presence or that sell digital products and services such as online games or subscriptions.
Crypto-currency is probably here to stay. Although some countries, such as China, have restricted or banned its use, many others, including the U.S., appear more relaxed about its existence. Some large organizations have started accepting payment for products and services in bitcoins (e.g., Overstock.com, Zynga and Virgin Galactic). One benefit for merchants is that Bitcoin transaction fees are typically lower than the 2% to 3% charged by credit card processors. The main benefit for customers is that paying with bitcoins hands the merchant no card number or bank details that could later be stolen and used for fraud. Note, though, that every transaction is recorded in Bitcoin's public ledger, so payments are pseudonymous rather than anonymous.
Cryptography governs the creation and transfer of a crypto-currency, and the protocol underlying Bitcoin has so far proved robust. That hasn't stopped attackers from going after the weaker links: Bitcoin exchanges and wallets (the software that holds the private keys controlling a user's bitcoins on a computer or smartphone; whoever holds a key can spend the coins it controls). Exchanges are not regulated or insured the way banks are and should not be used to store funds as if they were. Mt. Gox and Flexcoin both shut down in 2014 after separate attacks: Mt. Gox reported hundreds of thousands of bitcoins missing, and Flexcoin said attackers had drained the coins held in its online "hot" wallet. Wallet software receives, stores and sends bitcoins, and, not surprisingly, a study by Dell SecureWorks showed that as the value of a bitcoin rose last year, so did the number of malware families designed to steal keys and wallet files from users' machines.
Ideally, wallet software should run from a bootable USB stick or live CD so that the operating system is known to be malware-free and does not cache, log or swap wallet keys to disk. Users have to treat a software wallet the same way they would a real one, and best practice is to use two wallets: a "hot" wallet on the everyday computer or phone, holding only a small spending balance, and a separate offline "cold" wallet holding the rest. This keeps the majority of a user's bitcoins out of reach of malware that keylogs the passphrase used to unlock a wallet or scrapes unencrypted keys out of the device's RAM while the wallet is open.
The offline wallet needs to be kept physically secure, maybe even in a traditional bank vault, because the keys are the money: theft of the keys lets the thief spend the coins, and loss of the keys means the coins can never be spent again. A computer hard drive holding more than $4.6 million worth of bitcoins was thrown away and lost when the owner forgot it contained the keys to 7,500 bitcoins. Offline or "cold storage" services are available, but note that they aren't regulated by the financial services industry. Additionally, if an offline wallet is encrypted, it is essential not to forget the passphrase: there is no reset mechanism. Some experts prefer not to encrypt this type of wallet because in the event of death, descendants would not be able to access their inheritance. A middle ground is to encrypt the wallet and keep the passphrase in a separate, equally secure place (for example, with a solicitor or in a different vault) so that neither item alone is enough to spend the coins.
Regular backups of a Bitcoin wallet are essential to protect against computer failure, theft and human error, but never store them online, especially if the backup is not encrypted. Finally, always use the latest version of the Bitcoin software and protect the wallet with a passphrase at least 16 characters long. Although Bitcoin is a purely digital currency, it can be kept secure in analog form. Paper wallets store bitcoins offline, which significantly reduces the chance of the crypto-currency being stolen by hackers or malware. Printing the contents of a wallet (the private keys, usually in Wallet Import Format, together with the addresses derived from them) creates a physical record which, of course, must be kept secure. Two caveats: generate the paper wallet on an offline machine, never on a website, and remember that spending from it normally means importing the private key into software, at which point it becomes a hot key again and the remaining balance should be moved to a fresh paper wallet.
Keeping bitcoins secure is complex and time-consuming, but well worth the trouble for anyone with a reasonable-size holding. Bitcoin is more than a passing Internet fad, and when dedicated hardware wallets that keep the private keys off the general-purpose computer appear on the market, they should provide a better balance between security and ease of use, possibly increasing the general acceptance and use of bitcoins and crypto-currency for online transactions.
Ask the expert!
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)