New Malware Targets Bitcoins To Steal
from the if-your-money-needs-malware-protection dept
It's been fascinating to watch the back-and-forth discussions about Bitcoin. The big story recently was the supposed "theft" of $500,000 worth of Bitcoins. But perhaps a lot more interesting is the report of new malware specifically targeting Bitcoins. The malware looks for a Bitcoin wallet, which it then tries to email to a specific server. Among the many concerns people have raised about Bitcoins, this one hadn't received that much attention earlier, but could potentially scare a lot of people. The lack of traceability is one of the selling points, but it also has a downside in these types of situations.
Reader Comments
Just like cash
So, if you take precautions with cash, and your online bank account and credit card info, you need to take them with your BitCoins, too. A significant difference between an online bank account and your BitCoins is that you are in 100% control of all the information related to your BitCoins. You don't have to worry that after buying something from a merchant, that they'll save or leak your credit card number and it's out in the wild.
Say you mine BitCoins on a Windows box that's connected up to the Internet. When you mine one, it goes to the wallet file on that machine. Get a non-networked Linux box for your "real" wallet, and transfer any mined coins from one to the other.
Re: Just like cash
well,
Re: well,
If people want to be safe with their coins, make a separate account for BC and put deny access to everyone else on the BC wallet file. Then you can run BC as that user and no malware you randomly decide to install will get your wallet.
If people didn't randomly install crap on their machines, they would get malware.
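A check for the setup described in the comment above, as an added example that is not part of the original thread. It assumes a Unix-like host where the wallet sits in a directory owned by the dedicated account; the file name `wallet.dat` and the function names are illustrative.

```python
import os
import stat
import tempfile


def audit_wallet(path):
    """Return a list of findings about who else can reach the wallet file."""
    findings = []
    info = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if stat.S_ISLNK(info.st_mode):
        return ["wallet path is a symlink"]
    if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("wallet file is accessible to group or other users")
    if info.st_uid != os.geteuid():
        findings.append("wallet file is not owned by the current user")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("wallet directory is writable by group or other users")
    return findings


def harden_wallet(path):
    """Restrict the wallet to its owner: directory 0700, file 0600."""
    os.chmod(os.path.dirname(os.path.abspath(path)), 0o700)
    os.chmod(path, 0o600)


def demo():
    """Build a constructed wallet file with loose modes, audit, harden, re-audit."""
    with tempfile.TemporaryDirectory() as data_dir:
        os.chmod(data_dir, 0o777)
        wallet = os.path.join(data_dir, "wallet.dat")
        with open(wallet, "wb") as handle:
            handle.write(b"constructed placeholder, not a real wallet")
        os.chmod(wallet, 0o644)
        before = audit_wallet(wallet)
        harden_wallet(wallet)
        return before, audit_wallet(wallet)
```

Run `audit_wallet` as the dedicated account; an empty list means no other local account can read the file or replace it through its directory.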
Re: Re: well,
Not saying 7 or Linux is easier to "hack" than the other, I'm saying that neither's security should be ranked based on conventions where vendors' interests are at stake more than those that wish to breach them.
Re: Re: well,
Would have been easier if they had connected to the network.
Re: Re: well,
Citation needed.
Re: Re: Re: well,
Re: Re: Re: Re: well,
The news said you were a liar. Look it up yourself.
COINcidence? I don't think so.
Re: COINcidence? I don't think so.
Traceability
The lack of traceability is a myth. People can follow the stolen bitcoins through the network as each transaction is public. It's going to be pretty hard for the thief to cash it out somewhere.
Re: Traceability
Only if someone validates the BitCoins they are receiving against this list will they be stopped. Just like serial numbers on paper money. Unless you're looking for it, the 'cash' is just 'cash'.
Re: Re: Traceability
That does little good if 25,000 people receive a bitcoin from this thief - it doesn't mean that those 25,000 people become thieves, just as a store clerk receiving a stolen $20 bill in return for groceries doesn't make them a thief.
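The tracing discussed in the three comments above, as an added example that is not part of the original thread: following reported coins forward through public transactions and checking an incoming coin against that trail. The ledger, transaction names and the all-outputs taint policy are constructed assumptions, not real Bitcoin data.

```python
from collections import deque

# Constructed sample ledger, not real transactions. An outpoint is
# (txid, output_index), the way Bitcoin itself refers to a spendable coin.
LEDGER = {
    "tx_theft": {"inputs": [("tx_victim", 0)], "n_outputs": 2},
    "tx_split": {"inputs": [("tx_theft", 0)], "n_outputs": 3},
    "tx_merge": {"inputs": [("tx_split", 1), ("tx_clean", 0)], "n_outputs": 1},
    "tx_shop": {"inputs": [("tx_clean", 1)], "n_outputs": 1},
}
STOLEN = {("tx_victim", 0)}  # coins the victim reported as taken


def trace_forward(ledger, stolen):
    """Map every outpoint descended from a stolen coin to its hop count.

    Assumed policy: if any input of a transaction is tainted, all of its
    outputs are tainted (the most conservative choice).
    """
    spent_by = {}
    for txid, tx in ledger.items():
        for outpoint in tx["inputs"]:
            spent_by[outpoint] = txid

    hops = {outpoint: 0 for outpoint in stolen}
    queue = deque(stolen)
    while queue:
        outpoint = queue.popleft()
        txid = spent_by.get(outpoint)
        if txid is None:
            continue  # unspent: the trail currently ends here
        for index in range(ledger[txid]["n_outputs"]):
            child = (txid, index)
            if child not in hops:  # first (shortest) path wins
                hops[child] = hops[outpoint] + 1
                queue.append(child)
    return hops


def check_incoming(ledger, stolen, outpoint):
    """Return hops from the theft for a coin being received, or None if clean."""
    return trace_forward(ledger, stolen).get(outpoint)


def unspent_tainted(ledger, stolen):
    """Where the reported value sits now: tainted outpoints nobody has spent."""
    spent = {op for tx in ledger.values() for op in tx["inputs"]}
    return sorted(op for op in trace_forward(ledger, stolen) if op not in spent)
```

The hop count is what separates the cases the commenters argue about: a coin one hop from the report is a different situation from one that has passed through several unrelated transactions and been merged with clean inputs.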
Bitcoin should require a password after selecting an 'account number'.
So you have all these bitcoin account numbers and you select one. You shouldn't just willy nilly be able to select an account number and then suddenly transfer bitcoins from one account to another. A password should be required and that password should be the password required to decrypt the necessary information to transfer bitcoins.
Sure, most people will likely choose easily crackable passwords, and bitcoin should give some advice on recommended password parameters, but at least it slows down the process of malicious bitcoin transfers by third party software, which could give a later alerted user time to transfer his bitcoins to an uncompromised account before the password is cracked.
Re:
Re: Re:
Re:
You can always encrypt the wallet file, store it offline, or send your bitcoin to a website that "stores" them for you (mybitcoin.com for example)... but that doesn't stop the fact that stored bitcoin can be taken from your machine if you don't protect it somehow.
Re: Re:
Of course, but you assume that all cases of malware intrusion are succeeded by someone typing in all of their bitcoin passwords before discovering the intrusion.
Also, a password can deter someone with physical access to the computer from simply copying the file over and getting easy access to that information. It gives time for users who periodically transfer money from account to account for security reasons to do so or to discover the intrusion and transfer the money before anything gets cracked. More work is needed to gain access to those coins, that extra work will act as a thief deterrent, and people will weigh the work necessary to steal those coins with the work necessary to earn them.
Also, malware creators will need to extend more work creating an appropriate keylogger to work with the data transfer software (or if it's a general keylogger they have to spend lots of time looking through the logs, especially if they are looking through the logs of hundreds of users, and by then many of those users could discover the intrusion and transfer the money to another safer account).
It's like a lock on a door. It won't keep a determined criminal out by any stretch of the imagination, but it's enough to deter many criminals.
Re: Re: Re:
It's important to note that the bitcoin software is not necessarily a single program - anyone can create their own "secure" bitcoin program if they want (it's open source)... so this problem is likely to solve itself as people actually care enough to do it.
There's no central authority involved here, so trying to say what they "should do" is sort of pointless, as no one person, or group of people is necessarily responsible for how bitcoin is stored or managed.
Re: Re: Re: Re:
I know.
"There's no central authority involved here, so trying to say what they "should do" is sort of pointless, as no one person, or group of people is necessarily responsible for how bitcoin is stored or managed."
'They' refer to the bitcoin client developers, and there is a point, to point out the need to create such security features. Yes, they will likely be created anyways, but I was just making a suggestion for discussion purposes since such a suggestion is relevant to the OP.
Re: Re: Re: Re:
Yes, but general key logs are a time consuming pain to analyze, especially when you have hundreds of them, such extra needed work acts as a deterrent and gives alerted users time to transfer the money to other accounts before it gets stolen.
Re: Re:
Yeah, but in order to transfer data, at some time that file needs to be decrypted, and a keylogger can monitor the password necessary to decrypt it. So your 'solution' suffers the same shortcoming just as well.
Re: Re: Re:
I don't know about you, but I keep my money in multiple locations - some easy to get to (my actual wallet), some in a safe (locked in my house), and some in my bank account (obviously protected by the institution itself).
That way if someone mugs me in the street, they only get what's in my wallet at the time. If someone breaks into my house (and somehow figures out my safe combination - perhaps because they somehow saw me use it through a window or something), they still don't get what's in my savings account.
Anyone can do the same with bitcoin, they just tend to be lazy because it's "convenient" to just keep it all in one place, on their trusty, secure computer.
Re: Re: Re: Re:
Implementing client based password protection and the above aren't two mutually exclusive possibilities.
The protocol for the bitcoin system is pretty much unbreakable