As documented here, most bitcoin thefts are due to poor wallet security management. The specific threats are discussed in more detail further down the page; here is a summary of the known items of interest to bitcoin thieves:
In the interest of general wallet security and to specifically safeguard your wallet against these forms of attack, follow the tenets outlined in the following “security best practice” checklist:
* Special mention needs to be made of the innovative BitGo multi-signature wallet in relation to Online (Web) Wallets. The BitGo wallet, although an online wallet, implements the Bitcoin protocol’s multi-signature functionality, and requires both an online and offline signature to sign off transactions. Consequently, this online “multisig” wallet is highly secure – more so than any other standard online wallet.
Malware is typically acquired by unwitting users when they install misrepresented or obscure applications and widgets via the web. Malware Trojans masquerade as officially certified applications in, say, the Apple Store. What you end up installing is software that scours your PC or mobile device for wallets, passwords and private keys, and that then reports back to a cybercriminal or botnet. Dell SecureWorks estimates that at least 140 of these types of Bitcoin-targeting malware are active in the wild.
Sometimes one of the components of a trusted software application can be vulnerable. For example, the recent OpenSSL Heartbleed vulnerability allowed a snooping attacker to extract (amongst other things) your username and password whenever you logged into a web service.
Once your username and password are known to a snooper, they can access your precious bitcoins, whether the credentials are for an online exchange account, an online wallet, your mobile wallet or your PC wallet. If your PC or mobile is connected to the internet, an attacker can access it using security vulnerabilities specific to the device’s OS.
If, like most people, you use a password formula for various logins, then you should consider strengthening your passphrase scheme (formula) to generate more secure passwords. Often, the theft of one of your passwords can reveal all of your other login passwords, because they are variations of a formula. Botnets exist to decipher and extrapolate these formulaic passwords.
A standard Bitcoin transaction requires your private key to unlock its bitcoin outputs. If a third party obtains one or more of your private keys (stored in your wallet), then they can transact any coins previously received by that public-private key pair. Such a transaction doesn’t have to be made using your wallet – it can be initiated on any device and from anywhere. This is a design feature of Bitcoin which allows, amongst other things, the ability to import and export addresses between wallets.
Exchanges host wallet accounts for all their clients, so they are vulnerable to the same “hack attacks” as Online Wallet services. To date, over 12 Bitcoin exchanges have been hacked and have had bitcoins stolen from them. This type of attack seeks access to the core of the service’s servers where account credentials and wallets are stored. Typically the database containing user credentials is compromised, and usernames and passwords harvested. With these, users’ wallet contents are then trivially transferred to the fiendishly lucky attacker.
Bitcoin transactions, by design, digitally sign hashes of transactional components, and these are combined and signed again as a means of validating the contents of the transaction. The inevitable outcome of signing other signatures is that one final signature always remains, the one used last in the chain, which nothing else signs. This makes Bitcoin transactions vulnerable to Transaction Malleability, whereby an attacker can change the id of a transaction. This is a known vulnerability, but it is not of concern to wallet users specifically.
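Why the id can change while the payment stays the same, as an added example that is not part of the original article: in the legacy (pre-SegWit) format the id hashes the signature script, but a signature cannot cover its own bytes. The transaction fields, the placeholder scriptSig bytes and the `same_payment` helper are constructed for illustration, and `signed_digest` handles only the single-input SIGHASH_ALL case.

```python
import hashlib
import struct

def dsha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def serialize(tx, script_override=None):
    """Legacy (pre-SegWit) serialization; all lengths < 0xfd, so each varint is one byte."""
    out = struct.pack("<I", tx["version"]) + bytes([len(tx["inputs"])])
    for txin in tx["inputs"]:
        script = txin["script_sig"] if script_override is None else script_override
        out += txin["prev_txid"][::-1] + struct.pack("<I", txin["prev_index"])
        out += bytes([len(script)]) + script + struct.pack("<I", txin["sequence"])
    out += bytes([len(tx["outputs"])])
    for value, script_pubkey in tx["outputs"]:
        out += struct.pack("<q", value) + bytes([len(script_pubkey)]) + script_pubkey
    return out + struct.pack("<I", tx["locktime"])

def txid(tx):
    """Transaction id: double SHA-256 over the whole transaction, scriptSig included."""
    return dsha256(serialize(tx))[::-1].hex()

def signed_digest(tx, prev_script_pubkey):
    """What a SIGHASH_ALL signature commits to (single-input case): the scriptSig
    is swapped for the script being spent, so the signature bytes are not covered."""
    return dsha256(serialize(tx, prev_script_pubkey) + struct.pack("<I", 1)).hex()

def same_payment(a, b):
    """Defender's check: same coins spent to the same outputs, whatever the txid."""
    outpoints = lambda t: [(i["prev_txid"], i["prev_index"]) for i in t["inputs"]]
    return outpoints(a) == outpoints(b) and a["outputs"] == b["outputs"]

# Constructed sample data. The scriptSig values are opaque placeholder bytes
# standing in for two encodings of one signature; they are not real signatures.
PREV_SCRIPT = bytes.fromhex("76a914" + "22" * 20 + "88ac")

def make_tx(script_sig):
    return {"version": 1, "locktime": 0,
            "inputs": [{"prev_txid": bytes.fromhex("11" * 32), "prev_index": 0,
                        "script_sig": script_sig, "sequence": 0xFFFFFFFF}],
            "outputs": [(50_000, bytes.fromhex("76a914" + "33" * 20 + "88ac"))]}

ORIGINAL = make_tx(bytes.fromhex("aa" * 72))
RELAYED = make_tx(bytes.fromhex("aa" * 71 + "ab"))

if __name__ == "__main__":
    print("txid as sent:   ", txid(ORIGINAL))
    print("txid as relayed:", txid(RELAYED))
    print("signed data identical:",
          signed_digest(ORIGINAL, PREV_SCRIPT) == signed_digest(RELAYED, PREV_SCRIPT))
    print("same payment:", same_payment(ORIGINAL, RELAYED))
```

Matching on the spent outpoints and the outputs, rather than on the id, is what lets software recognise the relayed copy as the payment it already knows about.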
Mining powers the Bitcoin network and should any group of miners (or a single entity) command 51% of the overall network hashing power, they would effectively control the network. This means that they could reverse transactions, fork the blockchain, etc., with all manner of network-damaging repercussions. Users of the network cannot do anything to prevent this outcome at the moment. This threat will become a concern later – for now it’s a theoretical problem with no contention surrounding control of the Bitcoin network.
Protect Your Bitcoins From Hackers and Thieves [Infographic] by the team at WhoIsHostingThis
This post was last modified on 12/07/2015 10:43