While many of the reports of stolen bitcoins are true, it is important to remember that this is not a fault of the Bitcoin code itself, but a fault in the way the bitcoins are stored. The Bitcoin protocol so far has proven to be extremely resilient to hacks or attacks. That Bitcoin has been around for nearly 6 years with literally billions of dollars up for grabs to anyone who can find an exploit attests to this. A hacker who could actually hack all of Bitcoin would have much to gain, and many of them have surely been scouring the open-source code of Bitcoin to find an exploit with nothing to show for it.
Most recent thefts of Bitcoin can be attributed to one of three faults: users relying on others to hold their bitcoins, storage of bitcoins on an insecure device, or a lack of basic security measures on the user’s part.
Relying on others to hold your bitcoins, typically done through online Bitcoin wallets, is not a terrible thing, but cautiousness is rewarded when doing so. Banks, credit unions, and various other online services hold your dollars, and you probably don’t give it a second thought. But your bank-held money is federally insured to protect you against the bank defaulting. Bitcoin services, so far, are not.
In several instances in the past, Bitcoin services holding thousands or millions of dollars worth of bitcoins have either absconded with them or have been “hacked” (I use the term lightly as it is highly suspected that many “hacks” aren’t actually hacks at all, but simply the operators running off with the users’ money). Either way, the users of those services lost the bitcoins they entrusted to the service.
If you plan to hold your bitcoins in an online wallet or other Bitcoin service that you have no control over, research the entity carefully to find out where they are headquartered, what laws and regulations they are following, and if they are regularly audited. Ideally, the Bitcoin service you use should be located in your own country, follow local laws and regulations, have regular, transparent audits of reserves, and have some outside-investor backing. While this doesn’t guarantee your protection, it certainly gives you a large edge over picking whatever shows up in your first Google search.
I can currently recommend Circle and Coinbase, as they follow local regulations and have significant venture-capital funding.
Storing bitcoins on an insecure device is something that many people do without even realizing it. Computers, smartphones, and tablets are all inherently insecure. If you use bitcoins on your computer, losing them all can be as easy as accidentally downloading a file that carries malware. Even if you have enabled password protection, the malware can log your keystrokes and capture your password the next time you type it.
The best way to combat this type of insecurity for online services is to use two-factor authentication. Scroll down to “Cryptocurrencies” on the Two Factor Auth List to find out which Bitcoin websites support 2FA.
For storing bitcoins on your local computer, the best security comes in the form of a USB hardware wallet called a Trezor, which keeps the keys to your bitcoins on the device itself. While you do have to trust that the team behind the Trezor is honest, they have done their best to be transparent by making the code used by the device available for anyone to look at and critique. The result is a method of storing bitcoins that has been impossible to hack, no matter what malware you have on your computer (though you must still be cautious about malware that changes the Bitcoin addresses you see on the screen).
For storing bitcoins on a smartphone, you must always trust the app-maker, as they can potentially code in backdoors to allow for theft of your bitcoins. Beyond that, the app that currently provides the best security appears to be breadwallet. Either way, you probably don’t want to store more than a “spending amount” on your phone, just like you would only carry a small amount of cash in your wallet for spending.
Another option, though a bit more technical in nature, is to print out paper wallets from a generator such as bitaddress.org. This option is only completely safe when used from a computer not infected with malware, so if you question whether your computer might have malicious software on it, you should not generate paper wallets from the computer.
And finally, the most technical method for security is probably multisig. This method is still in its infancy, so research it well and proceed with caution, but combined with some of the other methods listed, it is probably the best security you will find.
A lack of basic security measures builds on the previous post by reminding people to be diligent about using best practices for their devices and passwords. Here are a few recommendations:
- Keep your computer/smartphone/tablet up to date with any recommended updates.
- Use anti-virus/anti-malware software on your computer, and keep it up to date.
- Hover over links before clicking on them to be sure the link is taking you where you expect.
- Use passwords that are at least 10 characters in length (12+ is preferable) and do not have words in them, as this can render a brute-force attack virtually useless if an attacker manages to get a copy of your password-protected bitcoins.
- Be extremely careful about any email that claims to be from a Bitcoin service you use. Many phishing emails have been sent to Bitcoin users urging them to log in to take care of an issue, only to actually take the user to a copy-cat site that steals their username and password. If you do receive such an email, go to the site directly by typing in the address in your browser instead of clicking on the link in your email.
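To make the "hover over links" and phishing-email advice concrete, here is an added example (not code from the original post) of a small link-vetting check: it parses an email link's href and flags the tricks copy-cat sites rely on, such as a trusted name buried in a longer hostname, a punycode look-alike domain, a bare IP address, or visible link text that does not match the real destination. The TRUSTED_SERVICES allowlist and the sample links are constructed for illustration.

```python
from urllib.parse import urlparse

# Assumed allowlist: the services named on the page. A real one would list the
# exact hostnames you actually log in to.
TRUSTED_SERVICES = {"coinbase.com", "circle.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-part TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def vet_link(href: str, link_text: str = "") -> dict:
    """Return {'ok', 'host', 'reasons'} describing where the link really goes."""
    reasons = []
    url = urlparse(href.strip())
    host = url.hostname or ""
    if url.scheme != "https":
        reasons.append(f"scheme is {url.scheme or 'missing'}, not https")
    if not host:
        reasons.append("no host in link")
        return {"ok": False, "host": host, "reasons": reasons}
    # Internationalized (xn--) labels can render as look-alikes of a trusted name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host: possible homoglyph domain")
    if host.replace(".", "").isdigit():
        reasons.append("link points at a bare IP address")
    # 'https://coinbase.com@203.0.113.5/' shows a trusted name but goes elsewhere.
    if url.username or url.password:
        reasons.append("userinfo before host (user@host trick)")
    reg = registrable_domain(host)
    if reg not in TRUSTED_SERVICES:
        reasons.append(f"domain {reg} is not one of your services")
        # 'coinbase.com.account-verify.example' contains a trusted name but is not it
        for svc in TRUSTED_SERVICES:
            if svc in host and reg != svc:
                reasons.append(f"host embeds '{svc}' but real domain is {reg}")
    # If the visible anchor text looks like a URL, it must agree with the href.
    text = link_text.strip()
    if text and "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and registrable_domain(shown) != reg:
            reasons.append(f"visible text says {shown} but link goes to {host}")
    return {"ok": not reasons, "host": host, "reasons": reasons}
```

Run it on the href you see when hovering over a link; any non-empty reasons list means type the service's address into your browser yourself instead of clicking.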
Bitcoin is still young, and not nearly as user-friendly and secure as we’d like to see it. I liken it to where the internet was in 1992 – it existed, but it was difficult to use and not particularly useful to the average user. But many developers are working on solving these issues for good with devices like the Trezor, to provide security that the masses can rely on.