How secure is Bitcoin?
It’s probably safe to assume that Bitcoin is here to stay. Yes, it’s a bit volatile and yes, other cryptocurrencies are a lot easier to mine and a lot cheaper to buy, but the ever-growing number of ways to spend bitcoins – plus the fact that it’s still around after being proclaimed dead numerous times over the past few years – is a testimony of the resilience of the world’s most popular, and polarizing, cryptocurrency.
Thing is though, this doesn’t mean that you should blindly jump into Bitcoin. Aside from the high price of entry, a string of events over the past year have shown that while the Bitcoin protocol itself may be secure, the wallets and services used to store and exchange Bitcoin may not.
Here’s a quick look into the security of the bitcoin protocol itself as well as some notable instances of large-scale bitcoin theft.
Bitcoin is one of many cryptocurrencies available today. Cryptocurrencies are digital currencies that implement cryptography as a central part of the protocol, in order to establish pseudonymous (or anonymous) and decentralized currencies. Bitcoin uses SHA-256 encryption for both its Proof-of-Work (PoW) system and transaction verification. The security of the bitcoin protocol lies in one of its fundamental characteristics, the transaction blockchain.
The blockchain is basically a chain of multiple “blocks” containing transaction history. The blockchain starts with the initial block, known as the genesis block. Transactions and solved hashes add new blocks after this genesis block, creating a blockchain.
Within the bitcoin protocol, the blockchain that has seen the most work put into it is considered to be the best blockchain and the one that the entire protocol refers to when verifying transactions. Bitcoins are considered spent once a transaction has been verified.
It’s possible (despite belief in the contrary) to trick the blockchain and spend the same bitcoins twice, an action known as double spending.
There are a number of ways this can be done. If a merchant doesn’t wait for transaction confirmation, bitcoins can be double spent by attacker(s) quickly sending two conflicting transactions into the network. Another way is to pre-mine one transaction into a block and then spend the same coins, before releasing the block into the blockchain.
However the amount of computing power required to succeed at this renders it less productive than just to mine bitcoins legitimately.
Bitcoins are stored in wallets, but unlike, say, a PayPal account, these “wallets” don’t actually store the bitcoins themselves. Despite a number of different implementations and formats, generally wallets will contain a public key that is used to receive bitcoins (similar to a bank account number). It also contains a private key that is used to verify that you are indeed the owner of the bitcoins you’re trying to spend.
Storing Bitcoins Offline
Wallets are usually stored digitally, either locally or online, but there are more secure ways to store bitcoins. Your bitcoin “wallets” can be printed out and stored on paper. A paper wallet is a slip of paper with both your private and public keys printed on it.
As mentioned earlier, the bitcoin protocol itself may be secure enough, but this does not extend to all the sites and services that deal in bitcoin. Here’s a quick rundown of some of the more notable instances of security-related issues over the past year or two.
October 2013, online Bitcoin wallet service inputs.io was hacked twice. A total of 4,100 Bitcoins, worth about $1.2 million at the time were stolen via a social engineering attack, gaining access to inputs.io’s systems hosted on Linode, a cloud-hosting provider.
By compromising a series of email accounts, beginning with an email account that the inputs.io founder had set up six years prior to the attack, the hacker managed to gain access to the site’s account on Linode and reset the site’s account password.
Mt. Gox, which used to be one of the leading Bitcoin exchange services, has filed for bankruptcy protection, having lost a staggering amount of bitcoins: $468 million worth!
Mt. Gox’s demise began in early February when it, alongside other Bitcoin exchange sites such as BTC-e, froze Bitcoin withdrawals citing heavy Distributed Denial of Service (DoS) attacks aimed at taking advantage of bitcoin’s transaction malleability.
Simply put, transaction malleability means that it’s possible for valid transactions to be modified so that the transactions appear to not have gone through, when in reality it was succesful.
However, transaction malleability is not a new issue. Neither is it one that is impossible to solve, as Bitcoin developer Greg Maxwell has pointed out.
In fact, other Bitcoin exchanges such as Bitstamp and BTC-E are still operational, having resolved the issues on their side and resumed processing transactions within days after initially freezing transactions. Most damning of all, though, is the aforementioned lost bitcoins and poor security and accounting in Mt Gox, as detailed in a leaked series of slides. There might have been more going on behind the scenes than just issues with transaction malleability.
Silk Road 2.0
In February this year, $2.7 million worth of bitcoins were stolen from Silk Road 2.0‘s escrow account. This heist occured at roughly the same time as the aforementioned DoS attacks on bitcoin exchanges such as Mt. Gox, and exploited the same transaction malleability in the bitcoin protocol.
However, unlike the bitcoin exchanges, which shut themselves down as a precautionary measure, Silk Road 2.0 did not shut itself down and was attacked during a re-launch phase when all bitcoins were stored in hot storage.
However, some users, such as those on Reddit’s DarkNetMarkets, believe that the hacking story was a cover-up – and that Silk Road 2.0 was a scam from the start.
The idea is that the new Dread Pirate Roberts set up the site expressly to steal users’ bitcoins, leveraging on the trust present in the Silk Road name. The illicit nature of the goods bought and sold on Silk Road 2.0 would help such an endeavour, since it would make victims think twice about seeking aid from law enforcement.