- Published: Wednesday, 05 March 2014 09:11
- Written by Editor
With Flexcoin, yet another online bank (or "wallet"), recently hacked and all of its Bitcoin stolen, it would be easy to think that people do not understand the risks involved, or indeed do not even care. It is in fact quite remarkable that people routinely, and without a second thought, entrust the electronic equivalent of a wallet stuffed with money to a complete stranger for safekeeping, never considering that it could be lost or stolen. Only when the assets are lost or stolen is there retrospective thought and regret.
This is typical, however, of most computer users, who simply trust technology or services with valuable data or assets without ever considering that they could be lost forever. Countless millions of computer users amass valuable data on their hard disks, such as financial information, irreplaceable photographs and documents, yet never back it up, assuming that the computer will always switch on and the data will be there. The reality is that sooner or later the computer, and in particular the hard disk as a mechanical device, will inevitably fail, and everything not backed up will be lost.
The same lack of care and awareness currently exists amongst Bitcoin owners who seem content to dump Bitcoin in a web based wallet or exchange out of laziness or convenience, assuming it will always be there when they need it. Recent and ongoing events suggest quite the contrary however, indicating that sooner or later those Bitcoin will be lost to theft, incompetence or both.
So who is to blame - the web based service for losing the Bitcoin or the user for entrusting their Bitcoin to that service? The blame always lies with the owner of the Bitcoin because they have freedom of choice. Everyone can choose whether or not to use a web based service, if so which one, and how to secure the Bitcoin once deposited. Neglecting that responsibility and apportioning blame is not an option.
Ideally every Bitcoin user will have a local "cold storage" - offline - wallet for the vast majority of their Bitcoin, using a secure wallet system such as can be implemented with Armory, only transferring residual funds to a "hot" online wallet as and when required, and ensuring that the online web based wallet is secure.
The question is, what constitutes a secure web based wallet?
Ultimately no web based wallet is totally secure, because if the service as a whole is taken offline for any reason, then the Bitcoin will be lost unless the private keys have been saved securely. The only services that can fulfil these requirements are the on-blockchain wallets, notably the de-facto web based wallet service Blockchain.info. Being on-blockchain, this service is free of external interference and also allows private keys to be saved, so that the Bitcoin owner is always in control. In contrast, off-blockchain wallets are subject to external interference, hacking, and total loss of Bitcoins, because the service stores the Bitcoins in its own wallet, to which only it holds the private keys, and it therefore has access to the Bitcoin of all its users. Anyone using a web based wallet such as this is asking to have their Bitcoin stolen.
Even on-blockchain web based wallet services are not completely secure, because passwords can be stolen, e.g. by trojan key loggers, or used without authorisation by someone trusted. So what additional security measures can be taken?
Secondary Authentication - a.k.a. Two Factor Authentication
A secondary means of authentication is becoming an absolute necessity, so what are the options?
There are a number of ways in which secondary authentication can be achieved, here are some of the most popular ones.
1. SMS Message. The system using two factor authentication sends a code by SMS to a mobile phone, which is then entered in addition to the usual password.
2. Email. The system using two factor authentication sends a code to an email address, which is then entered in addition to the usual password.
3. Google Authenticator. Google Authenticator is a dedicated second factor authorisation system for Google services, but can also be used for Bitcoin services. This software is installed on a smartphone and when running displays a code which can be used on the host site as secondary authentication to the main password.
4. Yubikey. The Yubikey is a hardware solution comprising a small device that plugs in to a USB port and sends a one time password - OTP - to the host service when a button on the device is pressed.
So already there are several options available for securing stored Bitcoins by requiring a secondary code.
In view of the number of account hackings, service hackings and computer trojans that use key loggers to steal passwords, in future anyone whose Bitcoin are not held in an offline, cold stored local wallet, or in an online hot wallet or on-blockchain wallet protected by two factor authentication, is asking to have their Bitcoin stolen.