Bitcoin: Protection in demand

Precautions must be taken to protect your Bitcoin horde, says LogRhythm's Mark Vankempen

Bitcoin: Protection in demand
Bitcoin: Protection in demand

Since its launch in 2009, Bitcoin has been a presence in news headlines. As global commerce increases, some say Bitcoin has the potential to play a large role in revolutionising how people pay for their goods. However, as with any other cryptocurrency, there have been reports of numerous scams, hacks, thefts, defunct “stock exchanges” and lost wallets. And this has led to concerns being raised about just how safe is this e-currency? Therefore, to take full advantage of the flexibility and cost-saving benefits Bitcoin offers, there are several security challenges that need to be addressed.

First, let's look at what Bitcoin is and how it works. Bitcoin is essentially a decentralised digital currency which is based on an open-source, peer-to-peer internet protocol. While it isn't linked to real money, it is traded on various electronic exchanges, which establishes its value.

A Bitcoin wallet (BTC) is basically just like a real wallet filled with cash, which means if it is lost or stolen, there are often large sums of money at stake.

So far there is no airtight solution for those wanting to keep their BTC safe and secure. With the unregulated, decentralised BTC market still in its infancy, and each coin worth such a significant amount of money, it creates the perfect opportunity for bad actors to try and exploit it in any way possible. Fortunately for the Bitcoin miners, the Bitcoin protocol is built in such a robust fashion that there haven't been any reported exploits against the Bitcoin protocol itself. This narrows down the threat vectors to scams, hacks and user negligence.

One notable scam is the Ubitex scam. Ubitex was the first company to be listed on the now-defunct GLBSE “stock exchange”. Its business model was simple – provide the service to let anyone buy and sell BTCs for cash by charging a small fee. It sounds like a good idea. However, the service ended up raising around 1,100 BTCs before the founder disappeared with the BTCs.

More recently, a targeted Bitcoin theft campaign was identified that was actively targeting users of popular Bitcoin exchanges. Arriving in the form of a phishing message, researchers found that one true piece of malware, Password.txt, and a launcher file, Password.txt.lnk, were amongst two other ruse files, which, when run, made several registry changes creating a backdoor into the system. This type of malicious activity, which successfully duped thousands of users, draws further attention to security flaws.

So what needs to be done to better trust Bitcoin? Secure wallet software needs to be created which automatically keeps BTCs safe while also making access to wallets user friendly. The wallet must also include multifactor authentication that requires transactions to have a signature from more than one private key in order to spend the BTC. This adds different layers of protection, as something like this would require a thief to compromise not just a wallet, but all of the private keys as well.

Once a secure method of storing BTCs is in place, all that is left is the due diligence of the user.

With no standards or regulations in place, cyber criminals are more easily able to avoid law enforcement when using or stealing Bitcoins. Therefore, doing some homework on the company or services one plans to spend BTCs on is key. In addition, to better protect a wallet from loss or theft, BTC wallets should not only be backed up and encrypted, but copied and stored in more than one location. And finally, as Bitcoin's value increases, users would be well advised to follow one golden rule: Never keep all of your Bitcoins in the same wallet!

Over the past year, the level of hype around Bitcoin has grown, and will only continue throughout 2014. With a single Bitcoin recently peaking at US$ 1,240 (£761) before dropping back a little, the long-term promise of this currency is big – and it's only matter of time before cyber criminals find a way to exploit this.

Mark Vankempen is senior network security research engineer at LogRhythm