Just over a week ago, Fr33 Aid, an anarchist mutual aid organisation that is centred around supporting volunteers who provide medical and educational services, had its Bitcoins stolen from its online wallet located at Blockchain.info.
Approximately 23 bitcoins were taken, with a value of about 14,500 USD. No small sum. This theft occurred despite reasonable safety measures undertaken by Fr33 Aid on the Blockchain.info site, including the use of two-factor authentication. This kind of event is not new. We frequently hear stories of bitcoins being stolen from people’s wallets. This has happened at Coinbase, it happened to MtGox to the tune of $500 million, which ultimately brought down the exchange, and it also happened to Fr33 Aid’s account at Blockchain.info.
The common theme in all of these is that the wallets were stored in online accounts. Storing one’s bitcoins in an online wallet on a third-party server is one of a few options that users of the cryptocurrency have. In keeping with my argument that Internet security is our responsibility, I will argue that a locally stored wallet should be the option used by those who wish to keep their bitcoins safe.
While there is no shortage of horror stories from people who have lost bitcoins from local storage due to malware or data loss, this can be mitigated and potentially eliminated by following best practices. The issue with online third-party storage is that we are required to trust that the provider is following best practices; in cases such as MtGox, where poor practices were followed, many found out too late.
Probably the most secure way to protect your bitcoins from online theft is to keep them air-gapped, i.e. on a device that is not connected to the internet. An example could be to place your wallet on a thumb drive, and put it in a safe place. If you are using a Linux OS, taking the extra step of encrypting the thumb drive is trivial while formatting the drive. While safe, this is probably best if you are only collecting bitcoins, or if you want to use it to store the majority of your bitcoins while using a secondary wallet for frequent transactions. You can still be on the receiving end of transactions, but to spend you must physically find the thumb drive and break the air gap before using it. There is also the issue of losing the physical media, to which thumb drives appear especially prone.
A practical middle ground that I endorse is a multi-factor solution that uses a few simple tools to keep your wallet secure from theft and from coin loss. It’s not particularly revolutionary, and these basic principles are outlined on bitcoin.org. Here is a simple, specific example of how to undertake these steps.
This example will be using Bitcoin Core (formerly Bitcoin-QT) as the wallet program. Though not feature rich, it is simple and secure. When downloading your wallet, always make sure to download from a trusted source. A random website serving you Bitcoin Core may bundle malware designed to steal your coins with it. Barring a breach of the Bitcoin Foundation’s servers, you can be reasonably sure that you are getting the software you asked for from their site. If you are using an older version of Bitcoin-QT, it is good practice to keep your software up to date and install the latest version of Bitcoin Core.
When using Bitcoin Core, the first step to securing your wallet is to use the encryption feature in the wallet. This can be accessed from Settings > Encrypt wallet.
Choose a strong passphrase that you will not forget. If you forget this passphrase, you have effectively lost your bitcoins. This feature encrypts your private keys and prevents bitcoins being sent from your address unless the passphrase is supplied to authorise the transaction. This means if someone gains physical access to your machine, or to air-gapped physical storage, they will be able to see the contents of your wallet, including your address, but they will not be able to steal your coins without breaking the encryption, which is not trivial.
Such a simple feature protects against coin theft, though coin loss presents a far greater risk than theft. So we move on to backing up our wallet. Online storage is far more convenient than physical storage, and less prone to loss. Often these storage solutions are not secure, so when backing up a wallet, an extra level of security is not to be disregarded.
In order to back up your wallet using Bitcoin Core, from the menu go to File > backup wallet.
Choose a save location and save. This creates a copy of your ‘wallet.dat’ which contains your private keys. An extremely secure solution to back this up is to use PGP to encrypt and email the file to yourself. This has a number of advantages, as it obscures the fact that you are even sending a wallet backup, meaning it will be less likely to be targeted by a malicious entity. You can use a keyword in the subject line of the email to make it searchable later, and the email will automatically be time-stamped. This is important because, right now, you will need to create a new backup if you create a new address within your wallet. If you have multiple email accounts using PGP, you can automatically have a copy saved in each account.
If you have not yet, but are interested in setting up PGP with your email, you can follow this guide here.
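One way to script the PGP step described above, as an added example that is not part of the original article: it encrypts the exported backup to your own key and confirms that the ciphertext decrypts to identical bytes before the file is emailed or uploaded. It assumes GnuPG and GNU coreutils `sha256sum` are installed; the function names, file names and recipient address are hypothetical.

```shell
#!/bin/sh
# Added example: encrypt a wallet backup to your own PGP key and check that the
# ciphertext decrypts to the same bytes before it is e-mailed or uploaded.
# Assumes GnuPG and GNU coreutils (sha256sum). Names and paths are hypothetical.

# sha256_of FILE: print the SHA-256 hex digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# encrypt_backup PLAINTEXT RECIPIENT OUTFILE
# RECIPIENT is the key ID or e-mail address of your own PGP key.
encrypt_backup() {
    # Refuse a missing or empty export: an empty wallet.dat copy is useless.
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    # --armor produces text that survives e-mail. Pick an OUTFILE name that
    # does not contain "wallet" so the attachment does not advertise itself.
    gpg --batch --yes --armor --encrypt --recipient "$2" \
        --output "$3" "$1" || return 1
    chmod 600 "$3"
}

# verify_backup PLAINTEXT ENCRYPTED
# Succeeds only if ENCRYPTED decrypts to exactly the bytes of PLAINTEXT.
verify_backup() {
    [ -s "$1" ] || return 1
    want=$(sha256_of "$1") || return 1
    got=$(gpg --batch --quiet --decrypt "$2" 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# backup_wallet PLAINTEXT RECIPIENT OUTFILE
# Encrypt, then verify. A ciphertext that fails verification is deleted so it
# can never be mistaken for a good backup. The plaintext export is left alone.
backup_wallet() {
    encrypt_backup "$1" "$2" "$3" || return 1
    if ! verify_backup "$1" "$3"; then
        rm -f -- "$3"
        echo "verification failed, no backup written" >&2
        return 1
    fi
    echo "verified: $3 ($(sha256_of "$1"))"
}

# Usage (run after File > backup wallet has written the export):
#   backup_wallet ~/export.dat you@example.org ~/archive-01.asc
```

The verification step needs your private key, so run it on the machine that holds the key; a backup you cannot decrypt is equivalent to a lost wallet.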
If you do not wish to set up PGP, another solution is to take your wallet.dat and encrypt it with WinRar/Rar. Encrypting a file using Rar will, on most machines, involve right-clicking on the file and selecting “add to archive”. From here select the Advanced tab, and then Set Password.
As always, a strong passphrase is crucial. Checking the Obscure file names box will increase security by concealing the existence of the wallet backup from any potential attacker. From here you can take this encrypted compressed file and place it in some online storage such as Dropbox, or email it to yourself for safe keeping.
Technologically there is nothing stopping cryptocurrencies from changing the world, bypassing the need for conventional banking systems and flouting government regulation of commerce. We just need some great minds to implement this, and we need people to have the confidence to adopt it.
Following these steps is just one way to conveniently access your wallet while at the same time keeping your Bitcoins safe from theft or loss. The future of cryptocurrency is predicated on trust and confidence in the system. Over time, better integrated solutions are likely to be developed for wallet security. In the meantime, keeping ourselves safe from loss and theft not only benefits us personally, but also creates better confidence in the concept of cryptocurrencies, and ensures a more robust future for these technologies.