The Dying Problem of Bitcoin Hacks and Thefts

Although the days of massive bitcoin thefts are not behind us, better security solutions are slowly making their way to market. As we saw with the recent theft from Bitstamp’s hot wallet, even the largest, most-experienced players in the bitcoin space can have trouble securing their own bitcoins. Having said that, there have been a variety of new security solutions, such as multisig addresses and hardware wallets, that will make bitcoin security much simpler for everyone. As the proper tools and security techniques for safely storing bitcoins become common knowledge throughout the community, we should see a continued decline in the number of large thefts that take place on a regular basis.

 Bitcoins vs bitcoin IOUs

The first issue with thefts and hacks in the bitcoin world has to do with education. For whatever reason, many people who use online exchanges or wallets seem to believe that they are holding bitcoins in their various accounts at Coinbase, Bitstamp, Circle, and other online bitcoin solutions. The reality is that users of these sites are storing bitcoin IOUs, not actual bitcoins. One of the golden rules of bitcoin is that the owner of the private key to an address is the one who owns the bitcoins associated with that address.

The largest thefts in the bitcoin space have happened at the various exchanges and online wallet services that pile up bitcoins from a large number of different users, so it’s important for the general public to realise that they are responsible for the security of their own bitcoins. The point of building bitcoin, which was outlined in Satoshi’s original white paper, was to create a “peer-to-peer electronic cash system.” Perhaps many of the risks associated with bitcoin security could be avoided if more users simply read the white paper. In this paper, the need that was fulfilled with the invention of bitcoin was clearly laid out on the first page:

[blockquote]What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.[/blockquote]

Although the removal of trusted third parties is a key point mentioned by Satoshi in the paper, many people are still building and using centralized, trusted third parties built on top of the bitcoin protocol. It may take more time — and unfortunately more thefts — for the basic point of bitcoin to become implanted into the minds of bitcoin users. The amount of trust placed in these third parties is often quite unbelievable, even after the MtGox debacle in early 2013. For example, the potential bitcoin ETF coming from the Winklevoss Twins includes no insurance for shareholders, and the creators of the ETF are not liable in cases of stolen or lost bitcoins. It should be noted that Circle is one of the few online wallet providers who offers insurance for the entirety of their hot and cold wallets — with the exception in cases where a user’s password was compromised.

Secure storage is becoming easier

The good news for anyone who is looking to take back the responsibility of securing their own private keys is that plenty of new options have hit the market over the past two years. Hardware wallets, such as Trezor, allow users to store their private keys offline, while also having the ability to sign transactions to be sent to an Internet-connected device. Malware on the Internet-connected smartphone or laptop may attempt to trick the Trezor user into sending bitcoins to the wrong address, but the screen and buttons on the Trezor make it clear which address the bitcoins are being sent to before the transaction is authorised.

Multisig addresses have also gained some notoriety over the past year, and Bitstamp has finally decided to join the multisig movement after their own hot wallet was hacked earlier this month. The premise of a multisig address is that multiple signatures are needed for a transaction to be sent. One example of a company using multisig to their advantage is GreenAddress. This is an online wallet where transactions must be signed by both the user and GreenAddress before they can be sent. This allows users to get some added security from a third party without giving control of their funds over to that third party. If GreenAddress starts behaving badly or simply disappears, full control over the wallet can automatically return to the user after a predetermined amount of time. The setup of GreenAddress’s online wallet gives users access to traditional banking security options, such as daily spending limits, in addition to an unique solution for instant confirmations.

Multisig addresses are not limited to requiring signatures from multiple people before a transaction can be sent, this special kind of address can also be used by individuals who wish to require signatures from more than one of their own computing devices. This creates a new form of two-factor authentication based on bitcoin where a user can require a signature from their desktop computer and their smartphone before a transaction is sent. Bitcoin Authenticator is one of the wallet providers currently working on this sort of functionality.


What needs to happen next?

Education on proper bitcoin security and responsibility over one’s private keys is going to be a crucial element to preventing more large-scale thefts in the future, but hardware wallets and multisig addresses also need to become more available to the general public. The Trezor is still a bit expensive for the average bitcoin user, but Ledger is currently working on improvements to their own alternative, smartcard-based solution that could bring these sorts of hardware devices to the masses in the near future. As long as more people decide to take control of their own private keys and take advantage of the new security solutions that are becoming available each year, we should see the slow death of bitcoin thefts continue to improve the integrity of the entire ecosystem.

Banner image courtesy of

Leave a Comment

Your email address will not be published.