One of the most powerful myths about Bitcoin — the encrypted, independent online currency that’s become a huge trend in recent months — is that Bitcoin is “secure.”
Bitcoin.org, the semi-official voice of the Bitcoin community, says “the whole system is protected by heavily peer-reviewed cryptographic algorithms like those used for online banking. No organization or individual can control Bitcoin, and the network remains secure even if not all of its users can be trusted.”
But Bitcoin is not secure.
There have been dozens of robberies of Bitcoin banks and exchanges, and millions of dollars have been lost.
To put that in perspective, if robbers were routinely walking into brick-and-mortar banks and taking millions of dollars, with zero consequences and no arrests, it would make huge headlines every day. The media would be on high alert for the next heist.
But on the Internet, Bitcoin thefts worth hundreds of thousands and millions of dollars happen on a weekly basis and no one cares.
Here are a few recent examples of Bitcoin robberies, and then we’ll explain why Bitcoin is not 100% “secure.”
- The Chinese Bitcoin GBL went offline earlier this month, taking $4.1 million in users’ accounts with it.
- In Australia, a Bitcoin exchange run by an 18-year-old user named “Tradefortress,” claims to have lost $1 million of his users’ money.
- Also in November, a Czech exchange, Bitcash.cz, declared that hackers had made off with an undisclosed amount stored in its users’ Bitcoin wallets.
- In September, Bitfloor announced that it had lost $250,000 in hacked Bitcoins.
- Last year $228,845 was stolen from a trading platform known as Bitcoinica.
Perhaps the biggest heist was pulled off by the U.S. government. After Ross Ulbricht, the alleged “Dread Pirate Roberts” who ran the online drugs market Silk Road was arrested by the FBI, authorities reported they had seized nearly $29 million in Bitcoins controlled by him. Techdirt later noted that some of the money may have belonged to users who did business on his site, and not all the business transacted there was illegal.
Don’t hold you breath for refunds.
The user known as “allinvain” is a long-time contributor to the Bitcoin forums. He says he’s been mining Bitcoins for over a year, and had amassed a fortune of 25,000 BTC. This was a modest sum a few months ago, when Bitcoins were worth pennies, but over the last two months the value of a Bitcoin skyrocketed to around $20, which means 25,000 BTC would have been worth half a million dollars. “I remember watching the price like a hawk,” he wrote.
And then disaster struck. “I just woke up to see a very large chunk of my bitcoin balance gone,” he wrote. “Needles [sic] to say I feel like I have lost faith in bitcoin.” He speculated that a Windows security flaw may have allowed the culprit to gain access to his digital wallet. “I feel like killing myself now,” he said.
Bitcoin is vulnerable in the same way any other online asset is vulnerable: Passwords can be stolen or guessed, accounts can be hacked. Most of the thefts involve hacking into users’ accounts. Bitfloor’s description of how it lost $250,000 in Bitcoin is typical. A hacker found an unencrypted copy of the coded keys to users’ wallets:
“Last night, a few of our servers were compromised. As a result, the attacker gained accesses to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins. This attack took the vast majority of the coins BitFloor was holding on hand. As a result, I have paused all exchange operations.”
In fact, Bitcoin defenders say this is exactly the point. Bitcoin isn’t insecure — you are!
“Although these events are unfortunate, none of them involve Bitcoin itself being hacked, nor imply inherent flaws in Bitcoin; just like a bank robbery doesn’t mean that the dollar is compromised. However, it is accurate to say that a complete set of good practices and intuitive security solutions is needed to give users better protection of their money, and to reduce the general risk of theft and loss.”
The idea that Bitcoin is “secure” even though it can be stolen is a bit like saying that gold is “secure,” even if it is being spirited away by gangsters. They can’t destroy the gold, after all.
What they really mean is that Bitcoins themselves cannot be copied or faked, like counterfeit bills. Anyone receiving a Bitcoin can be confident that it is real and valuable.
But that aspect of its security — the permanence of the value in the transaction — turns out to be Bitcoin’s biggest security flaw. Once a Bitcoin transaction has been approved by both sides, it cannot be reversed without the permission of the receipient. So when hackers engineer the transaction, the cash is gone forever.
That’s not what happens with traditional currency. In the U.S., if your bank is robbed or even if the bank goes out of business, the FDIC backs up the lost deposits and replaces your money, up to $250,000 per bank.
And then there is this new theory from Cornell University which posits that there is an incentive in the system for users to cooperate and hoard their coins until they control a majority of available Bitcoins. At that point, the currency collapses.
Bitcoin is only as “secure” as the fallible, ill-intentioned users who open accounts, create passwords and covet their fellows’ wallets.
Which is to say, not especially secure.