NEW YORK (InsideBitcoins) — If there’s anything bitcoin users learned over the last year, it’s that the technology around digital currency still needs time to evolve. The current state of bitcoin security has been put to the test ever since the Mt.Gox fiasco in February, where users lost thousands. Since then, MintPal was taken over by new management who shut down bitcoin withdrawals unexpectedly, withholding nearly 4,000 bitcoins to this day. Along with that, Blockchain.info reported a vulnerability allowing a white-hat hacker to remove 200 bitcoins from the platform, in effect saving them from other hackers with malicious intentions.
According to Dmitry Murashchik, community manager at Mycelium, the bitcoin community needs to focus improvement on two major areas to both protect users from adverse situations and spur bitcoin adoption: privacy and security.
Worried about privacy and regulators
In 2001, the United States passed the USA Patriot Act requiring Know Your Customer (KYC) laws for all U.S. banks. KYC laws verify customer identities in order to prevent identity theft and money laundering by linking people directly to their banking information and monitoring their transactions based on their expected behavior.
“The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party,” Satoshi Nakamoto said in his original bitcoin white paper. “The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous.”
The core technology of bitcoin, the blockchain, is an open ledger that doesn’t keep secrets, but also doesn’t link personal information to an address. All transactions can be traced to a source, but not to a particular person if they choose to remain anonymous. Unless users store their bitcoins with a company that is required to collect personal information, such as Coinbase, their transactions can remain anonymous.
“Bitcoin is a very radical technology, and we have no doubts that it will cause a lot of friction with a lot of established powers that are, let’s say, unfriendly to their citizens,” Murashchik said.
Bitcoin should be anonymous by default
Earlier this year, the New York Department of Financial Services (NYDFS) announced their proposed BitLicense regulation that required strict KYC laws for bitcoin businesses on all transactions.
One of Murashchik’s worries about regulations like BitLicense is the theory of white and black bitcoin addresses. Linking personal information to bitcoin addresses creates categories of identified and anonymous addresses that could be used in government regulations similar to BitLicense.
In theory, white addresses contain bitcoins that are held in and pass through government-registered addresses and are permitted as long as they can be traced back to a company or individual. Black addresses contain bitcoins that are not identifiable to a particular person or company.
The NYDFS eventually eased the proposed BitLicense regulations in December, saying that as originally proposed the rule was “not workable” for digital currency, but the notion initially spurred the theory of identifiable white addresses and anonymous black addresses. While the NYDFS hasn’t imposed these regulations on bitcoin users and companies yet, Murashchik thinks the issue should be handled proactively.
“If we can get bitcoin to be anonymous by default, without any intentional action on user’s part, possible regulations like blacklisted addresses and requirements for citizens to register addresses to their names will be dead before they can even be proposed,” he said. “We want to make sure that bitcoin will still be usable, even in hostile environments, and want to make sure we get some technologies in place before certain regulations come out that may harm bitcoin in certain countries, such as white addresses and address blacklists.”
Security innovations still a significant problem
In November, a Polish Computer Emergency Response Team, CERT Polska, reported that they found malware that replaces bitcoin addresses copied to the clipboard with a hard-coded one, sending bitcoin to an unintended address. While the address they found only contains 6.5 bitcoins, the malware they uncovered is one of the many threats to properly securing bitcoin wallets and transactions.
According to a poll of avid bitcoin users on Reddit last April, 292 of 714 bitcoin users responding utilized three different wallets to store and secure their bitcoins: Bitcoin Core on their personal computer, Coinbase or Blockchain.info online.
By using the Bitcoin Core wallet, users have control of their private keys but are still susceptible to malware like the one CERT Polska identified. Coinbase and Blockchain.info users must trust each wallet to keep their bitcoins safe. While Coinbase claims to insure customers’ lost bitcoins, Blockchain.info does not.
There are known avenues that make bitcoin as secure as possible, such as multi-signature wallets. Such wallets eliminate the necessity to trust a third-party provider. While they’re proven methods of securing bitcoins, multi-signature wallets aren’t an industry standard; they still take quite a bit of knowledge to fully understand, making the education gap even wider for the average consumer.
“It still takes a bit of skill and bitcoin knowledge to be able to secure your bitcoins properly, and viruses and zero day exploits are still a threat,” Murashchik said.
There are other ways besides multi-signature wallets to secure bitcoins as well. Through multi-factor authentication, offline transactions and routine backups, bitcoin holders can make sure their coins are safe as long as they have the dedication. However, each choice requires users to go through a different process, which can be hard to grasp, in order to properly secure their finances, even while using core services.
“We hope to get to the point where people could store and carry their bitcoins with them on their phones or dedicated devices, with security being easy enough for anyone to do properly, and risk from hacks or thefts being almost impossible,” Murashchik said.