SAN FRANCISCO – BITCOIN’S future may not rely on stabilizing its price swings or signing up more merchants to accept the virtual currency. Rather, it may rely on its image.
In the last few months, the value of Bitcoin has been cut in half, in the face of questions about security issues and concerns about new regulations.
Warren E. Buffett referred to the currency as a “mirage” in an interview last month and told people to “stay away.” Would-be adopters and investors have grown fearful as hackers develop new ways to steal Bitcoin and major Bitcoin exchanges shut down. The Internal Revenue Service has even weighed in on how Bitcoin will be taxed.
Proponents have a mounting public relations crisis on their hands, particularly as Bitcoin becomes hackers’ preferred payment method. Hackers have recently taken to mounting large-scale denial-of-service attacks on tech start-ups — most recently, Meetup.org, a social meeting site; Vimeo, the video sharing service; and Basecamp, a project management software company — and demanding payments via Bitcoin as ransom to cease.
Even the Bitcoin Foundation, a nonprofit group that was set up to promote Bitcoin’s legitimate use, was marred after one of its board members was arrested and charged with money laundering.
In fact, the biggest Bitcoin holder is the United States government, after the F.B.I. seized some 144,000 coins — roughly $66 million at current prices — from Silk Road, the now-defunct digital market that prosecutors say aided drug deals and other illicit transactions.
Consumer confidence in and adoption of new technologies — especially regarding money — are highly dependent on security, or at least the public’s perception of security. To that end, Bitcoin enthusiasts, cryptographers and security researchers are putting renewed focus on security and self-policing.
They face an uphill battle. While the Bitcoin system itself is protected by strong cryptography, thieves have pilfered hundreds of millions of dollars’ worth of coins by exploiting weaknesses in private key storage systems and hundreds of millions more from exchanges.
Joe Stewart and Pat Litke, two security researchers at Dell SecureWorks, set out in recent months to evaluate the threats facing Bitcoin. They discovered more than 120 unique families of malware on the Internet that had been specifically engineered to steal Bitcoin wallet files from people’s computers, or to steal coins through other means, such as recording a user’s keystrokes so that an attacker could capture the user’s private keys as they were typed in.
The most common strains of malware they discovered were so-called wallet stealers, software specifically designed to search for a user’s Bitcoin wallet on a hard drive or in well-known file locations. The attackers would then upload the information to a remote server, extract the keys and steal coins.
Security experts have long advised the use of long, secure passwords, but Mr. Litke and Mr. Stewart found that in some cases, the attackers managed to bypass strong passcodes by using a keylogger, which records passwords when victims type them in, or by monitoring the copy-and-paste clipboard function.
When the researchers tested the cryptocurrency malware against popular antivirus systems, they found the average detection rate was an abysmal 48.9 percent. More than half of major antivirus solutions failed to detect attackers’ malicious code. And, unlike cases of credit card fraud, in which credit card companies can reimburse the victims, Bitcoin theft is similar to theft of cash. Once it’s gone, it’s probably gone for good.
“It’s incredibly easy for malware to steal Bitcoin, especially if you’re keeping them on the same computer you use to casually browse the Internet,” Mr. Stewart said. “There are so many holes for criminals to walk through.”
Mr. Stewart and other security researchers now advise users to keep their Bitcoin in so-called cold storage. The private keys needed to conduct a transaction are stored on a secure offline device, or even printed out, much like storing the bulk of one’s cash in a physical safe.
Some of the biggest Bitcoin thefts have occurred at the exchanges. Mt. Gox’s operators say hackers were able to steal more than $450 million worth of Bitcoin using a bug that tricked its system into moving a user’s coins to an attacker’s account, while simultaneously fooling Mt. Gox’s system into thinking the withdrawal did not go through.
Mt. Gox would then resend the requested amount, effectively doubling the withdrawal from a user’s account. Mt. Gox asserted that hackers used this bug to make off with 850,000 coins — 750,000 owned by customers and 100,000 owned by Mt. Gox at the time of the announcement. One month later, Mark Karpeles, Mt. Gox’s 28-year-old chief executive, said the company had found 200,000 coins in an old wallet.
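The double-withdrawal the article describes is a reconciliation bug: the exchange looked for the transaction id it had broadcast, but that id is a hash over the whole transaction, signature encoding included, so a relay that re-encodes the signature produces a confirmed copy under a different id, and the exchange concludes the payment failed and pays again. The toy model below is an added illustration, not Mt. Gox’s code; the `Exchange`, `Tx` and `malleate` names and the coin ids are constructed. It runs the same scenario against a ledger that matches by transaction id and against one that matches by the inputs spent, which an outsider cannot alter.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    inputs: frozenset   # ids of the exchange's coins this tx spends
    outputs: tuple      # ((address, amount), ...)
    sig: bytes          # signature encoding; a relay can re-encode it
    def txid(self) -> str:
        # The id hashes the whole tx, signature bytes included
        blob = repr((sorted(self.inputs), self.outputs, self.sig))
        return hashlib.sha256(blob.encode()).hexdigest()

def malleate(tx: Tx) -> Tx:
    # Same inputs and outputs, different encoding, so a different txid
    return Tx(tx.inputs, tx.outputs, tx.sig + b"\x00")

class Exchange:
    def __init__(self, match_by_inputs: bool):
        self.match_by_inputs = match_by_inputs
        self.pending = {}   # withdrawal id -> Tx as broadcast
        self.paid = 0.0     # total coins the exchange has sent out
        self.seq = 0        # next unspent coin to fund a withdrawal

    def withdraw(self, wid: str, addr: str, amount: float) -> Tx:
        self.seq += 1
        tx = Tx(frozenset({f"coin{self.seq}"}), ((addr, amount),), b"sig")
        self.pending[wid] = tx
        self.paid += amount
        return tx

    def reconcile(self, confirmed: list) -> None:
        """Settle pending withdrawals against confirmed txs; resend the rest."""
        ids = {c.txid() for c in confirmed}
        spent = {i for c in confirmed for i in c.inputs}
        for wid, tx in list(self.pending.items()):
            if self.match_by_inputs:
                settled = bool(tx.inputs & spent)  # inputs cannot be altered
            else:
                settled = tx.txid() in ids         # id can be altered
            del self.pending[wid]
            if not settled:                        # vulnerable path: pays twice
                addr, amount = tx.outputs[0]
                self.withdraw(wid + "-retry", addr, amount)

def run(match_by_inputs: bool) -> float:
    # One 1.0 BTC withdrawal whose tx is malleated before it confirms
    ex = Exchange(match_by_inputs)
    tx = ex.withdraw("w1", "addr", 1.0)
    ex.reconcile([malleate(tx)])   # the chain confirms the mutated copy
    return ex.paid
```

With id matching the exchange pays out 2.0 coins for a 1.0 withdrawal; with input matching it pays 1.0, because the mutated copy still spends the same coin.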
But last week, two Swiss researchers compared Mt. Gox’s assertions with what they had witnessed across Bitcoin’s distributed network. By creating specialized nodes that could trace and dump all transactions across the Bitcoin network, they found that only 386 coins could have been successfully stolen from the Bitcoin network using the bug Mt. Gox cited. Their conclusion: Some 650,000 coins were unaccounted for.
Representatives for Mt. Gox did not return requests for comment. But after Mt. Gox was shut down in late February, other prominent exchanges were suddenly attacked. Flexcoin said it was hacked on March 2, forcing it to shut down. On March 5, Crypto-Trade also said it was attacked, but recently said it had resumed allowing Bitcoin withdrawals. To avoid similar fates, Bitcoin proponents, researchers and exchanges have started new systems and self-regulations to help instill confidence among adopters and bring Bitcoin into mainstream use.
Two programmers from the Czech Republic, Marek Palatinus and Pavol Ruznak, created the Trezor Wallet after Mr. Palatinus lost more than 3,000 coins to cyberthieves. The wallet, a hardware device that cannot be infected by malware, makes cold storage more practical. A new Bitcoin vault service, Xapo, is promising to insure deposits from any losses to hacker attacks, theft by a Xapo employee, break-ins at its vault or any bankruptcy.
Elsewhere, exchanges are working to improve “transaction integrity verification,” or the system by which transactions can be tied back to identities. An initiative called the Bison Network — or the Bitcoin Identity Security Open Network — is working with Jumio, a four-year-old credential management company backed by Andreessen Horowitz, the venture capital firm, to validate buyers’ identities using Jumio’s software.
And after the I.R.S. announced last week that Bitcoin would be considered property and taxed as such, media reports pointed out that those living in the United States would have to begin the onerous task of tracking their Bitcoin purchases, or risk submitting fraudulent tax returns. Customers of Overstock, for example, may need accountants to figure out capital gains taxes on all the ups and downs of their Bitcoin holdings if they use the virtual currency every time they buy furniture on the site.
The worry, many say, is that mounting security and a proliferation of rules could mean death by a thousand cuts. Max Levchin, a co-founder of PayPal, the digital payment system that itself was the target for hackers before it achieved acceptance, said in an interview this week that Bitcoin’s fate would ultimately be dictated by whether users could find the right balance between security and convenience.
“What is slowing down adoption is that Bitcoin can be hard to understand and hard to use,” Mr. Levchin said. “It has to get really simple. For that simplicity to really happen, most often it necessarily has to become less secure to become more convenient.”
“But at PayPal,” Mr. Levchin added, “I’d like to claim we found the intersection. So I know it’s doable.”