
5 Steps to Protecting Your BitCoins from Internet Thieves and Wallet Stealing Viruses

DrDamnit
By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet.

BitCoin is an incredible invention. It is a decentralized currency system, which is the freest of all currency and trade systems conceived to date. Send and receive money with anyone in the world right from your computer without the need of any special subscription service or bank account.

But there's a problem: your money can be easily stolen.

The BitCoin application stores your BitCoins in a file called wallet.dat. The file, under normal circumstances and when it is in use, is unencrypted and vulnerable to theft.

And so comes the classic dichotomy between security and usability. If you're savvy enough to be using BitCoin, then you don't need to be told that ease of use and security are at odds with one another. Further, you also know that the more valuable something is, the more it needs to be protected because it becomes a larger target for the "bad guys".

BitCoin is no exception. Imagine the hundreds of thousands of computers on the internet that are actively running a BitCoin application. Now imagine that you have written a virus, which you cleverly distribute as "update" software or via email. Once run, the virus exploits the system with one goal: find your wallet.dat file, and send it back home to the mothership.

Now, imagine that you were only successful 1% of the time. As of this writing, there are approximately 6,809,350 BitCoins (BTC) valued at $14 USD each. That's $95M USD. If you were to scam just 1%, you would have yourself your first million dollars.

Now comes the ultimate question: am I the first one to think of this? Of course not. It has already been done. On June 14th, a member of the BitCoin user forum reported being hacked and losing 25,000 BTC ($350,000 USD) in a single evening.

It has already happened. It WILL happen to you if you do not take immediate action to protect yourself.

Five Steps to Protecting your BitCoins


1. Use Two Wallets


Because you need to be able to accept BitCoins at any given time, you must have the BitCoin program running at all times. Moreover, the system itself needs the processing and computing power. But, in order to receive BitCoins, you must have an active, unencrypted, and usable wallet.dat file. Thus, as a best practice, use a bank wallet and an operating wallet. The concept is easy and simple: use your operating wallet to receive money, and use your bank wallet to store it. Keep a minimum amount of BitCoin in your operating wallet, and keep your "bank roll" in your bank wallet.

2. Rename Your Wallet

Viruses, hackers, and thieves are going to be on the lookout for a file called "wallet.dat". They will know where it is normally located, and they will search for it. Rename your wallet.dat file to something like bank.dat, and move it from the default directory. Making it harder to find is the first step in protecting your BitCoins.

3. Encrypt Your Bank Wallet


Your bank wallet should be encrypted. Many recommend keeping it on an encrypted drive, and while this may be a good idea in theory, it is not the ideal approach, because an encrypted drive may stay mounted on your operating system for days or weeks at a time. You may inadvertently (or stupidly) set it to mount automatically under some condition (such as a reboot), which will leave the wallet available. The preferred method is GPG encryption. The technology relies on a public / private key system, and can be used to encrypt files on a file-by-file basis. By encrypting the bank.dat file, you ensure that even if it is stolen, it will be completely unusable. (Of course, this brings up another topic: keep your secret key private. See the notes at the end of this chapter for a best practice on that.)

4. Backup Your Bank Wallet


Now that you have successfully moved the vast majority of your BitCoins to a secondary, "bank" wallet, you need to back it up. You need multiple copies of that wallet in secure locations. Because the wallet is encrypted using your GPG (or PGP) keys, you can safely use whatever off-site backup method you find the most convenient. You can use Mozy Online Backup for free, or any other remote backup system that encrypts your data and provides automatic backup against fire, flood, and other disasters. (Dropbox is frequently used, but does not provide automatic backups unless you are actually storing your encrypted wallet in Dropbox.)

5. Don't Trust the Backup


We are talking about money here. You don't trust any one source with your backups. Keep a current copy of your Bank Wallet on an encrypted thumb drive, and keep that thumb drive under lock and key. Believe in yourself above all other people. That includes banks and corporations. You are the only person who truly cares whether or not your investments pan out. No one puts your financial safety as high a priority as you do. So, don't count on your backup to work. Don't count on your DSL to stay online to back up your files after you just received a big transfer. Keep copies yourself!
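
One way to act on steps 4 and 5 is to check every backup copy against the current encrypted bank wallet instead of assuming the copy is good. The script below is an added example, not part of the original article; the file name bank.dat.gpg, the directory names and the function names are assumptions, and the demo data is constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so a large wallet need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def check_backups(primary, backup_dirs):
    """Return {directory: 'ok' | 'missing' | 'mismatch' | 'plaintext-present'}."""
    primary = Path(primary)
    want = sha256_of(primary)
    plain_names = {primary.stem, "wallet.dat"}  # bank.dat.gpg -> bank.dat
    report = {}
    for d in map(Path, backup_dirs):
        copy = d / primary.name
        if any((d / n).exists() for n in plain_names):
            report[str(d)] = "plaintext-present"  # unencrypted wallet left behind
        elif not copy.is_file():
            report[str(d)] = "missing"
        elif sha256_of(copy) != want:
            report[str(d)] = "mismatch"           # stale or cut-off copy
        else:
            report[str(d)] = "ok"
    return report

def demo():
    """Audit a constructed directory tree; no real wallet data is involved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        blob = os.urandom(4096)  # constructed stand-in for GPG ciphertext
        (root / "bank.dat.gpg").write_bytes(blob)
        layout = {"usb": {"bank.dat.gpg": blob},
                  "offsite": {"bank.dat.gpg": blob[:2048]},  # upload cut short
                  "dropbox": {},
                  "laptop": {"bank.dat.gpg": blob, "bank.dat": b"plaintext"}}
        for name, files in layout.items():
            (root / name).mkdir()
            for fname, data in files.items():
                (root / name / fname).write_bytes(data)
        report = check_backups(root / "bank.dat.gpg", [root / n for n in layout])
        return {Path(d).name: status for d, status in report.items()}

if __name__ == "__main__":
    print("\n".join(f"{loc:8} {status}" for loc, status in demo().items()))
```

A matching hash only shows that a copy is byte-identical to the current encrypted file; decrypting a restored copy is still the real test that the backup works.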

The Nitty Gritty: Finding your files


Finding your files on different operating systems may be daunting if you don't know where to look. So, I've made it convenient for you:

Windows XP:
C:\Documents and Settings\USERNAME\Application Data\Bitcoin\wallet.dat

Windows Vista & 7:
C:\Users\USERNAME\AppData\Roaming\Bitcoin\wallet.dat

Ubuntu/Linux:
/home/user/.bitcoin/wallet.dat

Mac OSX:
/Users/user/Library/Application Support/Bitcoin/wallet.dat*

*The Mac OSX location has not been verified. If you can verify this, please do so by leaving a comment below.

If your system has been compromised


If your computer is infected with a virus or is otherwise compromised, take the following action immediately:

1. On a separate, secure computer, create a new BitCoin wallet
2. Transfer your BitCoins from your compromised wallet to the new wallet (Do not delete the compromised wallet!)
3. Change your passwords (especially those for your encrypted drives, password managers such as Keepass, and your backup service).
4. Ensure the security of the Bank Wallet.
5. Restore order to the system.

Conclusion


Your security is first and foremost your own responsibility. By treating your BitCoin data files with the same reverence and protective instincts you would cash or gold, you can easily and significantly limit your exposure. The beauty of a P2P virtual currency like BitCoin is the freedom it bestows upon us. But, like all freedom, it is a double-edged sword: it comes with responsibility.

Recommended Programs and Services

Mozy Online Backup (Free up to 2GB) (Recommended because it is automatic).
Dropbox (Free up to 2GB)
Cryptophane - Windows GUI for GnuPG Encryption (Recommended to encrypt your Bank Wallet)
TrueCrypt - Encrypt Your USB Drive (Recommended for the on-site, do-it-yourself backup of your Bank Wallet)
BitCoin.org - Download Your BitCoin Client
Keepass Password Safe - Use this to generate random, strong passwords for your account and to keep a copy of your private GPG / PGP keys stored securely in the notes field in Keepass database. Be sure to back this up too!


Comments (6)

Jason C. Levine
Don't talk to me.
CERTIFIED EXPERT

Commented:
Nice.  +1
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2015

Commented:
Hypothetical situation: let's say you didn't encrypt your wallet, but you did make backups. I am confused as to how having a backup of your wallet protects you if a person or virus steals your wallet. Wouldn't spending the captured BitCoins be the first thing done after acquiring them? How would having a backup file negate this?
Kevin Cross
Chief Technology Officer
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:
Michael,

Thank you for writing this. As usual, a very interesting read; you definitely have my Yes vote above. Your five tips in conjunction with TerryAtOpus's "Risks of Bitcoins - Don't Get Virtually Mugged" Article will hopefully allow me to hold on to the tiny bits of coin I do have. *smile*

Best regards,
Kevin
Terry Woods
Web Developer, specialising in WordPress
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:
I only just discovered this article, after I wrote my 2nd one relating to Bitcoins - fortunately we haven't overlapped much! I will have to investigate how to set up alerts for new articles.

Your comment "Because you need to be able to accept BitCoins at any given time, you must have the BitCoin program running at all times" doesn't entirely make sense - you can receive Bitcoins at any time to a wallet address that isn't currently being accessed by any Bitcoin client (ie to your banking wallet addresses). It doesn't matter if the only wallet file containing the data for the address is in your encrypted backup file (hopefully, with multiple copies stored in multiple physical locations). You can find the balance against each receiving address using http://blockexplorer.com so you don't even need to open the wallet in a Bitcoin client to determine your balance. There would be no harm in storing an online list of your wallet's receiving addresses with an untrusted 3rd party so that you can easily get a total balance whenever you like.

The technique you describe is definitely still useful for when you want to spend a small number of Bitcoins without going through the hassle of booting a Live CD with your secure wallet (or whatever technique you use). A nice analogy might be how businesses have a petty cash box for convenience, but everyone knows it's vulnerable to theft and it never holds an amount that will bankrupt the business.

Voted helpful!

Cheers,
Terry
There is already a bitcoin mining botnet. Security sites are reporting a large botnet seeking to rip off bitcoin users

btw nice article
