"Online wallet services" are an invitation to theft and fraud. Do not use them. I've been saying that since July 2011 (https://bitcointalk.org/index.php?topic=26260.0), before MyBitcoin ran off with everyone's money, and it's just as true today as it was then.
If you lost money today I feel for you, but seriously, it's your own damn fault. A Bitcoin is only yours if it was last sent to an address that is yours, and an address is only yours if no one else knows what it is - in other words, you have to have generated it anew on a secure, malware-free computer, and avoided ever putting the wallet file on any computer that has malware or that is not yours.
Which is essentially saying BTC will never become more than a semi-serious play thing for the tech community. How is the non-tech user ever going to be able to use this with anywhere near level of trust/safety they do with current traditional currencies. Hell, a lot of my tech friends can't keep their computer secure/clean, not to mention backed-up, so how are Joe and Jane Average?
Or, alternatively BTC embraces the same banking industry setup it is trying to get away from.
That said, I don't disagree with what you are saying (and upvoted) - just pointing out some implications.
Those who want to trust BTC banks can do so. But now people have the choice not to trust them and instead manage their wallet themselves. You don't have that choice in the current banking system.
When I moved to the US, I spent a week+ living on cash until I had my bank account set up. Being able to buy pre-paid VISA cards for cash at retailers solves the part of the online issue as well. You can be a 'mattress' banker with cash if you wish, securing your house just like you would secure your computer.
Not sure there is as big as a difference between BTC and the current as people would lead you to believe. Emphasis on as since there obviously are differences - at least until new laws get thought up and passed.
Yes, right now using these online wallets is not really an option if you are at all concerned about your bitcoins. But it will be in the future. Because online wallets are not less secure than an E-Banking account at a conventional bank. The difference is that banks spend a lot more money on security than the current online wallet operators (think penetration testing, code review, dedicated security staff, option to have two-factor authentication etc).
> Because online wallets are not less secure than an E-Banking account at a conventional bank.
Nope. Look at everything you can do with your online bank account. Transfers to other accounts, wires, bill pay, stop payments, ACH (if you're lucky), etc. What's the common there? All those transaction are reversable. This makes it hard for hackers to steal money from banks, they need an unwitting third party (mule) to accept an account transfer, and then go to a branch or ATM to withdraw cash.
So it's not like your online banking accounts are secure, you can purchase any number of stolen online banking credentials from trojan/botnet operators. The price for those accounts is quite low, because the real effort is in finding unwitting mules.
The problem with bitcoin, is that bitcoin transfers are irreversable. So banks will never be able to protect bitcoin wallets effectively, because they can't rely on being able to reverse transactions for compromised accounts.
I worked in a bank designing systems at one point. Even with methods to retrieve money lost through fraudulent transactions, they still had monthly 'Fraud' budgets much larger than my salary for money they couldn't retrieve. Imagine BTC services 'Fraud Budget' when all transactions are non-reversible.
Banks do have a massive advantage in 'Practical' security as well in the form of a 'big stick' aided by the government. Since the practical risks of fraud against a bank are much higher than fraud against an online BTC service (who is the FBI more likely to help), the exposure would be much bigger.
You make strong points, but (and without wanting to rehash some tedious arguments) there is still the fundamental difference that "e-banking" is not dealing with "e-cash" the way Bitcoin is "e-cash." Different members of the audience perceive this variously as a benefit or a drawback, but either way it will complicate security.
> How is the non-tech user ever going to be able to use this with anywhere near level of trust/safety they do with current traditional currencies.
Near everyone I know, regardless of age, does their banking online. I don't see how this is any different than a username/password being stored on some banking server, and getting stolen.
Best case? You boot to a clean ISO, make a wallet, generate an address, write down the public/private key, transfer all your btc to it, and call it a day. There is no digital trace, and you have a paper wallet.
If your bank is hacked you as the user are not liable for the loss. Online transactions are traceable and reversible. Banks are heavily regulated and the legal regime is well defined. Etc etc etc.
Having your online banking hacked is a bit like being mugged on the way out of the bank. Having an online wallet service hacked is like someone driving in a truck, emptying the vault and leaving without a trace.
Insurance works on risk profiles. Insurance also works by limiting exactly what situations they do and do not cover (see: All the people who 'thought' they had flood insurance over the years).
Something tells me insurance is going to be a lot more expensive for BTC, which can have a range of impacts that will make it unpalatable for the average consumer, if they or online services can even get (try insuring a Audi R8 under an 18 year old's name...)
Not surprising; 'Insurance' is less likely to have the impact people are saying it will - either it will be incredibly hard to get insurance in the first place (making it more of a non-factor), and/or it will not provide the same level of coverage/safety-net as you get with a Bank, and hence BTC will never get to the same level of trust.
Either case, I don't think 'Insurance' is going to be the magic thing that will make BTC as viable as traditional currencies.
Actuaries happen to be quite good an quantifying risk. If the price is right, someone will be willing to insure it. An insurer with a specialist background in systems and security could do well.
The actual problem is the implications of underwriting a fiat currency with a "real" currency.
While this is true, it's extremely hard to keep your computer free of any kind of malware. There are many trojans that go undetected for enough time to do serious damage. I personally know a guy that, even with having anti virus installed, had 2500 BTC stolen from his personal computer.
So really, so far the most secure way to store Bitcoin is either to encrypt private key and only then store it somewhere, or print it out, store it in a safe and remove all traces from the computer. Better yet - use a locally hosted javascript app to generate the pair and never write it to disk, from where it could be recovered even after deletion.
I'm now working on developing a Bitcoin platform that will enable you to do exactly this - your private keys will be generated on your computer, encrypted with PBKDF2-derived passphrase from your password and only then stored on our servers. This way no one except you can ever touch the coins.
Yes, I learned it the hard way when I had around 200 BTC stolen from the online service I was using. I kept blaming the service but the fact is it's stupid to think of bitcoins = hard currencies and online wallet services = bank.
Someone on bitcointalk.org [1] noticed that approximately 42,000 BTC (currently worth about US$4.3 million) was just transferred out of one of Instawallet's accounts [2]. No idea whether the transaction was Instawallet's doing, or the attacker's.
Ah wait a minute. That address is worth $4.3m, but the number of coins transfered from Instawallet cold storage is $1.5m. There are three transactions. One is old. Two are new, and only one of the new ones is labeled as "Instawallet Cold Storage".
One of the other addresses in that list has a history of moving around thousands of BTC. Perhaps it's all some sort of behind-the-scenes Instawallet address.
If it's actual cold storage, then it's probably just them taking precautions. The whole point of cold storage is to make the wallet immune to a server breach. But who knows? It sounds like their security was sloppy.
[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation.
The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control.
You can't prevent double spending without being able to track where individual coins go. So we can know that X BTC went from wallet A to wallet B. Bitcoin is anonymous in the sense of linking owners to wallets. Even if someone asks to send Y bitcoins to wallet C as payment for something, you can't know from the wallet address where the wallet is stored or even if it isn't the wallet of a third party to whom that someone owes bitcoins.
Instawallet has always only been meant to keep spare change for quick transactions. For the longest time you could type into google site:instawallet.org/w and get a list of URLs with money in them, it's not secure.
Neither is Strongcoin who had all their wallet labels leaked recently, some of which users had decided to type in the hints for their key passwords.
If I remember correctly Instawallet is a ruby/rails app run by the same people who do Bitcoin-Central.net. If you look at their other app Instawire you see lot's of ruby gems used, in a financial application, not good.
I'm a big believer in the future of bitcoin and hold a significant amount. However I find holding bitcoin terrifying. There is just so much that can go wrong - from data loss, to personal tragedy, to hackers, to algorithmic weaknesses.
Ultimately we probably need insured, trusted third parties to hold keys, such that even if there is a breach, someone financially viable is on the line to reimburse.
Individuals holding their own keys may be a nice dream, but its highly impractical for most people if they have a significant portion of their wealth in bitcoin. Certainly there will be very high net worth people and security maniacs who want to hold their own keys, but I believe most people will want a third party to guarantee them.
Printing out cryptographic keys and storing them in a safety deposit box, or using a clunky key management utility, is exactly the sort of step that will not work for most people.
I'm not talking about techies, early adopters, and fanatics. I'm talking about buckwild and clerks.
Only if you don't trust the encryption on your cold wallet backup where you generated the keys. Personally I'd keep both, encrypted drive and printed keys then if say the bank is robbed or burns to the ground you can still transfer the coins.
You'd want to also make sure the printer isn't storing memory of those keys that were printed.
Some weird startup out of Europe is splitting up $2mil worth of coins on 3 USB encrypted sticks, using Shamir's secret sharing as the master key to decrypt (this according to Bitcoin magazine). Sounds like a bad idea I don't trust wear leveling drives that could fail taking all your coins with them
You can make Shamir's secret sharing redundant if you are worried about that.
You could make say, 6 USB drives, any 3 which can recovery your wallet. As long as no more than -half- fail you would then be fine. And you can set either number as high or low as you like, of course.
And it's not like wear leveling should come in to play if you aren't actually writing to them.
This is true. Until BTC can be insured, and thus, easy for most people to feel secure having, bitcoin is going to have a serious drag on widespread adoption.
1.
Keep your own self-generated, backupable and recoverable wallet without dependency on any third party babysitting services that are being consistently broken into (and your money is lost).
Electrum wallet is recommended as it also allows you to export "master public key" using which you may launch your own online store business and accept bitcoins as a payment without risk of losing money if someone hacks your online store.
2.
Use third party service only for buying and selling bitcoins. As soon as transaction is complete - transfer bitcoins back to your own wallet.
3.
Have a will so your loved one could get a hold of coins. Just in case.
Yes Electrum is good but remember you're relying on somebody else's blockchain instead of your own. Though I generally trust the Electrum blockchain servers you never know.
Your online store key, you should be using some sort of script to generate receive payment addresses offline and stick those in a db. The payments should go to a cold wallet you can either with a serial cable send a txn or manually enter the signed transactions, but that's just my paranoid security
The beauty of electrum master public key is that it can be used to generate unlimited number of "receive only" bitcoin addresses. Server script could do it for each sale. If someone hacks into server - he can't steal anything, because Electrum's master private key (to send money) never stored in server.
The server appears to no longer be responding. That would appear to indicate a non-April fools joke (coupled with the fact that they shouldn't really be pulling pranks in the first place).
Though I like seeing sites pulling an April Fool's joke, I do think any money-related sites (so bitcoin sites as well) have to say no to pulling pranks on their users.
...I can't imagine a financial company would ever actually take down their main site and claim to have been compromised just as a joke. For one thing, it's not even funny, so where's the joke? And second, it's obviously really bad for business. I think it's safe to assume this is real.
If it is an April fools joke, it's a terrible one. They should have been more creative. As it is, they're just destroying the trust in their brand. Nothing funny about it.
If you lost money today I feel for you, but seriously, it's your own damn fault. A Bitcoin is only yours if it was last sent to an address that is yours, and an address is only yours if no one else knows what it is - in other words, you have to have generated it anew on a secure, malware-free computer, and avoided ever putting the wallet file on any computer that has malware or that is not yours.
Seriously, stop it, you fools.