Bitcoin, the decentralized virtual currency whose value has skyrocketed in recent weeks, faced a key test Monday as a veteran user reported that Bitcoins worth hundreds of thousands of dollars had been stolen from his computer.
Ars Technica was unable to independently verify the user’s story, and he did not respond to our request for an interview. But whether the story is true or not, it highlights a major disadvantage of the currency’s much-touted lack of intermediaries. Bypassing middlemen frees users from government meddling and bank fees. But it also deprives them of the benefits those intermediaries provide, including protection against theft and fraud.
As we reported last week, Bitcoin’s key selling point is its clever peer-to-peer scheme for recording transactions. Rather than relying on a centralized database, the Bitcoin protocol allows any computer on the Internet to participate in the payment clearing process. At the end of each 10-minute round, one of the nodes is chosen at random to receive a payment for its contribution to the process. For this reason, participating in the clearing process is known as “mining” Bitcoins.
The user known as “allinvain” is a long-time contributor to the Bitcoin forums. He says he’s been mining Bitcoins for over a year, and had amassed a fortune of 25,000 BTC. This was a modest sum a few months ago, when Bitcoins were worth pennies, but over the last two months the value of a Bitcoin skyrocketed to around $20, which means 25,000 BTC would have been worth half a million dollars. “I remember watching the price like a hawk,” he wrote.
And then disaster struck. “I just woke up to see a very large chunk of my bitcoin balance gone,” he wrote. “Needles [sic] to say I feel like I have lost faith in bitcoin.” He speculated that a Windows security flaw may have allowed the culprit to gain access to his digital wallet. “I feel like killing myself now,” he said.
Some other members of the Bitcoin forum expressed skepticism about allinvain’s story, but most believed it. Another member of the Bitcoin forums chimed in to report that he’d lost a smaller amount of money to the same Bitcoin address.
Forum members discussed several options, including calling the police and asking MtGox, the popular Bitcoin currency exchange, to block the funds from being converted into more traditional currencies.
Ars Technica talked to Gavin Andresen, the leader of the Bitcoin software project, about the incident. Andresen said that it would be difficult to confirm the authenticity of the report. “All Bitcoin transactions are broadcast on the network,” he said. “So if someone wanted to claim they lost a bunch of bitcoins, they could claim that any transaction on the network belonged to them.”
Still, the kind of attack described in the post is certainly possible. Andresen says he always emphasizes that Bitcoin is an experiment, and not (yet) for the faint of heart. “Unfortunately, this is an expensive test case for the guy who lost the Bitcoins,” he said.
Andresen says that there’s currently no good infrastructure for tracking down stolen Bitcoins. And, he said, there may never be a good mechanism for reversing unauthorized transactions because Bitcoin transactions are designed to be irreversible. “Once a transaction hits the network, you can generate other transactions that depend on that transaction,” he said. “So Bitcoin transactions get tangled up fairly quickly.”
Even if it were technically feasible, adding a mechanism for disputing transactions would create headaches of its own, because that mechanism could be used fraudulently as well. “Merchants like that there are no chargebacks” with Bitcoin transactions, Andresen said.
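Andresen's point about transactions getting "tangled up" can be made concrete with a small graph walk. The following is an added example, not code from the Bitcoin project; the ledger, its transaction names and its payees are constructed for illustration, and each transaction is simplified to a list of the earlier transactions it spends plus a single payee.

```python
from collections import deque

# Constructed sample ledger: txid -> (txids whose outputs it spends, payee).
LEDGER = {
    "mined_a": ([], "victim"),
    "theft": (["mined_a"], "thief"),
    "t2": (["theft"], "exchange"),
    "t3": (["theft"], "thief_second_address"),
    "mined_b": ([], "merchant"),
    "t4": (["t2", "mined_b"], "supplier"),  # mixes disputed and clean coins
    "t5": (["t4"], "employee"),
    "mined_c": ([], "miner_c"),
    "t6": (["mined_c"], "landlord"),  # unrelated to the theft
}


def descendants(ledger, txid):
    """All transactions that directly or indirectly spend outputs of txid."""
    children = {}
    for child, (parents, _payee) in ledger.items():
        for parent in parents:
            children.setdefault(parent, []).append(child)
    seen, queue = set(), deque([txid])
    while queue:
        for child in children.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def payees_to_unwind(ledger, txid):
    """Parties whose payments would be invalidated if txid were reversed."""
    return sorted(ledger[t][1] for t in descendants(ledger, txid))


if __name__ == "__main__":
    print(sorted(descendants(LEDGER, "theft")))
    print(payees_to_unwind(LEDGER, "theft"))
```

Reversing the one disputed transaction here would also void payments to a supplier and an employee who never dealt with the thief, because their coins were mixed with the disputed ones two hops later.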
Right now, then, Bitcoin is a “work in progress” only suitable for the most technically savvy users. Will Bitcoin eventually be ready for the masses? Andresen thinks so. He told Ars that the Bitcoin protocol is flexible enough to support clients that handle security in a more sophisticated way. For example, a future client could split a user’s private key between his PC and his cell phone. As long as no one compromised both devices simultaneously, the user’s bitcoin would be safe.
Still, a financial system without intermediaries has some inherent downsides. Splitting a Bitcoin user’s private key between a computer and a cell phone makes it harder to compromise, but it also creates new risks. For example, unless the user backs up his cell phone separately from his computer, losing the phone would mean losing the Bitcoins. A multifactor authentication scheme also can’t protect a user who is tricked into authorizing a payment to the wrong party.
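The trade-off described in the last two paragraphs can be shown with the simplest possible two-way split, an XOR of the key with a random pad. This is an added example, not the design Andresen described or anything in the Bitcoin client; the function names and the "pc", "phone" and "phone_backup" labels are hypothetical.

```python
import secrets
from typing import Dict, Optional, Tuple

KEY_LEN = 32  # a Bitcoin private key is a 256-bit number


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != KEY_LEN or len(b) != KEY_LEN:
        raise ValueError("shares and keys must be 32 bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(private_key: bytes) -> Tuple[bytes, bytes]:
    """Return (pc_share, phone_share); both are needed to rebuild the key."""
    pc_share = secrets.token_bytes(KEY_LEN)  # uniformly random pad
    return pc_share, _xor(private_key, pc_share)


def recover(devices: Dict[str, bytes]) -> Optional[bytes]:
    """Rebuild the key from surviving shares, or None if a half is gone."""
    pc = devices.get("pc")
    phone = devices.get("phone") or devices.get("phone_backup")
    if pc is None or phone is None:
        return None
    return _xor(pc, phone)


def share_that_explains(candidate_key: bytes, stolen_share: bytes) -> bytes:
    """The missing share under which stolen_share would decode to candidate_key.

    One exists for every candidate, so a single stolen share rules out no key.
    """
    return _xor(candidate_key, stolen_share)


def demo() -> dict:
    key = secrets.token_bytes(KEY_LEN)  # constructed sample, not a real wallet key
    pc, phone = split_key(key)
    decoy = secrets.token_bytes(KEY_LEN)
    return {
        "both_devices": recover({"pc": pc, "phone": phone}) == key,
        "pc_only_thief": _xor(pc, share_that_explains(decoy, pc)) == decoy,
        "phone_lost": recover({"pc": pc}),
        "phone_lost_with_backup": recover({"pc": pc, "phone_backup": phone}) == key,
    }


if __name__ == "__main__":
    print(demo())
```

This sketch reassembles the whole key in one place when `recover` runs, so the device doing the signing still holds the full key at that moment.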
Indeed, the traditional banking system offers consumers protections against fraud that are hard to replicate in any system without intermediaries. For example, federal regulations limit consumer liability for fraudulent credit card transactions to $50, and some banks offer cards that reduce the consumer’s liability to zero.
And because liability for fraud falls mostly on the banks and credit card networks, these parties have invested in infrastructure to detect and deter fraud. They set minimum standards for getting a merchant account to exclude fly-by-night companies. They carefully monitor their customers’ transactions and investigate any that look suspicious. And with the help of law enforcement, they aggressively prosecute fraud, both to recover lost funds and to deter other potential criminals.
Of course, some anti-theft and anti-fraud services can be built on top of the extant Bitcoin infrastructure. For example, ClearCoin holds payments in escrow for sellers until buyers receive their orders, making Bitcoin purchases less risky. And services like MyBitcoin hold Bitcoins on their customers’ behalf. Presumably, these “online wallet” services can invest more heavily in securing their systems than individual users would.
But this is just to say that the disadvantages of an intermediary-free banking system can be mitigated by reintroducing intermediaries. And if most users are interacting with Bitcoin via intermediaries like ClearCoin and MyBitcoin, it’s not obvious how many of the system’s much-touted advantages are preserved. If your Bitcoins are held by a third party like MyBitcoin, then a government can force MyBitcoin to freeze your account just as it can force a traditional bank to do so.
In any event, Andresen seems unfazed by the heist and confident of Bitcoin’s long-term viability. “These problems will get solved,” he told Ars, arguing that the Bitcoin community simply hasn’t grown large enough to throw serious engineering resources at them. And the broader Bitcoin community seems to agree. The market price of a Bitcoin has been stable over the last 48 hours at just under $20.