
Topic: Be careful when copy-pasting a Bitcoin address (Read 372 times)

legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
February 19, 2021, 01:30:48 PM
#24
bc1qc6qu0yurccrrfaqcqvafaw2u5ae9r4q5nuk4mszjeyt4klf4m6rqjyzzx8
bc1qc6qu0yurccrrfaqcqvafaw2u5ae9r4q5nuk4mszjeyt4klf4m6rqjyzzx8

Yes, they are the same, but that's one hella of a long address. (It's valid too.)
legendary
Activity: 2716
Merit: 1225
Once a man, twice a child!
Be careful when copy-pasting a Bitcoin address. Current clipboard malware tries to replace them with similar-looking addresses that start and end with the same characters.
This post is really inspiring for me as an eye opener and that's why I am commenting thus. I don't intend to resurrect a dead thread, even though that looks like what it may be now. Howbeit, it will also help alert newbies to the antics of scammers with wallet addresses. Normally, I check three parts before sending out: the first 4-5 letters, the middle of the address and the last 4-5 letters. I like taking my time while doing this and it doesn't matter how much I am sending out, because I believe that in financial dealings there isn't any need for hastiness. It should be handled with the precision of a lawyer handling a murder case.
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
AFAIK it's disabled by default, but the config that I'm using is still the same as the old builds whose settings I've tinkered with, so I could be wrong.
Anyways, it's not a newbie-friendly way to send bitcoins, so it must be disabled.
HCP
legendary
Activity: 2086
Merit: 4361
It has been a while since I first used the 4.0.0a0 beta that I compiled, but I really don't recall setting (or even seeing) that option... is it enabled by default? I'd assume from the "advanced" name that it isn't and my memory is just bad.
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
Once you click on that, you are presented with the "Create Transaction" window that lets you set the fee, RBF (and even LockTime!) and shows all the relevant details, such as the inputs and outputs etc:
That will only show directly if you enabled it in the settings (Tools->Preferences->'Transactions' tab->Advanced preview).

Otherwise, it will only show a fee-slider, 'advanced' button (same as preview) and 'send' button.
HCP
legendary
Activity: 2086
Merit: 4361
Correct. There are separate buttons for "Send" and "Preview", and only clicking the latter will give you a preview of the addresses you are sending to. Clicking the former gives you a confirmation of the amount and the fee only (and asks for your password if you have one), but not the addresses.

I would agree that if you are using Electrum as a hot wallet, it would be a good idea to always show the preview window prior to signing.
Looks as though you're going to get your wish, as the workflow looks like it is being changed in the upcoming v4 release of Electrum...
No, I'm just a moron that forgot about ticking boxes in the preferences... thanks nc50lc! - See next post!

Now on the initial "send" tab, there is just a "Pay" button:

Once you click on that, you are presented with the "Create Transaction" window that lets you set the fee, RBF (and even LockTime!) and shows all the relevant details, such as the inputs and outputs etc:

Once you click "Finalize", you then see the final transaction size and details and can export, save, combine, sign+broadcast etc:

legendary
Activity: 2730
Merit: 7065
just like verifying the address is mandatory on Ledgers.
It actually isn't mandatory. I thought it was in the past as well. But you can open up your Ledger Live software and generate a new receiving address without checking and verifying it on your hardware device. You'll see a warning that the address has not been verified and no hardware wallet is connected, but it is still possible to do.

Regarding the clipboard virus. +1 for the way Nano S handles this. Each address is divided into 3 parts because of the screen size of Nano S. It makes it even easier to check the address.   
legendary
Activity: 2268
Merit: 18711
I haven't used Electrum for sending BTC, is preview non-mandatory?
Correct. There are separate buttons for "Send" and "Preview", and only clicking the latter will give you a preview of the addresses you are sending to. Clicking the former gives you a confirmation of the amount and the fee only (and asks for your password if you have one), but not the addresses.

I only use Electrum either in conjunction with a hardware wallet or on a permanently airgapped machine, so I am always forced to confirm my transactions prior to them being broadcast. I would agree that if you are using Electrum as a hot wallet, it would be a good idea to always show the preview window prior to signing.
legendary
Activity: 1134
Merit: 1598
Problem is in fact that most Electrum users do not use preview button before they click send button
~
I haven't used Electrum for sending BTC, is preview non-mandatory? If so, then it should be mandatory to avoid this issue from occurring, just like verifying the address is mandatory on Ledgers. Although it doesn't avoid the issue completely as one can simply ignore the preview window, it does pop up to subconsciously remind you "hey, check the address again!".

Same thing goes for seed backup upon wallet creation. All wallets should impose a mandatory seed backup and verification without the possibility of taking a screenshot of the seed or copying it to the clipboard for extra protection. I have seen too many wallets letting their users skip the process. It's a crucial step for any of us, not only for newbies. I have ignored the seed backup step many times recently although I am aware of how important a step it is!

Now that I'm using HWs only, it feels pretty scary to think about using a wallet without having to confirm a tx by pushing the buttons of an external device.
legendary
Activity: 2268
Merit: 18711
a lot of users struggle with how much bitcoin is "worth".
It's ridiculous really. If you were moving $10,000 between bank accounts, or transferring to someone else, or paying off a bill, etc., then almost everyone is going to double check the details on the paperwork or the online form. But when it comes to moving a bitcoin or two around, suddenly cutting corners and only checking three or four characters is the norm.

Can you imagine if your fiat bank called you up and said "Sorry, we lost your money because we didn't double check the account number we were sending it to". You'd be up in arms, taking legal action, definitely moving to a different bank. Why should bitcoin be any different?

As you say, unfortunately some people aren't responsible enough to be their own bank.
hero member
Activity: 2716
Merit: 904
It is best practice for me, compared to just pasting the BTC address and sending without knowing whether you sent it to the correct address or sent the wrong amount of BTC.
I'm aware of this malware as I was also a victim of it in the past; luckily it was just a certain amount that I could easily move on from and learn.
Now this is new: they are going for a similar address. I think I like your tip, as normally when I verify the address I just look at the last 3 chars.

And I think it's best to use a SegWit address because I haven't heard of any SegWit users experiencing copy-paste malware. What do you think?
If only our local exchange supported SegWit, then I'd certainly use SegWit instead of a legacy address.

@bL4nkcode thanks for the warning... got electrum accounts but I don't put all my btc in different wallets.
legendary
Activity: 3374
Merit: 3095
That's why I keep my Electrum wallet disconnected from any nodes/servers and always use https://coinb.in/#verify before I broadcast the transaction, so that I can first check whether the address and the amount are correct before I broadcast it on Coinb.in or ViaBTC.

It is best practice for me, compared to just pasting the BTC address and sending without knowing whether you sent it to the correct address or sent the wrong amount of BTC.

And I think it's best to use a SegWit address because I haven't heard of any SegWit users experiencing copy-paste malware. What do you think?
HCP
legendary
Activity: 2086
Merit: 4361
Even if you think my method takes a few seconds longer, then surely it's worth it for your security? We are talking literal seconds. The average person wastes over 2 hours per day on social media.
Sadly, I think you're tilting at windows o_e_l_e_o

People are lazy... and I suspect that because of the volatile nature of bitcoin (in $$$ terms) and the fact that you can't really spend bitcoin on anything, a lot of users struggle with how much bitcoin is "worth"... until it all gets "stolen" due to their own laziness and failure to "Be their own Bank's security department".

This is why we constantly see threads pop up where users have fallen victim to copy/paste malware... or simply copy/pasted the wrong address from another app/program... or not written down their seed mnemonic on paper and just copy/pasted it into an email/txt document or taken a screenshot...

I've had instances where I thought I had copied the correct address and then pasted it, but when checking the transaction details before sending, I discovered that I had actually pasted in a previously copied address that had already been on the clipboard (not malware, I just hadn't ctrl-c'd properly).

So, I totally agree with you. It isn't hard to check a full address... and like you say, if the value is any more than $5 you can be sure I'm double checking my work at a minimum!
legendary
Activity: 2268
Merit: 18711
the problem is finding a valid address that has a private key. the second one is not valid and there is no way to find an address that has so many similar characters from a private key since it would take until the end of time!
But that's exactly my point. Even with two addresses which are more similar than anything malware can achieve, or indeed, which are more similar than is even possible, it is absolutely trivial to immediately spot the differences when you just physically put them next to each other.

I've never understood the arguments about checking 5 characters, or maybe it should be 6, or maybe 8, or maybe 5 at the start and 5 at the end, or maybe 3 is ok if you also check some in the middle, etc. My method is both quicker and more secure than reading x characters, alt-tabbing to a new window, checking the x characters, reading x more characters, alt-tabbing back, checking those x characters, and so on. Even if you think my method takes a few seconds longer, then surely it's worth it for your security? We are talking literal seconds. The average person wastes over 2 hours per day on social media.
legendary
Activity: 3472
Merit: 10611
1Ny9qqL7qsyzCmLjfUzVRMy8ej569wGQey
1Ny9qqLNqsyzFmLtf2zVAMy2ej539wGQey

the problem is finding a valid address that has a private key. the second one is not valid and there is no way to find an address that has so many similar characters from a private key since it would take until the end of time! the malware does the former.
otherwise, to be annoying, you could easily find a collision to an address without a private key. here is my tiny attempt:
1Ny9qqL7qsyzCmLjfUzVRMyBS3HmoWGQey
1Ny9qqL7qsyzCmLjfUzVRMxopVwyQrGQey
1Ny9qqL7qxb1tYX2XmPY2Run9tVJgCGQey
1Ny9qqL7r1XpRjeevXJQfeTEFfLyndGQey
1Ny9qqL7qsmxZSauMYSrr6PHGEfasNGQey
1Ny9qqL7qzL46Tfd8U5AV2h2fonMuoGQey
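The following is an added example, written for this page; it is not code posted by anyone in the thread and not Electrum code. It covers two points raised above: the opening post's description of swap malware that keeps the first and last characters the same, and pooya87's point that the second address o_e_l_e_o posted fails the Base58Check checksum while checksum-valid lookalikes with no private key are cheap to find. It implements Base58Check decode/encode and validation, a side-by-side diff that marks every differing column, a "same n characters at both ends, different, both valid" heuristic that a clipboard monitor could apply, and a brute-force that re-rolls only the low 4 bytes of a hash160 until a checksum-valid address with the same prefix and chosen suffix appears. Assumptions: the genesis-block address is used only as a known-valid input; the forged result has no known private key, so it demonstrates cost, not an attack; the 58**k work estimate is a rough approximation because the leading '1' is fixed and the first characters are not uniformly distributed.

```python
import hashlib
from typing import List, Optional

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample inputs: the two addresses posted in this thread, plus the
# well-known genesis-block address (used here only as a known-valid address).
THREAD_ADDR = "1Ny9qqL7qsyzCmLjfUzVRMy8ej569wGQey"
THREAD_FAKE = "1Ny9qqLNqsyzFmLtf2zVAMy2ej539wGQey"
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"


def b58decode(s: str) -> bytes:
    """Base58 -> bytes; each leading '1' stands for one leading 0x00 byte."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    return b58encode(payload + checksum(payload))


def base58check_valid(addr: str) -> bool:
    """Legacy address = 1 version byte + 20-byte hash160 + 4-byte checksum (25 bytes)."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[-4:] == checksum(raw[:-4])


def diff_positions(a: str, b: str) -> List[int]:
    """Indices where the two strings differ; any extra length counts as differing."""
    common = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return common + list(range(min(len(a), len(b)), max(len(a), len(b))))


def side_by_side(a: str, b: str) -> str:
    """Stack the two addresses and put a '^' under every column that differs."""
    marks = "".join(" " if x == y else "^" for x, y in zip(a, b))
    return f"{a}\n{b}\n{marks}"


def looks_like_swap(copied: str, pasted: str, n: int = 4) -> bool:
    """Clipboard-monitor heuristic: a *different* checksum-valid address that still
    shares the first and last n characters is exactly the swap pattern described above."""
    if copied == pasted or not (base58check_valid(copied) and base58check_valid(pasted)):
        return False
    return copied[:n] == pasted[:n] and copied[-n:] == pasted[-n:]


def forge_lookalike(addr: str, suffix_len: int = 2, max_tries: int = 1_000_000) -> Optional[str]:
    """Brute-force a checksum-valid address keeping addr's prefix and last suffix_len chars.
    Only the low 4 bytes of the hash160 are varied, so the high-order characters stay put
    and the tail (plus checksum) is re-rolled until the suffix matches.  No private key is
    produced for the result: that is the expensive part, roughly 58**k work per k characters."""
    payload = b58decode(addr)[:-4]
    version, h160 = payload[:1], payload[1:]
    tail = addr[-suffix_len:]
    for i in range(1, max_tries):
        cand = base58check_encode(version + h160[:-4] + i.to_bytes(4, "big"))
        if cand != addr and len(cand) == len(addr) and cand.endswith(tail):
            return cand
    return None


def lookalike_work(matched_chars: int) -> int:
    """Rough expected trials to match that many chosen characters (assumption: ~58 per position)."""
    return 58 ** matched_chars


if __name__ == "__main__":
    print(side_by_side(THREAD_ADDR, THREAD_FAKE))
    print("second thread address passes checksum:", base58check_valid(THREAD_FAKE))
    fake = forge_lookalike(GENESIS)
    print(side_by_side(GENESIS, fake))
    print("flagged as swap with n=2:", looks_like_swap(GENESIS, fake, n=2))
    print("work to match 8 chosen characters ~", lookalike_work(8))
```

Running it shows the seven differing columns in o_e_l_e_o's pair at a glance, which is the point of putting the addresses physically next to each other, and that a two-character matching suffix with a valid checksum falls out of a few thousand hash attempts; matching 8 characters is 58**8 times harder, in line with the cost estimates given later in the thread.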
copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
But I don't see it as a problem because I usually check a lot more than 3 chars... I usually check around 5 or 6 at beginning and end and look for a distinctive pattern in the middle as well.
Well, I usually check 3-4 chars at the start and end, but I think the most recommended thing, even if there is anti-virus or whatever installed, is checking 5-8 characters from the start and end of the address, no less.
legendary
Activity: 2268
Merit: 18711
I honestly do not understand why we keep seeing this debate popping up again and again. It takes less than 10 seconds to check the full address. Why are people trying to cut corners of a few seconds when potential thousands of dollars are at risk? Just hold your mobile phone/hardware wallet/whatever up to your computer screen, or resize two windows on your screen, so the address you are actually sending to is right next to the address you think you are sending to. Once the two addresses are physically right beside each other, it is trivial to compare the full address and see any differences. You don't even have to memorize any characters. For example:

1Ny9qqL7qsyzCmLjfUzVRMy8ej569wGQey

1Ny9qqLNqsyzFmLtf2zVAMy2ej539wGQey

Those two addresses are more similar than any copy and paste malware by several orders of magnitude, and if you compared the first 6 and last 6 characters they would all match, but I bet you could all tell in less than 2 seconds that they were different.
legendary
Activity: 1624
Merit: 2481
How many characters can we say are safe if we verify them?

IMO this depends on the amount you are transferring.
For like $5, checking just a few chars should be enough. The worst case is you lose $5.

If you however transfer multiple thousands of $, I'd check at least 8 chars.
Generating a vanity address with 8 given chars costs around $1k. And an attacker can't know whether you are checking the first or the last 8. Or if you maybe split it into 4 from the beginning and 4 at the end.

So, with 8 chars you should be on the safe side.



Do such viruses affect QR scanning?

Probably not.
But malware can still change QR codes to either change the address or the amount.

This exact type of malware which changes your clipboard with a similar looking address probably won't do that.
But whether THIS malware does it, shouldn't be your concern.


legendary
Activity: 2688
Merit: 3983
How many characters can we say are safe if we verify them? I don't think there is a database or even an attempt to generate a similar address for the first and last 6 characters (58^12 = 1.45 * 10^21)? True.
Generally, you can increase the difficulty by taking the first 3 letters, the last 3 letters and 2 random letters from the middle.
Do such viruses affect QR scanning?

#Edit: Maybe I found an answer:

In the instance that was reported to us, only the first and last 2 characters matched. Excluding the starting '1' , that's 3 characters. Might be bruteforced locally.
legendary
Activity: 3234
Merit: 5637
Problem is in fact that most Electrum users do not use the preview button before they click the send button, and if this malware replaces the first and last 3 characters of a BTC address to look like a legitimate address, loss is guaranteed. If this is not some new clipboard malware, then any average antivirus/antimalware would prevent such an attempt very easily.

I have been in crypto for 6+ years, and I have never experienced anything similar to this, even though I've used Multibit and Electrum, and some other desktop wallets for years on a PC with cracked Windows, with torrents and all the usual stuff. But I always have top protection which stops all bad things before they even infect my PC. Today I use only hardware wallets, and they force you to check all transaction details before confirming the transaction.

So I wonder if this warning is only for those using Electrum without using the brain at all - copy/paste address + send = my coins are gone?