
Topic: How to lose your Bitcoins with CTRL-C CTRL-V - page 7. (Read 4309 times)

legendary
Activity: 2520
Merit: 2853
My PC got infected once with this malware.
It changes Eth addresses from the one you copy to the hacker's address.
I was lucky and didn't lose anything because I discovered it when I was checking tokens values on etherdelta.
I was copying the token's contract address and pasting it in the navigation bar which redirects me to the exchange's home page every time.

All I did to resolve the problem is copying a part of the address (all of it except the last char).
I confirm that this solution works for Ethereum addresses since they all have the same length which is not the case for Bitcoin addresses.
sr. member
Activity: 728
Merit: 368
Sancho
I sincerely don't understand what "monitoring" means here...
Good question, now I'm not so sure. I would have expected the malware to detect Bitcoin addresses based on the format, instead of based on a very long list of known addresses. It's quite easy to know if a certain string is a Bitcoin address.

Linux is the king of servers, and the market share is near zero on desktops.
From loyce.club last month:
Windows 63.2%
Linux 17.2%
Macintosh 1.6%
iOS 4.4%
Unknown 13.3%

Meanwhile, 4.1% of all pages were loaded from Windows XP (I'm not sure if Tor-browsers still identify themselves as Windows XP), 23.8% Windows 7 and 33.8% Windows 10.
And 3.9% of the users use Android, which is counted as Linux.
People interested in crypto are usually more advanced in IT and are difficult to consider as ordinary users. I also want to note that if you consider Android as Linux, it would be logical and iOS + MacOS should also be considered as Linux, because they also have common roots. I'm talking about Linux desktop, such as Ubuntu. Market success of Android is difficult to question. Smiley
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I sincerely don't understand what "monitoring" means here...
Good question, now I'm not so sure. I would have expected the malware to detect Bitcoin addresses based on the format, instead of based on a very long list of known addresses. It's quite easy to know if a certain string is a Bitcoin address.

Linux is the king of servers, and the market share is near zero on desktops.
From loyce.club last month:
Windows 63.2%
Linux 17.2%
Macintosh 1.6%
iOS 4.4%
Unknown 13.3%

Meanwhile, 4.1% of all pages were loaded from Windows XP (I'm not sure if Tor-browsers still identify themselves as Windows XP), 23.8% Windows 7 and 33.8% Windows 10.
And 3.9% of the users use Android, which is counted as Linux.
sr. member
Activity: 728
Merit: 368
Sancho
Ideal operating systems do not exist, and the romantic halo around Linux often disappears when you try to make him friends with your computer hardware. If you are not a bearded admin in a sweater, but an ordinary user, migrating to Linux may not be an easy task.

I've found that things have gotten a lot better on this end in recent years. Even then, most people only really have basic stuff anyway, and people with the more technical hardware tend to be more technical themselves.
The situation is really changing for the better and the Linux desktop is becoming more and more friendly to the average user, but it's too early to talk about any significant successes. Linux is the king of servers, and the market share is near zero on desktops. This is the reality of today. Smiley

It would be easier for Linux to succeed on desktops, but in fairness, I note that Windows 10 is not so bad, it has a built-in security center and rumors about the impossibility of disconnecting Cortana are greatly exaggerated.
legendary
Activity: 2828
Merit: 6108
There's also malware that monitors 2.3 million Bitcoin addresses: thanks to the public blockchain it's easy to create a list of all addresses that are worth stealing, and include a couple million similar addresses in the malware.

I sincerely don't understand what "monitoring" means here...
Are they monitoring used addresses so if a user tries to send a transaction to a known address they have one resembling it to replace it?
That would be more effective for a reused address but a total fail with newly generated addresses.

Also, one of the exchanges I use gives me the same deposit address each time, but every time I deposit something the address is emptied in the next block in a batch transaction collecting funds, so ...that would probably make the address free from monitoring?  Grin Grin  I really wonder how they are choosing them..


How to prevent this
Don't use Windows
Drop Windows and 80% of the issues are gone

But a monkey behind a Volvo and it will become the deadliest car in history.


hero member
Activity: 1834
Merit: 759
This is the only choice that matters. You are a pessimist by rejecting the only logical choice beforehand.
Don't bother with dual boot, people lack the discipline to NOT boot Windows (or OSX).

Aren't you being a little pessimistic yourself as well? I understand that getting people to stop using Windows is an uphill battle, but I'd think more people would be open to a dual boot set up than having two different devices for different purposes. (Edit: Maybe we should be promoting the use of Raspberry Pis instead lol)

Either way, while I completely agree that people shouldn't be using Windows for crypto (or anything else you could do with Linux really), I wouldn't go as far as saying it's insecure. It's certainly much less secure, but I don't expect a person who knows what they're doing to have any issues with it. Awareness is so much more important for security because no OS will protect you from everything. The info that LoyceV provided would probably help more users than simply saying "Don't use Windows!", for one.

Of course Smiley But 1.5 billion people use Windows for anything. If we could wipe out that insecure OS that would be great, but I'm trying to be realistic here: it's not going to happen.

The funny thing is, if everyone started using Linux instead and it got all the attention from bad actors that Windows does, users would probably be just as vulnerable even with Linux's fundamentally stronger security. People do a lot of stupid shit for free stuff and/or whatever else they want, and no OS can really address that lol.

Ideal operating systems do not exist, and the romantic halo around Linux often disappears when you try to make him friends with your computer hardware. If you are not a bearded admin in a sweater, but an ordinary user, migrating to Linux may not be an easy task.

I've found that things have gotten a lot better on this end in recent years. Even then, most people only really have basic stuff anyway, and people with the more technical hardware tend to be more technical themselves.
sr. member
Activity: 728
Merit: 368
Sancho
How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

This is the only choice that matters. You are a pessimist by rejecting the only logical choice beforehand.

Most people don't need Windows, all they need is a browser, and the likes of Chrome run in Linux perfectly fine. That attitude of yours, I have seen it in decades, and it only ends in grief.

Drop Windows and 80% of the issues are gone. If you need a "games" computer, have both separate. Money and serious things in one, the rest in the other.

Don't bother with dual boot, people lack the discipline to NOT boot Windows (or OSX).

None of your "tips" are really effective under a malware-ridden Windows computer, because you don't know beforehand the exact nature of the malware. It's not just malware that recognizes bitcoin addresses and changes them, there are several more vectors for stealing, such as taking your privkeys/seed words, or hijacking your DNS, but to name them all would make a book.

Money handling should not be done with insecure OSes, period.
I think you are too categorical. Ideal operating systems do not exist, and the romantic halo around Linux often disappears when you try to make him friends with your computer hardware. If you are not a bearded admin in a sweater, but an ordinary user, migrating to Linux may not be an easy task. I use a hardware wallet and check the address before sending, and until everything is fine.  Smiley
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Money handling should not be done with insecure OSes, period.
Of course Smiley But 1.5 billion people use Windows for anything. If we could wipe out that insecure OS that would be great, but I'm trying to be realistic here: it's not going to happen.
legendary
Activity: 1988
Merit: 1561
CLEAN non GPL infringing code made in Rust lang
How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

This is the only choice that matters. You are a pessimist by rejecting the only logical choice beforehand.

Most people don't need Windows, all they need is a browser, and the likes of Chrome run in Linux perfectly fine. That attitude of yours, I have seen it in decades, and it only ends in grief.

Drop Windows and 80% of the issues are gone. If you need a "games" computer, have both separate. Money and serious things in one, the rest in the other.

Don't bother with dual boot, people lack the discipline to NOT boot Windows (or OSX).

None of your "tips" are really effective under a malware-ridden Windows computer, because you don't know beforehand the exact nature of the malware. It's not just malware that recognizes bitcoin addresses and changes them, there are several more vectors for stealing, such as taking your privkeys/seed words, or hijacking your DNS, but to name them all would make a book.

Money handling should not be done with insecure OSes, period.
legendary
Activity: 3542
Merit: 1352
Was wondering the same, how many checked characters would make the process safe?
I read that vanity gen is able to do 50mils keys per second, let's keep this number, multiply by 10 seconds and at this point, I still believe checking the first and last 4-5 characters is enough.
And without having a clue I doubt the malware would store billions of addresses in text files and filling up the HDD with those.



Given the sheer amount of addresses in the whole key space of bitcoin and other cryptocurrencies, this is already a good practice knowing that two addresses having almost the same characters as another one would be pretty slim. Though of course for the ultra-paranoid in us, 4-5 characters isn't really enough and therefore having two addresses side-by-side is still a (somewhat) bulletproof practice as suggested by o_e_l_e_o.

-snip-

The horrors of Windows in general. Every single data we have on our PCs we don't own completely, but we actually share it with Microsoft the moment we started using their operating system. The mere fact that most of the computers in the whole world runs with Windows is already an alarming thought, but what is there to do when Microsoft knows how to make things work with laymen? Of course, you wouldn't expect non-techie people to use CLI-based OS such as Linux just to be secured, and while being secure, Mac isn't really an option too knowing how costly it is to have one. Hackintosh is possible, but with limitations and bugs too.
sr. member
Activity: 532
Merit: 302
There's also malware that monitors 2.3 million Bitcoin addresses: thanks to the public blockchain it's easy to create a list of all addresses that are worth stealing, and include a couple million similar addresses in the malware.

Another argument for not reusing Bitcoin addresses but that's unfortunately not feasible when you have for example exchanges that issue one deposit address and don't even allow to change it manually (an argument to not use centralized exchanges I guess).
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Was wondering the same, how many checked characters would make the process safe?
I read that vanity gen is able to do 50mils keys per second, let's keep this number, multiply by 10 seconds and at this point, I still believe checking the first and last 4-5 characters is enough.
I can imagine malware that connects to an external server, which stores a large database of pre-created addresses.

Isn't it enough to check just the first 4-5 and last 4-5 characters?
It's probably enough, but I prefer a higher degree of certainty than just "probably".
legendary
Activity: 2184
Merit: 3134
₿uy / $ell
Isn't it enough to check just the first 4-5 and last 4-5 characters? This is what I do every time, if the first and last match I don't think I'm in danger.  If they manage to generate an address similar to the address you are paying to with the first few characters, checking the last ones should make it super safe, am I wrong?
legendary
Activity: 2828
Merit: 6108
Was wondering the same, how many checked characters would make the process safe?
I read that vanity gen is able to do 50mils keys per second, let's keep this number, multiply by 10 seconds and at this point, I still believe checking the first and last 4-5 characters is enough.
And without having a clue I doubt the malware would store billions of addresses in text files and filling up the HDD with those.

legendary
Activity: 3192
Merit: 1198
I became aware of that two years ago; it was big news back then. That was one of the reasons I added another anti-malware on my computer. I also developed a habit where I will wait 30 seconds before sending the funds and I will look at the first three characters and the last three characters to make sure I'm sending to the right address. If you're aware of something like this, you will develop a precautionary measure so that it will not happen to you.
sr. member
Activity: 532
Merit: 302

I think it should be Ctrl-C, then Ctrl-F, then Ctrl-V.

Nothing wrong with that tutorial. Why CTRL+V, then CTRL+F, then CTRL-V? After you have copied the wallet address, you need to paste the clipboard. It means we need the first CTRL+V. After we have pasted the wallet address, we need to check the wallet address from the clipboard results, then we need CTRL+F.  The last CTRL+V is to paste the wallet address in the search form.

So, the complete process is CTRL+C > CTRL+V > CTRL+F > CTRL+V, like LoyceV says.

No, the post says to select a part of the pasted address, I assume to avoid triggering the clipboard malware. It wouldn't make sense to do Ctrl-V immediately after selecting a piece of text. Anyway, it's been fixed so not an issue anymore.

Your method works too but only if malware doesn't do reverse substitution.

legendary
Activity: 1932
Merit: 1042
If I can suggest a simple workaround to avoid this kind of theft, I can suggest an easy virtual machine installation.
I use it for my home banking and crypto transfers.
A USB, 128 GB or more to get acceptable performance.
All the addresses saved in the task bar to avoid fake sites found by googling.
Linux Lubuntu, a light and fast version of Linux.
When I need to use home banking or a crypto wallet I use this USB. I called it bank box.
Not sure at 100, but for sure more than home PC.
If I'm forced to use it from my home PC, I usually check the first and last 3 or four address chars.

I also used a virtual machine for some time and it was with lubuntu too.
But still, this method, although safer, also has drawbacks if a trojan settles on the main computer.
Therefore, over time, I moved to an old dedicated laptop.

I hope you turned off access to the host clipboard in the guest isolation settings?

I also think that 3+3 characters is not enough. It is possible to do hijacker that will pick up a larger number of characters.

OK for the keyboard host settings.
But I think a VM remains one of the most secure and safe behaviors against theft.
But this is true only if you use this virtual machine just for that task.
Never navigate on the internet from the bank box, never read email from there.
Do just bank/crypto transfers from a saved link.
hero member
Activity: 750
Merit: 511
If I can suggest a simple workaround to avoid this kind of theft, I can suggest an easy virtual machine installation.
I use it for my home banking and crypto transfers.
A USB, 128 GB or more to get acceptable performance.
All the addresses saved in the task bar to avoid fake sites found by googling.
Linux Lubuntu, a light and fast version of Linux.
When I need to use home banking or a crypto wallet I use this USB. I called it bank box.
Not sure at 100, but for sure more than home PC.
If I'm forced to use it from my home PC, I usually check the first and last 3 or four address chars.

I also used a virtual machine for some time and it was with lubuntu too.
But still, this method, although safer, also has drawbacks if a trojan settles on the main computer.
Therefore, over time, I moved to an old dedicated laptop.

I hope you turned off access to the host clipboard in the guest isolation settings?

I also think that 3+3 characters is not enough. It is possible to do hijacker that will pick up a larger number of characters.
legendary
Activity: 2226
Merit: 1592
hmph..

I think it should be Ctrl-C, then Ctrl-F, then Ctrl-V.

Nothing wrong with that tutorial. Why CTRL+V, then CTRL+F, then CTRL-V? After you have copied the wallet address, you need to paste the clipboard. It means we need the first CTRL+V. After we have pasted the wallet address, we need to check the wallet address from the clipboard results, then we need CTRL+F.  The last CTRL+V is to paste the wallet address in the search form.

So, the complete process is CTRL+C > CTRL+V > CTRL+F > CTRL+V, like LoyceV says.
legendary
Activity: 2268
Merit: 18509
Now I'm getting worried with that Windows 10 Cortana and currently been tweaking out its privacy settings. Is this really a keylogger?
Yes. Windows 10 has a built in keylogger, and it sends everything you type to Microsoft for "analysis". See the following links:

https://www.pcworld.com/article/2974057/how-to-turn-off-windows-10s-keylogger-yes-it-still-has-one.html
https://www.technorms.com/45807/turn-windows-10-keylogger-improved-data-privacy
https://www.techadvisor.co.uk/how-to/windows/how-disable-hidden-keylogger-in-windows-10-3639643/

But on a much wider scale, Windows 10 is a privacy nightmare. It collects everything from your keystrokes and voice input to your contacts, emails, browsing history, location history, etc., etc. Turning off all the telemetry and turning all the privacy settings to max doesn't help. Have a read of these reports if you want to be really worried:

https://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/
https://thehackernews.com/2016/02/microsoft-windows10-privacy.html

Even with these features disabled via group policies, Cortana is still sending your search history to Microsoft, and OneDrive is phoning home for unknown reasons, for example. Even with all telemetry features disabled, Windows 10 still made a staggering 5,500 connections to almost 100 different IP addresses in only 8 hours.

As LoyceV says, don't use Windows.



Any time I am sending coins from any wallet I physically place the address I know is correct directly from the source, right next to the address I have entered to send to. That usually means either holding my hardware wallet or phone up next to my computer screen, or resizing two windows on my phone or computer to put the two addresses physically right next to each other. Once you have two addresses which are less than an inch apart, it's very easy to check the entire address and not just a few characters at the start or end.