Topic: Trojan Wallet stealer be careful - page 25. (Read 50276 times)

newbie
Activity: 11
Merit: 0
June 23, 2011, 08:50:36 AM
#79
I'm using keepass for my passwords, but you can also store wallet.dat and other important files inside the encrypted password db.
newbie
Activity: 25
Merit: 0
June 23, 2011, 07:08:50 AM
#78
my wallet is running on a MacBook Pro so is safe! thanks god :)

And why would a MacBook Pro be any safer than whichever other system? Care to explain, or are you just ignorant and do you think that websites cannot install stuff on your system?
newbie
Activity: 28
Merit: 0
June 23, 2011, 04:59:47 AM
#77
my wallet is running on a MacBook Pro so is safe! thanks god :)
newbie
Activity: 6
Merit: 0
June 23, 2011, 04:34:16 AM
#76
Even if I don't end up making much profit from BTC, my security standards online have already been raised threefold in the past month. ✓+
newbie
Activity: 33
Merit: 0
June 23, 2011, 04:03:08 AM
#75
I assumed I would hear about something like this pretty soon. If they make trojans to steal from banks, then bitcoins make a tasty target because they're easier to transfer and more anonymous.
newbie
Activity: 27
Merit: 0
June 23, 2011, 02:03:06 AM
#74
In fact the point is to create a new wallet on a secure system, then shut down the bitcoin client, make an encrypted backup of the wallet.dat file and delete the whole thing again (the live OS, I mean).
Then regularly move funds from your 'normal' wallet to the secure one (make a payment to one of those addresses). The balance of a wallet is kept on the network, and it is not needed to keep the savings account "live".
I think this is probably the best solution and also the beauty of bitcoin. going this route, a user could leave their savings account wallet offline for X number of years. the only reason ever to load the wallet would be to make withdrawals. actually, combine this with jrwr's offline paper storage and you have a pretty secure system. it might be a lot of hoops to jump through, but it would be difficult to crack.
newbie
Activity: 42
Merit: 0
June 22, 2011, 08:10:06 PM
#73
it's not "bitcoin"'s responsibility to encrypt wallets. [.....] bitcoin is only a network for moving btc between two accounts.

It's helpful to keep bitcoin open all the time to see if transactions are coming in. If I do that, keeping the wallet inside an encrypted container doesn't help much, as others already explained. If you have a trojan with a keylogger it also doesn't help if bitcoin itself encrypts the file.

But I'd suggest that bitcoin separates the private keys out of the wallet.dat and keeps those encrypted. Because you need them only for sending coins. This way you can at least prevent people that have only temporary access to your computer (like physically walking in front of it) from stealing your coins and if some offsite-backup gets stolen your coins are safe even if you didn't encrypt it [1]! I don't want to argue if bitcoin is responsible or not, but I say if you are able to make it more secure, it really should be a priority task.

To sum up, I'd suggest that bitcoin should:
* Store the private keys encrypted on disk.
* Ask the user for the passphrase when coins are about to be sent.
* Delete (=overwrite) the keys and the passphrase in memory immediately after sending the transaction.

This would improve security a lot and can only be implemented in bitcoin. You can't do that as a user.

[1] You should still encrypt it, because there is other information to be gained. Like how much money you have, where you got it from, etc.
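The scheme proposed in post #73, sketched as an added example (not code from the Bitcoin client or from any poster in this thread): addresses stay readable so incoming payments can be watched, while each private key is stored encrypted and unlocked only for a send. The record layout, function names and iteration count are assumptions; the PBKDF2-derived pad plus HMAC tag is a standard-library stand-in for a vetted authenticated cipher, and the HMAC "signature" stands in for ECDSA.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; value assumed for this example


def _derive(passphrase: bytes, salt: bytes):
    """Stretch the passphrase into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _tag(mac_key: bytes, rec: dict) -> bytes:
    """Authenticate address, salt and ciphertext together."""
    msg = rec["address"].encode() + rec["salt"] + rec["ct"]
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def lock_key(address: str, privkey: bytes, passphrase: bytes) -> dict:
    """Build a wallet record: address in the clear, private key encrypted."""
    if len(privkey) != 32:
        raise ValueError("expected a 32-byte private key")
    salt = os.urandom(16)  # fresh per record, so a pad is never reused
    pad, mac_key = _derive(passphrase, salt)
    rec = {"address": address, "salt": salt,
           "ct": bytes(a ^ b for a, b in zip(privkey, pad))}
    rec["tag"] = _tag(mac_key, rec)
    return rec


def receiving_addresses(wallet: list) -> list:
    """Watching for incoming payments needs no passphrase at all."""
    return [rec["address"] for rec in wallet]


def sign_for_send(rec: dict, passphrase: bytes, tx: bytes) -> bytes:
    """Unlock one key only for the duration of a send, then overwrite it."""
    pad, mac_key = _derive(passphrase, rec["salt"])
    if not hmac.compare_digest(_tag(mac_key, rec), rec["tag"]):
        raise ValueError("wrong passphrase or modified wallet record")
    key = bytearray(a ^ b for a, b in zip(rec["ct"], pad))
    try:
        # Stand-in for the ECDSA signature a real client would produce.
        return hmac.new(key, tx, hashlib.sha256).digest()
    finally:
        # Best effort only: Python may keep immutable copies (pad, KDF output).
        key[:] = bytes(len(key))
```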
newbie
Activity: 16
Merit: 0
June 22, 2011, 08:07:46 PM
#72
Thanks for the warning, I will be watching out.
You should tell us how we are supposed to report someone if we find out they are scamming.
newbie
Activity: 25
Merit: 0
June 22, 2011, 05:12:40 PM
#71
That's a good start. But if you want to be safe against 0-day viruses, at least encrypt the wallet.

Ok, but wouldn't that make any payments I should get fail because the program doesn't have write access to the wallet?

I mean, I could create a copy of the wallet and encrypt it, but then the original would still be insecure ;D

I'm still new to the whole infrastructure of the program, sorry.

In fact you should create a separate 'savings' wallet where you keep most of your coins. Create it on a system (preferably via a Linux live CD) of which you are sure it has not been compromised. Instructions can be found here: https://en.bitcoin.it/wiki/Securing_your_wallet

In fact the point is to create a new wallet on a secure system, then shut down the bitcoin client, make an encrypted backup of the wallet.dat file and delete the whole thing again (the live OS, I mean).
Then regularly move funds from your 'normal' wallet to the secure one (make a payment to one of those addresses). The balance of a wallet is kept on the network, and it is not needed to keep the savings account "live".

I came across another link the other day with a clear explanation about this, I'll see if I can find it again.
newbie
Activity: 28
Merit: 0
June 22, 2011, 02:04:08 PM
#70
That's a good start. But if you want to be safe against 0-day viruses, at least encrypt the wallet.

Ok, but wouldn't that make any payments I should get fail because the program doesn't have write access to the wallet?

I mean, I could create a copy of the wallet and encrypt it, but then the original would still be insecure ;D

I'm still new to the whole infrastructure of the program, sorry.
newbie
Activity: 10
Merit: 0
June 22, 2011, 12:44:42 PM
#69
Even though I'm running a Windows 7 machine, I should still be safe if I generally don't open attachments, use a Virus Scanner, have all programs patched up-to-date and NoScript active in Firefox?

Don't want my precious BTC to get stolen :D
That's a good start. But if you want to be safe against 0-day viruses, at least encrypt the wallet.
newbie
Activity: 14
Merit: 0
June 22, 2011, 12:22:13 PM
#68
And this is also a problem because until there is a standardized, easy way to secure your wallet, BTC will have a difficult time gaining mainstream approval.
newbie
Activity: 27
Merit: 0
June 22, 2011, 04:24:18 AM
#67
It would be nice if bitcoin would auto encrypt wallet file based on a password, which you enter every time you open bitcoin client.
but that's the problem. it's not "bitcoin"'s responsibility to encrypt wallets. bitcoin is only a network for moving btc between two accounts. it's the users that need to be secure about their usage. it might be nice if the apps that connect to bitcoin start to offer certain protections, but the users are the first line of defense: unique passwords everywhere, encrypted and backed-up wallets and smarter, safer browsing
newbie
Activity: 28
Merit: 0
June 22, 2011, 03:42:21 AM
#66
Even though I'm running a Windows 7 machine, I should still be safe if I generally don't open attachments, use a Virus Scanner, have all programs patched up-to-date and NoScript active in Firefox?

Don't want my precious BTC to get stolen :D
newbie
Activity: 29
Merit: 0
June 21, 2011, 11:15:19 PM
#65
sadly, it would be only too easy for even the lamest of script kiddies to make a wallet stealer.
It would be nice if bitcoin would auto encrypt wallet file based on a password, which you enter every time you open bitcoin client.
That would at least slow down the script kiddies.
Just be sure to move your main bitcoins to a secure (& preferably offline) wallet & you should* be safe.
newbie
Activity: 43
Merit: 0
June 21, 2011, 10:15:18 PM
#64
Thank you for bringing this to our attention.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
June 21, 2011, 04:43:50 PM
#63
I've read quite a few times in this thread to make backups of your bitcoin wallet. But if I'm not completely wrong, then even stealing just the backup data results in losing all your bitcoins. So from a security perspective, better don't make backup copies!

Theft is not the only thing you have to secure against: you have to secure your wallet against data loss as well. If you don't make back-up copies, your disk may fail tomorrow, taking all of your bitcoin with it. If you do make backup copies, your disk may still fail tomorrow, but you would be able to recover your wallet from the back-ups.

For the paranoid: you don't really have back-ups until they are verified and stored off-site (preferably encrypted).
newbie
Activity: 30
Merit: 0
June 21, 2011, 04:09:18 AM
#62
encrypted wallets don't do anything when you've already been trojan'd, they can just steal your passphrase/key. it makes you feel better at best and prevents someone from stealing your hard drive to get your wallet, but other than that it's a waste.
newbie
Activity: 15
Merit: 0
June 20, 2011, 11:19:56 PM
#61
I've read quite a few times in this thread to make backups of your bitcoin wallet. But if I'm not completely wrong, then even stealing just the backup data results in losing all your bitcoins. So from a security perspective, better don't make backup copies!

The idea is to create an encrypted backup of the wallet, not just a copy.
newbie
Activity: 10
Merit: 0
June 20, 2011, 05:39:00 PM
#60
I've read quite a few times in this thread to make backups of your bitcoin wallet. But if I'm not completely wrong, then even stealing just the backup data results in losing all your bitcoins. So from a security perspective, better don't make backup copies!

Instead of buying a notebook, I would store a wallet with a fixed amount on a new memory stick. Plug it in only when you intend to pay with it. Don't store more than you could afford to lose on each stick. Delete all backups on computer after using the wallet. And plug it only into computers that you know are clean.