Here’s what bitcoin newbies normally end up doing:
Mr. Coin, our average newcomer on the bitcoin block, does a Google search for bitcoins. He finds out about mining, tries it, and after a couple of days of mining failure, gives up. In all probability, after sifting through a dozen barely legitimate-looking websites, he finds Coinbase, Multibit or some similar online wallet, or directly finds Mt. Gox and opens a trading account. Mr. Coin makes a wire transfer to his Mt. Gox account and in a week, he’s ready to trade his fiat money for bitcoins!
Soon, Mr. Coin is bored of just buying bitcoins and waiting for their value to go up. He finds that there are a few online and retail stores in his country/area which accept bitcoin payments. Eager to put his newfangled currency to use, he shops with bitcoin from his Coinbase or input.io account. And this is how it goes for some time, until he runs out of bitcoin, and the cycle continues.
Mr. Coin has made almost all the possible errors in securing his bitcoin. Here’s what he should have done:
Mr. Coin should have recognized that Bitcoin stored for him at Mt. Gox are not technically his – they are owned by Mt. Gox and Mt. Gox can technically do whatever it wants with his coins, apart from the fact that Mt. Gox is the no. 1 target of bitcoin related hacker attacks. When he transfers bitcoin to his online wallet, it then becomes technically “his”, held in his name by a third party. If he chooses well, they might make his private key available to him to export. But better still, Mr. Coin could download and synchronize an offline wallet on his PC. This would have given him full control on his “money” and nearly the best security. If Mr. Coin is truly paranoid (or is rich), he could store his bitcoin on paper in a bank vault.
Here’s the why behind all these security measures:
All bitcoins stored are associated with 2 keys – a public wallet address and a private wallet key. The public address is what is used to receive transactions (or messages) while sending (signing) bitcoins requires the private key of the address, as shown below:
Basically anybody with a bitcoin client or wallet software can access and use a bitcoin “account” (wallet) from anywhere in the world, if he has the private key. Hence, it is very important to have access to the private key of the wallet in which your bitcoins are stored.
This is where a Mt. Gox account fails. Mt. Gox retains the private keys of all its user accounts, essentially making it the operator of all the account’s bitcoins, with all its users at its mercy.
But it’s not enough to simply have his own private key, it is equally essential to prevent others from finding it out. This is where online or e-wallets fail. Keys of these wallets are usually stored at the e-wallet’s central server – connected to the internet, and hence vulnerable to malware, spyware or other security breaches. In using an online wallet, Mr. Coin would be trusting the wallet service provider to not reveal his wallet’s details (and possibly also your identity) to 3rd parties.
Offline wallets are the safest kind of digital wallet – they give Mr. Coin full control over his wallet’s public and private keys, often also allowing him to make as many addresses and associated keys as he likes. Some of them would also allow him to add an extra layer of security – password encryption – on his wallet. Of course, Mr. Coin must connect to the internet at some point to make transactions, and he must be aware of the possibility of hidden spyware on his computer. But this possibility is remote, and is easily avoided by booting the PC in Linux from a remote drive. Offline wallets allow him to backup his wallet on a remote drive, or print his keys on paper for storage in a vault – the maximum security possible, if he ever wishes to do so.
Bitcoin is an enabling currency – it enables people to take control and responsibility for their own money. Not recognizing this responsibility is one of the biggest errors one can make in this new world.