Two weeks ago, Charlie Shrem got hacked and robbed, Bitcoin-style.
Criminals got into a brokerage account used by his transaction services company, Bitinstant, and emptied more than $12,000 worth of the digital currency. Banks can sometimes reel back online transactions and recover the money when it gets stolen by hackers, but Bitcoins don’t work that way. Bitcoins are the digital equivalent of cash, and they can be traded instantly and anonymously. So once they’re gone, they’re gone for good.
Shrem’s hackers made off with a big pile of Bitcoins, but there was a much larger pile — about one-third of Shrem’s total Bitcoin savings — that they couldn’t touch. That’s the pile he keeps on his finger.
About a month ago, Shrem bought a brand new netbook online (from Bitcoinstore, naturally). Without plugging it into the internet, he installed a program called Vanitygen, which generated both a Bitcoin address (a cryptic set of numbers and letters that people could use to give Shrem Bitcoins) and a private key (a longer, cryptic set of numbers and letters needed to give Shrem’s Bitcoins to anyone else).
Then Shrem asked his father, a jeweler, to engrave the private key on a ring. Yes, a physical ring he could slip onto his finger. “I took the key, and I literally called my father and said it to him over the phone,” Shrem remembers. “He wrote it down on a piece of paper. In his factory here in New York City, he has a jewelry engraver. He took a piece of silver, and he engraved it into a ring.”
Well, he engraved most of it into the ring. To add a little extra security, Shrem had his father leave out one of the digits from the private key. That’s stored in Shrem’s head — and only his head.
You see, Shrem — like many other Bitcoin traders — doesn’t trust digital copies of this most digital of currencies. “Even if all of your assets are in Bitcoins, you have to diversify them,” he says. “Twenty percent you should keep on your computer. The rest should be kept in cold storage.”
Cold storage can mean an encrypted USB drive, a computer that is not connected to the internet, a piece of paper, or some other physical medium. Shrem puts his on a ring, but other Bitcoiners are using paper — or even physical coins.
Yes, there’s irony here. Storing the keys to a digital currency on good old-fashioned paper or physical coins seems so very odd at first, but if you’re determined to put your money in Bitcoins, it makes sense.
Nearly two years ago, a long-time Bitcoiner known as Allinvain had 25,000 Bitcoins stolen from an unencrypted digital wallet saved on his Windows computer. At the time, the haul was worth about $500,000. He panicked and briefly felt like killing himself. But in a forum post written on the day of the theft, he also said that he should have known better. “I do feel like this is my fault for not moving that money to a separate non-Windows computer,” he wrote.
A few weeks later, the antivirus company Symantec said that it had discovered a Bitcoin-stealing Trojan, called Infostealer.Coinbit.
Gavin Andresen is the chief technology officer with the Bitcoin Foundation, the group that’s chartered with promoting and developing the technological infrastructure behind Bitcoin. All too often, he gets emails from panicky Bitcoin users. “Somebody stole my electronic wallet,” the emails say. “What can I do?”
He hates getting these messages. There isn’t anything that anybody can do.
“People are learning, if you have $100,000 worth of Bitcoins, you’re going to need a lot more security than if you have $100 worth of Bitcoins,” he says. Andresen keeps his Bitcoin wallet encrypted on a computer that isn’t connected to the internet. And many people go further.
Around the time that Allinvain got hacked two years ago, a Salt Lake City, Utah Bitcoin enthusiast named Mike Caldwell started thinking about ways of creating physical Bitcoins — metal coins engraved with hidden, tamper-protected private keys that could be exchanged much like money. He calls them Casascius coins. Casascius is a word he made up. It’s derived, he says, from an acronym for “call a spade a spade.”
At first, Caldwell thought he’d be making a quirky collectable that would only interest a fringe audience, but since he started minting his Bitcoins, he’s produced about 15,000 physical coins and (for serious collectors) gold-plated bars, ranging in denomination from 0.5BTC to 1,000BTC. Bitcoin values have been on a bit of a surge lately, so he’s also looking at minting aluminum 0.1BTC coins pretty soon.
Caldwell makes the data about his Bitcoins openly available, and according to a website that tracks them, he’s minted over $2.5 million in Bitcoins to date.
Although Caldwell says he takes great care to ensure that the private keys he engraves onto his coins do not exist anywhere else, he admits that at the end of the day, people who buy the Casascius coins just have to trust him.
With so much money now created, Caldwell says that — quite frankly — they shouldn’t, but he says he’s made it “deliberately unattractive” for him to steal. “I’ve published my identity. I’ve published my address. I’ve published a list of coins that I’ve produced,” he says. “There’s no way that I can prove that I did not keep the private keys. But instead, what I’ve offered is basically people can have recourse against me if I were to have stolen from them.”
You still don’t trust him? You can write your own key on a piece of paper. Or engrave it on a ring. But you might lose your piece of paper. Someone might take your ring. There’s always a security hole. The trick is to make it as small as possible.