public inbox for bitcoindev@googlegroups.com
* [Bitcoin-development] Proposal to address Bitcoin malware
@ 2015-01-31 22:15 Brian Erdelyi
  2015-01-31 22:38 ` Natanael
  2015-02-01 14:28 ` mbde
  0 siblings, 2 replies; 33+ messages in thread
From: Brian Erdelyi @ 2015-01-31 22:15 UTC (permalink / raw)
  To: bitcoin-development



Hello all,

The number of incidents involving malware targeting bitcoin users continues to rise. One category of virus I find particularly nasty is when the bitcoin address you are trying to send money to is modified before the transaction is signed and recorded in the block chain. This behaviour allows the malware to evade two-factor authentication by becoming active only when the bitcoin address is entered. This is very similar to how man-in-the-browser malware attacks online banking websites.

Out-of-band transaction verification/signing is one method used with online banking to help protect against this. This can be done in a variety of ways with SMS, voice, mobile app or even security tokens. This video demonstrates how HSBC uses a security token to verify transactions online: https://www.youtube.com/watch?v=Sh2Iha88agE

Many Bitcoin wallets and services already use Open Authentication (OATH) based one-time passwords (OTP). Is there any interest (or existing work) in the Bitcoin community adopting the OATH Challenge-Response Algorithm (OCRA) for verifying transactions?

I know there are other forms of malware; however, I want to get thoughts on this approach as it would involve the use of a decimal representation of the bitcoin address (depending on particular application). In the HSBC example (see YouTube video above), this was the last 8 digits of the recipient’s account number. Would it make sense to convert a bitcoin address to decimal and then truncate to 8 digits for this purpose? I understand that truncating the number in some way only increases the likelihood for collisions… however, would this still be practical, or could the malware generate a rogue bitcoin address that would produce the same 8 digits as the legitimate bitcoin address?

Brian Erdelyi


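The following is an added illustration and is not part of Brian's message or of any Bitcoin wallet's code. It shows, in Python, the two pieces the proposal touches: turning a Base58Check address into the kind of short numeric "question" an OCRA token would display (the interpretation "decimal value of the address, last 8 digits" is an assumption of this example, not a standard), computing the RFC 6287 OCRA response for the QN08 suite over that question, and quantifying the risk raised at the end of the message, namely how likely a set of attacker-generated addresses is to share the same truncated digits. The RFC 6287 test key and the well-known genesis-block address are used only as sample inputs; the Base58Check decoder rejects any address whose checksum fails, which is the first check a verifier should make before deriving anything from a pasted address.

```python
"""
Added example (not from the original post): derive a short numeric
"question" from a Bitcoin address, bind it to an OCRA response
(RFC 6287, suite OCRA-1:HOTP-SHA1-6:QN08), and quantify how likely
a batch of random addresses is to collide on the truncated digits.
"""
import hashlib
import hmac
import math

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(address: str) -> tuple[int, bytes]:
    """Decode a Base58Check address; return (integer value, version+payload).

    Raises ValueError on a bad character or checksum, so a corrupted or
    substituted address is rejected before any code is derived from it.
    """
    value = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        value = value * 58 + idx
    # each leading '1' encodes a leading 0x00 byte (e.g. the P2PKH version byte)
    leading_zeros = len(address) - len(address.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    raw = b"\x00" * leading_zeros + body
    if len(raw) < 5:
        raise ValueError("address too short")
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if not hmac.compare_digest(checksum, expected):
        raise ValueError("Base58Check checksum mismatch")
    return value, payload


def verification_digits(address: str, digits: int = 8) -> str:
    """Last `digits` decimal digits of the address's integer value.

    One reading of "convert to decimal and truncate to 8 digits"; this
    mapping is an assumption of the example, not a standard.
    """
    value, _ = base58check_decode(address)
    return str(value % 10 ** digits).zfill(digits)


def ocra_numeric(suite: str, key: bytes, question: str) -> str:
    """RFC 6287 OCRA for suites whose DataInput is only a numeric question.

    DataInput = suite || 0x00 || Q, where Q is the decimal question
    converted to hex, left-justified and zero-padded to 128 bytes.
    """
    _, crypto, data_input = suite.split(":")
    _, hash_name, code_digits = crypto.split("-")
    if not data_input.startswith("QN") or "-" in data_input:
        raise ValueError("this example supports only QNxx suites")
    q_hex = format(int(question, 10), "x").ljust(256, "0")
    msg = suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(key, msg, getattr(hashlib, hash_name.lower())).digest()
    offset = mac[-1] & 0x0F  # HOTP dynamic truncation (RFC 4226)
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** int(code_digits)).zfill(int(code_digits))


def match_probability(digits: int, candidates: int) -> float:
    """Probability that at least one of `candidates` random addresses shows
    the same `digits`-digit code as a target (assumes uniform digits)."""
    return -math.expm1(candidates * math.log1p(-(10.0 ** -digits)))


if __name__ == "__main__":
    # Constructed demo: the public genesis-block address and the RFC 6287
    # sample key. A real deployment provisions a per-user secret.
    addr = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    key = b"12345678901234567890"  # RFC 6287 test key, NOT a real secret
    q = verification_digits(addr)
    print("question (last 8 decimal digits):", q)
    print("OCRA response:", ocra_numeric("OCRA-1:HOTP-SHA1-6:QN08", key, q))
    for d in (8, 12, 20):
        p = match_probability(d, 10 ** 8)
        print(f"{d}-digit code, 1e8 candidate addresses: P(match) = {p:.3g}")
```

The `match_probability` figures make the trade-off concrete: with an 8-digit code, a batch of 10^8 freshly generated addresses has roughly a 63% chance of containing one whose digits match a chosen target, so the verifier's displayed digits must be long enough (or derived from more of the address) that the search becomes impractical, and the checksum check in `base58check_decode` is what stops a silently corrupted address from ever reaching the token.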


Thread overview: 33+ messages
2015-01-31 22:15 [Bitcoin-development] Proposal to address Bitcoin malware Brian Erdelyi
2015-01-31 22:38 ` Natanael
2015-01-31 23:04   ` Brian Erdelyi
2015-01-31 23:37     ` Natanael
2015-01-31 23:41       ` Natanael
2015-02-01 12:49         ` Brian Erdelyi
2015-02-01 13:31           ` Martin Habovštiak
2015-02-01 13:46             ` Mike Hearn
2015-02-01 13:54             ` Brian Erdelyi
2015-02-01 13:48           ` Mike Hearn
2015-02-01 14:28 ` mbde
2015-02-02 17:40   ` Brian Erdelyi
2015-02-02 17:54     ` Martin Habovštiak
2015-02-02 17:59       ` Mike Hearn
2015-02-02 18:02         ` Martin Habovštiak
2015-02-02 18:25           ` Mike Hearn
2015-02-02 18:35             ` Brian Erdelyi
2015-02-02 18:45               ` Eric Voskuil
2015-02-02 19:58                 ` Brian Erdelyi
2015-02-02 20:57                   ` Joel Joonatan Kaartinen
2015-02-02 21:03                     ` Brian Erdelyi
2015-02-02 21:09                       ` Pedro Worcel
2015-02-02 21:30                         ` devrandom
2015-02-02 21:49                           ` Brian Erdelyi
2015-02-02 21:42                         ` Brian Erdelyi
2015-02-02 21:02                   ` Pedro Worcel
2015-02-03  7:38                   ` Eric Voskuil
2015-02-02 18:10         ` Brian Erdelyi
2015-02-02 18:07       ` Brian Erdelyi
2015-02-02 18:05     ` Eric Voskuil
2015-02-02 18:53       ` Mike Hearn
2015-02-02 22:54         ` Eric Voskuil
2015-02-03  0:41           ` Eric Voskuil
