Bitcoin Besieged by Hackers and Regulators

The bitcoin wallet issue arises from a flaw in the Android random number generator which, warned bitcoin.org, renders “all Android wallets generated to date vulnerable to theft.” It does not affect wallets where the user doesn’t control the private keys. “For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.”

The problem lies in Android’s implementation of the Java SecureRandom class. “As a result all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen,” announced Google engineer Mike Hearn on the Bitcoin developers list.

This is apparently not a theoretical vulnerability. Discoverer Jean-Pierre Rupp has told The Register that he discovered the problem while investigating a complaint from a friend who suspected that his phone had been hacked. As a consequence, all Android wallet users are advised to update to the latest version as soon as one becomes available.
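The “colliding R values” Hearn describes are the observable symptom of a repeated ECDSA nonce, and they can be checked for without any knowledge of the private key. The following is an added example (not code from bitcoin.org, Hearn, or any wallet project) that parses Bitcoin-style DER-encoded signatures, extracts R, and reports any R value seen more than once in a batch; the signature values and key labels are constructed test data, not real transactions.

```python
# Added example: flag repeated R values across a batch of DER-encoded ECDSA
# signatures. A repeat under the same key means the nonce was reused (private
# key exposed); a repeat across keys points at a weak shared RNG.
from collections import defaultdict

def der_int(n: int) -> bytes:
    """Encode a non-negative integer as a DER INTEGER (constructed helper)."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:              # DER needs a leading 0x00 when the high bit is set
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body

def der_signature(r: int, s: int) -> bytes:
    """Wrap r and s in the DER SEQUENCE layout Bitcoin signatures use."""
    ints = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(ints)]) + ints

def parse_der_signature(sig: bytes) -> tuple[int, int]:
    """Return (r, s) from a DER SEQUENCE of two INTEGERs; raise on malformed input."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the expected length")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = sig[pos + 1]
        if pos + 2 + length > len(sig):
            raise ValueError("INTEGER length exceeds signature")
        values.append(int.from_bytes(sig[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    if pos != len(sig):
        raise ValueError("trailing bytes after signature")
    return values[0], values[1]

def find_colliding_r(records):
    """records: iterable of (pubkey_label, der_signature_bytes).
    Returns {r: [(index, pubkey_label), ...]} for every R seen twice or more."""
    seen = defaultdict(list)
    for idx, (pubkey, sig) in enumerate(records):
        r, _ = parse_der_signature(sig)
        seen[r].append((idx, pubkey))
    return {r: hits for r, hits in seen.items() if len(hits) > 1}

# Constructed sample: key "A" reuses R in records 0 and 2; key "B" shares that R too.
SAMPLE_RECORDS = [
    ("A", der_signature(0x7ABC1234, 0x1111)),
    ("B", der_signature(0x7ABC1234, 0x2222)),
    ("A", der_signature(0x7ABC1234, 0x3333)),
    ("A", der_signature(0x0DEF5678, 0x4444)),
]

if __name__ == "__main__":
    print(find_colliding_r(SAMPLE_RECORDS))
```

Running this over signatures collected from a wallet’s own transaction history is a cheap way to confirm whether a given key has already been exposed, which is the information a user needs before moving funds to a key generated after the fix.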

Meanwhile, the success and potential misuse of digital currencies such as bitcoin has drawn the eye of authority. The New York Department of Financial Services (DFS) recognizes both opportunities and challenges in virtual currencies. In an explanatory notice from Benjamin M. Lawsky, superintendent of financial services, the DFS explained that they “can help improve the depth and breadth of our nation’s financial system;” but their anonymity “has helped support dangerous criminal activity, such as drug smuggling, money laundering, gun running, and child pornography.”

The DFS has consequently launched “an inquiry into the appropriate regulatory guidelines that it should put in place for virtual currencies.” It has issued 22 subpoenas to both digital currency companies and virtual currency investors such as Marc Andreessen, Ben Horowitz, and the Winklevoss twins. These subpoenas do not indicate any specific belief in wrongdoing, but are a legal demand for information. The DFS is considering both the application of existing financial controls, and the formulation of new virtual currency guidelines. It cites three primary arguments.

The first is to help build confidence in the currencies. “Safety and soundness requirements [will] help build greater confidence among customers that the funds that they entrust to virtual currency companies will not get stuck in a digital black hole.”

The second is that “Taking steps to root out illegal activity is both a legal and business imperative for virtual currency firms.”

And finally, “Similar to any other industry, greater transparency and accountability is critical to promoting sustained, long-term investment.”

The end result could prove costly for the bitcoin companies. The Wall Street Journal notes that although some bitcoin exchanges have registered with the Treasury’s financial crimes enforcement agency, they have moved more slowly at state level. This is possibly because the process is slow and costly, where “states also typically require companies to put up a bond that could run as much as several million dollars.”
