Proposal to address Bitcoin malware



Summary:

The increasing number of malware families targeting Bitcoin users is a growing concern in the Bitcoin community. One category in particular modifies the destination Bitcoin address before the transaction is recorded in the blockchain, which lets the malware evade two-factor authentication: the second factor ends up approving a transaction whose recipient has already been swapped. Out-of-band transaction verification/signing is one method online banking uses to protect against this kind of attack; it can be done in various ways, such as SMS, voice, a mobile app, or a security token. A video demonstrating how HSBC uses a security token to verify transactions online can be found at https://www.youtube.com/watch?v=Sh2Iha88agE. OATH-based one-time passwords (OTP) are already used by many Bitcoin wallets and services, so the Bitcoin community might consider adopting the OATH Challenge-Response Algorithm (OCRA) to verify transactions. This would, however, involve a decimal representation of the Bitcoin address, which would need to be truncated to 8 digits. Truncating the number increases the likelihood of collisions, but the scheme may still be practical; it is unclear whether malware could generate a rogue Bitcoin address that produces the same 8 digits as the legitimate one.

A second-factor scheme called "cardTAN" or "chipTAN" is also mentioned. Authentication codes are generated on a device that is not specifically linked to an account. The authentication process for an online banking transaction involves inserting the bank card into the TAN generator, scanning the flickering code on the screen with the device's photodetector, confirming the amount and recipient on the generator, and finalizing the transaction by entering the challenge-response code the device generates. More information about chipTAN/cardTAN can be found at http://en.wikipedia.org/wiki/Transaction_authentication_number#chipTAN_.2F_cardTAN.
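As an added worked example (it is not part of the original post and not the code of any wallet or of the OATH project), the Python below sketches how the OCRA step described above could bind a one-time response to a destination address. It Base58Check-decodes the address, reduces its decimal representation to an 8-digit numeric question, computes the RFC 6287 response for the suite OCRA-1:HOTP-SHA1-6:QN08 with the user's token key, and has the service recompute that response over the address it is actually about to broadcast, so a swapped address fails verification. Assumptions: the post does not say which 8 digits to keep, so the last 8 (value mod 10^8) are used; the key is the 20-byte test key from RFC 6287; the two addresses are real, publicly known ones used only as stand-ins for "the address the user intended" and "the address malware substituted".

```python
import hashlib
import hmac

# Base58 alphabet used by Bitcoin addresses
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode_check(address: str) -> bytes:
    """Decode a Base58Check address into its 25 raw bytes and verify the
    4-byte double-SHA256 checksum; raises ValueError on a corrupt address."""
    n = 0
    for ch in address:
        n = n * 58 + B58_ALPHABET.index(ch)
    # Each leading '1' encodes a leading zero byte that the integer form loses.
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("bad Base58Check checksum")
    return raw


def address_challenge(address: str, digits: int = 8) -> str:
    """Truncate the decimal representation of the decoded address to an
    OCRA numeric question. Assumption (not fixed by the proposal): keep the
    last `digits` decimal digits, i.e. the value modulo 10**digits."""
    value = int.from_bytes(b58decode_check(address), "big")
    return str(value % 10**digits).zfill(digits)


def ocra_response(suite: str, key: bytes, question: str) -> str:
    """RFC 6287 OCRA for suites of the form OCRA-1:HOTP-<hash>-<digits>:QN<nn>
    (numeric one-way challenge; no counter, PIN, session or timestamp)."""
    _, crypto, data_input = suite.split(":")
    _, hash_name, digits = crypto.split("-")
    if not data_input.startswith("QN"):
        raise ValueError("only numeric questions (QNxx) are supported here")
    # The numeric question becomes an upper-case hex string, left-justified and
    # zero-padded on the right to 128 bytes, exactly as in the RFC reference code.
    q_hex = format(int(question), "X").ljust(256, "0")
    msg = suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(key, msg, getattr(hashlib, hash_name.lower())).digest()
    # HOTP-style dynamic truncation (RFC 4226 section 5.3)
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10**int(digits)).zfill(int(digits))


def verify_transaction(suite: str, key: bytes, broadcast_address: str,
                       user_response: str) -> bool:
    """Service side: recompute the response over the address that is really
    about to be broadcast and compare it in constant time with what the user typed."""
    expected = ocra_response(suite, key, address_challenge(broadcast_address))
    return hmac.compare_digest(expected, user_response)


SUITE = "OCRA-1:HOTP-SHA1-6:QN08"
DEMO_KEY = b"12345678901234567890"  # 20-byte test key from RFC 6287 (demo only)


def demo() -> dict:
    """Constructed scenario: the token signs the challenge for the address the
    user intended; the service checks it against the address it received."""
    intended = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # genesis coinbase address, as a sample
    swapped = "1BitcoinEaterAddressDontSendf59kuE"   # stands in for a malware-substituted address
    response = ocra_response(SUITE, DEMO_KEY, address_challenge(intended))
    return {
        "challenge": address_challenge(intended),
        "response": response,
        "intended_ok": verify_transaction(SUITE, DEMO_KEY, intended, response),
        "swapped_ok": verify_transaction(SUITE, DEMO_KEY, swapped, response),
    }


if __name__ == "__main__":
    for name, val in demo().items():
        print(f"{name}: {val}")
```

The response is only as strong as the 8-digit question: two addresses whose decimal forms agree in those 8 digits yield the same expected response, which is the collision concern the post raises. The RFC 6287 test vector for this suite (question 00000000 with the 20-byte test key gives 237653) is a useful check that an implementation encodes the question and pads the message correctly.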


Updated on: 2023-06-09T16:12:55.693804+00:00