Proposal to address Bitcoin malware



Summary:

The number of incidents involving malware targeting Bitcoin users continues to rise. One particularly nasty category modifies the destination Bitcoin address before the transaction is signed and recorded in the block chain, allowing the malware to evade two-factor authentication by becoming active only when the Bitcoin address is entered. Out-of-band transaction verification/signing is one method used in online banking to help protect against this. Many Bitcoin wallets and services already use Open Authentication (OATH) based one-time passwords (OTP), so the Bitcoin community is asked whether there is any interest in, or existing work on, adopting the OATH Challenge-Response Algorithm (OCRA) for verifying transactions. A video referenced in the thread demonstrates how HSBC uses a security token to verify transactions online.

However, converting a Bitcoin address to decimal and then truncating it to 8 digits may increase the likelihood of collisions, making that approach impractical: Vanitygen can already brute-force 8 characters. It is therefore recommended to use something more like an HMAC, rather than relying on mechanisms intended for one-shot authentication, where the secret is supposed to be unguessable, in a setting where the attacker knows what the target string is and has a fair amount of time to attempt a brute-force search.
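To make the contrast concrete, the following added example (not code from the thread or from any wallet project) places the unkeyed scheme the thread warns against beside a keyed alternative. The unkeyed code is simply the address decoded from Base58 to decimal and truncated to 8 digits, as described above. The keyed code is an assumed construction in the spirit of the HMAC suggestion: HMAC-SHA1 over a transaction counter and the destination address, truncated with the RFC 4226 dynamic-truncation step. The address, secret and counter values are constructed placeholders, and the Base58 decoder does not validate the address checksum.

```python
import hmac
import hashlib
import math

# Constructed sample inputs for illustration only (not a real wallet, key or address).
DEST_ADDRESS = "1ConstructedSampeAddressNotReaZ"
TOKEN_SECRET = b"constructed-secret-provisioned-into-the-token"

# Bitcoin's Base58 alphabet (no 0, O, I, l).
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def address_to_decimal(address: str) -> int:
    """Decode a Base58 string to its integer value. The checksum is not validated;
    this only reproduces the "convert the address to decimal" step the thread describes."""
    value = 0
    for ch in address:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + idx
    return value


def unkeyed_code(address: str, digits: int = 8) -> str:
    """The scheme the thread warns against: the decimal form of the address,
    truncated to its last `digits` digits. No secret is involved, so anyone can
    compute it and search for a second address that yields the same code."""
    return str(address_to_decimal(address) % 10**digits).zfill(digits)


def keyed_code(secret: bytes, address: str, counter: int, digits: int = 8) -> str:
    """HMAC-based confirmation code (assumed construction, in the spirit of the
    thread's HMAC suggestion): HMAC-SHA1 over counter || address, then RFC 4226
    dynamic truncation to `digits` decimal digits. Without the token secret the
    attacker cannot tell which substitute address would produce a matching code."""
    message = counter.to_bytes(8, "big") + address.encode("ascii")
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10**digits).zfill(digits)


def verify_code(secret: bytes, address: str, counter: int, presented: str) -> bool:
    """Server-side check of the code the user read off the token (constant-time compare)."""
    return hmac.compare_digest(keyed_code(secret, address, counter), presented)


def code_space_bits(digits: int) -> float:
    """Work factor of guessing or colliding a `digits`-digit code: log2(10^digits).
    Eight digits is only about 26.6 bits, which is why the code must be keyed."""
    return math.log2(10**digits)


if __name__ == "__main__":
    print("unkeyed:", unkeyed_code(DEST_ADDRESS))
    print("keyed  :", keyed_code(TOKEN_SECRET, DEST_ADDRESS, counter=1))
    print(f"8-digit code space: {code_space_bits(8):.1f} bits")
```

The unkeyed code gives the attacker a fixed, public 8-digit target, so the roughly 2^26.6 search is entirely offline and the malware can substitute a colliding address before the user ever sees the code. Binding the code to a secret held in the token moves the check to the only party the malware cannot impersonate; the counter prevents a captured code from being replayed for a later transaction.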


Updated on: 2023-06-09T16:13:15.360108+00:00