Wall Street Journal / Biz - Money

How Do You Keep Your Bitcoin Safe?

While bitcoin does offer some advantages to users, it also creates serious challenges, like security. Here are some important points to understand before you invest.


Paul Vigna

In recent days, there were reports of another hack in the world of bitcoin. While the digital currency does offer some advantages to users, it also creates serious challenges, like security. Here are some important points to understand before you invest.


Q: I want to buy bitcoin, but I’m worried about security. What should I do?

Well, you could always avoid it.

Q: That is not the answer I wanted.

This isn’t for everybody. It is important to understand how bitcoin operates if you’re going to invest, and what the risks are.

Q: OK, so let me have them.

One big risk is the volatility. It is hard to ignore. But another fundamental one is this: if you lose your bitcoin, it is gone. If you get robbed, or lose control of your account, it is no different than if you lost a $5 bill.

Q: Why?

Bitcoin transactions are designed to be final upon completion. They get recorded in an open ledger, which can be updated but never altered. It is that quality—open and permanent—that allows bitcoin to operate without a bank or government controlling it.

Q: Wait, you said “open ledger.” So, I can see where my bitcoin went, right?


Q: Then why can’t we get it back?

Since bitcoin is supposed to be like cash, there is no requirement to have an identity attached to a transaction. This is mainly to keep government from prying into your accounts, but it also ends up offering a cloak to malefactors. In some instances thieves can be found, but it isn’t easy.

Q: So if I get robbed I’m out of luck?

Basically, yes. This is why it is critical to understand security. Your bitcoins will be only as safe as you can make them.

Q: How do I do that?

It depends upon how much control you want. Coinbase is a very popular service right now, and part of its appeal is that it maintains your account for you, just like a bank, and streamlines the security. But that means you’re trusting a third party. For some people, getting away from third-party control is the whole point of bitcoin.

Q: OK, assuming I want that, what do I do?

It starts with having two keys that control access to your wallet, one public and one private.

Q: My wallet?

It is a nickname for an online account. Every wallet is protected cryptographically with two “keys,” in this case long strings of numbers and letters. One is the public key, and it is like an email address. When you want to receive bitcoin, you give out this key. The other is the private key. This is what allows you to access your wallet, and to take money out of the wallet.

Think of this like a password. Or a real key to a real lock. Anybody who gets that key can open the lock. You should store it someplace safe and never give it out.

Q: Well, duh, of course. Why would I?

A lot of phishing schemes are predicated on clever ways to get you to give up your private key. It might look like an official email from your wallet provider, for instance. In reality, hacks and phishing scams in bitcoin aren’t much different from the real world. It is all about either gaining access by brute force (hacks) or by manipulation (phishing).

Mobile phones are acutely vulnerable. Some hackers have realized they can trick phone-service providers into porting your phone number over to a new phone—one they control. After that, they can start resetting your passwords and cracking into any accounts you have on that phone—because the phone number often acts as the backup access point.

This can and has happened to even sophisticated bitcoin holders. Some services, like Coinbase, have advised customers to use Google Authenticator as their backup access.

Q: So what do I do?

Some users keep their accounts on devices that aren’t their phones, for one thing. Some are “hardware wallets,” such as USB sticks with the software for a wallet loaded on. You would transfer the balance onto the stick, detach it, and you’re done.

Q: And that is totally safe?

Not totally. If you lose the stick, it is the same as losing cash. The money’s gone forever. It happens. There are estimates that 3-4 million coins have been lost forever because users lost the USB stick, or the private key, or something similar. At current prices, that is at least $45 billion of wealth that is completely lost in the ether.

Q: Sounds risky.

Like we said, this isn’t for everybody.

Write to Paul Vigna at paul.vigna@wsj.com