Published: 24.09.12

Better security for the internet currency Bitcoin

The internet currency Bitcoin was created in 2009. It is meant to offer the same advantages as cash. The new electronic currency has an increasing number of supporters. But ETH researchers have found that there is a security problem. They also have a suggestion for how this problem could be solved.

Felix Würsten
Security loopholes make electronic payment systems potentially unsecure. (Illustrator: Aurel Märki)

We use the internet for payments more and more, but some security problems remain to be solved. Scientists from the System Security Group at ETH Zurich recently tested the security of the internet currency Bitcoin.

An uncomplicated, electronic payment system that offers the same advantages as cash – this is exactly what everyone has been dreaming of who has been fighting for more freedom on the internet and against the might of the banks. Precisely one such system was created in 2009: the internet currency Bitcoin. Despite all the prophecies of doom that the system would soon burst like a bubble, and despite all the warnings that Bitcoin promotes trading in illegal goods, the new electronic currency has an increasing number of supporters.

Modern encryption technology

The virtual money was made possible by modern encryption technology. Every Bitcoin is secured by a key; every transaction that the (anonymous) users perform is registered so that the same coin cannot be used twice. However, the verification of a payment usually takes ten whole minutes. Sometimes, the seller even has to wait for an hour before he can be sure that the money transferred is actually his. For online traders who sell books on the internet, this amount of time is not a problem. For quicker transactions, such as purchasing a hamburger at a snack bar, however, it is a major obstacle. If the buyer is not to wait unnecessarily long, the seller has to hand over the goods without any definitive confirmation.

Security loophole

Together with Ghassan Karame and Srdjan Capkun, Elli Androulaki, a postdoc at the Institute of Information Security, managed to demonstrate that there is actually a security loophole here, even if it has never been exploited in concrete daily life. With an elaborate configuration, the buyer can actually spend his electronic coins twice: first, he buys the goods he desires; then he transfers the same amount to his own account. As the transactions are verified via a complex process in the Bitcoin network and not by a central office, the buyer can perform an exchange manoeuvre: the seller sees that the Bitcoins have been transferred to his account, so he is willing to dispatch the goods. However, if the buyer is clever enough, the network only registers the second illegal transaction instead of the first legal one, and the buyer ends up with both: the goods and the money.
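
The seller's side of the situation described above, as an added Python example; it is not code from the ETH study or from the Bitcoin project, and it is not the solution the researchers proposed. Tx, SellerView and all transaction values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str    # constructed identifier
    coin: str    # the coin being spent
    pay_to: str  # receiving account

class SellerView:
    """What one seller knows: unconfirmed transactions seen, and registered ones."""

    def __init__(self):
        self.seen = {}        # coin -> unconfirmed transactions spending it
        self.registered = {}  # coin -> the one transaction the network kept

    def observe(self, tx):
        bucket = self.seen.setdefault(tx.coin, [])
        if tx not in bucket:
            bucket.append(tx)

    def register(self, tx):
        # Only the first registered spend of a coin counts.
        self.registered.setdefault(tx.coin, tx)

    def status(self, payment):
        final = self.registered.get(payment.coin)
        if final is not None:
            return "confirmed" if final == payment else "rejected"
        rivals = [t for t in self.seen.get(payment.coin, []) if t != payment]
        return "conflict" if rivals else "pending"

    def safe_to_release(self, payment, accept_unconfirmed=False):
        state = self.status(payment)
        return state == "confirmed" or (accept_unconfirmed and state == "pending")

def demo():
    """Replay the scenario from the article with constructed transactions."""
    to_seller = Tx("tx-1", "coin-A", "seller")
    to_self = Tx("tx-2", "coin-A", "buyer")
    view = SellerView()
    states = []
    view.observe(to_seller)
    states.append(view.status(to_seller))   # seller sees only the payment
    view.observe(to_self)
    states.append(view.status(to_seller))   # the rival spend reaches the seller
    view.register(to_self)
    states.append(view.status(to_seller))   # the network kept the rival
    return states

if __name__ == "__main__":
    print(demo())
```

A seller who hands over goods while the status is still "pending" is relying on never having seen a rival spend of the same coin, which is the case the fast-payment scenario depends on.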

If Bitcoin is to establish itself as an everyday, viable alternative, this gap needs to be plugged, confirms Capkun, in whose group the study was conducted. “We are already in talks with the operators of the Bitcoin network and have proposed a concrete solution, which is now due to be implemented.”

Globe in the current issue: “Safely into the networked world”

Further articles about IT security are available in the current issue of Globe. The magazine of ETH Zurich and ETH Alumni shows some of their projects. With concrete issues derived from practical experience at the heart of what they do, scientists from ETH Zurich are working under high pressure with partners from industry at the Zurich Information and Privacy Center (ZISC) to make information systems more secure. The magazine is also available as a free iPad version.
The Globe iPad app is available for download in German and English from the iTunes store, with additional picture galleries and films on individual articles. As of next year, there will also be a version for Android devices.
Globe is also available on the internet.