Bitcoins at risk of theft on flawed Android apps
A weakness in the Android mobile operating system has left users of the virtual currency Bitcoin vulnerable to theft, the Bitcoin Foundation has said.
The issue affects some Android "wallet" apps, the organisation said, including Bitcoin Wallet and BitcoinSpinner.
To protect an Android wallet, the developers said users must update their apps once a new version was available.
The news came as a US banking regulator ordered companies to co-operate with a probe into the way Bitcoin is used.
HOW BITCOINS WORK
Bitcoin is often referred to as a new kind of currency.
But it may be better to think of its units as being virtual tokens that have value because enough people believe they do and there is a finite number of them.
Each of the 11 million Bitcoins currently in existence is recorded on a shared public ledger, the block chain, rather than held as a file anywhere.
New Bitcoins are created through a process called "mining", which involves a computer solving a difficult mathematical problem: finding a hash of the latest batch of transactions - a 64-hexadecimal-digit number - that falls below a target set by the network.
Each time a problem is solved the computer's owner is rewarded with 25 Bitcoins.
To compensate for the growing power of computer chips, the difficulty of the puzzles is adjusted to ensure a steady stream of about 3,600 new Bitcoins a day.
To receive a Bitcoin, a user must also have a Bitcoin address - a randomly generated string of 27 to 34 letters and numbers - which acts as a kind of virtual postbox to and from which the Bitcoins are sent.
Since there is no registry linking addresses to people, a user can transact without revealing a real-world identity, although every transaction is recorded publicly, so the anonymity is only as good as the user's care in keeping addresses unlinked.
These addresses, and the private keys that control them, are stored in Bitcoin wallets, which are used to manage savings. They operate like privately run bank accounts - with the proviso that if the private keys are lost, so are the Bitcoins they control.
The Bitcoin Foundation said the wallet problem had to do with Android's ability to generate the secure random numbers needed to keep wallets safe.
Android's SecureRandom class, the Java API that apps rely on for cryptographic-quality random numbers, could return the same value more than once. Bitcoin transactions are signed with ECDSA, which needs a fresh random number for every signature; if the same number is used for two signatures, anyone who sees both can calculate the private key and spend the coins.
Members of a Bitcoin forum have suggested that the equivalent of thousands of US dollars may have already been stolen.
Number sequences
"Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app," the Bitcoin statement said on Sunday.
The issue affects only programs where the number sequences - or private keys - are controlled on the user's device.
For wallet apps that were vulnerable, Bitcoin said it would be necessary to change keys.
This involves "generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself", according to the Bitcoin statement.
The developers of several affected apps, including Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and blockchain.info, were preparing updates to fix the problem, the Bitcoin Foundation said.
But experts say virtual currencies could face ongoing problems of a similar nature because of the way they have been designed.
Dr Joss Wright, a research fellow at the Oxford Internet Institute, said that cryptographers relied heavily on a computer's ability to generate random numbers in order to keep information secure, but added that computers did not always do this reliably.
"Choosing good random numbers is the key issue," Dr Wright said. "If the random numbers can be predicted by somebody else, this could lead to all sorts of security problems."
Meanwhile, the New York Department of Financial Services has told about two dozen firms associated with Bitcoin that it wants information on their anti-money-laundering programmes, consumer protection measures and investment strategies, according to a newspaper report.
The newspaper said there were concerns that virtual currency companies did not comply with money transfer rules and the state of New York was considering legislation aimed specifically at virtual currencies.
Bitcoin is the most well-known of a handful of virtual currencies. The currencies are developed through a computer process called "mining" and can be traded on exchanges or privately between users.