In an amusing real-life story that provides an interesting lesson in information security, a Bloomberg TV anchor found that his Bitcoin holding worth $20 was stolen by a viewer after the anchor displayed his private key on the show. The private key, which was in the form of a QR code, was shown to the camera, and one of the viewers captured it, gaining control of the wallet. He transferred the 0.28 BTC that was in the wallet. Though he later indicated that he wanted to return it to the anchor, the anchor asked him to retain it. (Refer article)
Beyond the amusing part, there is a lesson in information security for all in this story. First, it should be clear to everyone that the “Private Key” in a digital signature should always be kept confidential, and revealing it is like revealing the password to your bank account. The second aspect is storing confidential information in the form of a QR code. A QR code may look like a puzzle to the human eye, but it is easily read by any QR reader, which today is a standard mobile app available to everybody. Hence displaying the QR code of the private key was like reading out the password to the bank account.
The public should therefore learn not to reveal their private keys in any form to others.
We may recall here that in India we use the digital signature system as a legally accepted means of authenticating electronic documents, and all company directors are mandatorily required to use such digital signatures for filing their returns with the Government. Since the filing of returns is often done by Chartered Accountants and Company Secretaries, it is a common practice amongst many directors to leave their private keys with their chartered accountants or company secretaries. This is a serious compromise of the confidentiality of the private key. Just as the Bloomberg viewer above stole the anchor's bitcoin holding by knowing the private key, a company director who reveals his private key to another can find any contract entered into in his name and face the adverse consequences, including the filing of a false income tax return which may declare all his Swiss bank wealth to the IT authorities!
Hope the lesson is learnt.