The only thing that matters is the checksum, because who cares if the destination address is not currently in the blockchain. It is obviously possible to send BTC to a new address which is not already there.
Are people typing Bitcoin addresses by hand? Aren't they far more likely to c&p a spoofed Bitcoin address?
Shameless plug: we created an OSS "Clipboard Firewall" for Windows [1] to protect against those attacks but feel free to fork it.
People use this against cryptocurrencies. It should be an argument against stupidity instead. You get a confirmation popup as well asking if you are sure about the address in many wallets.
> Each is at least 20 bytes (160 bits) long, with at least 4 bytes (32 bits) of checksum.
Not quite. More modern addresses have 30 bit checksums (so not at least 32 bits!), but rather than being a truncated cryptographic hash the check digits are a BCH code that guarantees any 4 or fewer substitution or transposition errors will always be detected (or 5 bitflips IIRC)... along with one in a billion or better detection of other kinds of errors.
So although the newer formats provides somewhat less protection against wildly incorrect, the protection against likely errors is much greater. The newer addresses are also case insensitive which was the biggest source of transcription errors in most contexts before.
Beyond being better for real errors the use of a error correction code also makes it impossible to intentionally generate 'fragile' addresses where there does exist a one character typo which is a valid address. It also makes it practical for wallet software to highlight the position of a likely typo, which can greatly speed things up when fixing a mistake. (The spec strenuously cautions against correcting errors, because any correction undermines detection strength).
And as hleszek's comment says, existing addresses don't help, generally addresses should not be reused-- they're not accounts, reusing addresses doesn't make the system work better. Early on in Bitcoin's life people created a scheme for shortened addresses where you used truncated addresses that were unmapped to the first user of that prefix. This obviously bad idea ran into immediate spoofing problems, and people quickly learned better.
> but address typos are not a major concern.
Yeah though malware that substitutes addresses in clipboards and copying the WRONG address are both real risks.
What you also might have heard is advice about _Ethereum_, which in spite of being created long after Bitcoin has addresses with no meaningful checksum and which has caused quite significant losses. (There is an optional very weak checksum using mixed case hex, but AFAICT it's not widely used).
Scan a displayed QR code of the address whenever possible.
Isn't that actually worse option? I mean, I don't know about BTC but there are multiple instances of attacks with fake QR codes placed over parking meters. And last time I was looking for QR code generator for some random website the first one I found one "looked to be working", but actually quietly replaced the URL with own link shortening service.
> Isn't that actually worse option?
When done correctly by a payment processor, the receiver's QR code for a Bitcoin payment varies for every transaction. It completely eliminates the risk of mistyping it. Granted, malware could replace it, but replacing it is a lot harder than replacing a simple address.
> there are multiple instances of attacks with fake QR codes placed over parking meters.
Sure, but if someone can change your QR code, they could change the address just as easily. With websites you can see if the URL looks like something legitimate, so URLs are slightly better, but Bitcoin addresses are just a long random string, so being able to see the address wouldn't actually help anything.