After a recent hack, it is a good time to understand how a Bitcoin wallet (or a wallet for any other cryptocurrency) actually works
This week’s Parity hack was the latest in a series of substantial wake-up calls for people who own or invest in Ether, Bitcoin and other cryptocurrencies, not only because money is being stolen with apparently increasing frequency, but because the thieves seem increasingly to get away with it.
In the case of Parity, CoinDesk reported that about 153,000 ether were drained through a security bug in Parity’s multi-signature wallet. The thief was then able to cash out by converting the ether through an intermediary exchange. The method and speed of the conversion, together with the use of Tor to cover their tracks, make it appear that the money is gone for good.
Such an event, following so closely on other high-profile robberies such as the CoinDash ICO theft of July 17, points to a constant fact of life: thieves are everywhere, and sophisticated thieves make it their business to find every weakness in every system. Even ahead of the long-anticipated Bitcoin fork of August 1, holders were advised to move their coins into wallets whose private keys they control themselves, such as hardware wallets, away from the immediate grasp of those whose job it is to profit from confusion.
So what does this mean for people who simply want to own some virtual currency as an investment, or to actually buy something with it? The same rules apply as in the physical world: you have to know where your money is and how safe it is, and that requires some understanding of what a Bitcoin wallet is.
Most people start their cryptocurrency adventure by buying through an online marketplace like Coinbase. Rather than being a wallet in the strict sense, Coinbase and companies like it are closer to traditional banks: they hold your bitcoin, ether or litecoin for you and make it very easy to buy and sell. Officially called hosted (or custodial) wallets, they allow cryptocurrency to be bought with a credit card, which makes them an easy entry point for beginners. The private keys, and therefore the coins, stay under the company’s control: if its systems are breached, or it freezes or loses your account, you have no independent way to recover the funds.
This leads people to want more privacy and direct control over their holdings, at which point they turn to software wallet apps installed on their smartphone or desktop, where the private keys are generated and stored on their own device.
Most people go for wallet apps like Breadwallet or Copay. Some are exclusively for one platform, iOS or Android, while others have a version for each; Bitcoin.org maintains a good summary. With wallet apps, the idea is to keep modest amounts spread across several wallets rather than putting all your savings in one app. Use the app’s PIN or passphrase lock, and two-factor authentication wherever a service offers it, and back up the entire wallet (the recovery seed phrase or the wallet file) so that every private key, including those for change addresses, is included. Ideally backups go on disconnected media such as a USB stick or an offline disk, and are themselves encrypted or locked away, since a readable backup is as good as the keys to anyone who finds it.
A wallet app that is connected to the internet is often referred to as a “hot wallet.” Some of these apps synchronise by downloading and validating the entire blockchain, which is the only way to check your balance and transactions without trusting anyone else; Bitcoin Core works this way. That download is extremely large and is not advisable over a cellular connection. Most smartphone wallets, Breadwallet among them, instead use simplified payment verification (SPV): they fetch only the block headers plus the transactions relevant to their own keys, and confirm each payment by checking that it hashes into a block header’s Merkle root. That is a far smaller download, at the cost of trusting that the chain with the most work behind it is honest.
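How a light (SPV) wallet checks that a transaction is in a block without downloading the whole chain, as an added example written for this page rather than code from Breadwallet or any other wallet. It builds a Bitcoin-style Merkle tree (double SHA-256, last hash paired with itself on odd levels) over constructed txids, produces the branch a full node would send for one of them, and verifies it against the root, which in a real wallet is read from the block header it already holds. Five leaves are used deliberately so the odd-count duplication rule is exercised; the txids and the “block” are constructed, not real chain data.

```python
import hashlib

def dsha256(data):
    """Bitcoin's hash for txids and Merkle nodes: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def _next_level(level):
    # Bitcoin's rule: an odd number of hashes pairs the last one with itself.
    if len(level) % 2:
        level = level + [level[-1]]
    return [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(txids):
    """Root a full node stores in the block header (32 bytes, internal byte order)."""
    level = list(txids)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_branch(txids, index):
    """Sibling hashes from leaf `index` up to the root; this is what a full node
    sends an SPV client instead of the whole block."""
    branch, level = [], list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        branch.append(level[index ^ 1])
        level = _next_level(level)
        index //= 2
    return branch

def verify_branch(txid, index, branch, root):
    """SPV check: hash up the branch; the low bit of the position says whether
    the sibling sits on the left or the right at each level."""
    h = txid
    for sibling in branch:
        h = dsha256(sibling + h) if index & 1 else dsha256(h + sibling)
        index //= 2
    return h == root

def demo():
    """Constructed block of five txids (odd count exercises the duplication rule)."""
    txids = [dsha256(b"constructed tx %d" % i) for i in range(5)]
    root = merkle_root(txids)           # in real life: taken from the block header
    branch = merkle_branch(txids, 3)    # proof for the 4th transaction
    return {
        "genuine": verify_branch(txids[3], 3, branch, root),
        "last_leaf": verify_branch(txids[4], 4, merkle_branch(txids, 4), root),
        "forged_txid": verify_branch(dsha256(b"not in this block"), 3, branch, root),
        "wrong_position": verify_branch(txids[3], 2, branch, root),
        "branch_len": len(branch),
    }

if __name__ == "__main__":
    print(demo())
```

The branch for a five-transaction block is only three hashes, which is why an SPV client can confirm a payment from kilobytes rather than the full block. What the proof does not tell the client is whether the block is on the best chain or whether the transaction is a double-spend; that is the trust in accumulated proof of work mentioned above.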
For users who want to keep their coins safe for longer periods (as opposed to trading with them or spending them), the next level of sophistication is called cold storage. The usual arrangement uses two computers. A networked machine runs a watch-only wallet: it holds only public keys or addresses, so it can track balances and build an unsigned transaction, but it cannot spend. The unsigned transaction is carried on a USB stick, SD card or QR code to a second computer that holds the private keys and is never connected to any network. That machine shows the operator what is about to be signed, signs it, and the signed transaction is carried back to the online machine, which merely broadcasts it. The online computer never sees a key, so compromising it can at most reveal balances or present a bogus transaction for signing, which is exactly why the offline machine must display the destination and amount before it signs.
Other technologies that aim to keep your keys, and so your money, safe include:
- Hardware wallets – dedicated devices whose only job is to hold keys and sign transactions. The private key never leaves the device, and the device’s own screen shows what is being signed, so a compromised PC cannot silently redirect a payment. They are backed up by a recovery seed phrase written down at setup.
- Paper wallets – the private key (often as a QR code) is printed on paper and must be typed in or scanned to spend. The paper is the secret: anyone who photographs it can spend the funds.
- Brain wallets – the key is derived from a passphrase you memorise and type in. These have a poor track record, because attackers brute-force common phrases against the blockchain, and a passphrase strong enough to resist that is hard to remember reliably.
- Multi-signature wallets – funds can only be spent when a set number of designated keys sign, for example 2 of 3, so a single stolen key is not enough.
The Parity heist happened because of a bug in its multi-signature wallet. According to Business Insider, “Parity ranked the severity of the bug as ‘critical’ in its public remarks, urging ‘any user with funds in a multi-sig wallet’ move their funds to a secure address.” This shows that even with the strictest precautions, technology, and new versions of a technology in particular, still has vulnerabilities. In Parity’s case the multi-signature policy was sound in principle; the wallet code that was supposed to enforce it was not, so the extra signatures protected nothing.
So, is there any technology you can completely trust?
That’s a loaded question. Most often the best security is not absolute security but security that makes the robbery effort unprofitable. Some will argue that airtight security is better, but as Parity, CoinDash and the DAO demonstrate, it is almost impossible to achieve. There is always an error, a slip of some kind, that leaves the whole thing vulnerable, and very often that weakness is human in origin: sloppy password hygiene, software rushed to market, old code patched over rather than rewritten, or code that has not been fully and independently tested, all leave openings for ever-vigilant attackers. Merely being connected to the internet is enough opportunity for them to at least try.
By dividing one’s assets among several wallets, the prize for thieves is substantially reduced. They too must spend time and resources on their craft, and if a target does not look worth it, they will likely move on. High-profile events like the CoinDash ICO or the Bitcoin fork proposed for August 1 illustrate the converse: they are so well publicised, and there is so much at stake, that sophisticated thieves see merit in scrutinising code, websites, even tweets to find a weak spot. This is the same problem that bedevils software giants like Microsoft and Apple: they are so popular that every software or hardware release is an invitation for crackers and vandals to try their luck.
These are still early days in the Bitcoin/blockchain era. Many people are leaping onto a bandwagon that promises great progress and great riches to early adopters, and bad news like hacks and thefts tends to tarnish the technology’s image, especially in the media. Since thieves have always been part of human existence, the obligation for self-protection starts and ends with the individual. Whatever time you currently spend on password hygiene and due diligence, triple it, and check back regularly.