I have already written plenty of tutorials about storing cryptocurrency safely, and many others have done the same, yet there are still people who store large amounts very insecurely and then wonder why they lose it.
If you haven't read my tutorials, please do, to get an idea about this:
- https://steemit.com/cryptocurrency/@profitgenerator/cryptocurrency-storage-method
- https://steemit.com/howto/@profitgenerator/strategy-to-store-wealth-in-cryptocurrencies
- https://steemit.com/security/@profitgenerator/generate-secure-random-passwords-or-private-keys
- https://steemit.com/steemit/@profitgenerator/tutorial-secure-your-steemit-account
- https://steemit.com/bitcoin/@profitgenerator/tutorial-generate-bitcoin-private-keys-securely
- https://steemit.com/security/@profitgenerator/top-5-things-you-thought-were-secure-but-are-not-100-sp
- https://steemit.com/security/@profitgenerator/passwords-and-dices-tutorial-to-create-secure-passwords
- https://steemit.com/technology/@profitgenerator/biometrics
- https://steemit.com/security/@profitgenerator/what-is-a-safe-password-or-private-key
So as you can see, I have been writing a lot about this, and so have many others here on Steemit and Bitcointalk...
1) Online Wallets
By "online wallet" I mean services where you don't have direct control over the coins. You can't withdraw money directly; you need to ask their permission, and then they will send you the money, or NOT.
This includes exchanges, crypto debit cards and mobile wallets; basically most Bitcoin services operate like this. They are a custodian of your funds, and you don't really own the coins, you just have a claim on them. Most of the time that claim will be fulfilled, but it's enough for it to fail just one time, and your money is gone.
Of course there are online wallets that promise the keys are generated locally and only you have control over them, like Blockchain.info. I am not sure if they still operate like that, since their outlook has changed since I last used them.
But even if online wallets promise that the keys are generated locally, you can't prove this. I mean, even if they open-source their code, you can't prove that the code running on the website is the actual open-sourced code.
C'mon people, the point of open source is that you can compile the code yourself, and in the case of a website running code this is impossible to do. Unless somebody invents deterministic website-building software, but until then this is not proof.
So anyone can say anything, just like your e-mail provider pre-2013 said that they were not spying on you. Well, it turned out to be a bad joke.
If you have decent amounts of coins, 10,000$+, don't use online wallets; the risk is just too big, and you can never know whether they will get hacked or not, or who knows what else.
In fact it's not even the hackers that are the biggest problem, but civil asset forfeiture. Most Bitcoin are tainted by illegal activity.
So you bought a 5$ gift card from a person who also sells drugs? On the blockchain it looks like you have bought drugs, because in the eyes of the investigator it's just a transaction. Now the Government will seize all your 10,000$; it's just that simple. And you will never get it back, even though you are innocent.
2) Mobile Wallets
People who advocate for mobile wallets are idiots. It's not just a bad joke to have money stored on a "communication device" that can transmit data both ways, but it also encourages systemic risk from cyberwars.
Banks started giving out mobile-banking apps to customers, but there at least the money is inside the bank, and you just have access to a read-only platform where you can check your account balances. I don't know whether you can send wire transfers out of a mobile-banking app, but I hope they have daily withdrawal limits there. Of course from a desktop online-banking platform you can send out wire transfers, which is a huge problem, but that's another topic.
With Bitcoin mobile wallets the risk has essentially doubled. It's not just that you have no privacy (after all, it's a communication device), but the proprietary operating system is probably backdoored too. So they can just send out your private keys via SMS and you are literally fucked.
The security risk with phones is huge:
- http://www.computerworld.com/article/2860742/chinese-android-phone-maker-hides-secret-backdoor-on-its-devices.html
- https://www.digitaltrends.com/computing/apple-vs-fbi-backdoor-to-data-already-exists/
- http://investmentwatchblog.com/nsa-monitoring-your-cell-phone-code-insterted-into-android-operating-system-spy-proof-app-in-the-works/
- https://theintercept.com/2014/12/04/nsa-auroragold-hack-cellphones/
- https://www.scmagazineuk.com/nsa-hacks-70-of-global-mobile-phone-networks/article/540915/
- https://www.theregister.co.uk/2013/12/31/nsa_weapons_catalogue_promises_pwnage_at_the_speed_of_light/
- https://www.theguardian.com/technology/2015/feb/20/mobile-phones-hacked-can-nsa-gchq-listen-to-our-phone-calls
- https://arstechnica.com/tech-policy/2014/12/exposed-nsa-program-for-hacking-any-cellphone-network-no-matter-where-it-is/
- http://www.spiegel.de/international/world/how-the-nsa-spies-on-smartphones-including-the-blackberry-a-921161.html
Not to mention we have no idea how good the random number generator of a phone is. That is a secondary problem, however; it pales in comparison to the malware problem, where the private keys can just be smuggled out via SMS and all the money you store on the phone can be gone in an instant.
You know, the Government is really stupid: they created all these spying devices and malware, but now, due to their trendy nature, everyone is using them for finance, and now that cyberattacks and hacks are happening, the population is caught with their pants down.
Don't fall into this trap. Storing Bitcoin on a phone is like printing out the private key on your T-shirt and walking around in the city.
3) Desktop Wallets
Well, they can't send out the private key through SMS, but they can via wireless, Bluetooth or the internet, and even the blinking of the LED lights on your computer can be used to send out private keys in Morse code to a nearby hacker.
But of course these are low-threat events; their probability is lower, and you can somewhat defend against them by removing the wireless card from your PC, covering up the LED lights, removing the microphone and webcam, and unplugging the network cable when working with keys.
Essentially you need to have an air-gapped PC. Even that is not perfect security, although I bet it already eliminates 99% of threats, and hackers always go after low-hanging fruit, so probably the mobile phone users will be their targets.
But even then, some malware or a bad RNG is enough to steal money. Computer random number generators are pretty weak, and you should probably use at least Linux, where the /dev/random system has been shown to be pretty robust.
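Physically pulling the wireless card and the cable is the real measure; what follows is an added example (my own Python, not code from this post) of a pre-flight check you can run on the Linux box before touching keys, so that a forgotten-but-configured interface does not undo the air gap. It parses the output of `ip -o link show` and reports any radio (Wi-Fi or WWAN, recognised by the `wl`/`ww` name prefix, an assumption about Linux interface naming) and any non-loopback link that is administratively UP or has carrier. The sample output embedded below is constructed, not captured from a real machine.

```python
import re
import shutil
import subprocess

# One line of `ip -o link show`: "<idx>: <name>[@peer]: <FLAG,FLAG,...> mtu ... state <STATE> ..."
_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>")

# Name prefixes Linux gives to radios (predictable naming and legacy names): Wi-Fi (wl*) and WWAN modems (ww*).
_RADIO_PREFIXES = ("wl", "ww")

REASON_RADIO = "radio interface present; remove or disable the card"
REASON_CARRIER = "link has carrier (cable connected or radio associated)"
REASON_ADMIN_UP = "administratively UP; would connect as soon as a cable is plugged in"


def unsafe_interfaces(ip_link_output: str):
    """Return a sorted list of (interface, reason) for every link that breaks the air-gap policy.

    Policy: only the loopback may be UP; any radio is a finding regardless of state;
    a wired interface is a finding if it is admin-UP or has carrier (LOWER_UP).
    """
    findings = []
    for line in ip_link_output.splitlines():
        m = _LINK_RE.match(line)
        if not m:
            continue  # not a link line (or a continuation we do not need)
        name = m.group("name")
        flags = set(m.group("flags").split(","))
        if name == "lo":
            continue  # loopback never leaves the machine
        if name.startswith(_RADIO_PREFIXES):
            findings.append((name, REASON_RADIO))
        elif "LOWER_UP" in flags:
            findings.append((name, REASON_CARRIER))
        elif "UP" in flags:
            findings.append((name, REASON_ADMIN_UP))
    return sorted(findings)


def is_airgapped(ip_link_output: str) -> bool:
    """True when the policy above produces no findings."""
    return not unsafe_interfaces(ip_link_output)


# Constructed sample in the `ip -o link` format (not from a real host): a wired NIC left admin-UP
# with no cable, an associated Wi-Fi card, and a wired NIC that is properly down.
SAMPLE_IP_LINK = r"""1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: enp4s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
"""


def live_check():
    """Run the policy against this machine, or return None if `ip` is not installed."""
    if shutil.which("ip") is None:
        return None
    out = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    return unsafe_interfaces(out)


if __name__ == "__main__":
    findings = live_check()
    if findings is None:
        print("`ip` not found; checking the constructed sample instead")
        findings = unsafe_interfaces(SAMPLE_IP_LINK)
    for name, reason in findings:
        print(f"NOT AIR-GAPPED: {name}: {reason}")
    if not findings:
        print("OK: no non-loopback links up and no radios present")
```

Bluetooth radios do not show up as network links, so pair this with `rfkill list` on the same box. And remember that a check like this only catches leftover configuration; malware with root can flip interface state back, which is exactly why the advice above is to remove the hardware rather than disable it.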
4) Hardware Wallets
Hardware wallets are pretty much the best bet you have now, although I don't know how good their random number generator is. It might as well be pretty flawed, unless it uses some kind of secure electronic component to generate it, like a Zener diode, which can be used for perfect random number generation.
Now, we don't know how they do this; they could just use the CPU clock, which is a big problem, since that contains too little entropy. So unless they have a good RNG device built into it, it's rubbish.
Some wallets allow you to add your own entropy, which is necessary; then I guess the device is secure, unless there is some code vulnerability on it.
Of course there are claims that private keys can be extracted from a Trezor via a power analysis attack.
So I guess it's not perfect, but still these attacks are very impractical in nature, so you should have no worries about storing large amounts on hardware wallets if the above conditions are met.
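As an added example (my own Python, not code from this post or from any hardware wallet maker, whose internal mixing may differ), here is the principle behind "add your own entropy": the device's RNG output and the user's dice rolls are both fed into SHA-256, length-prefixed, so the resulting 256-bit seed is unpredictable as long as at least one of the two sources is. A clock-seeded device RNG with almost no entropy is then covered by the dice, and a biased die is covered by the device. Assumptions: a fair six-sided die (about 2.585 bits per roll, so 100 rolls for 256 bits), a 256-bit seed as the target, and `os.urandom` standing in for the device's RNG.

```python
import hashlib
import math
import os
import secrets

BITS_PER_D6 = math.log2(6)  # a fair six-sided die yields ~2.585 bits per roll
TARGET_BITS = 256            # width of a secp256k1 private key


def rolls_needed(target_bits: int = TARGET_BITS) -> int:
    """How many D6 rolls reach target_bits of entropy, assuming a fair die (100 for 256 bits)."""
    return math.ceil(target_bits / BITS_PER_D6)


def dice_entropy_bits(rolls) -> float:
    """Entropy of a list of D6 outcomes under the fair-die assumption; rejects out-of-range values."""
    for r in rolls:
        if not isinstance(r, int) or not 1 <= r <= 6:
            raise ValueError(f"invalid die roll: {r!r}")
    return len(rolls) * BITS_PER_D6


def mix_entropy(device_entropy: bytes, rolls, min_bits: int = TARGET_BITS) -> bytes:
    """Combine device entropy with user dice rolls into a 32-byte seed.

    Each input is length-prefixed before hashing so the two fields cannot be confused
    with one another, and a version tag separates this use of SHA-256 from any other.
    The output is unpredictable if EITHER input is unpredictable; it only collapses
    when both sources are weak at the same time.
    """
    if dice_entropy_bits(rolls) < min_bits:
        raise ValueError(f"need {rolls_needed(min_bits)} rolls for {min_bits} bits, got {len(rolls)}")
    if len(device_entropy) < 32:
        raise ValueError("device entropy must be at least 32 bytes")
    h = hashlib.sha256()
    h.update(b"entropy-mix-v1")
    for part in (device_entropy, bytes(rolls)):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def generate_seed(rolls) -> bytes:
    """Seed = mix(OS CSPRNG, dice). On Linux os.urandom draws from the kernel pool."""
    return mix_entropy(os.urandom(32), rolls)


def constructed_rolls(n: int):
    """Constructed rolls for the demo only; real rolls come from physical dice on an air-gapped box."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


if __name__ == "__main__":
    rolls = constructed_rolls(rolls_needed())
    print(f"{len(rolls)} rolls = {dice_entropy_bits(rolls):.1f} bits of dice entropy")
    # Even with a totally broken device RNG (all zeros), the seed still depends on the dice.
    weak_device = bytes(32)
    print("seed with weak device RNG:", mix_entropy(weak_device, rolls).hex())
    print("seed with OS RNG mixed in:", generate_seed(rolls).hex())
```

The important properties to check are the ones a wallet's own mixing should have too: the same inputs always give the same seed (so you can rebuild it from the dice and the device value), changing a single die changes the whole seed, and fewer rolls than the target entropy are refused instead of silently accepted.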