Secure Bitcoin self-custody: Balancing safety and ease of use
Bitcoin’s supply is capped at 21 million, but a significant proportion of that total sum is likely lost forever. This situation is due to a variety of reasons such as lost private keys and discarded storage devices containing substantial amounts of Bitcoin (BTC).
When Bitcoin owners are not being careless with their wallet passwords, they can sometimes be targeted by hackers looking to steal their precious crypto. Those who utilize third-party custodial solutions place their Bitcoin fortune at the mercy of the security protocols adopted by such services.
Indeed, several attack vectors are constantly being utilized to try and gain access to people’s Bitcoin funds. These exploits, which range from the simple to the sophisticated, target any perceived weaknesses inherent in any storage method.
Not your keys, not your coins
Crypto exchanges cater to millions of customers, and it’s reasonable to assume that a significant proportion of that number uses these services as their primary Bitcoin custodian. Under such a custodial arrangement, the cryptocurrency owner does not possess the private key of the wallet.
“Not your keys, not your coins” is a popular refrain in the crypto space, and the maxim serves to warn people of the risks involved in storing cryptocurrencies with third-party entities. Indeed, the crypto landscape is dotted with numerous exchange hacks where cybercriminals broke into poorly-secured platform wallets to steal customer funds.
Sometimes, the exchange recovers from the theft, and other times, the platform goes bankrupt. Mt. Gox and QuadrigaCX serve as examples of the latter, with affected customers still striving to recover their funds.
These days, exchanges are attempting to upgrade their security protocols to prevent hacks. Exchanges holding uninsured and substantial crypto sums in vulnerable hot wallets is now greatly discouraged. Some platforms still make this grave error and often pay the price.
Crypto forensics is also evolving by the day, making it more difficult for cybercriminals to liquidate their loot. In all, 2020 saw a significant decline in the number of crypto-related thefts with rogue actors reportedly stealing $3.8 billion from over 120 attacks throughout the year. However, the emergence of decentralized exchanges has opened up another way for criminals to launder money.
The reduction seen in 2020 has broken a four-year trend of increasing cryptocurrency crime. However, decentralized finance now seems to be the new playground for crypto thieves and other rogue actors with the novel market niche accounting for more than half of the stolen cryptocurrency in 2020.
No magic bullet
When it comes to robust security for self-hosted Bitcoin storage, it’s perhaps important to realize that there is no magic bullet. Indeed, Ruben Merre, CEO of hardware wallet maker NGrave, touched on this point, telling Cointelegraph that BTC owners are often torn between the choice of keeping their coins on exchanges with decreased security or in cold wallets that are typically not user-friendly.
In theory, every conceivable method for holding BTC has tradeoffs, and some of the drawbacks associated with any of these systems can act as an entry point for malicious actors.
Take air-gapped devices for instance. On the face of it, simply isolating a computer from the internet should provide robust security against hacks. However, according to a study recently published by Mordechai Guri, a cybersecurity researcher at the Ben-Gurion University of the Negev, it is possible to “generate covert Wi-Fi signals from air-gapped computers.”
In the research paper, Guri established that “air-gapped networks are not immune to cyber attacks.” Indeed, a skilled hacker can exfiltrate sensitive data like keylogging credentials and biometrics from air-gapped computers.
Perhaps even more alarming are portions of the research study devoted to the possible means of data exfiltration from air-gapped computers placed in Faraday cages, shielded enclosures that block electromagnetic fields. So, relying only on a Bitcoin wallet stored in a computer isolated from the internet might not be as secure as previously thought. A person utilizing this method might need to run signal jammers continuously.
Then, there are hardware wallets that offer robust security with private keys stored offline. Though these devices interface with a computer when in use, they never actually connect to the internet.
A hardware wallet owner needs to either encrypt their keys or store them in a safe place. For the former, if the encryption is performed using a computer that has or will be connected to the internet, then there is a significant risk of losing the keys to malware.
A user can even utilize every security measure available with hardware wallets and still lose their Bitcoin. Hardware wallet maker Ledger has suffered severe breaches leading to the theft of sensitive customer information. With their phone numbers and personal addresses out in the open, several Ledger customers are facing the threat of physical attack.
For Monero’s former lead developer, Riccardo Spagni, Ledger’s failure to protect customer information has exacerbated the difficult nature of secure crypto self-custody, telling Cointelegraph:
“Securing Bitcoin is hard, and people often overestimate their technical abilities. This is made doubly complex by companies, like Ledger, failing to keep customer data secure. Ledger is amazingly competent at building a secure hardware wallet that is also easy to use, but customers are getting caught out by social engineering due to their customer data being leaked. This makes robust Bitcoin storage even more difficult.”A few helpful suggestions
An ongoing survey by NGrave revealed that 25% of crypto users are not securing their coins as well as they think. While hardware wallets might not offer the ease of use associated with keeping Bitcoin on an exchange, the consensus among commentators was that the former option is still the safest method.
According to Merre, when the user opts to own their own assets, they can no longer use the centralized exchange model and have to move to decentralized exchanges, or hot wallets, like mobile apps, adding:
“With all online solutions, you have some level of convenience as everything is easily accessible, but you’ll be giving up a lot of security. For example, your hot wallet will give you a private key to begin with, and hence, that key’s first touchpoint is immediately with the internet. A huge security risk already.”For Spagni, Bitcoin self-custody for the less tech-savvy is a balancing act between security and ease of use. The easiest methods tend to have the least security and the most secure methods require a fair few configuration protocols.
Back in November 2020, Whirlpool Stats’ Matt Odell tweeted his favorite Bitcoin storage setup that combined running Bitcoin Core and desktop-based wallet Specter with a ColdCard hardware wallet. According to Odell, the setup costs about $150 and required at least 10 gigabytes of storage space. Specter works directly with the Bitcoin Core, so combining both eliminates the need for running an Electrum server. The user can then verify transactions on ColdCard directly.
For users who might find the above setup overly daunting, it’s important to include as many security layers as possible on top of their chosen storage method. These include two-factor authentication and encrypted keys, among others.
It is also important to note that backups and retrieval processes for additional security protocols must be carefully stored. According to Spagni, Bitcoin owners should treat information such as seed words, wallet passwords, passphrases and encryption keys as though they were physical gold bars and keep them safely ensconced.
The inability to remember key wallet data has led to many Bitcoin owners locked out of their accounts. As many as 3.7 million BTC, or 20% of the circulating supply, is thought to be lost forever. Some examples of such stories include an IT engineer accidentally discarding his BTC into the trash and now offering $72 million for an opportunity to dig it up. Meanwhile, another early-day crypto enthusiast has forgotten a password for his hard drive containing around $266 million in BTC and only has two password tries left to unlock his stash or it will be lost forever.
To ensure that one does not add to that sad statistic, it’s important to treat seed words, encryption keys and the like as valuable data and guard them accordingly.