Along with paper wallets, there are also the so-called “hardware wallets.” These look like conventional USB sticks. When using a USB stick like this, you would write the private keys on the stick, remove it, and place it in a safe. So far, so safe—at least, if the computer was not connected to the internet and never will be again. Otherwise, malware that was silently active in the background could quickly send the data to a hacker. The same situation would arise as with a paper wallet. So only use these hardware wallets with great care.
Two companies offer secure hardware wallets
For this reason, two firms (at present) have made significant advancements when it comes to sticks like this. They have developed a stick of their own which computes the keys in its own crypto-chip and stores them encrypted. The stick—or in this case the hardware wallet—is connected to the USB port of a computer. The transactions are then created with an application or a program running on the computer.
If a transaction is created, say, one Bitcoin is transferred from Alice to Bob, this software accesses the hardware wallet and the hardware wallet signs the transaction.
The private key is not given out to the software. It stays securely encrypted and hidden in the hardware wallet.
This is probably—together with a paper wallet generated on a one-hundred percent offline PC—the safest method. Hardware wallets naturally require you to write down a passphrase—along with the password that you use to open the wallet itself. This is in case the private key itself is needed. The 24-word chain is generally used in hardware wallets and the passphrase is typed in via small buttons attached to the stick. If you use a system like this, no data are fed in via the PC, so nothing can be discovered and passed on by a virus or Trojan. Of course, the passphrase must be written by hand and kept securely, preferably as several copies in separate, secure locations.
The hardware wallet can stay securely in the safe, even when you’re receiving Bitcoins
Like all wallets, the hardware wallet has a Bitcoin address and can be left in the safe when someone sends Bitcoin to this address. They will arrive safely and increase the balance to which you have access with the private key, which is encrypted in the safe. Remember, the Bitcoins are not kept in the wallet, just the right to transfer the number of Bitcoin noted in the blockchain using this saved private key.
An important safety notice
There is an important safety notice to be made at this point. USB sticks are often distributed as part of a promotion at exhibitions. This is a very popular method for the bad guys to feed viruses into computers. Therefore, never connect a stick to your PC unless it is in its original packaging and comes from a trustworthy third party! A trustworthy producer might be, for example, a company like Wells Fargo, Citibank or Mercedes. It is important that even if the stick comes from one of these big companies, it must be in the original packaging. You can never know what it was connected to before!
You can trust hardware wallets – if you know the history well!
It can be even worse. We’ve established that you can trust hardware wallets. That is what it says in this book and in many other reports. But can you trust a hardware wallet that has been given out at an exhibition or as part of a publicity campaign? The answer is clearly: No! Because they have their own chips, hardware wallets are expensive to give away. In the summer of 2017, there were only two producers left who could be trusted. One is the Ledger wallet (from $70) and the other is the Trezor wallet (from $85). It is highly unlikely products like these would simply be given away.
Other hardware wallets are not as well-known, and unknown products should always be treated with suspicion when it comes to the security of your assets. Connecting unknown chips to your PC is criminally stupid because you can never know what these sticks will do or who is behind them. Even if they do not maliciously send the private key, it would be devastating if a malfunction were to destroy the key or if the passphrase was wrongly generated due to poor quality. The two named producers have been on the market for a long time and have a good reputation.
Some wallets have additional functions beyond their basic functions. The export of private keys and/or the passphrase goes without saying. An interesting additional function is the so-called “multi-sig procedure.” This is basically a simple function that is commonly used in everyday life. With multi-sig wallets, access or rights to transfer money do not depend on one private key, but on several. That means that, for example, 1,000 BTC are only sent if two out of three private keys are used.
A procedure similar to this is a daily practice in most businesses. Transfers must be signed by two directors or one director and an agent. It is also common with some married couples with joint accounts; both signatures are needed to carry out transactions. This is nothing more than multi-sig, which is short for “multi-signatures.”
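The signing flow and the two-out-of-three rule described above, as an added sketch that is not from the book: the wallet object signs without ever handing out its key, and a transfer counts as approved only when two different keys have signed it. A toy Schnorr signature over a small prime field stands in for Bitcoin's real signature scheme, and all class and function names are hypothetical.

```python
import hashlib
import secrets

# Toy Schnorr signatures over a small prime field. NOT secure and not
# Bitcoin's real scheme (ECDSA on secp256k1); stdlib-only stand-in.
P = 2**127 - 1   # assumed toy modulus (a Mersenne prime)
G = 3            # assumed toy base

def _challenge(r, tx):
    data = r.to_bytes(16, "big") + tx
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class HardwareWallet:
    """Hypothetical stand-in for the stick: the key is generated inside
    and there is no method that returns it, only one that signs."""

    def __init__(self):
        self.__key = secrets.randbelow(P - 2) + 1
        self.public_key = pow(G, self.__key, P)   # safe to hand out

    def sign(self, tx):
        k = secrets.randbelow(P - 2) + 1          # fresh nonce per signature
        r = pow(G, k, P)
        s = (k + self.__key * _challenge(r, tx)) % (P - 1)
        return r, s

def verify(public_key, tx, sig):
    """Host-side check that needs only the public key."""
    r, s = sig
    return pow(G, s, P) == (r * pow(public_key, _challenge(r, tx), P)) % P

def multisig_ok(tx, signatures, public_keys, required=2):
    """True when at least `required` different listed keys signed tx."""
    signers = {pk for pk in public_keys
               for sig in signatures if verify(pk, tx, sig)}
    return len(signers) >= required

def demo():
    tx = b"Alice pays Bob 1 BTC"                  # constructed sample
    wallets = [HardwareWallet() for _ in range(3)]
    keys = [w.public_key for w in wallets]
    one = [wallets[0].sign(tx)]
    twice = one + [wallets[0].sign(tx)]           # same key used twice
    two = one + [wallets[2].sign(tx)]             # two different keys
    return [multisig_ok(tx, s, keys) for s in (one, twice, two)]

if __name__ == "__main__":
    print(demo())
```

Signing twice with the same wallet still counts as one signer, which is the property that keeps a single key holder from moving the funds alone.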
This procedure is intended to protect assets from being transferred by one single person, especially when the assets in question are joint assets. In some cases, this would be a sensible thing. These multi-sig wallets are considered especially safe because there is no danger of misuse by one individual. That was the assumption until the “Parity-multi-sig wallet” of the cryptocurrency Ethereum was hacked during an ICO—an “initial coin offering.” Hackers siphoned off Ether (ETH) to the value of $30 million at the time. In an ICO, donors can invest in an idea; there is more about this in the chapter on ICOs and other cryptocurrencies.
White hat hacker vs. black hat hacker
A group of so-called “white-hat hackers” simultaneously withdrew the rest of the deposits, to protect them from access by the black-hat hackers. The secured Ether were given back to the company that had organized the ICO. The white-hat hackers, that is, the good guys, used the same trick as the black hats, the bad guys, by stealing the Ether from the wallets. It is yet another strange story from the crypto world that you couldn’t make up, but there are many such tales and the best that you can do is to learn from them. The problem was quite clearly with the multi-sig wallet, which until then was regarded as secure. The real problem was that the software was in a relatively early stage of development and the error in the code had not yet been discovered. That is why it is so critically important to use only tried and tested systems; systems that have been hacked and then optimized and secured by the developers can also be regarded as tried and tested.
Only use proven systems
For this reason, the same security advice applies to “new” hardware wallets. You should first let the experts test them out. If they find this new thing good, it will prevail, and you can use it. Good wallets always come through because the crypto world is very active and the wheat is quickly separated from the chaff. So, you can see that owning cryptocurrency is not that simple; you have to know what you are doing if you want to be your own bank.
Spend 100 dollars to secure millions
Someone who had lost a lot of money once said in an interview: “When I installed the wallet, I loaded it with $100 and it worked fine. Then it kept getting more and more. When I then had a six-figure sum stolen, I realized that my safety precautions were only worth $100.” The reporter asked why, and he responded: “Well, I had no private keys and no passphrases, but then there was the password that I use on the online exchange, only two characters long. The numbers one and two.” What can you say? If you want to secure $100, you need to think about $100, but if you want to secure $100,000, then you have to consider measures that are proportionate to that. You need to be 1,000 times more secure and know much better what you are doing.
Ultimately, no one is immune from attacks. If you want to keep your assets or part of them on an online system, then you have to act quickly if it becomes known that this service has been compromised. That would be all over the press for big exchanges or wallet providers. But what do you do then?
This is a short story out of my book
Bitcoin, Blockchain & Co.
The Truth, and Nothing but the Truth