It’s all about the keys
Cryptocurrencies and their switchback rise and fall continue to grab news headlines, prompting security fears among more cautious investors. It helps to have a clearer understanding of the actual threat to one’s private wallet, as Sepior explains.
The interviewer asks: “So, Professor, the public needs to know: can parents be one hundred percent sure about the safety of their child when it takes your vaccine?” The professor is angry and frustrated – wanting to say that the child will be safer than if it does not take the vaccine. But that might be interpreted as “evading the question”.
It is a real dilemma: people tend to think of “security” as an absolute. We are often asked about some internet-connected online service: “is it secure?” – as if security were the definitive state of being one hundred percent free from any risk or harm. The unfiltered reality is: “no, there are no definitively secure solutions for any online service, including crypto wallets”.
Like the interviewer, they are asking the wrong question. It would be more relevant to ask: “is my crypto wallet sufficiently secure that no one is likely to invest the time, effort and expense necessary to defeat the system and steal the funds?” Of course, the unfiltered answer to that question is “it depends”.
If, for example, we’re talking about a single, privately owned and controlled wallet that is securing the private keys for some $100 in cryptocurrency, the answer is almost certainly “yes, it’s good enough”. Highly skilled cyber adversaries would hardly invest the time and resources needed to defeat even a minimally secured system for just $100.
If, however, we’re talking about an exchange that is managing the security for thousands or millions of customers’ wallets – collectively representing hundreds of millions of dollars – then it would take a substantially more secure solution to be “secure enough”. Any hacker could justify the enormous time, effort and expense required to reap such a massive reward.
A quick review of publicised theft metrics through the end of 2018 illustrates that most crypto criminals are indeed focused on exchanges. During 2018, nearly 96% of all publicised cryptocurrency thefts were from exchanges, versus 4% from privately controlled wallets. Since Bitcoin was launched in 2008, a total of over $1.5B in crypto assets have been stolen from exchanges. Of those losses, more than half occurred in 2018 – $950m stolen in 2018, up from $266 in 2017 – suggesting that cybercriminals are becoming more sophisticated and that hacking risks are increasing.
So the big, scary news headlines about cryptocurrency theft are predominantly about theft from exchanges – the equivalent of physical bank robberies – whereas theft from your private wallet is more like the risk of being mugged in the street. So, what is the actual risk? How would a hacker steal from your private wallet?
There is a common misconception that your crypto wallet actually stores and protects your cryptocurrency coins. In reality, no coins physically exist – instead, the quantity and type of coins associated with your account are recorded on the blockchain ledger. All that your wallet stores and secures are the cryptographic keys that are used to generate a unique cryptographic “signature”. This signature is used to authorize the withdrawal of a specific amount of coins for a specific transaction from that ledger. Without that key, and the generated authorization signature, no coins can be transferred from your account.
Should, however, your private cryptographic key be lost or stolen, your funds would also be lost or stolen. Your wallet is only as secure as your private key. This is familiar territory, for securing a cryptographic key is like securing any other key – such as a password or PIN – and the same rules apply. For example: you must be very careful about writing it down in an insecure location or sharing it with other people. Above all, be aware that hackers are more likely to try to trick you into revealing your key via “social engineering” such as phishing messages. As with the adoption of two (or more) factor authentication, wallets can also be secured in such a way that two or more keyholders’ signatures are required to open the wallet.
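To make the last two paragraphs concrete, the following added example (not from the original article or from Sepior) shows a signature that is bound to one specific transaction, and a wallet policy that needs two of three keyholders to sign. It uses a hash-based Lamport one-time signature as a stand-in so that it runs on the Python standard library alone, whereas real cryptocurrency wallets use elliptic-curve signatures. The keyholder names, transaction strings and the `authorized` helper are hypothetical.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of random secrets; public key = their hashes.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub

def _bits(tx: bytes):
    digest = H(tx)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, tx: bytes):
    # Reveal one secret per bit of the transaction digest (use each key only once).
    return [priv[i][bit] for i, bit in enumerate(_bits(tx))]

def verify(pub, tx: bytes, sig) -> bool:
    bits = _bits(tx)
    return len(sig) == 256 and all(H(sig[i]) == pub[i][b] for i, b in enumerate(bits))

def authorized(tx: bytes, keyholders, signatures, threshold: int) -> bool:
    # M-of-N policy: count distinct known keyholders with a valid signature over tx.
    valid = {name for name, sig in signatures.items()
             if name in keyholders and verify(keyholders[name], tx, sig)}
    return len(valid) >= threshold

def demo():
    # Constructed sample data: three hypothetical keyholders, 2-of-3 policy.
    keys = {name: keygen() for name in ("alice", "bob", "carol")}
    pubs = {name: pub for name, (_, pub) in keys.items()}
    tx = b"pay 0.5 coin to addr-EXAMPLE, nonce 1"
    tampered = b"pay 50 coin to addr-EXAMPLE, nonce 1"
    sig_a = sign(keys["alice"][0], tx)
    sig_b = sign(keys["bob"][0], tx)
    forged = [secrets.token_bytes(32) for _ in range(256)]  # attacker without carol's key
    return {
        "one_signer": authorized(tx, pubs, {"alice": sig_a}, 2),
        "two_signers": authorized(tx, pubs, {"alice": sig_a, "bob": sig_b}, 2),
        "tampered_tx": authorized(tampered, pubs, {"alice": sig_a, "bob": sig_b}, 2),
        "no_key": authorized(tx, pubs, {"alice": sig_a, "carol": forged}, 2),
    }

if __name__ == "__main__":
    print(demo())
```

Only the case with two valid signatures over the exact transaction is authorized; a single signer, an altered amount, or a signature made without the private key are all rejected.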
So the question “is your crypto wallet secure?” is really a matter of “are you capable of keeping your cryptographic keys secure?” For a private individual it is just like securing any other type of key. But if the wallet is a large one shared between business partners, then it becomes more attractive to hackers and you may need to look into recent advances in multi-signature wallets.