Topic: Electrum wallet - Update safely and avoid phishing wallets? (Read 694 times)

Thanks for the topic. I will take a look at it later to see whether I can add new points for my OP. But on smartphones, it is safer to store a very small money, just in case we need to spend for something during our hang-out time.
It is not wise to stop using Electrum like that. The wallet is one of the best wallet for bitcoin. All wallets have their technical specifications that can be compromised by hackers but if their developers show their good capability to fix, it will be great.

In addition, carefully using and updating your wallet will keep you safe. What I wrote in OP can be avoided if people care of wallet verification before making transactions.

Very interesting thread for beginners and others, thank you for it but now it would be even more interesting if you could do the same for smartphones.
It's not very easy to do on Android, so it would be great if someone could tell us which apps are the most suitable for that.

When I did it I had to install a shell terminal on my smartphone which is not convenient on a small screen, and to install gpg packages in it  

https://bitcointalksearch.org/topic/which-app-to-check-pgp-file-signatures-on-android-5189114

I stopped using Electrum, after the hacking incident and I totally stopped using Electrum so I'll be safe and my coins, but after seeing this thread I am thinking of making a comeback to diversify my portfolio, but I prefer the Litecoin version since I'm accumulating Litecoin right now.

It is a useful reminder for tenured users too, not only newbies. I know there are some tenured users are still lazy to ignore the verification steps.
You are right that people should never click on any popup messages from any softwares that remind updating to newest versions. The correct steps to do is always visit and check official update news on official websites, not social media channels (facebook, twitter).

For people who store decent funds in wallets, verification is a must thing to do.
Prevention is better than cure. Don't start to mind about verification wallets after losing your funds.
As always, not all people care to do steps that can help them to increase their security.
It is wrong (somewhat) because the security of your funds depends on some components: The wallet's quality and security; your devices' security; your methods to take care of your PIN, private keys, passwords, and more things.

This is a nice thread which has important pictures that will help newbies understand how to update their Electrum wallet, and after the last few attacks I’m sure people will want to follow the instructions written in this thread. Another method of keeping one’s Electrum wallet safe is by using it’s app, because I never got any notification to update it in the app and overall I feel Electrums mobile app is secure and super easy to use.

Useful topic especially for newbies who are using electrum wallet. That's quite important to be careful during update of electrum wallet since there was an attack in few months back. To be honest I don't not update my electrum wallet from any popups or from update button. When I think I need to update electrum then I go to their official (original) website and install new version. So once new version will be installed older version will be replaced with new version and your wallet file will never effected as well. So I think it's safe way for me handle with update. Of course everyone should verify signature to confirm if its original and there is instruction how to do it. Don't be lazy so you will not be on risk.

Additional information for electrum wallet users.

More specifically https://bitcoinelectrum.com/creating-a-p2sh-segwit-wallet-with-electrum/

If you are a fan of Electrum wallet, you have to learn how to download, verify, install it as safely as possible.

You need to be careful with links always, not only when downloading a wallet.

I always try to search on official media channels, like Reddit, Bitcointalk Ann, Facebook, etc. If all addresses are redirecting to the same domain, I know it is safe to use the application.

Electrum doesn't have social media or whatever, but anyone can find confirmations on forums that electrum.org is the only official website

I think it is easy to follow those steps to verify wallet. Nothing is easy for the first time, even installing Windows, so people have to try hard for the first time.

Verifying Electrum wallet after downloading it from official website is secondary protection from phishing attempts.

I want to re-emphasize that people should never upgrade their Electrum wallet (or other wallets too) by using direct link given in their wallets. Wallets might give warning message that there is new version and ask for upgrade but people (after seeing such wallet upgrade warnings) should visit to official websites to check that there is actually new version or not. If there is new version (on official websites), they can start to download.

After downloading, they can move further by verifying wallets, but I think if they download from official websites, they will be nearly free from phishing attempts. They should do verify, nevertheless, just to be recheck and to be safer.

Relates to official websites, they should not search from Google. Instead of searching, they should remember exactly website address or note those sites on their own ways. Bookmarking on web browsers can be compromised too.

Nice info but a normal user of electrum wallet usually do the simplest way to update the software without checking the authenticity of it especially if the process is a little bit techy like verifying the GPG signatures that needs another 3rd party software like Gpg4win on windows, Is there any other way to verify our electrum wallet besides stated above?

I agree to disagree. Having automatic update-checking feature is good, but wallet should have (at least) a warning message that reminds people to verify wallet manually. This will play as a second-security layer, and is only good for people, not bad.
The warning message should contain links to: official website (from which they will check official announcement on latest wallet version); and wallet verification guide.

Technical revolution help human life become easier and more comfortable, but totally relying on automatically technical process is always bad, especially for such highly interested and vulnerable asset like bitcoin in particular and crypto currencies in general.

I would rather automate it, than having 1000's of people's wallets emptied, because they did not know how to verify a signature to validate a legitimate update. Also, when you make things too complicated, it creates a psychological barrier to entry for people who are not educated or intellectually challenged to adopt this technology. 

Technology helps us to make life easier and to improve on ineffective ways of doing things. Having to remember 1000's of telephone numbers are not practical at all and you can now send a message to say 300 people in seconds on a WhatsApp group.    

People mostly want to do easy things, like upgrading their wallets by available links inside wallets
In my opinion, everything gives users automatic supports will put them under higher risks. Over time, they will become lazier, that in turn will force them under higher risks of attacks from abusers.
For example: Around ten years ago, I do believe that we all remember phone numbers very well, because we had to tap on phone keyboards in order to make phone calls. Since the technical revolution of smart phones, originated by Apple, nowadays, most of us don't remember too many phone numbers.

This is a very good thread, so I will give you some merit for the effort that you put in to compile it, but I think most "newbies" might find this whole process too daunting to simply "update" their wallet.  

The fact that most of these software "updates" and "firmware updates" on hardware wallets are so complex, makes it easy for lazy and newbie people to make mistakes. Wallet providers should develop automated processes to check for the validity of the software updates signature to protect their customers.

Most people are just used to clicking on the "update" button for their software and the software will automatically update without any problems.    

note that in most cases if you are downloading the binaries instead of the source code and compiling it yourself, you are still trusting the developer 100% because you are running a closed source application when you download the compiled version.
although there is a simple (to use but complicated to create) solution to this and i only know two wallets that do it, it is called "deterministic builds". bitcoin core and Electrum are the only wallets that i know of which do this. it means if you compile the code you will end up with the same binaries (eg. both have the same hash). so you could verify if for example the .exe that Electrum releases is the same thing as their source code or if it is different.

I just want to point out that more people looking into Electrum is good under the original context of the quote. bob123 was basically saying that plenty of people with the technological know-how have already reviewed its code considering its popularity, meaning you don't necessarily have to review it yourself, and that you need to trust the developer less. I'm not saying that popularity doesn't have its downsides, but it's one of the reasons why Electrum is generally considered trustworthy.

Electrum wallet is one of most favorite non-custodial bitcoin wallets. This wallet is light, high trusted, and has advanced features that some low-quality bitcoin wallets don't have.

It is natural that all wallets have to be upgraded by their developers and by users over time. Unfortunately, there is a fact
Today, I give you all - who have not yet known how to update your Electrum wallet safely - to know how to do it safely.

Let's get started by the first step to know when your Electrum wallet is outdated.
Help > Check for updates. (first image); then you will see this popped up windows (second image)

Now, what should you do to download newest version of Electrum?
I believe what most of you will do is clicking on the available link in popped up windows.
"You can download the new version from https://electrum.org/#download"
Is this what you should do?
NO! You will be under risks if doing this.
This is the first important step that you have to avoid.
There was attacks on Electrum wallets months ago, directly on links provide in their wallets.
Electrum vulnerability allows arbitrary messages, phishing
Such attacks might occur anytime in the future, so just be careful.
In reality, there are more other types of phishing sites, this one is an example, so you have to take care yourself by being very carefully download Electrum wallet.

Tutorials to verify GPG signatures
Tutorials for:

• Windows
• MacOS

After successfully verify ThomasV's GPG signatures, you are safe to use your Electrum wallet for your bitcoin.

---

SUMMARY
[1] Check for updates from official website (can check from wallet first, then re-check on official website)
[2] Always type site address to visit it: electrum.org
[3] Verify ThomasV's GPG signatures before installing new wallet versions
[4] Do all these three steps before doing bitcoin transactions in your newly updated wallet.

---

Read more, to have more fears on fake, phishing Electrum wallets, and being more careful.
[Warning]: Another Electrum Phishing site on the loose
⚠⚠️⚠~Beware on active phishing Electrum websites~⚠⚠️⚠ (Collection list updated)
Electrum vulnerability allows arbitrary messages, phishing