Topic: Private key security level (Read 415 times)

HCP
legendary
Activity: 2086
Merit: 4361
February 20, 2018, 12:07:34 PM
#16
I think they may have been referring to the "old" 2FA system that sent codes via SMS. As you've pointed out, most of the 2FA systems these days work with Google Authenticator app... and the "Secret Key" is on the device itself, not just tied to your phone number.

Although, I have experienced a couple of services over the last 6-12 months that still use SMS codes, at least, for initial signup confirmation of a telephone number etc.
sr. member
Activity: 658
Merit: 282
February 20, 2018, 04:10:28 AM
#15
...

Any system has flaws. 2FA can be breached (for example, a perpetrator can impersonate you, restore your SIM card and further steal your identity). ...

This only works if someone can access an exchange account using your mobile
phone number (e.g. reset the exchange account password using an SMS verification code).

After all, the 2FA application is running on the application layer and not on the SIM card.
E.g. even if someone manages to impersonate me at my mobile phone provider and manages to get
a SIM card, he will still not be able to breach the 2FA of my exchange accounts.

The real risk is that you back up your 2FA recovery seed/code in a way where a third person
can access it (e.g. storing it digitally, storing it in your wallet or similar questionable behavior).
Merely obtaining a SIM card for the mobile phone number should not be enough to breach 2FA.

member
Activity: 392
Merit: 41
This text is irrelevant
February 20, 2018, 12:43:06 AM
#14
Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.

The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import keys.

The question is, how to trust any of the existing crypto-wallets to store private keys?

P.S. My answer is "no trust" to all of them.

I also wonder about the security of our private key when putting it in an online world, where it would be possible for attackers to do anything with it, because it is an internet-connected machine, so it would always be possible for hackers to do evil things. Unless we have that kind of security, like an authenticator, where no one can access your credentials, and the good thing about it is its offline mode.

Any system has flaws. 2FA can be breached (for example, a perpetrator can impersonate you, restore your SIM card and further steal your identity). However, you need to weigh all those risks against 2 key things:
1. How much do you keep in your wallet? (If the amount is insignificant or less than the effort an attacker will need to take to get to it, you are probably safe)
2. How much have you told the "world" about your holdings?

Also, you probably want to care about "random" attacks, i.e. malware that doesn't have a specific target and just attacks anyone that it manages to infect. Basic internet safety precautions should help you with that, but don't guarantee you won't get attacked.

If you are holding below 1 BTC (this is my personal measure, it may vary for you), I would suggest you use the most basic means (encrypted wallet, standard anti-virus, follow basic rules like "don't run things if you don't know where they came from" or "don't click links... EVER"). If you're holding above 1 BTC (again - it's my measure) - just put whatever you don't need in immediate reach offline.

Always remember - Better safe than sorry.
Good luck and stay safe!
jr. member
Activity: 199
Merit: 2
February 19, 2018, 05:51:14 PM
#13
Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.

The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import keys.

The question is, how to trust any of the existing crypto-wallets to store private keys?

P.S. My answer is "no trust" to all of them.

I also wonder about the security of our private key when putting it in an online world, where it would be possible for attackers to do anything with it, because it is an internet-connected machine, so it would always be possible for hackers to do evil things. Unless we have that kind of security, like an authenticator, where no one can access your credentials, and the good thing about it is its offline mode.
newbie
Activity: 101
Merit: 0
February 18, 2018, 12:09:56 AM
#12
The wallet that has the private key is the best security level. But you have a lot of options to store cryptocurrency.
1. For coin platforms, I recommend a cold wallet such as Ledger, Trezor, paper wallet... (https://en.bitcoin.it/wiki/Hardware_wallet)
2. For token platforms, mostly based on ETH, I recommend MEW...
full member
Activity: 168
Merit: 100
February 17, 2018, 02:51:41 PM
#11
Paper wallet is the answer, I use it to store most of my coins.
member
Activity: 434
Merit: 10
February 17, 2018, 12:46:47 PM
#10
Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.

The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import keys.

The question is, how to trust any of the existing crypto-wallets to store private keys?

P.S. My answer is "no trust" to all of them.
You cannot completely trust online services. Everybody understands this, but they have to do it because of the comfort. Owners of large sums leave only a small fraction online.
HCP
legendary
Activity: 2086
Merit: 4361
February 16, 2018, 02:35:05 PM
#9
Well, I really don't have to bother much about that where the site has been proved to be a trusted site by the symbol of the locked key. And, if I get hoodwinked after confirming it is a trusted site, so be it, and it then means the site will not exist again after losing the trust of so many investors who actually believed in the genuineness of the site and trusted to invest their money with them.

Or, otherwise, how then do we invest again when the sites we trust with their locked key at the left side of their web page defraud us?
That "locked key" just indicates that the site has an SSL certificate and that any data being transferred to/from the site is encrypted and "private".

ANYONE can make an SSL certificate for their website... It does NOT indicate in any way that the site is trusted!!?!

If you are trusting sites based purely on whether or not they use HTTPS and have an SSL certificate, you are likely to be scammed at some point.
member
Activity: 1302
Merit: 25
February 16, 2018, 06:53:32 AM
#8
Well, I really don't have to bother much about that where the site has been proved to be a trusted site by the symbol of the locked key. And, if I get hoodwinked after confirming it is a trusted site, so be it, and it then means the site will not exist again after losing the trust of so many investors who actually believed in the genuineness of the site and trusted to invest their money with them.

Or, otherwise, how then do we invest again when the sites we trust with their locked key at the left side of their web page defraud us?
full member
Activity: 294
Merit: 104
February 15, 2018, 07:30:05 AM
#7
Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.

The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import keys.

The question is, how to trust any of the existing crypto-wallets to store private keys?

P.S. My answer is "no trust" to all of them.

You're right about that. Never trust those online wallet services.
legendary
Activity: 3024
Merit: 2148
February 13, 2018, 09:01:34 AM
#6
Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.

No, this is wrong, you need some sort of connection to send transactions - which might not even necessarily be an Internet connection, since there are already methods that allow you to send BTC transactions via SMS, but you can create transactions in an isolated offline environment, which will prevent malicious code from sending your private keys to its masters. However, malicious/poorly written clients can make you lose your coins in other ways, like replacing your receiving and change addresses with attacker addresses, replacing destination addresses, using weak random number generators, reusing the k parameter of ECDSA, and so on. So, you will always have to put some trust in wallets, and you should check discussions of wallets that you use from time to time to keep them up to date and receive all the recent bugfixes.
member
Activity: 392
Merit: 41
This text is irrelevant
February 13, 2018, 07:47:20 AM
#5
Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.

The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import keys.

The question is, how to trust any of the existing crypto-wallets to store private keys?

P.S. My answer is "no trust" to all of them.

Short answer: Your answer is correct.

Long answer: The issue of "trust" is pretty complicated. If we look at any problem from a security officer's point of view, it is easier to mark everyone as untrustworthy and simply deny everything (because everything is a possible threat to some extent). In a perfectly safe condition, nothing really works. However, to maintain reasonable productivity, you need some way of risk tolerance. The whole of human infrastructure is piled upon this concept, and every time you take a plane or drive your car you accept the potential risks of those activities. To be successful in assessing your risks you need to carefully consider:

What are you trying to achieve?
What path can you take in achieving it?
What risks does each path bear?
What is the cost of taking each path?
What will happen if your worst risk actually happens?

Applying all of the above, there are 2 usual scenarios that come to mind:

1. You are a small bitcoin holder who is involved in day trading on some exchanges. This way it will be convenient to simply keep your assets on your favorite platforms and store profits in either a cold wallet or in fiat.
2. You have a lot of BTC that you don't often use. In this case you probably want to store everything in a cold wallet.

In real life it is usually a mixture of the two above cases, where you want to assess and decide how much of your assets to store online and how much to store in cold storage. But ultimately - unless you are the only one who has access to the private key - you are NOT in control of the coins.
sr. member
Activity: 257
Merit: 343
February 13, 2018, 04:02:25 AM
#4
same question here: https://bitcoin.stackexchange.com/questions/70662/private-key-security-level/70676?noredirect=1#comment81975_70676

Yes, dealing with funds and crypto currency is basically a question of trust.
There have been too many lost funds due to exchanges going down. So be extremely careful to secure your funds. Only when you have the private keys yourself, the funds are secure. At the point when you use an exchange, "they" control the keys, with the keys the funds, and you could only trust them.

Storing the keys locally on your machine depends on your willingness to invest in security measures.
As I replied already in stackexchange, security is a trade-off.
See my answer to a similar question here: https://bitcointalksearch.org/topic/m.29442089

I think an offline solution is the best you can achieve nowadays, and it provides enough trust that you can sleep without fear of losing coins.
staff
Activity: 3458
Merit: 6793
Just writing some code
February 12, 2018, 11:53:49 PM
#3
The question is, how to trust any of the existing crypto-wallets to store private keys?
Most wallets are open source, and the ones that aren't are ones that you should not use.

So because they are open source, you can go and read through the code yourself and make sure that it is secure. Then you can compile the wallet from source (so that you don't have to trust any distributed binaries) so that you know that the source code that you read is exactly the code that went into the wallet program that you are running.
HCP
legendary
Activity: 2086
Merit: 4361
February 12, 2018, 09:35:45 PM
#2
You either set up a two computer "cold storage" system with one "online" (internet connected) that only has public keys... and one "offline" (air gapped) that is never connected to the internet or any network and has your private keys

OR

You get a hardware wallet so that your private keys are never exposed to any computer... even if you connect it into an internet connected computer.

refer: https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet
jr. member
Activity: 36
Merit: 3
February 12, 2018, 08:09:23 PM
#1
Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.

The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import keys.

The question is, how to trust any of the existing crypto-wallets to store private keys?

P.S. My answer is "no trust" to all of them.