How to Use Cryptocurrency Without Getting Hacked

Written by tokens.express | Published 2018/04/29
Tech Story Tags: bitcoin | ethereum | cryptocurrency | hacking | crypto-hacking


Written By Esco Obong, CTO @Tokens Express

An inaccessible vault is just as good as empty

If you hold any cryptocurrency, you’ve probably heard horror stories of people opening their wallets to find all of their coins missing. Last week, cryptocurrency investor and influencer Ian Balina suffered a hack that drained $2 million worth of cryptocurrency live during one of his regular YouTube streams. This week MyEtherWallet, a popular free web-based ethereum wallet, fell victim to a DNS attack which emptied the wallets of some of its users.

With all the bad press about millions being stolen through cryptocurrency hacks, the average consumer may wonder why anyone would risk their hard-earned money on crypto. As it turns out, cryptocurrency is actually the safest form of currency you could possibly use online today. With some extra effort, you can safely view your balances and send and receive transactions, all with a near 0% chance of your funds being stolen. Sound too good to be true? It’s simple.

If you want to use cryptocurrency without getting hacked then you need to both create your wallets and make your transactions entirely OFFLINE.

No, that wasn’t a joke. Unlike with traditional banks, you have the power to create accounts (wallets) and transactions by yourself, while your computer is completely disconnected from the internet. To understand how this works, let’s use ethereum as an example and take a brief look at what makes up an ethereum wallet:

Note: this only protects your holdings if they are stored in a wallet that was generated offline and has always been, and always will be, offline. This is commonly referred to as “Cold Storage” in the industry and is a practice used by many cryptocurrency exchanges such as Coinbase and Binance.

Your ethereum wallet is made up of a private key, public key, and address.

The private key is like your account’s password. It’s used to “sign” transactions (think sign off or approve). It should never be shared with anyone. It’s a long string of text that is randomly generated when you create your wallet.

0x3a1076bf45ab87712ad64ccb3b10217737f7faacbf2872e88fdd9a537d8fe266

The private key is used to generate an even longer string called a public key. The public key is used to validate transactions that were signed with the private key. You can learn about how public-key cryptography works from this article.

0xefb99d9860f4dec4cb548a5722c27e9ef58e37fbab9719c5b33d55c216db49311221a01f638ce5f255875b194e0acaa58b19a89d2e56a864427298f826a7f887

The public key is used to generate a 40 character string called your ethereum address. This is like your username. It can be used to look up your balances and receive funds.

0xc2d7cf95645d33006175b78989035c7c9061d3f9

The only two things you need to keep track of are your ethereum address (username) and private key (password). If you’ve ever used a random password generator you can think of your private key the same way. It was generated through a process that randomly selected each letter/number with so much randomness that, for practical purposes, the result is guaranteed to be unique. This process happens directly on your computer without any need for an internet connection.

With this, we have all we need to create a new and unique ethereum wallet entirely offline. As described above, once your private key has been generated offline, it’s used to create your public key, which is then used to create your ethereum address.

This process can be done for you safely and automatically with the click of a button using a wallet app such as MyEtherWallet in offline mode. Using MyEtherWallet in offline mode is safe from DNS attacks because you run it directly from your private computer instead of visiting a public URL.

Receiving ether and tokens to your account only requires you share your ethereum address which is safe to do. This is similar to giving out your bank account and routing numbers so that someone can wire you funds. They can send funds but not withdraw. Viewing balances is just as simple.

Unlike traditional bank accounts where your balance and transaction information is stored privately on the bank’s computers, all current and historical ethereum account data is publicly available to the world.

Ethereum is a desktop application that can be installed by anyone from ethereum.org. Think of it like BitTorrent where you download a torrent application that allows you to download public files directly from other computers. When you download and run the Ethereum app, it will start downloading files directly from other computers too, except it’s for one big thing called a “blockchain”. Instead of movies and mp3s, these blockchain files contain all ethereum account information that ever existed.

You wouldn’t want to run this on your personal computer because, as of now, even using a lighter version of the blockchain you’ll need to dedicate nearly 70GB of hard drive space, and this number continues to grow over time. There are a few online tools such as etherscan.io and ethplorer.io that download all of this information to their own servers and organize it for you. All that’s required is to enter your ethereum address and they will instantly show all the ether and tokens it holds. There’s no need to load your private key into an online wallet.

Look up the balances of any address, even one belonging to a top cryptocurrency exchange such as Binance.com.

Sending transactions securely is a bit more involved. In order to avoid online hack risks, it will need to happen offline. To understand how this could possibly be done offline let’s take a quick look at how ethereum transactions work. For a more detailed explanation check out this article.

An ethereum transaction is a digital record of the transfer of value. It stores the amount being sent, the address that sent it, the address that received it, and other metadata normally added automatically by your wallet. This information is used by the ethereum blockchain to figure out what the balance of every ethereum account should be and who made/received what transactions.

Anyone can make one of these transactions on their computer, and it doesn’t require an internet connection since it’s just a simple record of senders, receivers and amounts. When I say anyone I really mean anyone, including hackers. Because of this, there is a security measure in place which uses that private key (password) we keep talking about to “sign” every single transaction made (remember, it’s like signing off or approving). Since you never shared your private key with anyone (right?) and you created the private key on a computer that is entirely offline (no internet hackers can get to you), it’s impossible for anyone but you to make a real transaction with your ethereum account without your consent.

All you need to do is press a simple button and your wallet application will handle loading and using your private key to sign transactions with public-key cryptography in the background. It will give you a 128 character string of text that proves, with the help of math and cryptography, that you made that transaction. This string is called the signed transaction hash. For this transaction to actually affect the public ethereum network and be processed by miners, it needs to be broadcast online.

Since your transaction was signed with your private key, it’s impossible for any hacker to change the sender, recipient or amount being sent due to the power of public-key cryptography.

Because of this security you can freely copy your signed transaction from the offline computer to an online device that can broadcast it. Heck, you could even tweet it publicly, nothing will be able to change the transaction.

Keep in mind that the computer you use to make ethereum wallets offline always needs to be offline…present and future. Using an offline computer grants us near zero hack risk for two reasons:

Reason 1: The machine is protected from the outside world.

If the machine has no internet access then the internet has no access to it, including hackers. This protects the private key from being stolen by remote hackers. Without the private key, hackers can’t sign fake transactions, and any transaction they can’t sign will be rejected by miners.

Reason 2: Even offline machines can be hacked.

If your machine was hacked before being taken offline, or later through an inserted external USB drive, it could be compromised with malicious code that steals your private keys or broadcasts signed transactions without your consent. If your machine is brought back online without being wiped, there is a chance that dormant hacks can become active and funds can be stolen. Deleting your wallet from the machine is not enough because malicious code could have copied it elsewhere.

The wallet software you install on your offline machine could also be hacked to produce modified transactions with unintended recipients. Make sure to download it from a trusted source over a secure, verified HTTPS connection.

Secure connections can be verified in each browser: Chrome, Firefox, Safari, Edge.

If you find the above method too cumbersome, you could always opt for a hardware wallet like the Ledger Nano S which automates the cold storage method and doesn’t require a second computer. The private keys are stored on a “secure chip”, the kind used on bank debit and mobile SIM cards. The secure chip is completely isolated from USB communication which prevents it from being infected by hacked computers. For the most part, hardware wallets provide significant security advantages for the average user but aren’t without their issues.

Even with all of these security precautions, vigilance is still needed. Over $400M was stolen from ICO contributions as of 2017. The biggest ICO frauds happened through phishing attacks. This is when a hacker impersonates a party receiving funds, in this case the ICO team. Victims are tricked through fake websites and social accounts into sending funds to what they think is a real ICO address and never receive their tokens.

Another attack involves fraudsters impersonating popular names in the crypto industry on social platforms and tricking users into sending them funds with the promise of returning it with a profit that never comes. These phishing scams are considered social hacking. The best way to avoid social hacks is to confirm the identity of the person or address you are sending funds to.

There aren’t many options for verifying recipients today, but we at Tokens Express are working on a social network for cryptocurrency HODLers that will maintain a verified list of tokens and ICOs along with social profiles that are verified through blockchain technology and realtime chat designed with safeguards against phishing attacks and spam.

Download the alpha today https://play.google.com/store/apps/details?id=express.tokens.tokens

Stay safe out there!


Published by HackerNoon on 2018/04/29