Every few months you hear of another bitcoin exchange that has been hacked somewhere in the world. There are more and more exchanges, and that means there are a growing number of targets for hackers. Hackers know that exchanges are mostly honey-pots, filled with private user information, and more importantly bitcoin that can be virtually instantly stolen and transferred away to an anonymous bitcoin wallet.
There are two types of bitcoin exchanges — those that have already been hacked and those that are going to be hacked. If 500 people have a digital wallet and each wallet controls some bitcoin, the hackers will have to attack 500 wallets to get all the money. But once you centralise them, you create a honey pot and it will be attacked [sooner or later]
Most exchanges have a hot-wallet, where they store the bitcoin they need for withdrawals, and a cold-wallet, where they store the bulk of the user funds securely offline. That being said, with the price of bitcoin on the rise, even a hot-wallet can hold a lot of money and be a huge temptation for hackers.
Bitcoin exchanges need to be fast, so most handle transactions ‘off-chain’, so when you do a bitcoin buy or sell on an exchange, that transaction does not appear on the blockchain….transactions are handled by a database on the server. Only when you withdraw, does the bitcoin move from the exchange hot-wallet, to your intended wallet, and then it is recorded on the blockchain.
Bitcoin exchanges should be used as intended, so in other words, you deposit, exchange, and withdraw once you are done. Only leave the funds on the exchange that you are using to trade. Any bitcoin that you are not trading with, you should withdraw to your own secure wallet, one that YOU control the private keys for.
If you do not control the private keys for your bitcoin wallet, its not your bitcoin! Since exchanges do not provide you with any private keys, once your bitcoin is on an exchange its not technically yours anymore. The exchange just owes you that bitcoin, much like a bank owes you any money you deposit.
When it comes to storing your bitcoin on an exchange, you also have make sure you use a reputable exchange as these days it is easy for them to go bankrupt, get hacked, or even have internal corruption, losing you your bitcoin.
The easy and logical solution is to ONLY store your bitcoin on a wallet that you control the private keys for.
What are private keys?
Well known bitcoin evangelist Andreas M. Antonopoulos is quoted as saying “Not your keys, not your bitcoin“. The ‘private key’ of your bitcoin wallet is literally the key to spending the bitcoin in the wallet (AKA the public key). Without the private key, nobody can spend / steal your bitcoin.
When you setup a decent bitcoin wallet you control your own private keys, and need to secure them yourself. Exchanges make it easy for users to stay ignorant about the security of their bitcoin. Users should learn about the security properly and be actively securing their bitcoin themselves.
When you setup a secure wallet yourself instead of using an exchange, you often get a random collection of 12 or 24 words, which is the private master seed backup, AKA the ‘recovery seed’ used to create your wallet private key.
If anyone gets access to your recovery seed (and understands what it is), they can steal ALL your bitcoins. To re-create your wallet and restore your bitcoin balance if you lose your bitcoin wallet or it gets stolen, all you need is the recovery seed. So the seed creates the private key, and the key gives you access to the bitcoin on that wallet. It is therefore extremely important not to lose your recovery seed, you must keep it in a very safe place.
This seed is what you store securely in a remote location away from your physical wallet, maybe in a physical safe, or even a safety deposit box, and NOT in your gmail or on your computer in an easy to find place. The point is that you are aware that it is important, and you store it securely and appropriately.
All good bitcoin / crypto wallets have at least for the last couple of years given extremely easy to follow and detailed instructions, on how to restore your wallet if your pc gets stolen / lost / damaged, using the recovery seed, and they all explain how extremely important it is to store that seed securely.
User Security on Exchanges
These days exchanges are more secure and an attacker might find that it is often easier to hack the user of the exchange instead of the actual exchange. The cloud based ‘online’ wallet approach works great for many situations, but when you are talking about only a username and password (like most exchanges) as the security for your bitcoin, its not enough.
If someone can remotely access your bitcoin exchange account using only your username and password, you are at great risk. If you use an exchange, you should ALWAYS have 2-Factor Authentication enabled on your account. If you have 2-FA enabled, then an attacker would need your login details as well as your mobile phone to access your account.
What happens if a user does not have 2FA enabled, and their email account is hacked?….Maybe their email comes to their work PC, and another user has access it….What happens if the IT guy or a work mate decides to take a sneaky look at your email? Would you trust them knowing your bitcoin account details?….What happens if they see there is an account on the bitcoin exchange, and they simply reset the password, then check the mailbox and use the new password details to login? Now the ‘hacker’ or person with email access, can take all the bitcoin.
Without 2FA, the account on the exchange is only as secure as the email account…sometimes its a shared / family computer with any number of family / friends / kids friends / staff etc who have access. So if you have an account on an exchange 2-FA is a necessity, you would be a fool not to have it enabled.
Most exchanges protect themselves well against the loss of bitcoin, so that if bitcoin leaves your account, its more than likely your own fault, not theirs…..they are most likely not going to listen to your sorry story and find it in their good hearts to restore your balance if your email was hacked and you didnt have 2-FA enabled.
Mobile wallet apps connected to your exchange account
The next problem with app / mobile based / cloud wallets, is the mobile device itself and how secure it is. If you are known as the ‘guy with bitcoin’ then your phone could be a target to an attacker, especially if it is not secured. Smart phone theft, hacking and malware is on the rise, so be weary about connecting it to your bitcoin wealth.
If a phone is connected to your email, and a baddie who knows you have bitcoin takes ownership of your phone, they can easily reset your password on the exchange, see the new password in the email on your phone, and then login to your account on the exchange website, using the 2-FA app on your phone. So having a bitcoin wallet on your phone means you should always have a password lock on your phone. If your phone does not have a password to open it, a criminal can easily take your bitcoin off the exchange using this method.
Most mobile app wallets at least have a password pin, which unless the baddie knows that, means they can exactly use the app to empty your wallet, but Google Authenticator used for 2-FA has no password, and if your phone is permanently connected to your mail, and unlocked, you are at high risk.
If you want to secure your bitcoin and use a cloud based wallet, you need to secure your account with 2-Factor Authentication, Secure your email with 2-Factor Authentication, Secure your mobile phone with a password.
If you secure your bitcoin on a secure app / wallet that gives you the recovery seed, you need to secure that adequately, preferably in a remote location, and again have password protection on your device.
The easiest way to securely store your bitcoin
A bitcoin hardware wallet such as a Trezor, or Ledger Nano S makes securing, and transacting with your bitcoin extremely easy. You are provided with your recovery seed upon setup, and can secure that accordingly. So you are immediately in control of your own private key, no 3rd party is involved.
A hardware wallet for storing bitcoin should be put somewhere safe and secure. It is not like a mobile phone wallet, where just by the fact that it is on your phone, is usually within arms reach. Your full bitcoin balance should be secure and only your ‘spending’ balance should be on your mobile phone wallet.
When you use a hardware wallet you are much more aware of where it is, and how securely it is stored than most people are with their phones wallets. It is far better than securing all your bitcoin wealth on a mobile app / wallet, especially since at some point in time, most people who have a mobile phone have lost one, or had one stolen, which can potentially be your bitcoin gone.
Your bitcoin security depends on you
When it comes to bitcoin, you need to be on control of your own private key securing your bitcoin. Exchanges get hacked, and go bankrupt, and even the users accounts get hacked, email gets hacked or is vulnerable, and mobile phones are often not secure and can be lost or stolen. You should not rely on an exchange to secure your bitcoin, use it as an exchange and withdraw your bitcoin after you are done exchanging.
The lesson here is that if you don’t control the keys, you don’t control the bitcoin. Possession is nine-tenths of the law, and in bitcoin, possession of the keys is ten-tenths of the law. If you don’t control the keys anymore, it’s not your bitcoin! That lesson will be learned as many times as it needs to.
If you want a decent wallet that you control the private keys for, we suggest the Airbitz, Mycelium, or Greenbit app. For some more information on wallets available visit our page on bitcoin wallets.