Since the beginning of 2015, the bitcoin industry has seen an increasing number of data breaches targeted at bitcoin wallet service providers and exchanges, leaving the private keys of bitcoin accounts and user funds vulnerable to potential hacking attacks.
Leading bitcoin exchanges and wallet platforms have begun to implement backup encryption systems and multi-signature technology, and to provide hierarchical deterministic (HD) wallets to secure user funds.
Deterministic & Multi-Sig Wallets
Leading deterministic bitcoin wallet platforms include Electrum, CarbonWallet, TREZOR and Armory.
Carbon Wallet is a web-based deterministic bitcoin wallet that generates private keys from the passphrase and does not use server-side storage. Transactions are signed locally in the browser and private keys are not shared with the server.
Carbon Wallet requires users to control at least two private keys using the multi-signature technology. The web-based platform automatically encrypts private keys with the passphrase of the browser.
Furthermore, unlike popular bitcoin wallet platforms including Coinbase and Circle, Carbon Wallet implements a unique 2 factor authorization system called Out of Band 2 Factor, which “means that users’ 2 factor security is not open to social engineering.”
Most importantly, the wallet operators (Carbon Wallet Administration Team) do not have any access to user funds. Thus, even if the platform is hacked, users will not lose their funds.
“The mechanism used by Carbon Wallet is more complicated, replicating the one used internally by Electrum, but it shares the same ability to generate as many addresses as the user requires,” explains Ethereum founder and developer Vitalik Buterin.
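To make the "as many addresses as the user requires" property concrete, the following added example (not code from Carbon Wallet, Electrum or any project named here) derives a chain of private keys from one secret using BIP32 hardened derivation, the HD wallet standard, rather than Carbon Wallet's own scheme. The PBKDF2 passphrase-stretching step, its salt and the function names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac

# Order of the secp256k1 group used by Bitcoin.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def master_from_seed(seed: bytes) -> tuple[int, bytes]:
    """BIP32 master key generation: returns (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= N:
        raise ValueError("seed yields an invalid master key; use another seed")
    return key, digest[32:]


def derive_hardened(parent_key: int, chain_code: bytes, index: int) -> tuple[int, bytes]:
    """BIP32 hardened private derivation (CKDpriv with index >= 2**31)."""
    if not 0 <= index < HARDENED:
        raise ValueError("index must be in [0, 2**31)")
    data = b"\x00" + parent_key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + parent_key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child at this index; skip to the next index")
    return child, digest[32:]


def seed_from_passphrase(passphrase: str, salt: bytes = b"example-salt") -> bytes:
    """Assumption for this example: stretch a passphrase into a 64-byte seed with PBKDF2."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, 2048)


def account_keys(passphrase: str, count: int) -> list[str]:
    """Re-create the first `count` hardened child keys from the passphrase alone."""
    key, chain = master_from_seed(seed_from_passphrase(passphrase))
    return [format(derive_hardened(key, chain, i)[0], "064x") for i in range(count)]


if __name__ == "__main__":
    # Constructed passphrase, for illustration only.
    for i, k in enumerate(account_keys("correct horse battery staple", 3)):
        print(f"m/{i}' -> {k[:16]}...")
```

Because every key is recomputed from the secret, nothing needs to be stored server-side, and the strength of the whole wallet reduces to the entropy of that one passphrase or seed.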
Armory is an open-source, Python-based wallet-management application for the Bitcoin network that offers:
- An Encrypted Wallet
- SecurePrint for all Backup Types
- Message Signing
- Decentralized Multi-Signature “Lockboxes”
- Cold Storage / Wallets
- Fragmented Backups.
Armory has been considered the most secure bitcoin wallet since its launch in 2011 and is known as the “pioneer” of cold storage and distributed multi-signature technology.
“Armory pioneered easily managing offline Bitcoin wallets using a computer that never touches the Internet. Users are empowered with multiple encrypted Bitcoin wallets and permanent one-time ‘paper backups’,” stated Armory.
Bitcoin users and investors who hold tens of thousands of dollars in bitcoin are advised to store their funds in an easily accessible cold storage. Armory guides users in creating paper wallets or secure cold storage for their funds and broadcasting it to the network to store in an online wallet.
“Plus, Armory employs many security practices so that even if someone physically stole your offline system then it still may take centuries for them to get through the advanced wallet encryption,” explained the Armory team.
The 2015 Spring Bitcoin Privacy Rating Report released by the Open Bitcoin Privacy Project rated Armory as the second most secure wallet in the world behind DarkWallet, giving it an overall rating of 54/100.
Mycelium is a mobile bitcoin wallet awarded the prestigious “Best Mobile App” award by Blockchain.info in 2014. Mycelium is ranked the third most secure bitcoin application and wallet platform by the Open Bitcoin Privacy Project mainly for providing users with 100% control over their private keys, which never leave the device unless exported.
The Mycelium mobile application offers multiple security and privacy-focused features to secure user funds. These include:
- Encrypted PDF backup and restore of single key accounts
- Watch-only addresses & private key import for secure cold-storage integration
- Trezor enabled – directly spend from Trezor-secured accounts
- Directly spend from paper wallets (single key, xPriv or master seed)
- Mycelium Entropy compatible Shamir-Secret-Shared 2-out-of-3 keys spending
- Deterministic signatures for Bitcoin transactions (RFC6979)
Poor and Insecure Bitcoin Wallets
Bitcoin users or investors that own a large number of bitcoins are strongly advised to avoid bitcoin wallet platforms, including Coinbase and Circle, that have full or partial access to user funds.
This could be incredibly dangerous if the platform or the operators are targeted with a series of hacking attacks, as it may leave users’ private keys vulnerable to hackers.
For example, more than 1,500 bitcoins were stolen from multiple hot wallets in bitcoin exchange Bitfinex in May 2015.
At the time, Bitfinex announced that 99.5% of its users kept their bitcoin in bitcoin wallets that implemented multi-signature technology. However, the remaining 0.5% of users, who did not implement any additional security measures, were targeted by hackers in a data breach.
“Dear Customer although we keep over 99.5% of users’ BTC deposits in secure multisig wallets, the small remaining amount in coins in our hot wallet are theoretically vulnerable to attack. We believe that our hot wallet keys might have been compromised and ask that all of our customers cease depositing cryptocurrency to old deposit addresses. We are in the process of creating a new hot wallet and will advise within the next few hours. Although this incident is unfortunate, its scale is small and will be fully absorbed by the company,” announced Bitfinex.
For best practice, it is recommended to use HD wallets, implement the multi-signature technology and store funds in a cold wallet or paper wallets.
Reference
http://www.openbitcoinprivacyproject.org/2015/05/spring-2015-wallet-privacy-rating-report/
Seems like a lot of good contenders are missing from the list. Any plans to maybe do an updated analysis separating hardware wallets from lightweight/or mobile only ones?