Fundamental question about storing crypto safely

[simon43]

This is a very basic question.

 

I have a trading account with BX.  I have used it to speculate with ETH and have made a profit (not difficult!) and have withdrawn those funds.

 

I want to do some more (modest) speculating, but have been reading about the possible risk of losing all if the exchange is hacked or 'disappears.  The solution is to store one's crypto currency in a hardware or even paper wallet.  Then if the exchange is hacked, one's investment is 'safe' - correct?

 

The information I'm missing is the link between buying some coins on BX and then storing those coins in a hardware or paper wallet, not on the exchange.  What is the process to do this? (BX refers to a mobile wallet, but this doesn't seem to be the offline or hardware wallet for safe storage).

 

Bottom line - when I start to speculate with ETH or Dash or Litecoin or...., how do I minimise the risk of having my invested funds stolen from or by the exchange?  (I'm not referring to losing my investment if the crypto value plunges - that is my own risk).

[phycokiller]

you just set up a wallet, go to the exchange and send from there to the address of your wallet. but you will have to send them back to an exchange whenever you want to trade them. if you leave them on an exchange theres really nothing you can do to reducing the risk of the exchange stealing them or getting hacked

[simon43]

Thanks very much for your reply.  BX really doesn't provide any support files about this - looks like they much prefer to keep them on their exchange!

 

I checked another thread on this forum about exodus.io, which looks like a good way to safely hold my crypto.  I can now understand the process of sending bitcoins or Ethereum etc from BX exchange to my wallet.

 

I'm a little wary of BX exchange.  For example, my verified account previously was linked to my Bangkok Bank account, and I previously sent some small funds from Bangkok Bank to my BX account, and traded with these.

 

Today, when I logged into BX, I found that my bank account data had been deleted!  How did that happen?  I never deleted it.  Very worrying.

[phycokiller]

for trading you can use any exchange, I think the japanese ones have no fees for example, no reason to use a Thai one, unless its for your initial purchase. might be better off using something like localbitcoins.com for that. guess depends on who has the best deal

[speedtripler]

On 07/09/2017 at 9:02 PM, simon43 said:

Thanks very much for your reply.  BX really doesn't provide any support files about this - looks like they much prefer to keep them on their exchange!

 

I checked another thread on this forum about exodus.io, which looks like a good way to safely hold my crypto.  I can now understand the process of sending bitcoins or Ethereum etc from BX exchange to my wallet.

 

I'm a little wary of BX exchange.  For example, my verified account previously was linked to my Bangkok Bank account, and I previously sent some small funds from Bangkok Bank to my BX account, and traded with these.

 

Today, when I logged into BX, I found that my bank account data had been deleted!  How did that happen?  I never deleted it.  Very worrying.

This is bulletproof as far as hacking goes but make sure you don't lose the paper wallet!! 

 

 

[tpkhk]

I'm no expert, but you are looking for offline wallets.  Examples are Exodus (Various coins, downloadable & you can also exchange between coins) and Electrum (for Bitcoins alone).

 

Transfer in - You would simply transfer the bitcoins to the address provided by your wallet, just like you would to any address.  

You can back up the actual wallet file - and store it on an unconnected Hard Drive, USB stick etc.  Keep the passphrase etc. all safe...if you loose it &/or the actual file, no one can help.  Turn on 2 factor authentication (Google Authenticator), if applicable.  Try transferring the smallest decimal allowed from your exchange to the wallet as a test.  Sending out from your wallet to any address is just as easy.

 

The ultimate in safety seems to be the Ledger Nano S (hardware like a small USB stick) - holds various types of coins.  Said to be safe even if the computer is infected.  Even if you loose the device, you can recreate your coins by buying a new one and using the passphrase.  I have no experience with this, but all good until the next big vulnerability is revealed.

[tpkhk]

Simon 43, some exchanges, offer their own Safe Wallets in addition to the trading account (analogy - current account vs. a fixed deposit w/ certificate stored offsite). Some exchanges even add delays - for instance moving coins from their offline Wallet, to your trading account takes 3 days.  

 

Sounds good in theory, but the problem is if the entire site is down, goes bankrupt/frozen etc. not sure how they will facilitate access to the offline wallet.

[zib]

If you plan on storing more than the cost of a hw-wallet then just get a hw-wallet. Cost for Ledger Nano S is around 3000 baht.

 

It's not worth bothering with the possible headaches of normal "software" wallets.

[simon43]

I'm based in Myanmar, so cannot do an online purchase of the Ledger (for various reasons such as thieving post office, thieving customs, Paypal and Eay not supported in Myanmar etc).  Is it possible to buy the Ledger Nano S from a bricks and mortar shop in Bangkok?

[zib]

24 minutes ago, simon43 said:

I'm based in Myanmar, so cannot do an online purchase of the Ledger (for various reasons such as thieving post office, thieving customs, Paypal and Eay not supported in Myanmar etc).  Is it possible to buy the Ledger Nano S from a bricks and mortar shop in Bangkok?

https://groov.asia/locations maybe. If not I've heard people just ordering directly to a post office and just go pick it up.

[ThailandLOS]

On 9/7/2017 at 9:02 PM, simon43 said:

Thanks very much for your reply.  BX really doesn't provide any support files about this - looks like they much prefer to keep them on their exchange!

 

I checked another thread on this forum about exodus.io, which looks like a good way to safely hold my crypto.  I can now understand the process of sending bitcoins or Ethereum etc from BX exchange to my wallet.

 

I'm a little wary of BX exchange.  For example, my verified account previously was linked to my Bangkok Bank account, and I previously sent some small funds from Bangkok Bank to my BX account, and traded with these.

 

Today, when I logged into BX, I found that my bank account data had been deleted!  How did that happen?  I never deleted it.  Very worrying.

Exodus is considered very safe, there are no reports of hacks - I use it myself for some of my holdings (bulk kept on Nano Ledger S). Issue with Exodus is that they don't let you have the private keys, only public blockchain address (they will provide a list of random words for the purpose of recreating the wallet if lost). The pair of private key and public address together are the credentials to your 'account' in the blockchain. Any wallet can be seen as only an interface to access this. If your private key is safe, your balance in the blockchain can never be stolen.

 

Install the Exodus locally on your computer - backup the recreation phrase and keep it safe. Never install on a mobile device and make sure that your computer doesn't get compromised (best by keeping it offline if possible). You can check your balance directly thru a blockchain explorer by using your public address for ETH, BTC and other without even need to open up your wallet.

 

A hardware wallet will bring your security up one notch - as it is safe if even if the device your are connecting it to is compromised. But the eternal issue of backup phrase to recreate the wallet if lost and storing private keys is still there.

 

Don't know abt the BX bank account issue. Abt until a month back they allowed cash withdrawals to any bank account (and funding also), then they introduced the verification and my account disappeared before I had gone thru the new verification process. Maybe this is what you are seeing.

 

Edited September 14, 2017 by ThailandLOS

[ThailandLOS]

Also, would advice against Jaxx - which has a nice interface and everything. It was hacked a few months back and there is some fishy stuff going on around this wallet - ppl have reported suspected skimming, e.g. 0.01 BTC/ETH disappearing here and there. I saw it on my own BTC account using Jaxx the other week - funds hadn't been touched for weeks but decreased mysteriously.

 

Plus, the public address in the wallet can not be checked against the blockchain balance - it is based on a Jaxx internal logic.

[taiping]

Exodus works ok for storing Ether and other cryptos, although I use Electrum for Bitcoin. I'm not convinced of the merits of using so-called hard wallets since I do not know how reliably the electronic data is saved (flash memory is not 100% reliable). I do keep a hard copy print out of the addresses and private keys. Using Exodus/Electrum I can access the coins anywhere using the 12-word seed. I think mobile phone wallets should only be used to keep small amounts of crypto.

 

[zib]

7 minutes ago, taiping said:

Exodus works ok for storing Ether and other cryptos, although I use Electrum for Bitcoin. I'm not convinced of the merits of using so-called hard wallets since I do not know how reliably the electronic data is saved (flash memory is not 100% reliable). I do keep a hard copy print out of the addresses and private keys. Using Exodus/Electrum I can access the coins anywhere using the 12-word seed. I think mobile phone wallets should only be used to keep small amounts of crypto.

 

Then just keep a hard printout of the recovery seed from your hw-wallet. It's not different from printing out the recovery seed from any other wallet. And if your hw-wallet breaks just input that recovery seed into Electrum.

 

The benefits of hw-wallets are many. You don't have to worry about malware/hacks stealing your wallet files. Of course it is possible that there's malware/hacks in the future which also exploits the hw-wallet but it's far more difficult than just copying the wallet files from your harddrive.

Also you get to have all your different coins (granted only the 10 most common ones are usually supported) under the same recovery seed so you don't have to keep track of multiple recovery seeds.

 

Also you can use the hw-wallet for pure signing. Continue to use Electrum etc and just sign your transactions with the hw-wallet.

 

 

There is really no downside to it. Since hardware failure can always be recovered by inputting the seed in another client.

[taiping]

23 minutes ago, zib said:

Then just keep a hard printout of the recovery seed from your hw-wallet. It's not different from printing out the recovery seed from any other wallet. And if your hw-wallet breaks just input that recovery seed into Electrum.

 

The benefits of hw-wallets are many. You don't have to worry about malware/hacks stealing your wallet files. Of course it is possible that there's malware/hacks in the future which also exploits the hw-wallet but it's far more difficult than just copying the wallet files from your harddrive.

Also you get to have all your different coins (granted only the 10 most common ones are usually supported) under the same recovery seed so you don't have to keep track of multiple recovery seeds.

 

Also you can use the hw-wallet for pure signing. Continue to use Electrum etc and just sign your transactions with the hw-wallet.

 

 

There is really no downside to it. Since hardware failure can always be recovered by inputting the seed in another client.

Is there any particular brand of hw that you recommend? I would like to experiment with one, although i don't think there is much danger from using Exodus/Electrum on my home PC. Even if the wallet is hacked, without the password they could not access the coins. Am I correct about that?

[seancbk]

On 9/7/2017 at 9:02 PM, simon43 said:

Thanks very much for your reply.  BX really doesn't provide any support files about this - looks like they much prefer to keep them on their exchange!

 

I checked another thread on this forum about exodus.io, which looks like a good way to safely hold my crypto.  I can now understand the process of sending bitcoins or Ethereum etc from BX exchange to my wallet.

 

I'm a little wary of BX exchange.  For example, my verified account previously was linked to my Bangkok Bank account, and I previously sent some small funds from Bangkok Bank to my BX account, and traded with these.

 

Today, when I logged into BX, I found that my bank account data had been deleted!  How did that happen?  I never deleted it.  Very worrying.

 

I wouldn't worry about your bank details not being saved.  That sounds like a security feature in fact.

I have been using BX for some time.   I only use it to purchase Bitcoin which I then send to Bittrex where I do my actually trading.

For security sake you should be using 2FA on all accounts (BX, Bittrex, etc).   It is also a good idea to create a separate email account to setup your crypto accounts and absolutely use 2FA to access that email account.

For offline storage I prefer myetherwallet which is a paper wallet for ETH and ERC 20 tokens.   

 

[zib]

4 minutes ago, taiping said:

Is there any particular brand of hw that you recommend? I would like to experiment with one, although i don't think there is much danger from using Exodus/Electrum on my home PC. Even if the wallet is hacked, without the password they could not access the coins. Am I correct about that?

You are correct. But some malware can of course also grab your password when you input it.

 

One good example is with the BitcoinCash fork. Immedietly after ElectronCash (Electrom for BitcoinCash) came out someone registered a bunch of similar domains and put up a "backdoored" client that sent your private key to some server. It was up for about a week until the domains got cut off. Some people either lost all their new found BCC or they also lost their old BTC if they put the same recovery seed into ElectronCash. With a hardware this would never have happened. You could even have used the backdoored ElectronCash successfully and it would not be able to send any private keys since it never sees them.

 

I actually have 3 hw-wallets because I'm doing some testing. Trezor, Keepkey and Ledger Nano S. The Ledger Nano S seems so far to be superior atleast when it comes to the software.

 

I hate printing out my recovery seed and storing it somewhere because I don't consider that safe either. I'd rather take these 3 brands of hw-wallet and use the same recovery seed on all of them and give for example 1 to a friend for safe keeping. It would be extremely unlikely for all 3 to fail at the same time. Unless there's a huge tsunami but then the printed recovery seed would most likely be gone too

[zib]

8 minutes ago, seancbk said:

 

I wouldn't worry about your bank details not being saved.  That sounds like a security feature in fact.

I have been using BX for some time.   I only use it to purchase Bitcoin which I then send to Bittrex where I do my actually trading.

For security sake you should be using 2FA on all accounts (BX, Bittrex, etc).   It is also a good idea to create a separate email account to setup your crypto accounts and absolutely use 2FA to access that email account.

For offline storage I prefer myetherwallet which is a paper wallet for ETH and ERC 20 tokens.   

 

I would never recommend any online service myetherwallet included. However it is completely safe, and easy,  to use for example myetherwallet together with a hardware wallet. They currently support Trezor or Ledger.

 

If you have ERC20 tokens then Myetherwallet is the best one to use. If you have a hw-wallet it is also a must since none support ERC20 tokens.

[DeeMak9]

Use paper wallets and rent a safe deposit box ?

[speedtripler]

51 minutes ago, DeeMak9 said:

Use paper wallets and rent a safe deposit box ?

Use encrypted paperwallets because they're useless without the password as well

 

 

[speedtripler]

2 hours ago, taiping said:

Is there any particular brand of hw that you recommend? I would like to experiment with one, although i don't think there is much danger from using Exodus/Electrum on my home PC. Even if the wallet is hacked, without the password they could not access the coins. Am I correct about that?

If you have a non trivial amount of  money in crypto you could get an old 2nd hand laptop  just for the purpose 

 

Create your wallets on that and maintain an "airgap machine " at all times (so it never goes online) 

 

That's the best way to get as close to maximum security as possible but it depends how you value your investment and how much losing it would hurt

[seancbk]

A good way to securely store your passphrase is to hide it in plain sight.

Your passphrase will be some thing like 12 random words.    

So go to a random word list generating site.    I use this one - https://www.randomlists.com/random-words

Generate a list of 200+ words  (the more the better)

Choose a single word you will remember - for example Artichoke.

Somewhere in the list of 200+ words you created type in the Key word.    Then immediately after that key word paste your passphrase words.

Now anyone finding the document has no idea which 12 words out of the 200+ words are your passphrase.   

You can find the passphrase because you know which key word proceeds it.


Print it out and put it in a file, and store it in an email to yourself as well as in Google docs.   Just remember the key word.

 

 

 

[zib]

18 minutes ago, seancbk said:

A good way to securely store your passphrase is to hide it in plain sight.

Your passphrase will be some thing like 12 random words.    

So go to a random word list generating site.    I use this one - https://www.randomlists.com/random-words

Generate a list of 200+ words  (the more the better)

Choose a single word you will remember - for example Artichoke.

Somewhere in the list of 200+ words you created type in the Key word.    Then immediately after that key word paste your passphrase words.

Now anyone finding the document has no idea which 12 words out of the 200+ words are your passphrase.   

You can find the passphrase because you know which key word proceeds it.


Print it out and put it in a file, and store it in an email to yourself as well as in Google docs.   Just remember the key word.

 

 

 

So then I just take your let's say 1 Million words wordlist. Create a script that takes 12 words -> save, step 1 word, take the next 12 words -> save and then generate electrum wallet files with all those seeds and then cycle through them with electrum cli until i find addresses with balance.

 

Would probably take a few hours for a 1 million wordlist. For a 200 one...a minute?

 

Smart suggestion dude!

 

Edited September 14, 2017 by zib

[zib]

1 hour ago, speedtripler said:

Use encrypted paperwallets because they're useless without the password as well

 

 

Yeah this is one of the best ways. Take your seed, aes-encrypt it, base64-encode it and then print it out.

[seancbk]

6 minutes ago, zib said:

So then I just take your let's say 1 Million words wordlist. Create a script that takes 12 words -> save, step 1 word, take the next 12 words -> save and then generate electrum wallet files with all those seeds and then cycle through them with electrum cli until i find addresses with balance.

 

Would probably take a few hours for a 1 million wordlist. For a 200 one...a minute?

 

Smart suggestion dude!

 

 

And you guessed which coin each passphrase is for.  Well done.   
 

[zib]

9 minutes ago, seancbk said:

 

And you guessed which coin each passphrase is for.  Well done.   
 

haha guessing what type of coin it is is hardly considered a problem

 

Anyway please give me your wordlist and let's see how long it takes

[zib]

Also most clients (if not all) use BIP39 as the wordlist. This list consists of only 2048 words. So it's easy to for example take a wordlist generated on https://www.randomlists.com/random-words and exclude all words not in BIP39

 

[zib]

1 minute ago, zib said:

Also most clients (if not all) use BIP39 as the wordlist. This list consists of only 2048 words. So it's easy to for example take a wordlist generated on https://www.randomlists.com/random-words and exclude all words not in BIP39

 

If you then also add to look for 12 words in sequential order that are in BIP39 you can probably narrow it down to 1 right away.

[seancbk]

44 minutes ago, zib said:

If you then also add to look for 12 words in sequential order that are in BIP39 you can probably narrow it down to 1 right away.

 

Very smart.   OK my method needs work :-)   

[jago25]

Buy a ledger HW1.1 or ledgerwallet nano if you need ETH. 

Split the recovery phrase into 3 parts using http://point-at-infinity.org/ssss/demo.html on a secure offline computer (difficult...), 

print it out after testing and send 2-3 parts via registered post to different relatives who live at different addresses to store somewhere safe. 

This is a total PITA by the way but I wasn't able to find something better. 

 

An alternative could be find a cheap phone, install Mycelium on it and just put the backup phrase in a safe but that's only as secure as the safe. Possibly just split into 2 parts but without properly splitting with teh shamir method. This again will probably be fine on the basis that hopefully people won't know what the words are and have the ability to fix the split but it isn't the best