We entrust our information to third-party services, who do everything in their power to protect it from cyber-attacks. While this is very convenient, the truth is that we only have their word and a combination of legal, administrative, and technical safeguards. Lately, our trust in third party custodians to keep our information has been slowly declining as it was the case with the people who woke up one day to find out that their Cyprus bank accounts have been raided by another country’s government or the Canadian truckers who lost their right to transact.
In this article we dive deeper into the reasons behind the security issues and offer ways how users can ensure the safety of their private keys.
Why is Data Ownership an Issue?
The main advantage of decentralized technology, the fact that we have the ownership of our information, is also its biggest weakness and one of the reasons why massive adoption did not gain that much traction. We heard a lot of stories about people losing value kept on decentralized networks, like this guy who threw out his hard drive to later rummage through a garbage dump to be rich, or a developer who forgot his password for his crypto wallet and had only 2 more chances to type in the right password before it’s lost forever. Another interesting case is the attack that happened in 2016, when a hacker made away with more than 119,000 Bitcoin, where, consequently, Bitfinex allocated losses of more than 30 percent to all customer accounts. There are many victims who still have not reclaimed their assets which, in the meantime, have surged in value. In essence, when creating a wallet, you are assigned a stream of random numbers which are used in the algorithms for transaction signing and proving ownership. This unique stream of numbers is called a Private Key and is used in Private-Public Key encryption. Only this number can identify the user on the decentralized network and authenticate actions on it. The likelihood of someone else generating the same number is infinitesimally small. You guessed it right — when this key is lost, there is no one who can authenticate with the network to unlock the value attached to that key.
*(Hash Function is a mathematical algorithm that maps data of an arbitrary size (often called the “message”) to a bit array of a fixed size (the “hash value”, “hash”, or “message digest”))
There are a few ways the misplacement or the loss of this key (which then locks the value into the blockchain) can be minimized. However, we need to keep in mind that the ability to fully secure digital wallets is mission-critical. Here are some of them:
Custodial Wallets
The easiest way to keep your assets is to entrust security to a third party, custodian, who will keep them, lowering the chances of its loss. This, however, diminishes the purpose and the value of decentralized networks, where the user has the ownership over their data. In other words, malicious entities can gain access to the third-party service — it becomes more enticing target as the number of users grow, or the third-party service might go rogue.Non-Custodial Wallets
Non-Custodial wallet allows users to keep the Private key in one place only they can access. It can be additionally protected with a PIN or passphrase. They provide security and utility when interacting with blockchains. A wallet can work with multiple blockchains simultaneously including Ethereum & Alt. Coins, Bitcoin, Solana, and more, all on the same device. Non-Custodial wallets can be:- Software solutions
- Complete hardware solutions (where the key never leaves the device)
*(Complete hardware solutions (where the key never leaves the device) — example of a hardware wallet — Ledger Nano S)
How to Backup Private Keys?
Many of Non-Custodial solutions provide the user with a mnemonic phrase consisting of 12 or 24 words (usually in English), depending on the security preferences of the user. These words are shown and verified to the user at the time of the wallet creation. The same Private key can be recreated using these words by going through an algorithm — it essentially works as a backup phrase. The safekeeping of these backup phrases is trusted upon the user, which means that, if access to the wallet and the phrases are lost at the same time, the valuables also get lost.Key Loss Recovery Solutions
It is recommended not to keep a digital copy of this mnemonic on some device or on the cloud, as this allows malicious users to gain access to it more easily than to the physical copy of it. The most effective and safe solution is to write it down. There are services that can engrave it in something more permanent, but the most common solution is probably the paper. The mnemonic phrase can be made safer by keeping multiple copies and can also be split up and stored in many places. The key can also be split up into multiple parts and each part sent to a different cloud service, from where it can be recovered and merged to get the private key. This, though, requires a setup to keep the order of the parts and access to all used cloud solutions.Distributed Backup Solutions
Multi-signature technology is another way of keeping valuables more resilient to cyber-attacks or loss. These are advanced algorithms allowing multiple keys to authenticate operations for the same data, which adds another layer of security and backup. Most frequently, crypto exchanges, brokers/OTCs, investment funds and other crypto companies use multi-signature technology to secure their cold storage funds. For example, a company can have multiple keys needed to sign transactions.- Small value transaction can be signed by any accountant
- Larger value transactions can be signed with both an accountant’s and a supervisor’s key
- Big company investments that involve a board of directors where 4 of the 12 members need to approve the transaction
