Bitcoin Forum

Economy => Service Discussion => Topic started by: ConnerDalfino on September 04, 2021, 10:38:58 AM



Title: Is the security of exchanges and wallets sufficient?
Post by: ConnerDalfino on September 04, 2021, 10:38:58 AM
It's true that 'not your key, not your coin', and that there are several wallets and services available to cover yourself.

There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.

The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: ranochigo on September 04, 2021, 10:44:52 AM
It is quite trivial to take care of your coins, especially if you're knowledgeable enough. For those attractive targets, they're likely to have a hot wallet and a cold storage. Their operational requirements require a hot wallet for faster processing of withdrawals but the majority of it should be stored in the cold storage, where it is very unlikely for an attacker to be able to exploit it.

You cannot eliminate attack vectors completely. Cold storage should have the minimum exposure and thus the best chances against an adversary.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: franky1 on September 04, 2021, 11:27:53 AM
exchanges DO NOT need to have private keys on their webservers.

having 3 simple databases.
a. a database of JUST public keys for users deposits.
b. a database of customers login details
c. a database to save withdrawal requests

(a) exchange owner creates keypairs offline on a remote system and keeps the keypairs on the remote system away from the web server. it then uploads just the public keys as a list of potential deposit addresses to link to users exchange account profiles.

(b) these days with phone apps. even users can add to the protection. by having their phone app create a keypair and offer the exchange the public key as an ID as part of registration.
whereby requesting a withdrawal is no longer inputting a password which the exchange keeps a copy of, but instead where the users app signs a message using the users keypair and sends only the signature.
thus avoiding passwords/private keys on webservers

(c) no actual private key is put in it. instead it's just "pay out xbtc to xxx address from x account balance, here's user's signature"
and separately, a remote system looks in on this database. and its then the remote system that processes the withdrawal after confirming the request is legit.


thus no hacker attacking the webserver ever gets hold of a private key to spend exchange funds and cant have the users privatekeyID/password to falsify a withdrawal address

and any change to the exchanges webserver database of public keys/user registration ID can be noticed by comparing it to the remote system the exchange has elsewhere.


....
but with all that said. even if an exchange offers good security from hackers. there is still the risk of dataloss/theft BY THE exchange on their remote system (blackout, emp, internal theft, virus, accidents) which can put funds at harm

so its much better to only use an exchange when you want to exchange. and not as a custodial wallet(savings bank)

most exchanges are not fully licenced money services businesses, so dont offer the insurances and refund guarantees that banking institutions offer.

so use them as a temporary service and not a permanent store. otherwise..
MTGOX, cryptsy, mintpal, cryptorush, bitcoinica, btc-e can happen to you
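
The design franky1 describes above (only public keys and a withdrawal queue on the web server, with a separate system checking each signed request against its own key list), sketched as an added example that is not code from the thread or from any exchange. The field names, the `nonce` replay counter and the sample account and addresses are assumptions, and the pure-Python secp256k1 arithmetic is teaching-grade, standing in for a vetted ECDSA library.

```python
import hashlib, json, secrets

# secp256k1, the curve Bitcoin keys use. Teaching-grade arithmetic (not
# constant-time); the design is the point, a vetted ECDSA library replaces this.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                      # point at infinity
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    m = num * pow(den % P, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def _mul(k, pt):
    acc = None
    while k:
        acc = _add(acc, pt) if k & 1 else acc
        pt, k = _add(pt, pt), k >> 1
    return acc

def _z(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)

def sign(d, msg):
    k = secrets.randbelow(N - 1) + 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (_z(msg) + r * d) % N
    return (r, s) if r and s else sign(d, msg)   # retry on the degenerate case

def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_z(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def canonical(req):
    # Bytes the user's app signs: every field an attacker might want to alter.
    fields = ("account", "address", "amount", "nonce")
    return json.dumps({f: req[f] for f in fields}, sort_keys=True).encode()

def check(req, web_pubkeys, offline_pubkeys, seen):
    """Runs on the separate system, never on the web server."""
    acct, known = req["account"], offline_pubkeys.get(req["account"])
    if known is None or web_pubkeys.get(acct) != known:
        return "pubkey differs from offline copy"
    if (acct, req["nonce"]) in seen:
        return "replayed nonce"
    if not verify(known, canonical(req), req["sig"]):
        return "bad signature"
    seen.add((acct, req["nonce"]))
    return "pay"

def demo():
    d, pub = keygen()                                 # private key stays in the user's app
    offline, seen = {"alice": pub}, set()             # registry kept off the web server
    ok = {"account": "alice", "address": "ADDR_A", "amount": "0.5", "nonce": 1}
    ok["sig"] = sign(d, canonical(ok))                # constructed sample request
    redirected = dict(ok, address="ADDR_X", nonce=2)  # queue row edited on the web server
    web = {"alice": pub}
    verdicts = [check(r, web, offline, seen) for r in (ok, redirected, dict(ok))]
    swapped = check(ok, {"alice": keygen()[1]}, offline, set())  # web key list altered
    return verdicts, swapped
```

Because the signature covers the payout address, amount and nonce, someone who can write to the web server's databases can neither redirect a queued withdrawal nor resubmit an old one, and a replaced public key shows up as a mismatch with the offline registry.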


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: noorman0 on September 04, 2021, 11:42:15 AM
The small players have limited resources. How do they ensure they are sufficiently protected?

This provides a variety of answers, users will have reference to security advice in various sources and consideration of their own capabilities or resources (as you said).

Why don't there be hacks every other day?
We probably won't read wallet service hacking news every day, it's a big effort for a hacker. And I've read that hackers would prefer to hack servers over clients for custodial services.

We think it's pretty safe from external threats, but that doesn't mean we can be safe from internal threats, because the service itself can turn around to threaten you at any time. Almost every day you can find how customers of CEXs are having problems such as, deposits and withdrawals not being processed, account closing without valid reasons, etc.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: DaveF on September 04, 2021, 11:55:52 AM
Until you get to the big ones, like Coinbase, Gemini, etc. the answer is probably no.

But, a better question is are they secure enough for you and the amounts you have on them?

*I* am going to care a lot less about the security of some small exchange if I am dumping on $100 to do something and taking it off in a very short period of time.
To leave $12000 there for a month *I* am going to care a lot more. Your amounts will be different.

An exchange that is only generating $10,000 a month in trades is going to have a lot less security than one that does $250,000 an hour.

-Dave


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: dothebeats on September 04, 2021, 11:58:45 AM
I never bought any hardware wallets, nor went the extra mile into safekeeping my coins. I'm still using the same device I had back in 2015 as my bitcoin storage, and it rarely connects to the internet, only on occasions wherein I need an extra machine on something I work on. I never had any problems in terms of my wallet security, nor were there any instances of viruses infecting my computer. If you are careful enough with how you use your machines that store your keys, I don't think hacks will even be your problem.

For huge platforms such as exchanges and gambling sites, their security systems can only protect so much. No system is 100% safe, and there exists an attack vector for sure waiting to be exploited, which causes hacks, data leaks, and whatnot.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: cryptomaniac_xxx on September 04, 2021, 12:01:58 PM
The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?

The first thing to do is to learn how to protect your account. The thing is that people do not do this in the beginning, they just buy bitcoin, hold it in their wallet and think they are safe. That's why at least you need to be technically inclined when you join the crypto space. Because there are a lot of ways that hackers can access our accounts. So there is a learning curve and it's very steep, and that is one thing that everyone should prioritize, especially newbies. Learn how to protect our assets and practice good security hygiene.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: SFR10 on September 04, 2021, 01:24:24 PM
run by small/new companies.
A new company doesn't always equate to being a small one.

The small players have limited resources. How do they ensure they are sufficiently protected?
Some of the above users have already answered that part, but there are also a few [small Russian exchanges] that do little to nothing on that front [most of them use similar templates as well].

Why don't there be hacks every other day?
Assuming you're talking about the normal exchanges in that part, then while hackers try to exploit loopholes in a system, on the other end, there are people that work hard to make sure everything is hack-proof [it's like a race].

In regards to the first part of the subject field, let me know what do you think after you've read the following two links:



Title: Re: Is the security of exchanges and wallets sufficient?
Post by: Wicked17 on September 04, 2021, 05:17:07 PM
It's true that 'not your key, not your coin', and that there are several wallets and services available to cover yourself.

There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.

The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?

Coins held in a hardware wallet are nearly impossible to hack since no one can access your coins unless you lose the device. Holding the coins in an exchange is like a gamble for me; I can deposit for a short time but I will never stack my coins there unless I have to trade them immediately.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: fiulpro on September 04, 2021, 05:29:59 PM
It's true that 'not your key, not your coin', and that there are several wallets and services available to cover yourself.

There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.

The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?

Most of the time being hacked is dependent on personal errors. What I have seen is that people spend hours researching the perfect wallet, then at the end of the day they usually forget the personal security with respect to their mobile phones and their computers.

You have to understand that there are very good wallet services available everywhere and therefore if you try and find one locally or nationally, that would work perfectly fine for you but I do think it's more important to have knowledge of cyber security.

Knowledge regarding how and how they should not really store their keys and passwords on their drive. I think everything is enough as long as people try and follow up on these things and worry a lil less about the price.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: Saidasun on September 04, 2021, 05:31:00 PM
If they were not secure then you will see a lot more people losing their funds from hacks. Exchange wallets or wallets that you do not own the private key are not insecure they just pose extra risks. They are insecure for you to use them because you do not own the private key and therefore if they were compromised or decided to exit scam you will not be able to withdraw your money. You should always have the private key. The exchanges are probably using custodial wallets like Bitcoin core or Electrum to generate the addresses in the background they just do not give you the private key.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: electronicash on September 04, 2021, 05:48:04 PM

exchanges are not safe. the hacks that happen every now and then are proof that anything can happen with your funds when it's on the exchanges. who knows what their employees would do when they are not happy anymore with the company they work for.

it's tempting to keep the funds on them though because you keep trading. if you are this kind of person, make sure the funds keep on the exchanges are something you can afford to lose.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: Fatunad on September 04, 2021, 05:59:23 PM
It's true that 'not your key, not your coin', and that there are several wallets and services available to cover yourself.

There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.

The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?
Nothing beats the security of your coins when you store them in a non-custodial wallet compared to storing them on an exchange or centralized platform, and it doesn't matter how small it is; it's never suggested that you leave them sitting in that place for a very long time. It isn't really worth the risk, but if you do trust it and are able to handle it then it's your choice.
The risk will always be there, and it's always been suggested that you don't store your funds on platforms for very long. If you can't handle such risk then we always have the option of transferring to wallets where we own the keys.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: swogerino on September 04, 2021, 07:43:20 PM
I doubt very much the security of an exchange based on past history like Poloniex and a few others which claimed they were hacked but for me they were inside jobs (just my opinion though, they may have been hacked for real). I am forced to use one of them though in order to exchange my coins and I just do that, converting and exchanging, nothing else, I don't leave any coins there.

For the security of wallets I agree they are much stronger and it depends strongly on the security of a user's computer when talking about software desktop wallets. Hardware wallets are the best and third party web wallets are the worst.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: sunsilk on September 04, 2021, 08:24:28 PM
If you're worried about the newcomers that are entering the business of having an exchange, they've already anticipated and included the security in their plan.

Those that are only testing if their new exchange will click surely don't have the strongest security but I think they're ready to upgrade whenever they have met the demand.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: hatshepsut93 on September 04, 2021, 08:39:23 PM
It's true that 'not your key, not your coin', and that there are several wallets and services available to cover yourself.

There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.

The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?

There aren't enough services to see hacking incidents every day. Let's say a service gets hacked once in three years, this means there should be over 1000 notable services to see big hacks every day on average. Of course there are far fewer prominent services than that.

The thing is, everything gets hacked, not just crypto services. However, hacking is especially dangerous when it comes to crypto because there's no way to undo it. Hacking banks is not as lucrative because banks can undo it if they detect it quickly and they often trace hackers because their systems always require KYC.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: mk4 on September 05, 2021, 01:35:00 PM
A Ledger Nano S and a Trezor One hardware wallet is like $70; any one of those is highly sufficient for an individual to secure his/her funds for the long term. Outside of exchanges, which you should be storing majority of your funds anyway, a huge majority of these hacks are caused by user error in the first place, a lot less so because of the wallet software.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: stomachgrowls on September 05, 2021, 09:19:03 PM
I never bought any hardware wallets, nor went the extra mile into safekeeping my coins. I'm still using the same device I had back in 2015 as my bitcoin storage, and it rarely connects to the internet, only on occasions wherein I need an extra machine on something I work on. I never had any problems in terms of my wallet security, nor were there any instances of viruses infecting my computer. If you are careful enough with how you use your machines that store your keys, I don't think hacks will even be your problem.

For huge platforms such as exchanges and gambling sites, their security systems can only protect so much. No system is 100% safe, and there exists an attack vector for sure waiting to be exploited, which causes hacks, data leaks, and whatnot.
Same here. I didn't buy any hardware wallet for safekeeping my coins but rather stick to non-custodial wallets and keep those secret keys or phrases on a USB in several copies, and that's already sufficient. So far I haven't experienced any hacks, as long as you don't click on links or download something randomly, or simply put, are aware of those possible roots of problems which cause loss of coins.

When it comes to the security of those exchange platforms and custodial wallets, we can't deny it's good for now, but there is nothing in this world that can't be hacked.
Therefore, it is still risky to consider making these platforms or services your main storage.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: joniboini on September 06, 2021, 09:12:04 PM
There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies. The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?
I'm pretty sure any decent company, regardless of whether they're small or big will have sufficient (or at least they claimed to be) security measures, such as offline storage, multi-sig cold storage, provide limited access to their hot/cold wallet, disallow their workers to click suspicious email etc. But at the end of the day, shit happens. The best thing end users can do is to not trust them to hold their money, and just use them for their business.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: fortunecrypto on September 06, 2021, 11:23:06 PM
It's true that 'not your key, not your coin', and that there are several wallets and services available to cover yourself.

There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.

The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?

No exchange is safe, the scammers are getting better; even if they have tight security there's always a possibility of getting hacked. You should never make exchange wallets your storage; only put in coins that you will trade and only trade on big and reliable exchanges, so even if there is an incident of hacking, the exchange will cover all their traders' coins, and even if they guarantee your coins are safe, still don't go for their service; you should be the one responsible for your coins.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: Darker45 on September 07, 2021, 01:57:25 AM
There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.

How so? I mean, why do you think that such a point will occur?

If it cannot be avoided that you use an exchange, just make sure you are choosing one from among the top and most trusted. And also make sure you are not keeping your coins there. The moment you're finished with your business, pull out your coins and keep them in a storage under your sole control.

Quote
The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?

Having limited resources is in fact the very reason why small players will have to protect what little they have at all cost. If it means they need to buy a hardware wallet, then they should do it. If a hardware wallet is too expensive for them, there are open-source non-custodial wallets out there that are for free. They just have to make sure they are downloading them from the official sites. They should also make sure they are keeping their seed in a very safe place outside the access of anybody else. In other words, they need to be careful in every step of the way.

Hacks do not happen everyday. A cold wallet or an open-source non-custodial wallet, careful verification in every transaction, safekeeping of password and PIN and seed, and so on will reduce the risk of getting hacked to the minimum.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: ultrloa on September 07, 2021, 12:47:30 PM
It's true that 'not your key, not your coin', and that there are several wallets and services available to cover yourself.

There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.

The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?

No exchange is safe, the scammers are getting better; even if they have tight security there's always a possibility of getting hacked. You should never make exchange wallets your storage; only put in coins that you will trade and only trade on big and reliable exchanges, so even if there is an incident of hacking, the exchange will cover all their traders' coins, and even if they guarantee your coins are safe, still don't go for their service; you should be the one responsible for your coins.

No exchange is safe but some are less risky than others, so we should stay on those, but even though they are top ones we still shouldn't put in any huge amount which can hurt us badly when things go bad. We should always think about withdrawing the profit we make on the exchange and storing it on hardware wallets, since leaving it there really exposes us to huge risk from what you said, hacking or maybe inside job incidents.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: Kyraishi on September 07, 2021, 10:15:08 PM
It's true that 'not your key, not your coin', and that there are several wallets and services available to cover yourself.

There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.

The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?

Exchanges are definitely not a good place to store your funds long term.

"Not your key, not your coin" is a mantra that has been time tested and every time there has been a hack, this should have been applied beforehand.

Whilst I agree that people will inevitably have to use exchanges/hosted wallets sooner or later, they can minimize this risk by withdrawing periodically and sweeping the coins into a wallet that they actually own.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: TheUltraElite on September 08, 2021, 06:08:36 AM
There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.
Why so? It has never been the objective from the bitcoin community to endorse such practices. You said it yourself in the previous line. If you have any reason to think otherwise, do let us know.

Quote
Why don't there be hacks every other day?
Hacking is not a get-rich-quick scheme. A skilled hacker spends a lot of time observing, collecting data and on reconnaissance.

You don't jump the bank on any day you feel like, do you? Unless you are an idiot. You would want to know what security measures are in there, how much the loot is worth and how to cover yourself.

Hence you don't see hacks happening every day, but that does not mean that hackers have stopped working. You have to keep yourself secure to avoid getting hacked. Major big exchanges usually get hacked because these are targets that can yield maximum money.


Title: Re: Is the security of exchanges and wallets sufficient?
Post by: shield132 on September 08, 2021, 08:53:31 AM
It's true that 'not your key, not your coin', and that there are several wallets and services available to cover yourself.

There may be a point at which any cryptocurrency (whether Bitcoin or another) is held on exchanges/wallets run by small/new companies.

The small players have limited resources. How do they ensure they are sufficiently protected? Why don't there be hacks every other day?
Depends on the person. There are some people who lost access to their coins multiple times despite the fact that they had control of their keys, and for these types of people, exchanges are really better options.

Overall, refund in case of hacks depends on the exchange. I guess exchanges as serious as Binance and Coinbase will refund you in case something happens, and as I have heard, Binance was also refunding money to those who were liquidated because of Binance's error (those who set a stop loss order and it wasn't activated). I remember cointelegraph was writing something like that.