How to set Additional Fee in Electrum

[BINAYKR]

Hi

I am checking and want to familiar with Electrum 2FA wallet. I write my seed, backup my wallet file, write down my password, write down my master public key and exported my private key.

I think I have backed up my everything. If anything I missed please guide me.

After this I send some BTC from from my blockchain wallet for testing purpose and I got my BTC on electrum. And now I want to send Electrum BTC to somewhere for testing but during sending I see that there are two types of fee is taking by Electrum 1st is Mining Fee and 2nd is Additional Fee which is 0.002 (aprrox $5.50).

I would like to know what is this. Can any one help and may I able to set the Additional Fee.

Thanks and waiting for your kind reply.

[HCP]

Firstly, Electrum doesn't take any fees... You pay "miner's" fee... And if using 2FA, a service fee to the 2FA provider.

What you are seeing is the "service fee" charged by TrustedCoin for providing the 2FA service. They are a 3rd party service and not related to Electrum. You cannot alter or set this fee. They charge 0.0005 for non prepaid, or you prepay 10 or 100 to get a discounted rate.

Click the little blue shield icon in the corner of the window to see the TrustedCoin fees.


Guide here: https://api.trustedcoin.com/#/electrum-help

[BINAYKR]

Thanks for your kind help.

Well I have no other machine where I can create a cold storage. So I created my wallet on that machine where I use Internet. Is this risky?

Thanks and waiting for the reply.

[ranochigo]

Well I have no other machine where I can create a cold storage. So I created my wallet on that machine where I use Internet. Is this risky?

Yes. TrustedCoin 2FA system isn't foolproof, no matter how they say. If any third party controls a multisig for an address when the address should be solely yours, you are at risk. An example would be Bitfinex. A simple wallet would suffice if you are sure that your computer is free of malware.

Else, you can always run a live distribution of Electrum on a spare USB stick and create a wallet there. You can spend the coins there, refer to this: http://docs.electrum.org/en/latest/coldstorage.html.

[BINAYKR]

So I must have to use cold storage wallet to bring down my risk.

Thanks

[HCP]

Well I have no other machine where I can create a cold storage. So I created my wallet on that machine where I use Internet. Is this risky?

It can be if you don't take adequate precautions... Encrypt wallet using strong password, don't visit "dodgy" websites, keep antivirus/antimalware up to date, run regular scans...

You can create "offline" storage using a single computer and two USB thumb drives... You use one thumb drive to install a linux distro like "Tails" or "BitKey", disable all networking within the distro and create a wallet there using persistent storage. You then create the watching wallet on your "normal" OS.

When you want to send coins, create unsigned transaction using watching wallet. Put unsigned transaction on 2nd thumb drive. Boot off thumb drive with the Linux distro ànd wallet with private keys. Sign transaction on 2nd thumb drive. Reboot to normal OS and broadcast signed transaction.

It isn't quite as secure as a properly airgapped machine, but is pretty close... and it will remove a lot of the possible attack vectors compared with having just a hot wallet on an online PC.

If you have enough Bitcoins that this is a real security concern, spend the 0.05 btc and buy a hardware wallet!

If any third party controls a multisig for an address when the address should be solely yours, you are at risk. An example would be Bitfinex.

That isn't really a fair comparison... The flaw in the Bitfinex system was that there was no 2FA involved, it was purely multisig where 1 signer just auto signed any transaction sent to it... Effectively rendering it useless as theft prevention if the thief had just 1 MultiSig key.

With TrustedCoin, because it is a 2FA system, even if the attacker compromised your multiSig key, they'd still need to have compromised your 2FA code as well, as TrustedCoin won't sign without your 2FA code.

[ranochigo]

If any third party controls a multisig for an address when the address should be solely yours, you are at risk. An example would be Bitfinex.

That isn't really a fair comparison... The flaw in the Bitfinex system was that there was no 2FA involved, it was purely multisig where 1 signer just auto signed any transaction sent to it... Effectively rendering it useless as theft prevention if the thief had just 1 MultiSig key.

With TrustedCoin, because it is a 2FA system, even if the attacker compromised your multiSig key, they'd still need to have compromised your 2FA code as well, as TrustedCoin won't sign without your 2FA code.

If the flaw was because BitGo didn't check its validity, its totally possible that there could be an inside job and TrustedCoin's key gets stolen. Granted, it is still possible for attackers to change the payment information before the signed transaction was sent to TrustedCoin for signing.

The main point is that this kind of configuration is still flawed if the third party has an exploit. It isn't fair to be charging fee for that.

[HCP]

They can't change the payment information once it has been signed by the first party... That is the whole point of MultiSig. So the user would need to be running a compromised version of Electrum, which somehow modifies the transaction after you click send and before it gets signed... This should be easy enough to guard against.

If TrustedCoin key gets stolen, they would still need one of the users keys to do anything useful with it...

So you either need to hack a users key AND their 2FA... Or hack the user key AND TrustedCoin's system... Not necessarily impossible, but not exactly what one would call trivial tasks.

It is perfectly fair for them to charge a fee for providing a useful service.