Bitcoin Forum
Author Topic: Electrum wallet - Update safely and avoid phishing wallets?  (Read 298 times)
tbct_mt2
Sr. Member
Activity: 658
Merit: 419
August 25, 2019, 09:51:45 AM
Last edit: September 24, 2019, 03:41:32 PM by tbct_mt2
Merited by Royse777 (3), bones261 (2), wwzsocki (2), Kakmakr (1), dkbit98 (1)
 #1

ELECTRUM - UPDATE SAFELY AND AVOID PHISHING WALLETS?

Electrum wallet is one of the most favorite non-custodial bitcoin wallets. This wallet is light, highly trusted, and has advanced features that some low-quality bitcoin wallets don't have.

It is natural that all wallets have to be upgraded by their developers and by users over time. Unfortunately, there is a fact:
Quote
The more popular a software is, the more people have looked at it.

Today, I want to show all of you who do not yet know how to update your Electrum wallet safely how to do it.

Let's get started with the first step: knowing when your Electrum wallet is outdated.
Help > Check for updates (first image); then you will see this pop-up window (second image).
       

Now, what should you do to download the newest version of Electrum?
I believe what most of you will do is click on the link available in the pop-up window.
"You can download the new version from https://electrum.org/#download"
Is this what you should do?
NO! You will be at risk if you do this.
This is the first important step that you have to avoid.
There were attacks on Electrum wallets months ago, directly on links provided in their wallets.
Electrum vulnerability allows arbitrary messages, phishing
Such attacks might occur anytime in the future, so just be careful.
In reality, there are other types of phishing sites; this one is an example, so you have to take care of yourself by being very careful when downloading the Electrum wallet.
Quote
Do you see that little fleck of dust under the domain name in the left screenshot? Actually not dust. Enable show_punycode in Firefox in order to avoid phishing URLs.
Source: https://twitter.com/ElectrumWallet/status/1144678604523147265?s=20

The correct way to download the Electrum wallet is to visit their website and check for the newest version.
How?
Please type: electrum.org, then you will be directed to https://electrum.org/#home
Please trust neither the link given in the wallet nor links in your browser bookmarks or Google search.
Only trust your memory of the site address: electrum.org


You can see that Electrum provides a warning at their Home page:

To download, click on the Download button, then visit this page: https://electrum.org/#download
Next, just choose the ones that suit your needs and your devices.

What should you do after the wallet finishes downloading? Install it right away?
NO! You will be at risk if you do this.
You have to do two things:
  • Checking your seed backup: check the wallet seed and compare it to what you wrote in your seed backup (on paper, whatever)
  • Verifying the GPG signature signed by ThomasV
Checking your seed backup:
Wallet > Seeds > Enter wallet password (if you set a password - of course you should set a strong password - for your Electrum wallet).

Verifying the GPG signature signed by ThomasV:

This step is to make sure that the wallet version you just downloaded is the official one, not a phishing one that contains malware. You will lose your bitcoin if you download and install fake Electrum wallets.
make sure to verify the pgp signature of electrum before installing (installer) or running (appimage) it.

Tutorials to verify GPG signatures
GPG signatures are a proof that distributed files have been signed by the owner of the signing key. For example, if this website was compromised and the original Electrum files had been replaced, signature verification would fail, because the attacker would not be able to create valid signatures. (Note that an attacker would be able to create valid hashes, this is why we do not publish hashes of our binaries here, it does not bring any security).

In order to be able to verify GPG signatures, you need to import the public key of the signer. Electrum binaries are signed with ThomasV's public key. On Linux, you can import that key using the following command: gpg --import ThomasV.asc. Here are tutorials for Windows and MacOS. When you import a key, you should check its fingerprint using independent sources, such as here, or use the Web of Trust.
Tutorials for:
After successfully verifying ThomasV's GPG signature, you are safe to use your Electrum wallet for your bitcoin.


SUMMARY
[1] Check for updates from official website (can check from wallet first, then re-check on official website)
[2] Always type site address to visit it: electrum.org
[3] Verify ThomasV's GPG signatures before installing new wallet versions
[4] Do all these three steps before doing bitcoin transactions in your newly updated wallet.




Read more, to be more wary of fake, phishing Electrum wallets and to be more careful.
[Warning]: Another Electrum Phishing site on the loose
⚠⚠️⚠~Beware on active phishing Electrum websites~⚠⚠️⚠ (Collection list updated)
Electrum vulnerability allows arbitrary messages, phishing

 
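The punycode point quoted in the first post, as an added example that is not part of the original thread: a link is reduced to its ASCII (punycode) hostname and accepted only if it is exactly the address the post says to type by hand. The sample links are constructed, and treating only an exact `https://electrum.org` host as official is an assumption of this example.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "electrum.org"  # the address the post says to type by hand

# Constructed samples. The second uses U+1EE5 (u with a dot below), which is
# easy to mistake for a speck of dust under a plain "u" in the address bar.
SAMPLE_LINKS = [
    "https://electrum.org/#download",
    "https://electr\u1ee5m.org/#download",
    "https://electrum.org.example.net/#download",
    "http://electrum.org/#download",
]


def ascii_host(url):
    """Return the hostname in its ASCII (punycode) form, lower-cased."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Python's built-in IDNA codec rewrites each non-ASCII label as "xn--...".
    return host.encode("idna").decode("ascii").lower()


def classify(url):
    """Label a download link 'official', 'punycode' or 'other'."""
    try:
        host = ascii_host(url)
    except UnicodeError:
        return "punycode"  # non-ASCII label that cannot be encoded as an IDN
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    if urlsplit(url).scheme == "https" and host == OFFICIAL_HOST:
        return "official"
    return "other"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link):10} {ascii_host(link)}")
```

Printing the ASCII form is what Firefox's show_punycode setting does in the address bar: the lookalike shows up as an `xn--` name instead of rendering like the real one.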
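The fingerprint check from the verification step in the first post, as an added example that is not the thread's or Electrum's own code: gpg reports a good signature for any key in the keyring, so the script reads gpg's machine-readable status lines and accepts a download only when the valid signature comes from the pinned fingerprint. `PINNED_FPR` is a placeholder, the function names are hypothetical, and the status text built by `sample_status` is constructed.

```python
import subprocess

# Placeholder, not a real key: replace with the signer's 40-hex-digit
# fingerprint after checking it against independent sources.
PINNED_FPR = "0" * 40

# Status keywords that mean the signature or its key must not be relied on.
REJECT = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(status_text):
    """Return (valid signer fingerprints, rejected keywords) from gpg status lines."""
    signers, rejected = set(), set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "VALIDSIG":
            # Field 2 is the signing (sub)key; a 12th field, when present,
            # is the primary key fingerprint, which is what users pin.
            signers.add((fields[11] if len(fields) >= 12 else fields[2]).upper())
        elif fields[1] in REJECT:
            rejected.add(fields[1])
    return signers, rejected


def is_trusted(status_text, pinned_fpr=PINNED_FPR):
    """True only if the pinned key made a valid signature and nothing was rejected."""
    signers, rejected = parse_status(status_text)
    pinned = pinned_fpr.replace(" ", "").upper()
    return pinned in signers and not rejected


def verify_download(sig_path, file_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature and apply the pinned-fingerprint policy."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and is_trusted(proc.stdout, pinned_fpr)


def sample_status(fpr):
    """Constructed status output for a good signature made by key `fpr`."""
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer\n"
        f"[GNUPG:] VALIDSIG {fpr} 2019-08-25 1566727200 0 4 0 1 8 00 {fpr}\n"
    )
```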
jseverson
Hero Member
Activity: 1120
Merit: 694
September 06, 2019, 01:42:39 AM
 #2

Quote
It is natural that all wallets have to be upgraded by their developers and by users over time. Unfortunately, there is a fact
The more popular a software is, the more people have looked at it.

I just want to point out that more people looking into Electrum is good under the original context of the quote. bob123 was basically saying that plenty of people with the technological know-how have already reviewed its code considering its popularity, meaning you don't necessarily have to review it yourself, and that you need to trust the developer less. I'm not saying that popularity doesn't have its downsides, but it's one of the reasons why Electrum is generally considered trustworthy.

pooya87
Legendary
Activity: 1792
Merit: 1974
September 06, 2019, 04:49:04 AM
 #3

Quote
~ plenty of people with the technological know-how have already reviewed its code considering its popularity, meaning you don't necessarily have to review it yourself, and that you need to trust the developer less.

note that in most cases if you are downloading the binaries instead of the source code and compiling it yourself, you are still trusting the developer 100% because you are running a closed source application when you download the compiled version.
although there is a simple (to use but complicated to create) solution to this and i only know two wallets that do it, it is called "deterministic builds". bitcoin core and Electrum are the only wallets that i know of which do this. it means if you compile the code you will end up with the same binaries (eg. both have the same hash). so you could verify if for example the .exe that Electrum releases is the same thing as their source code or if it is different.

Kakmakr
Legendary
Activity: 1806
Merit: 1374
September 13, 2019, 08:19:53 AM
 #4

This is a very good thread, so I will give you some merit for the effort that you put in to compile it, but I think most "newbies" might find this whole process too daunting to simply "update" their wallet.  Roll Eyes

The fact that most of these software "updates" and "firmware updates" on hardware wallets are so complex, makes it easy for lazy and newbie people to make mistakes. Wallet providers should develop automated processes to check for the validity of the software updates signature to protect their customers.

Most people are just used to clicking on the "update" button for their software and the software will automatically update without any problems.  Roll Eyes  

tbct_mt2
Sr. Member
Activity: 658
Merit: 419
September 14, 2019, 06:03:24 AM
Last edit: September 24, 2019, 03:40:31 PM by tbct_mt2
 #5

Quote
This is a very good thread, so I will give you some merit for the effort that you put in to compile it, but I think most "newbies" might find this whole process too daunting to simply "update" their wallet.  Roll Eyes
~snip~
Most people are just used to clicking on the "update" button for their software and the software will automatically update without any problems.  Roll Eyes

People mostly want to do easy things, like upgrading their wallets through the links available inside wallets.
Quote
The fact that most of these software "updates" and "firmware updates" on hardware wallets are so complex, makes it easy for lazy and newbie people to make mistakes. Wallet providers should develop automated processes to check for the validity of the software updates signature to protect their customers.

In my opinion, everything that gives users automatic support will put them at higher risk. Over time, they will become lazier, which in turn will put them at higher risk of attacks from abusers.
For example: around ten years ago, I do believe that we all remembered phone numbers very well, because we had to tap on phone keyboards in order to make phone calls. Since the technical revolution of smartphones, originated by Apple, most of us nowadays don't remember too many phone numbers.

 
Kakmakr
Legendary
Activity: 1806
Merit: 1374
September 14, 2019, 08:04:59 AM
 #6

Quote
This is a very good thread, so I will give you some merit for the effort that you put in to compile it, but I think most "newbies" might find this whole process too daunting to simply "update" their wallet.  Roll Eyes
~snip~
Most people are just used to clicking on the "update" button for their software and the software will automatically update without any problems.  Roll Eyes
People mostly want to do easy things, like upgrading their wallets through the links available inside wallets.
Quote
The fact that most of these software "updates" and "firmware updates" on hardware wallets are so complex, makes it easy for lazy and newbie people to make mistakes. Wallet providers should develop automated processes to check for the validity of the software updates signature to protect their customers.
In my opinion, everything that gives users automatic support will put them at higher risk. Over time, they will become lazier, which in turn will put them at higher risk of attacks from abusers.
For example: around ten years ago, I do believe that we all remembered phone numbers very well, because we had to tap on phone keyboards in order to make phone calls. Since the technical revolution of smartphones, originated by Apple, most of us nowadays don't remember too many phone numbers.

I would rather automate it than have 1000's of people's wallets emptied because they did not know how to verify a signature to validate a legitimate update. Also, when you make things too complicated, it creates a psychological barrier to entry for people who are not educated or intellectually challenged to adopt this technology.  Sad

Technology helps us to make life easier and to improve on ineffective ways of doing things. Having to remember 1000's of telephone numbers is not practical at all and you can now send a message to say 300 people in seconds on a WhatsApp group. <We have community groups, where people report security issues within seconds and criminals in our area are tracked via mobile phones with messages that are sent by members of the group and forwarded to law enforcement.>   Wink

tbct_mt2
Sr. Member
Activity: 658
Merit: 419
September 14, 2019, 08:11:55 AM
Last edit: September 24, 2019, 03:40:09 PM by tbct_mt2
 #7

Quote
I would rather automate it than have 1000's of people's wallets emptied because they did not know how to verify a signature to validate a legitimate update. Also, when you make things too complicated, it creates a psychological barrier to entry for people who are not educated or intellectually challenged to adopt this technology.  Sad

Technology helps us to make life easier and to improve on ineffective ways of doing things. Having to remember 1000's of telephone numbers is not practical at all and you can now send a message to say 300 people in seconds on a WhatsApp group. <We have community groups, where people report security issues within seconds and criminals in our area are tracked via mobile phones with messages that are sent by members of the group and forwarded to law enforcement.>   Wink

I agree to disagree. Having an automatic update-checking feature is good, but the wallet should have (at least) a warning message that reminds people to verify the wallet manually. This will act as a second security layer, and is only good for people, not bad.
The warning message should contain links to: the official website (from which they will check the official announcement of the latest wallet version); and the wallet verification guide.

The technical revolution helps human life become easier and more comfortable, but relying totally on automatic technical processes is always bad, especially for such a high-interest and vulnerable asset as bitcoin in particular and cryptocurrencies in general.

 