Wallet software security

[Pmalek]

What you said sounds like something that a badly configured AI would say.

In fact password or private key is the same, when you log in.

You don't log in with private keys, you do it with PINs or passwords. You don't sign transactions with PINs or passwords, you do it with private keys.

Of course if your password is good enough.

Good enough for what? Being a substitute for a private key?

Wallet security start with hardware wallet. 

Hardware wallets don't even show you the private keys in their native apps or software, so that a newbie wouldn't mistakenly copy them or save them somewhere digitally. It also doesn't allow a remote hacker to steal the keys.

[1714244588]

1714244588

[1714244588]

1714244588

[1714244588]

1714244588

[1714244588]

1714244588

[rat03gopoh]

The software wallet (Electrum 4.3.2) hacking incident experienced by julerz12, what was possibly the cause?

From what I know, they needed my password to initiate a transaction, correct? They must have somehow logged that password when I opened the wallet to sign an address for the Yomix team to deposit the BTC funds 'cause prior to that $1,000 was just sitting on it from Coinomize for almost a week amd nothing happened to it.

This is exactly what I was worried about earlier in that you only need to enter your PK once at the start and let the password permit all your subsequent activities as long as you're in control of the device.

What do y'all think?

[Pmalek]

The software wallet (Electrum 4.3.2) hacking incident experienced by julerz12, what was possibly the cause?
...
What do y'all think?

I am not familiar with the case, so I can't comment on that incident itself. The newest Electrum version is 4.3.3., released just a week ago. I have just gone through the release notes, and there is no mention of any serious vulnerabilities that were fixed from the version before. In my experience, 99% of all cases where people loss funds or have them hacked/stolen is because the user made a mistake. Fake wallets, phishing, malware, keyloggers, etc. Even the people he talked with from the signature campaign he managed are potential suspects who could in theory have given him an infected file.

If there was something seriously wrong with Electrum 4.3.2, I think we would hear many more complains than only that of julerz12.   

[nc50lc]

The software wallet (Electrum 4.3.2) hacking incident experienced by julerz12, what was possibly the cause?
-snip-
What do y'all think?

He allegedly kept the funds in a "Hot wallet" so there are a lot of possible scenarios in that case.
Google "hot wallet issues" for some insights.
He had the option to create MultiSig, 2FA or connect his hardware wallet (which he mentioned that he has one) but used a standard wallet instead to escrow funds.

As for Electrum, there was a recent vulnerability found in BIP70 payment request: https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355
But that wont directly lead to loss of funds, read the security advisory and the linked commit below it for more info.

[Pmalek]

<Snip>

You are talking about a vulnerability that was fixed with the release of Electrum version 4.2.2. The person who lost their coins was using Electrum version 4.3.2., so that issue would have been fixed a long time ago. Julerz12 must have done something else that resulted in someone stealing his money.

[nc50lc]

<Snip>

You are talking about a vulnerability that was fixed with the release of Electrum version 4.2.2. The person who lost their coins was using Electrum version 4.3.2., so that issue would have been fixed a long time ago. Julerz12 must have done something else that resulted in someone stealing his money.

That wouldn't deduct it as an attack vector.
He could have used the vulnerable versions prior to downloading 4.3.2 in December, used a malicious URI that lead to a compromised PC.

That's one directly related to Electrum; But like I said, it's a hot wallet, so there's a lot of other possible scenario.

[Lida93]

The private key is what allows you to spend your funds. If you set a password, you're adding an extra layer of security, passwords are not alternatives to your PK.

In addition to that, even with the password that's been set, one will still be requested to input the private keys in a situation where you change your device to a new one even after inputting your password. So invariably it shows how quintessential the private keys is to a password that's just mainly preventing access to device before assets itself.

[gunhell16]

If someone installs a software wallet (say a mobile wallet) and then sets a password or biometric security instead of using the private key frequently, isn't that the same as thinning the security layer of the asset itself?
Did the privatekey really function as a key asset guard all this time?

What's the name of the software wallet you're talking about dude? Then I haven't tried what you're saying, and I rarely use soft wallets on mobile unless necessary.

And if I do install a wallet on a mobile device, I create a private key in addition to the password that will be requested and keep it in a safe place.

[Pmalek]

And if I do install a wallet on a mobile device, I create a private key in addition to the password that will be requested and keep it in a safe place.

One has nothing to do with the other. You have no influence over the private key that gets generated nor can you choose one that you prefer. The wallet isn't going to "request" the private key when you try to open it, and no one makes backups of individual private keys for each used address nowadays unless they have to. Just backup your seed and it takes care of everything else.

- The private key is a signing key that you need to make transactions. The process is automated and the wallet does that for you. The wallet doesn't ask you to point it towards the correct private key.
- Password and biometric entries aren't automated. You use them manually to access your wallet.

[joniboini]

In addition to that, even with the password that's been set, one will still be requested to input the private keys in a situation where you change your device to a new one even after inputting your password.

If you use a new device, essentially you're creating a new wallet, unless you export your old one and open it on your new device. Even if the latter is the case, you don't need to re-input your private key again afaik, just need your password/fingerprint/etc to unlock it. Of course, this assumes you use the same wallet again. That being said, most wallets use seeds nowadays, so that might be the better choice to back up.

I create a private key in addition to the password that will be requested and keep it in a safe place.

I think you might be confusing something with private keys. Some wallets probably introduce another PIN-like feature that you need to input in addition to your password to make a transaction, but as mentioned above, a private key is not an additional choice, it is necessary. CMIIW.

[rat03gopoh]

- Password and biometric entries aren't automated. You use them manually to access your wallet.

Interested to be more curious, related to the recent "hacking" issue on the coinomi wallet (which I just remembered). I gave several possible causes, one of them:

Btw, the seed phrase can also be seen on the settings page right? simply use a password to access it (or biometrics if you enable it).

Since I don't use coinomi wallet, I tried my trustwallet and... bingo!!!, it really needs biometric authentication to access the seed phrase. Also, the crazy method that trustwallet offers: Gdrive backup 


Anyone who uses coinomi, does that also have the same way as trustwallet to access seed phrases?

[Welsh]

Since I don't use coinomi wallet, I tried my trustwallet and... bingo!!!, it really needs biometric authentication to access the seed phrase. Also, the crazy method that trustwallet offers: Gdrive backup  

The more I read about Coinomi wallet, the more I'm worried about its users. What does the manual backup do? Does it present you with the seed, and then ask you to write it down or is it trying to store a local backup, via storing it on your device? If it's the latter there's a whole lot wrong with that. The final straw is they've specifically stated they recommend both backup options "to help loss of crypto", but I honestly believe the way they're recommending to do it, puts it at even more risk.

Obviously, the fact that's closed source should be enough to deter most users from using their wallet, but I've seen it getting mentioned more, and more recently.

The software wallet (Electrum 4.3.2) hacking incident experienced by julerz12, what was possibly the cause?
This is exactly what I was worried about earlier in that you only need to enter your PK once at the start and let the password permit all your subsequent activities as long as you're in control of the device.

What do y'all think?

I'd rather input my password regularly, especially if it's a hot wallet, since that can be changed if you suspect that you've been compromised, compared to a private key that can't be changed, and therefore once compromised, will forever be compromised.

Although, if you suspect you've been compromised, I'd probably set up a new secure environment, and transfer to Bitcoin to the new securely generated wallet.

If you use a new device, essentially you're creating a new wallet, unless you export your old one and open it on your new device. Even if the latter is the case, you don't need to re-input your private key again afaik, just need your password/fingerprint/etc to unlock it. Of course, this assumes you use the same wallet again. That being said, most wallets use seeds nowadays, so that might be the better choice to back up.

Right, if you have your physical wallet file you don't need to input the private key, same goes when you import your seed to generate a new wallet. Usually, you don't even need your password or biometrics since it's like creating a new wallet with the same private keys.

[Pmalek]

Anyone who uses coinomi, does that also have the same way as trustwallet to access seed phrases?

I still have Coinomi installed on my phone from needing it several years ago. If you want to view your recovery phrase in Coinomi, you need to enter your password. Otherwise, you can't see it. I don't think the software has a biometric feature. I don't see it in the settings.

The wallet features two more privacy features:
- One disallows the phone to take screenshots while the Coinomi app is active. And it works.
- The second one is silly and makes little sense. It hides the balances in your wallet. The silly thing is you can enable/disable this feature with the click of a button. It doesn't ask you for your password.

[rat03gopoh]

What does the manual backup do? Does it present you with the seed, and then ask you to write it down or is it trying to store a local backup, via storing it on your device?

Nothing, just shows the seed phrase, no backup instructions to device storage. Btw, the Gdrive backup option appears only when accessing the seed phrase in online mode.

If you want to view your recovery phrase in Coinomi, you need to enter your password. Otherwise, you can't see it. I don't think the software has a biometric feature. I don't see it in the settings.

Thanks for clarifying this.

- One disallows the phone to take screenshots while the Coinomi app is active. And it works.

Well, it is also available on trustwallet only when the seed phrase is displayed.

- The second one is silly and makes little sense. It hides the balances in your wallet. The silly thing is you can enable/disable this feature with the click of a button. It doesn't ask you for your password.

Just to avoid stalkers or CCTV in public places I think, but it's not really safe to check your bitcoin balance outside of your home.

[aylabadia05]

If someone installs a software wallet (say a mobile wallet) and then sets a password or biometric security instead of using the private key frequently, isn't that the same as thinning the security layer of the asset itself?
Did the privatekey really function as a key asset guard all this time?

The password is only for accessing the app. For example, when someone tries to access our mobile wallet application, it is necessary to enter a password in order to be able to tamper with the contents of the wallet.
Whereas the private key and/or seed phase is to be able to access to our address if the mobile wallet app is lost. So by storing with a good level of security will be able to save our assets.

This is a common explanation that many people already know, but I just wanted to remind you again.