 |
August 27, 2014, 02:08:12 PM
Last edit: August 27, 2014, 02:20:54 PM by konknia |
|
As we all know, there has been a serious security risk for POS wallet to mine online. The Bter’s NXT theft occurred in August 15,2014 was greatly owing to the POS wallet’s online mining in case of unlocking apart from the Bter’s incompetence, and the hacker easily transferred 50m NXT away. We know that multiple signatures can improve the security of electronic wallet, unfortunately, considering simplicity of mining, nowadays there was no virtual currency to achieve mining with multi-signature addresses. If the design of electronic wallet employed multiple signature technologies, the hacker would had to possess the private key of both users and multi-signature center to transfer coins away.
Mining by adopting POS mechanism needs to send coins signed by private key, but such transaction is self-dealing. Obviously, there is neither risk for multi-signature center to give a signature directly to this type of transaction nor necessary of SMS certification for mining request sent by center, and only when you trade with others the SMS certification is needed.
Suppose there is a hacker attacking the user's wallet and getting the private key, you don't need to worry about it at the moment, because the hacker is still unable to take any transfer operation for the reason of that there is a private key still controlled in the multi-signature central server. As long as the hacker launched currency transfer request, the center will send a text message with a PIN number to the wallet holders to validate identities and such request will be invalid unless the hacker intercept and capture the user's SMS.
If the central servers were hacked and all private key leaked, on this occasion, the transaction request only with the central server’s private key also would not be recognized by the whole network since it is impossible for the hacker to acquire the most user client's private key (At least 51% theoretically). However, the odds of losing all private key are still very high for this kinds of wallet, such as BitGo’s current multi-signature wallet of web version, whose all private key saved on a central server. So it is very necessary to allow some private key left to clients to ensure the safety of the wallet completely.
Others were almost impossible to unravel users’ private key in central server apart from users themselves ( Unless a user password is too short can be guessed or brute force ) for the reason that the private key was encrypted by users’ another password. If the center found that hackers are constantly trying password, the center can remind the user to replace the login account or wallet address, even if hackers and multi-signature center staff know the user's login password, the center will send a verification code to the user's mobile phone to authenticate the identity again, such security mechanisms of central server confirmed that even the center staff can not use the server to obtain clients’ private key. As long as users and center replace multi-signature address regularly, the possibility of the theft of two private key simultaneously were reduced significantly.
Be sure to make a backup for your private key and central password soon after applying a real-name wallet successfully, or no one can retrieve the coins. However, the good news is that the Macoin official is going to develop a mechanism not only to retrieve the lost coins, but also to meet the demand of virtual currency inheritance.
If you are interested to learn more information, please visit:http://www.macoin.org/
Thanks.
|
