Storing Cryptocurrency: What the Hot and Cold Talk is About

When it comes to traditional forms of money like the dollar or other national currencies, there are a dozen ways to pay for things even if you walked out without your wallet. In a 2017 Bank of America Trends in Consumer Mobility Report, more than three in five Americans said that they use mobile banking apps, and they’re not just reserved for the young and tech-savvy — adoption is apparently “strong across all generations.”

While the majority of the world is already familiar with cashless options, especially credit cards, the idea of using cryptocurrency is still a relatively new concept for many. More specifically, people may find it hard to wrap their heads around how exactly cryptocurrency transactions occur in the blockchain and why we also need wallets for them.

Drawing parallels with more mature solutions developed for traditional money, we might be able to imagine how security in the cryptocurrency realm should and probably will evolve. Your mobile banking apps, for example, are integrated with a combination of security features:

• Internet banking providers heavily invest in the security of their apps, integrating anti-keylogger, firewalls and anti-viruses to guard against mobile banking trojans.
• Because the phone itself is a physical device, it can function similarly to an OTP token, allowing for two-step verification by requesting temporary PIN codes delivered to a registered phone number.
• And all this is in turn possible because you’ve registered for a phone plan, and your identity has been verified by a telecom company.
• Depending on phone capability, biometric authentication may also be activated.

However, when dealing with cryptocurrencies, there’s no bank or central authority to assure proper verification in the way that it exists for traditional money. Therefore the liability for keeping your account guarded is fully on you and the wallets you choose to utilize.

Do you feel safer when banks implement various layers of checks to verify your identity before authorizing changes to your account? While it can be tedious, some of those checks may be worth retaining when it comes to securing your digital (cryptocurrency) wallets as well. To evaluate them, we must first understand how cryptocurrency transactions work.

A primer on cryptocurrency transactions

In any blockchain transaction, a few basic processes must take place:

1. Transaction requests are broadcast to the blockchain network

2. Transactions are validated by the network

3. Validated transactions are stored in a block and added to the blockchain

The very first process is typically initiated with the cryptocurrency wallet. And if the entire first process can be facilitated by this wallet, it’s very likely to be a “hot” wallet. Now it all seems a little confusing at this point, but no worries because things will get clearer soon.

In order to request a transaction, you can imagine that a few pieces of information are required: where the currency should be pulled from, how much of it, and where it should go. So of course there is a wallet address from which balance will be deducted, and a wallet address where the balance will be increased by the same amount. Those wallet addresses are the sender’s and receiver’s public keys, which have corresponding private keys.

What makes blockchain transactions so useful is the element of nonrepudiation (where there’s proof of integrity of the data provided) enabled by these keypairs. Every transaction is valid based on the assumption that by verifying your possession of the private key, we can know that the transaction has been made by you and only you. If you signed the transaction with your private key (a fact verifiable by anyone who checks it) and if it corresponds with your public key, it shows that you approved of the transaction.

So as you can see, the ownership of your cryptocurrencies is solely tied to the possession of your private keys. But at the heart of it, protecting unauthorized use of both traditional money and cryptocurrencies depend on the same processes of verifying information deemed to capture your identity. The need for multi-factor authentication isn’t negated by the sophistication of blockchain technology because data breach threats still exist even if data integrity threats don’t.

The difference between “hot” and “cold”

So, back to the confusing mention of a “hot” wallet. When you purchase cryptocurrency off an online exchange, your new digital wealth is attributed to you at your newly generated wallet. This is a hot wallet — hot by virtue of being connected to the Internet at all times. Moreover, your private keys are likely stored by the exchange provider.

This sets many on the edge because with all the hacking going on against cryptocurrency exchanges these days, keeping your keys on an exchange is hardly safe. So instead, people opt to store their keys locally on a desktop or a mobile phone app.

But while you may feel that your private key is safe because it’s in your hands, you’re still technically using a hot wallet. The only difference is that your private key isn’t somewhere out there on a third-party server. That’s important because, even if you aren’t holding on to a huge amount of cryptocurrencies, hackers aren’t deterred — they look at the overall value of breaching the entire exchange. But trojans like the CryptoShuffler can also affect software and so, of you care about your cryptocurrencies at all, you’re most likely going to want to keep it largely locked down in “cold” storage. This would mean in paper or hardware wallets.

By taking your wallet offline, a cold wallet can help you avoid the myriad of vulnerabilities that plague the web. However, cold wallets aren’t exactly suited for the same uses as hot wallets. In terms of receiving money, where only your wallet address (public key) needs to be communicated and not your private key, cold wallets are just as convenient. Making payments on the other hand, is a lot more inconvenient when it comes to cold wallets.

For example, let’s take popular hardware wallets like the Ledger and Trezor: they have to be connected by USB in order to initiate a transaction. This means that it takes more than an Internet connection to make any payment — you’ll need a connected device with a compatible port. If your credit card could only be used when connected as a USB, you’d still be carrying cash in your wallet wouldn’t you? The limited form factor of cold wallets on the market hinder their use in a myriad of daily transactions. Just imagine having to lug your laptop to the counter to pay for coffee.

Furthermore, while safe from digital threats, your hardware or paper wallets need to be kept safe from physical theft and damage (think destroyed in a fire, flood or everyone’s nemesis: your plain old washing machine).

In any case, hardware wallets may not be as infallible to tampering as you’d think. Ledger claims to be a hardware wallet that enables you to perform transactions safely even on compromised computers because the private keys never leave the wallet during transactions. However, memory chips in hardware wallets may be a point of weakness, as demonstrated by presenters at DEFCON 25 who hacked a Trezor wallet, and manipulated it to dump passphrase data.

Where security improvements can be made

If we take a look at today’s internet banking as well as other identity management systems, two-factor authentication, biometrics, OTP tokens and the like have already been widely employed. While the Trezor and Ledger wallets enforce physical possession of the wallets by making it necessary to hold down two buttons to approve of any transaction, biometrics and OTP technology have yet to be integrated into mainstream cryptocurrency wallets.

Increasingly, society is progressing towards making payment methods as seamless as possible (some even posit that humans themselves might become payment methods with advancements in biometrics). With governments in India and Marshall Islands planning to regulate crypto exchanges by centralizing trader and transaction records and integrating them with biometric ID systems, it’s not hard to imagine other countries taking a similar path. Therefore, it makes sense for cryptocurrency wallets to also step up security in proportion and integrate biometric verification features. In fact, cryptocurrency that comply with KYC (Know Your Customer) and AML (Anti-Money Laundering) requirements already exist on the market which integrate biometric identification, so a race is bound to ensue for wallets to follow.

So practically speaking… what kind of wallets do we need?

If Goldilocks were picking out a cryptocurrency wallet the way she chooses her porridge, she wouldn’t have sounded very crazy at all.

Since cryptocurrency transactions have to take place online, information necessary for these transactions need to be communicated in some way to a connected device or terminal. Between a hot wallet that’s always connected, and a cold wallet that generates a transaction request offline, perhaps a good middle ground would be a somewhat hypothetical “warm” wallet that allows both offline “cold” storage and convenient “hot” payment akin to wielding a credit card. We’re still awaiting for the arrival of such a solution — though it might not take long.

But for now, it’s not uncommon to come across advice to use hot/cold wallets in combination. Keeping small amounts of cryptocurrency in your hot wallet for easy spending like your current account at a bank, storing bigger amounts in cold wallets like how you would do with your savings account.

It could seem like too much work but that’s actually the kind of distributed solution many of us currently utilize to manage our money with a bank. However, adopting a range of wallet types to suit different use-cases for your digital assets will help maintain the checks and balances that banks traditionally provide to secure access to your money. Take some time to analyze what kind of wallets you’ve seen on the market, and whether they’re as secure as they claim. You might be surprised to find that it’s not always what it seems.