Unpacking Digital Assets Storage with CER Wallets Security Rating (AMA Recap from June 1)
Welcome to our insightful AMA recap focused on the upcoming Wallet Security Rating by CER and the state of digital assets storage.
The discussion delves into the pressing question of whether our digital assets are at risk when stored in wallets. Learn about the importance of continuous security improvements for wallets, the limited adoption of penetration tests and bug bounty programs, the surprising performance of underdog wallets, and the significance of wallet backup and hardware integration. Gain valuable knowledge to make informed decisions about the security of your digital assets.
Kostyantyn Oleshko, Product Manager of CER, presents compelling insights, revealing security gaps in crypto wallets and highlighting the safest options available. Mr. Fantastic, the Community Lead at Hacken, asks questions.
Mr. F: Let’s address the fear of losing all our keys and digital assets. Are our digital assets truly at risk?
K: Our research shows that 70% of crypto wallets have security gaps, including missing features and insufficient measures. Interestingly, mobile wallets on iOS and Android are currently the safest options.
Mr. F: Which wallets are the most secure? Are the top wallets neglecting security assessments?
K: Rather than mentioning specific names, we aim to raise awareness and emphasize the need for continuous security improvements in the industry. We are working on visualizing our data and upcoming reports on wallet security.
Mr. F: What about the well-established wallets? Are they neglecting security assessments?
K: Only a few out of the top 50 wallets undergo regular penetration tests. Additionally, just 32% of these wallets have bug bounty programs. Only 10% of wallets have a reliable security rating.
Mr. F: It’s alarming that only 10% of wallets have a decent rating. What about lesser-known brands?
K: Surprisingly, some underdog wallets outperform established brands, emphasizing the importance of prioritizing security and functionality over brand recognition.
Mr. F: Are the most established wallets more secure due to their years in the market?
K: Well-known wallets are generally more mature and undergo more audits, but they may lack certain security features and innovations found in newer wallets.
Mr. F: How did you gather this information, and what criteria did you use for evaluation?
K: Our methodology considers wallet backup methods, customer security features, bug bounty and penetration tests, and incidents. Incidents negatively impact the security rating, up to a 20% decrease depending on the severity and the team’s reaction.
Mr. F: How many wallets run regular penetration tests and bug bounties?
K: Only six wallets perform penetration testing, with just two undergoing regular tests. Around ten wallets undergo some form of auditing.
Mr. F: Do bug bounty programs contribute to higher security?
K: Bug bounty programs are valuable for enhancing security and incentivizing continuous checks for vulnerabilities. Wallets offering acceptable rewards increase the chances of successful hacks.
Mr. F: How do security incidents impact a wallet’s security rating?
K: If a wallet experiences a breach, its score decreases by a maximum of 20%. The severity and the team’s reaction are considered. Incidents over two years old don’t impact the rating.
Mr. F: Can hardware wallets be integrated with online wallet solutions?
K: Most extension wallets support hardware wallet integration, ensuring secure storage of private keys.
Mr. F: How easy is it to back up your wallet?
K: There are self-custody and third-party custody backup options. Self-custody backup, with a seed phrase written down, is more secure. Third-party backup requires careful examination of the flow to avoid vulnerabilities.
Mr. F: How did you gather such vast data without becoming overwhelmed?
K: It was a challenging task, but thanks to the Trust Army and our team member Dima, we were able to accomplish it. Dima can provide more insights into how we collected extensive data on wallets.
D: Gathering this data was no easy feat. The Trust Army serves as the basis of CER. To aggregate statistics and analytics, we needed to collect comprehensive information on each project. That involved a thorough analysis of official sources, documentation, and using the product itself. For wallet reports, decentralized data gathering on our platform played a crucial role. Users from different levels performed missions multiple times, providing diversified information. Validators then verified the data, checking its accuracy against a mathematical formula developed by our team. Approved reports underwent detailed analysis on CER. It’s a complex process managed by our platforms.
Mr. F: Impressive. How much time and manpower does it take to gather all this data? Can you tell us about the team behind it?
D: Let me refer to the experience of the better version of TrustArmy. We had around 2,000 participants, with approximately 700 successful contributors. As for validators, we currently have a select group of five individuals who meticulously verify thousands of reports. These numbers give you an idea of the substantial effort involved in producing the final information you see. We are actively expanding our community and increasing decentralized data gathering. So, there is a significant amount of work and a dedicated team behind it all.
Mr. F: Skipping my seed phrase during MetaMask registration was a mistake many people make. “Not your keys, not your crypto” applies to wallets as well. Are there any advanced privacy features wallets can have?
K: Firstly, be cautious with pre-scheduled PC setups that might gather your IP address and transaction information. Some wallets support privacy coins like Zcash and Monero, offering shielded or private transactions. There are also services like mixers that can anonymize your transactions. Check privacy features if privacy is crucial to you.
Mr. F: Leaving no footprints is important, but some find it compromising. Simple steps like writing down private keys can work. Wallets aim to ensure even lazy users can regain access. But the statistics on top wallets worry me. Any info on their security audits?
K: Only 10 out of 50 wallets publicly disclose security audits, and the quality varies. Some audits only cover cryptography, neglecting other crucial aspects. No wallet has undergone a full-scope audit of all its features.
Mr. F: Shocking! How about wallets with strict password guidelines? Weak passwords are common. How many wallets enforce strong passwords?
K: Only 10 out of 50 wallets have strict password policies. PIN codes can be brute-forced within seconds. Strong passwords are necessary for transaction authentication.
Mr. F: Few wallets indeed. Maybe banks are more secure. What about biometric authentication? How many wallets support it?
K: About 50% of mobile wallets support biometric authentication, which is relatively easy to implement.
Mr. F: It’s eye-opening. Think twice about where you store your money. The revelations should make you reconsider your approach. Can wallets be integrated with hardware wallets?
K: Half of the wallets support integration with hardware wallets, providing users with that option.
Mr. F: Here, at least, we have something. What about backing up? Ledger allows users to back up their accounts and wallets with third-party services. Is it safe?
K: Backing up with third-party services can be safe if it follows authentication security criteria. That includes something you are (biometric), something you know (email or password), and something you have (hardware or mobile device). A fully secure flow requires accessing multiple assets, making it difficult for hackers. It’s safe if the recovery flow is complex and requires accessing multiple assets.
Mr. F: Great. We’ve covered the main questions today, and the security conditions in app wallets are not reassuring. Let’s move on to audience questions. The first one is about persuading people to feel safe using digital wallets. What steps should be followed?
K: First, check for audits and bug bounty programs. Look for reputable web services that have undergone security audits. Convenience is a major advantage of digital wallets. Understand the backup flow, whether that’s a simple seed phrase or a more complex process. Consider the security features you need, like hardware wallet integration. Make sure operations are restricted until a backup is made.
Mr. F: Definitely. Now, a question about the seed phrase. Is it the best security solution?
K: I believe that a seed phrase is the best solution, as it gives me control over the backup process. I write it down on paper and store it securely. However, new wallets offer alternative backup practices like biometric backup or social recovery with trusted friends. It depends on individual preferences.
K: I’ll interrupt you to mention that we have conducted a backup security assessment on CER. Users can visit the website to check the security options by different wallets and determine if they provide easy access restoration in case of losing the seed phrase.
Mr. F: Moving on to the next question, which is one of my favorites: How can I protect my cryptocurrency wallet from malware or hacking attempts?
K: To protect your wallet, start by ensuring a secure environment on your laptop. Use an antivirus program, and keep your browser and mobile applications updated. Often, users get hacked due to issues on their laptops, like opening malicious files that install malware. Be cautious with unreliable VPN services as well. Focus on securing your environment first. Regarding the wallet itself, on CER, we show you the transactions the wallet asks you to sign. Always check what you’re signing and read the human-readable description provided by the wallet.
Mr. F: Absolutely. Now, let’s address the next question. Are there any legal requirements or accreditations that prove the security of a crypto wallet?
K: No, there are no established requirements or accreditations from regulators specifically for crypto wallets. Regulated crypto services may have auditing requirements, but for non-custodial wallets, there are no such regulations in place.
Mr. F: Alright. Now, onto the next question. Are there any lesser-known methods for backing up and maintaining a cryptocurrency wallet? Maybe there’s an effective yet disregarded method. Do you know of any?
K: Yes, there are some backup methods where only email access is required. However, if a wallet only relies on a pin code and the keystore file is stored in the email, a hacker can gain access to the wallet by acquiring the keystore file. So, if a recovery option solely relies on email, it should be considered carefully. Additionally, taking a screenshot of the seed phrase during the setup process is a popular but unsafe method.
Mr. F: Fair enough. I’m not ready to rely solely on email access for my Bitcoin. That was just a joke. Please continue.
K: Also, be cautious when receiving private keys or phrases via email. If the only backup option is a keystore file and the wallet doesn’t prompt you to set up a secure password, it’s an unpopular and insecure backup method.
Mr. F: Makes sense. Now, let’s talk about the advantages and disadvantages of offline cold wallets, speaking of security.
K: There aren’t many disadvantages to using cold wallets. The main advantage is that the private key is stored only on your device and is not easily extractable unless you willingly expose your seed phrase. There are multiple layers of security, such as physical approval of transactions and transaction description verification. However, the main concerns are potential loss, damage, or theft of the cold wallet. Carrying a visible cold wallet could make you a target for malicious individuals. Backup flow can also be a challenge, as physical storage is required. However, if you choose to type your seed phrase in an insecure space, a hacker only needs to steal it to gain access to your funds, regardless of whether you use a hardware wallet or not.
Mr. F: That’s a great point you raised about cold wallets and the potential compromise of personal security when typing seed phrases. It’s important to emphasize that simply typing and saving the seed phrase as a text or chat message is not enough for proper security.
K: Absolutely. One crucial aspect of maintaining security is to update your software regularly. New attack vectors emerge in the market every day, and what may have been considered secure in the past may no longer be the case. Security updates enhance the overall security of your wallet application. Wallet providers should stay updated with security trends and continuously add new features and layers of security to protect users’ assets. While it may not be a vital requirement, regularly updating your cryptocurrency wallet software is a good practice to adopt.
Mr. F: Noted, that’s valuable advice. I hope this addresses the questions from the chat. We’re approaching the end of our discussion, and I want to express my gratitude to you, Kostyantyn, for sharing such insightful feedback. And a big thanks to Dmitry for organizing and facilitating this AMA session. Thank you, everyone. Are there any exciting updates or juicy information those people should look forward to?
K: Absolutely. We have strived to cover key points, and you can find and analyze them in our wallet security rating on CER. It’s an extensive dataset that will provide answers to many questions regarding wallet security and the safety of your assets. In addition to the topics we discussed, our rating will address other important questions. Can a hardware wallet be integrated with the wallet you use? Do wallets offer secure backup options? Do wallets enforce strong password requirements? Does the wallet prompt you to back up your seed phrase or private key before use? This is a crucial precaution. How responsive is the wallet’s customer support? How many cryptocurrencies does the wallet support? Users often want to know which cryptocurrencies they can store in their wallets. And lastly, how many secure recovery options are available? So, stay connected with CER, join Trust Army, and stay tuned for more updates.
Mr. F: Awesome, that sounds great. Thank you very much, Kostyantyn, for your valuable insights, and thanks to all the participants. Dmytro, any closing words from you?
D: Thank you for inviting me, and a big thank you to everyone who joined us. It has been a pleasure sharing this discussion with you all.
Wallet Security Rating by CER is scheduled for the next week. Stay tuned for the announcements on our official channels.