Should Bitcoin Users Trust Hosted Wallets?

hostedwalletfeat
17 August 2014

In bitcoin’s early days, there were not many options for storing coins: users had to download the Bitcoin-QT client to keep the cryptocurrency.

That way, the platform storing the wallet provided as much security as the user required, with the option of keeping the client offline and encrypted – away from prying eyes searching for private keys.

In the past few years, though, bitcoin has moved off the PC desktop onto web services and mobile wallets. And many of these hosted wallets, as they are called, are managed by a third party.

Users relying on hosted wallets are, in essence, depending on third-party trust to safeguard their coins. However, hosted wallets are not created equal. So users must ask the question: can I trust a particular provider to properly store my bitcoin?

Will O’Brien, CEO of wallet technology provider BitGo, told CoinDesk:

“Ultimately, as bitcoin gains adoption, consumers will trust a wallet provider to be a custodian of their funds. But that trust should not be blind faith.”

Shattered expectations

One of the reasons there is a healthy dose of skepticism in the bitcoin community towards hosted wallets is because of past breakdowns in trust from some providers.

Mt. Gox is an obvious case in point, where its slow decline eventually meant users could not withdraw bitcoin from their wallets, followed by the exchange’s total collapse in February 2014 and the loss of those trapped funds.

In another example, last year, wallet service Inputs.io suffered an attack where hackers stole $1.2m from users.

Kent Liu, co-founder of Purse.io, said:

“I’ve heard users say, ‘Hey, I rather trust – insert company – than to trust myself with securing my BTC’. After all, that’s exactly what banks do with our dollars, and no one complains about that.”

However, he believes that cases like Mt. Gox provide good reason for users to take care when placing trust in hosted wallets.

“If a user chooses a hosted wallet, he [or she] essentially transfers the security liability to the service provider,” he said. “The two major vulnerabilities are hacking – since centralized wallets are more desirable to hack ­– and theft/negligence of the wallet service.”

To the next level

The good news is that there are companies pushing bitcoin wallet technologies to the next level, fostering a rethink about what a wallet really is.

“With multi-signature, the wallet keys can be distributed across multiple institutions so you don’t have one single point of failure,” said O’Brien.

BitGo, in particular, recently raised $12m from investors to develop multi-signature technology for wallets. This improves both key control and security – something that bitcoin users in the future might demand from hosted wallet providers.

The business model for BitGo is to focus on providing enhanced wallet security and provisioning options, selling that technology as a product to other companies looking for powerful and secure wallets. 

Growing choice

Today, there’s an array of wallet options to choose from. The Bitcoin.org website, for example, offers recommendations for different platforms.

People are no longer tied to the original QT desktop client by any measure. While that is liberating and enabling, though, it also brings important decisions that a user must make.

One thing people should consider when choosing a wallet is whether or not they want control of their bitcoin address’s private keys.

This decision could also depend on what specific use the wallet is destined for: is it for regular spending, or primarily for saving?

“We use a system similar to Coinbase: small hosted wallet, large cold wallet – Purse is considered a ‘fast’ spending wallet,” said Purse.io co-founder Liu. His startup allows people to purchase bitcoin through Amazon buyers, and simultaneously allows its users to spend BTC on the e-commerce giant at a discount.

Liu added that an online, or ‘hot’, wallet is ideal for situations where transactions are constantly moving around. Many companies use this internally to ensure enough freely available bitcoin for quick transactions, while keeping the majority of their funds stored in a safer ‘cold’, or offline, wallet.

Cold wallets could be considered similar to a traditional bank’s fiat savings account, while hot wallets are the checking (or current) account.

Private keys are key

Going forward, control of the private keys might be most important users’ wallet security – no matter if it is hosted or not.

“Every user can protect their coins using public key cryptography and initiate transactions by signing with private keys only they control,” say Johann Barbie, a co-founder of SMS-based wallet provider 37Coins.

In fact, it may a slight distortion to call 37Coins a wallet company – at least when Barbie explains exactly what the company does:

“We provide a service that secures wallet transactions through multi-signature and second-factor verification. One key is kept with the partner, one key with 37coins and a third one with a legal entity for backup.”

That sounds like an ideal wallet situation, one many experienced bitcoin users might appreciate. Problem is, most new bitcoiners are not  fully up to speed on bitcoin wallet technology.

In those cases, users won’t care if they don’t have control over their keys, or if transactions are being done on- or off-block chain, which is in and of itself a contentious subject for some.

Blockchain.info is one company that does not store private keys – and now has over 2m wallet users. Blockchain is one company that does not store private keys – and now has over 2 million wallet users.

Jaron Lukasiewicz, CEO of New York-based bitcoin exchange Coinsetter, says that his company has built in-house wallet tech for cold storage and manual withdrawal reviews, among other security measures.

He believes in the importance of users finding the wallet solution that best suits them. Consumer-facing solutions might just be good enough to get started, for example. But those trying to protect larger amounts of bitcoin need to do their research, or at least find someone to investigate the right option for them.

“Every wallet provider is different, and the best way to understand which is suitable for one’s needs is to read documentation released by the provider and to understand the technology behind it,” Lukasiewicz said.

He added that, ultimately:

“Trust is created when the wallet’s technology is matched by the people running it.”

Bitcoin technology image via Shutterstock