Wallets & Security

This article is a translation of the German IOTA Beginner’s Guide by Schmucklos.

Important note: IOTA is a very young technology and therefore a very high-risk investment. Please only invest money you are willing to lose. IOTA may well drop to 0 $, so the investment could be completely lost.

General security tips

The new Distributed Ledger technologies allow financial freedom like no other technology before. Users are now their own bank. But being your own bank also means a high degree of personal responsibility. Various security measures must be taken to make it difficult for hackers to access your assets.

These security measures already start with basics such as your email address. Please create a separate email address which you use exclusively for the purchase of cryptocurrencies. The e-mail provider should also be chosen carefully. The privacy of most providers is zero: everything is read, analyzed and sold. I can recommend the e-mail provider ProtonMail from Switzerland. They also offer their service for free with limited storage etc. For our purposes this is sufficient.

You should also pay special attention to your various passwords. Please use a different password with every service provider, and under no circumstances use the same password for both your e-mail inbox and your account with the crypto exchange. For password management I can recommend the free open-source password manager KeePass.

Wallets

Before buying MIOTAs on an exchange you should deal with the safekeeping of your newly bought MIOTAs. Access by third parties to your assets should be avoided at all costs. Under no circumstances should you leave your balance on a crypto exchange, because in this case you do not hold the seed (private key) and are entrusting a third party with your balance. If the exchange itself is hacked, everything is gone.

Your IOTAs are not stored in a wallet and certainly not on your computer. All balances are stored in a database (the Tangle). This database is stored in countless copies distributed over the network on the IOTA nodes. Your IOTA wallet only manages addresses; you can delete the wallet at any time and reinstall it later. A wallet is just a “browser” that retrieves data from the database (Tangle) to show your balance. Your transactions are “signed” with your private key. This signed data is distributed in the network and checked. If everything is in order, the sent amount of IOTAs is credited to the recipient’s address and stored in the database (Tangle).

Before using a wallet, please take a detailed look at how it works. If you make any serious mistakes, your MIOTAs will be lost. Even after the first purchase I recommend sending a small amount of IOTAs (1 IOTA is enough) back and forth between different accounts to get familiar with the use of the wallet.

Different types of IOTA Wallets

Desktop Wallet: This wallet is located on your computer. This assumes that you protect your PC properly, because it offers a relatively large number of attack points for hackers, for example via compromised emails or links. Currently I recommend using the official Trinity Wallet and getting it only from the official website. This wallet has already passed external security audits and is under constant development. In the future the wallet will get further features such as a messenger function.

The IF published in its blog that the Trinity Wallet has been audited by the world’s leading cyber security company SIXGEN. Ethan Dietrich, CEO of SIXGEN: “We have reviewed the security of the Trinity Wallet and found that it has a low risk of compromise from external threats. It is clear that the Trinity team takes security very seriously and has applied best practices in the development of the wallet”.

Note: Do not use online seed generators under any circumstances. Some users have already bitterly regretted using them. The Trinity Wallet now has a built-in seed generator, so no one has to rely on external tools.
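The point of the note above is that a seed must be generated on your own machine from a cryptographically secure random source, never requested from a website. The following Python snippet is an added example (not code from the original guide or from the Trinity wallet) that shows what such a local generator does, plus a format check that catches transcription errors when a seed is typed back in from a backup. It assumes the classic IOTA seed format of 81 characters drawn from the tryte alphabet A–Z plus the digit 9; that format is an assumption of this example, not something the article states.

```python
import secrets
import string
from typing import List

# Assumed seed format: 81 tryte characters, each one of A-Z or '9'.
TRYTE_ALPHABET = string.ascii_uppercase + "9"
SEED_LENGTH = 81


def generate_seed(length: int = SEED_LENGTH) -> str:
    """Generate a seed locally from the operating system's CSPRNG.

    secrets.choice is backed by os.urandom. Nothing about the seed is
    sent anywhere, which is exactly what an online generator cannot
    promise: whoever runs the website may keep a copy of every seed.
    """
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(length))


def is_valid_seed(seed: str) -> bool:
    """Return True if the seed has the expected length and alphabet."""
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def transcription_problems(seed: str) -> List[str]:
    """Describe what is wrong with a seed typed in from a backup.

    A lower-case letter, a '0' written instead of '9', or a dropped
    character are all caught here before the seed is ever used to sign
    a transaction, so the user can recheck the backup instead of
    sending funds from the wrong (empty) seed.
    """
    problems: List[str] = []
    if len(seed) != SEED_LENGTH:
        problems.append(f"length {len(seed)}, expected {SEED_LENGTH}")
    bad = sorted({c for c in seed if c not in TRYTE_ALPHABET})
    if bad:
        problems.append("invalid characters: " + ", ".join(repr(c) for c in bad))
    return problems


if __name__ == "__main__":
    seed = generate_seed()
    print("generated seed is valid:", is_valid_seed(seed))
    # Constructed example of a mistyped backup: lower-case first character.
    print("problems with mistyped seed:", transcription_problems("a" + "B" * 80))
```

The generator is deliberately nothing more than a loop over `secrets.choice`; there is no network access, no logging and no third-party service involved, which is the property that matters. The format check is what a wallet should run before accepting a seed entered from a paper or steel backup, because a seed with a single wrong character is simply a different, empty seed.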

Update Apr’20: In spring 2020 the Trinity Wallet was compromised via the third-party module Moonpay (the protocol itself is OK). Tokens worth about 2 million Euro were stolen from various wallets before the IF shut down the coordinator to stop the ongoing theft and secure the users’ funds. As a result, the coordinator remained offline for nearly 4 weeks. The Moonpay app was removed from Trinity, and David S. compensated all affected users from his private assets. According to the IF, this hack should not have happened in this way. The complete investigation of the incident was communicated very transparently and consequences were drawn immediately: a new senior developer with a focus on wallet security was hired, and further security audits (possibly external) became mandatory. PS: Users who had secured their tokens with a hardware wallet were not affected.

Smartphone Wallet: Again, the official Trinity Wallet is the first choice. It can be installed directly from the respective stores. From a security perspective, this wallet should only be used to manage small amounts of money. Your cell phone is relatively easy for a hacker to crack.

Web-based Wallet: The Spark Burner Wallet is such a wallet. Please do not handle large sums of money with it.

Browser extension: Pegasus is installed as a Chrome extension. Please do not handle large amounts with it.

Paper wallets consist of a printed sheet of paper containing a cryptocurrency address and a private key, often also encoded as a QR code. The advantage of a paper wallet is that it serves as cold storage, meaning that it is not connected to the Internet and therefore cannot be hacked remotely.

With a paper wallet your funds are safe until you use a computer. If the computer you use to access your funds is compromised and you enter the private key from the paper wallet, your accounts could be hacked and your funds stolen. If you lose the paper wallet and have not made a backup copy, there is no way to restore access to your currency. It can also be quite tedious to get the paper wallet out of hiding for each transaction and enter the private key manually on the computer. With the Trinity Desktop version you can easily create a paper wallet. Please avoid printing your paper wallet on a public printer; these store data and can be read out.

I wouldn’t use a paper wallet and I can’t recommend it to a newbie as this requires that your computer is not compromised (key logger etc.).

Hardware Wallet: A hardware wallet is a physical device that stores the user’s private keys offline and securely (cold storage). Hardware wallets contain a special security chip that stores the seed (private key). This stored key never leaves the device; not even the owner knows the stored keys. To access the wallet a PIN code must be entered on the device, which means that even transacting on a compromised computer is more secure. Although each transaction is entered on a computer through dedicated software or a browser, the signing itself is encapsulated in the device and performed by the hardware wallet. If the hardware breaks down or is lost, you can still access your currency by entering the previously written-down recovery code (24 words, in a specific order) on a new device. Hardware wallets such as the Ledger Nano S or X are mandatory when managing larger amounts of money.

Please pay attention to the following points when buying a hardware wallet:

  • Only buy directly from the provider, e.g. Ledger. Never buy from Amazon or eBay (too many unknown persons may have had access to the wallet).
  • If there are traces of use on the package or on the hardware wallet itself, please do not use it and return it.
  • Is the paper for the seed (24 words) already filled out? If so, please do not use it and return it.
  • If the device is already pre-configured and asks for a PIN code when first switched on, please do not use it and send it back.

How to store the seed correctly?

How can the seed or the recovery code (24 words) of the hardware wallet be protected against theft, environmental influences and loss?

In the following I will write down a few points that everyone should keep in mind:

  • Paper is not a good idea. It can be damaged over time by external influences such as water or fire.
  • Please use weatherproof solutions like https://easy-passphrase-saver.de/ or similar.
  • Store the seed in a safe place, e.g. a bank safe deposit box or a proper safe.
  • Do not make the seed available to any other person, even if they ask for it directly in order to “help” you with problems.
  • Do not store your seed in a cloud or online.
  • Do not photograph your seed.
  • Do not print your seed. Printers store data and can be read out.
  • Do not enter your seed into a cell phone.

Original source

https://iota-einsteiger-guide.de/wallets-sicherheit.html

Last updated on 16 February 2021