Preface
Once upon a long time ago, Sir Isaac Newton was sitting under an apple tree and something fell on his head. He looked down and, to his surprise, it was a metal backup for a seed phrase that Satoshi had placed in the tree. So he asked himself: exchange or hardware wallet? Instead of answering this crucial question, he went on to do useless stuff like studying gravity. The question has been left unanswered, until today.
Intro
Hello crypto lovers!
Recently I have seen numerous posts from both CHADS and BRADS regarding where the best place is to store your crypto - many masquerading as good points but actually shit posts. I decided to take it a step further by masquerading as a shit post but actually doing some research. Below I will discuss both hardware wallets and exchanges.
For exchanges, I will answer 3 basic questions. These cover how security was in the past, how security is at present, and what happens if something goes wrong. Here are the 3 questions:
- Have they been hacked in the past? By hacking, I do not mean an individual account getting hacked (due to the practices of the individual), but the exchange itself getting hacked.
- What do they do to secure your crypto/account?
- Do they have insurance?
For hardware wallets, I will answer 2 basic questions:
- Have they been hacked in the past?
- How secure are they? (Security features)
NOTE: This post is for educational purposes; it does not advocate for any method specifically, and if you read till the end you will see why. But 2 points must be stated:
- I have a bias towards hardware wallets (if you read the seed phrase part, you will see why) but I am attempting to speak impartially.
- If I have made a mistake, please tell me and I will fix it.
Let's get into it!
Analysis of Popular Exchanges/Brokers
Coinbase
Have they been hacked in the past?
- Coinbase has actually never been hacked in the past! This is great news considering that they have been around since 2012 and are now a publicly listed company.
What do they do to secure your crypto/account?
- Coinbase states that 98% of customer funds are stored in offline storage and sensitive data is disconnected entirely from the internet. Data is AES-256 encrypted (unbreakable by brute force with current computing power), then copied to FIPS-140 USB drives and paper backups. These drives and paper backups are then distributed geographically in safe deposit boxes and vaults around the world.
- Internal practices - each employee undergoes a criminal background check, and they are required to encrypt their hard drives, use strong passwords, and enable screen locking.
- SQL injection filters are used to prevent CSRF attacks (attacks that force a user to execute unwanted actions on a web application in which they are logged in, eg: tricking you into transferring your funds).
- Encourages use of strong passwords and 2FA - they allow 2FA through authenticator apps (eg: Google Authenticator). Great way to avoid SIM swaps.
- Whitelisting - this allows the user to designate addresses in an address book. Withdrawals can then only go to addresses in that book, making it difficult for hackers to take funds out if they get access to your account. Removing or adding addresses requires 2FA.
Do they have insurance?
- Coinbase has insurance that protects a portion of digital assets held across storage systems in case of theft, especially cyber security breaches. If breaches exceed insurance, total recovery may not be possible.
- Coinbase has insurance for US customers on fiat - up to $250,000 USD.
- The insurance policy does not cover losses resulting from unauthorised access to your personal Coinbase account due to a breach or loss of credentials.
Binance.US
Have they been hacked in the past?
- In 2019, hackers stole 7000 bitcoin from Binance. The funds represented a small fraction of Binance's holdings and came out of their hot wallets. Hackers also managed to get user information including 2FA codes. Binance covered the incident in full. Check it out here: https://www.binance.com/en/support/announcement/360028031711
What do they do to secure your crypto/account?
- Ok this was a huge issue, Binance is not transparent at all. I did some major digging, and every other exchange tells you exactly what their security measures are. I am not alone; here is a post from August 30th 2021 by Time.com stating the same thing (scroll down to the part about security): https://time.com/nextadvisor/investing/cryptocurrency/binance-us-review/
- I would urge them to be transparent.
Do they have insurance?
Kraken
Have they been hacked in the past?
- Kraken has never been hacked since its launch in 2013 and from multiple sources is considered one of the most secure cryptocurrency exchanges!
What do they do to secure your crypto/account?
- Hired a global team of top security professionals that has experience in building security programs for the world's top brands.
- 95% of deposits are kept in offline, air-gapped geographically distributed cold storage.
- They keep FULL reserves so that withdrawals are immediate.
- Their servers are in secure cages under 24/7 surveillance by armed guards and video monitors. Physical access and code deployment are strictly controlled. Nothing leaves without intensive review.
- Sensitive account info is encrypted at both the system and data level.
- Tests on their own servers are conducted by an expert team, and they offer a bug bounty program to the community to find broader security issues.
- 2FA
- Doesn't allow phone/SMS recovery - rules out SIM swaps.
- Interesting note: Kraken has developed "Kraken Security Labs" to test third-party services and products as well as their own, in an effort to help identify and publicise issues before they are exploited.
Do they have insurance?
- Kraken states that cryptocurrency exchanges do not qualify for deposit insurance because they are not classified as "savings institutions".
- Kraken actually encourages the use of hardware wallets and states that Kraken should not be treated as a wallet.
Gemini
Have they been hacked in the past?
What do they do to secure your crypto/account?
- The majority of customers' crypto is held offline in an air-gapped cold storage system. Only a small amount is in the online hot wallet. Note: air-gapped basically means not connected to the internet.
- Use of HSMs (hardware security modules) that have achieved FIPS 140-2 Level 3 or higher. You can see what that means here: https://en.wikipedia.org/wiki/FIPS_140-2#Level_3
- Private keys are generated on the HSMs and stored and managed there for their lifetime.
- HSMs are geographically distributed and stored in monitored, access-controlled facilities.
- Use of multisig - eliminates single points of failure and improves resilience against loss or compromise of individual keys.
- HSMs require coordinated actions of multiple employees to operate.
- 2FA.
- VERY INTERESTING: Gemini supports the use of hardware security keys via WebAuthn; you can use your USB security key (ie your hardware wallet) as a two-factor authentication method for signing into your Gemini account. From my research this doesn't mean you have to give them your seed phrase, but rather you can use the physical aspect of a hardware wallet (ie holding down the screen or button) as a method of 2FA.
- Whitelisting of approved addresses.
- For their cold storage, multiple signatories are required to transfer cryptocurrency out of cold storage system.
Do they have insurance?
- Hot wallet insurance.
- Cold wallet insurance - $200 million coverage, company states that this is the most out of any cryptocurrency exchange in the world. My research hasn't proven otherwise.
- Option to buy additional insurance.
Crypto.com
Have they been hacked in the past?
- Could not find evidence of hacking, great job!
What do they do to secure your account/crypto?
- Ongoing training of staff for security and privacy awareness.
- All transactions are monitored for compliance and a dedicated team is in charge of this process.
- An impressive 100% of cryptocurrencies are held in offline cold storage.
- Use of HSM.
- Use of multisig.
- Strict controls of access rights to funds in cold and hot wallets - making it difficult for a single actor to withdraw funds.
- Multi-factor authentication for accounts.
- HackerOne bounty program to find exploits and bugs.
Do they have insurance?
- $30 million USD in cold storage insurance against physical damage or destruction, and third party theft.
- US residents' USD balances on the exchange are covered up to $250,000 per FDIC insurance - fiat also cannot be claimed by creditors.
Robinhood
Have they been hacked in the past?
- Have had hacks in the past but not crypto specific, so I will omit it.
What do they do to secure your crypto/account?
- States that majority of coins are held in cold storage, some held on hot wallets to support day-to-day operations.
- Strict operational security when managing cryptocurrencies - eg: coin transfers require authorisation of a select group of people. The people who make up this group are rotated for added security.
- Security team at Robinhood routinely reviews code and infrastructure of their crypto.
Do they have insurance?
- Crime insurance that protects a portion of digital assets held against losses from theft and cybersecurity breaches. This does not cover individual users' negligence (similar to Coinbase).
- US residents' USD balances are covered up to $250,000.
Analysis of Popular Exchanges/Brokers - AUSTRALIA & NEW ZEALAND SPECIFIC
Swyftx
Have they been hacked in the past?
What do they do to secure your crypto/account?
- Says they supply a "robust security framework" - quite general IMO.
- Runs 24/7 customer due diligence (DD) programs to secure identity.
- Uses JWT tokens.
- Session expiry - ie it'll log you out after a while.
- 2FA.
- Checks whether your password has appeared in breaches on other websites.
- Undergoing external penetration testing (testing strength of their security).
- Implementing a least privilege security model (idea is that it's difficult for one person to withdraw company/customer funds).
- Integrated with Auth0 - specialises in cloud platform security to maintain the highest level of password and account safety.
Do they have insurance?
CoinSpot
Have they been hacked in the past?
- No evidence of hacking! Good job!
What do they do to secure your crypto/account?
- ISO 27001 certificate - an external audit was undertaken basically checking ALL aspects of security on the exchange and they passed. Very impressive.
- Vast majority (unspecified) of assets are in highly secure offline locations.
- 2FA.
- Session timeouts.
- Withdrawal restrictions.
- HackerOne bounty program.
Do they have insurance?
Independent Reserve
Have they been hacked in the past?
What do they do to secure your crypto?
- Core servers are held in two Tier 3 data centres - ensuring zero data loss should one site have an outage.
- Fully functional backup for data.
- All customer data is signed and encrypted multiple times using geographically dispersed keys, spread across four data centres.
- Vast majority of digital assets are held in cold storage. The cold storage is secured by multi-layer encryption and is stored in physical vaults in geographically diverse locations.
- Accessing vaults has high physical security requiring biometric authentication of all persons.
Do they have insurance?
- You can get insurance on their premium account service, which gives you the ability to insure from $20,000 AUD up to $5 million AUD. But you must pay for the service (depending on the amount you want to insure).
- No evidence of insurance outside the premium plan.
Easy Crypto (not exchange, a broker/retailer)
Have they been hacked in the past?
- No, but they don't hold funds.
What do they do to secure your crypto?
- Has 2FA on the account.
- No funds are held so understandable that not a huge amount of security in place.
Do they have insurance?
- Their trades are guaranteed. They state that there is NEVER a risk of losing funds while using their platform. From the time they receive the customer's payment until the order is delivered, Easy Crypto fully guarantees the safety of funds.
Analysis of Hardware Wallets
For hardware wallets, the focus is similar but the insurance question is removed as individuals can sort out their own insurance. I will focus on the 4 major hardware wallet providers - Ledger, Trezor, ColdCard, KeepKey.
Ledger
Have they been hacked in the past?
- A security flaw discovered in 2018 basically allowed resellers to update the devices with malicious code, then siphon the private key and drain users' crypto accounts. This has been fixed. Read about it here: https://krebsonsecurity.com/2018/03/15-year-old-finds-flaw-in-ledger-crypto-wallet/
- In 2020, Ledger fell victim to a cyberattack where malicious software was installed on one of their servers. It was technically impossible to assess the severity of the data breach.
- The data taken was mainly customer personal information from their e-commerce and marketing database.
- Importantly: NO LEDGER DEVICE WAS HACKED DIRECTLY, AS LEDGER DOES NOT HAVE YOUR SEED PHRASE, SO DON'T PANIC IF YOU HOLD A LEDGER DEVICE. But many customers received phishing emails, and it is likely some fell victim to these, gave away their seed phrase and as a result got compromised.
How secure are they?
- Offline storage.
- Ledger claims to have the only certified hardware wallet on the market. Ledger's wallets are certified for security by the ANSSI, the French cyber security agency.
- Ledger wallets integrate a certified chip, designed to withstand sophisticated attacks.
- Ledger wallets have their own custom OS (BOLOS) to protect against malicious attacks and isolate apps from each other.
- Security seals on packages to avoid tampering.
- Root of Trust - every time a Ledger device performs a critical action at the firmware level (such as updating the OS or installing or removing apps), an HSM sends a challenge to the device (a randomly generated number). This is a way of asking the device to prove its genuineness - the device does so by providing the correct signature for the challenge. If the device cannot prove its genuineness, the server blocks it. You can read more about it here: https://www.ledger.com/a-closer-look-into-ledger-security-the-root-of-trust
- Physical confirmation before transfer of funds.
- Passphrase security - this is a password added to your 24-word recovery phrase. The passphrase protects your assets if your 24-word recovery phrase is compromised, meaning the attacker will need your seed phrase as well as your secret passphrase.
- Ledger's seed phrase is compatible with BIP-39, so if Ledger ever ceases to exist, then your funds will not be lost.
- Physical button.
Trezor
Have they been hacked in the past?
- No confirmed hacks.
- A hacker claimed to have information on Trezor's customers, but this was never confirmed and Trezor believes it to be a false claim.
- Kraken claims that they used specialised hardware to hack into Trezor devices. The trick allowed an attacker to read critical wallet parameters, including the private key. You can read more about it here: https://cointelegraph.com/news/trezor-wallets-can-be-hacked-kraken-reveals
- NOTE: on the above point, the attack requires physical possession of the Trezor device, which must be opened, and extremely specialised hardware. Not sure if it has been "patched", but there are no reported cases of this happening.
How secure are they?
- Offline storage.
- The BIP-39 phrase is never remembered nor stored on the device.
- The bootloader verifies the firmware signature - firmware runs only if correctly signed by SatoshiLabs. If the signature is invalid, the bootloader erases the device memory.
- All operations involving the private and public keys function only after user authentication via PIN.
- Passphrase security - this is a password added to your 24-word recovery phrase. The passphrase protects your assets if your 24-word recovery phrase is compromised, meaning the attacker will need your seed phrase as well as your secret passphrase.
- The Trezor hardware case is ultrasonically welded, making it difficult to restore after it is broken open (ie a third-party seller cannot tamper with it and then sell it).
- PIN code protection against brute force - the waiting time between PIN attempts doubles every time a wrong PIN is entered.
- Trezor is compatible with BIP-32, 39, and 44 wallets. So if Trezor shuts down, you can still access your funds. Also, all of Trezor's code is public meaning that developers can maintain it and add new functionalities.
- Physical button.
- They are transparent on the issues they have faced in the past, you can see them here: https://trezor.io/security/
ColdCard (Bitcoin Only)
Have they been hacked in the past?
How secure are they?
- Offline storage.
- They are sent to you in a tamper-evident bag.
- PIN code as main defence (has a seed phrase too) - without the PIN, there are no backdoors, hints or alternative ways to get into the ColdCard.
- Passphrase security - this is a password added to your 24-word recovery phrase. The passphrase protects your assets if your 24-word recovery phrase is compromised, meaning the attacker will need your seed phrase as well as your secret passphrase.
- Bank-grade secure element (SE) with partially/fully closed-source firmware - the idea is that an attacker cannot exploit a system they have no knowledge of.
- Incremental time delays between PIN attempts.
- Even if the PIN is brute forced, SHA-256 along with a TRNG offers further protection: the search space is then 2^256.
- Air-gapped.
- Physical button.
KeepKey
Have they been hacked in the past?
- No confirmed hacks.
- A hacker claimed to have hacked their marketing and website servers, but this was never confirmed.
- Kraken said they could crack the device (same method as for Trezor), but KeepKey has denied this.
How secure are they?
- Offline storage.
- PIN protection against unauthorised use.
- Passphrase security - this is a password added to your 24-word recovery phrase. The passphrase protects your assets if your 24-word recovery phrase is compromised, meaning the attacker will need your seed phrase as well as your secret passphrase.
- Number randomisation - the KeepKey wallet randomly shuffles the number layout used to enter your PIN from time to time, to prevent malware from copying your code, using it and gaining access to your digital assets.
- Physical button.
- Seed phrase.
What does ALL this mean for the CHADS and the BRADS?
As I stated from the start, I have a bias, but I am not choosing sides. The battle can end here: the most popular methods are safe from hacks and malicious actors, and your funds are safe either way, but each method has some advantages and disadvantages.
A message to the exchange CHADS
On face value, it seems that the exchanges win and are safer! This is not exactly true. I analysed popular exchanges, but the list is not exhaustive; exchange hacks happen far more often than you think - there have been 52 known hacking events. You can see the timeline here: https://cryptosec.info/exchange-hacks/
But you guys are not as far from the BRADS as you might think. Even these popular exchanges, although they may not say so outright, probably secure your funds in cold storage, and it's safe to assume that they likely use the services/devices of the popular hardware wallet providers. For example, Crypto.com states that they are partnered with Ledger.
You also have to admit that there is still the issue of a central service controlling your funds and, more importantly, your withdrawals. When shit hits the fan, some may stop you. Read some articles from the recent dip in May where users of different exchanges/liquidity pools experienced website crashes and withdrawals being disabled.
A message to the hardware wallet BRADS
Hardware wallets are pretty secure, actually damn secure, but not foolproof. Also, having funds on an exchange doesn't mean you are screwed. Typing "not your keys, not your coins" won't automatically win you an argument - I know some of the OGs who witnessed Mt Gox may say otherwise, but the research shows that many of the biggest exchanges do care about the funds and some are even insured.
I'm on your team, but we have to be practical.
Reconciling the CHADS and the BRADS
So BRADS, CHADS, here we are. It seems that both of your methods are actually quite secure, but of course black swan events are always possible (never forget Murphy's Law!).
But I found a huge issue and a HUGE liability in both exchanges and hardware wallets. It's......... YOU. Yes! You! You are the biggest risk to your cryptocurrency; all these different security checks and functions won't save your funds from you. So I offer you some advice.
Advice for the exchange CHADS
- Enable 2FA on your account - ideally you want to use 2FA application such as Google authenticator rather than your phone number; this avoids the risk of a SIM swap.
- Enable whitelisting for addresses.
- Check for malware on your computer.
- Never respond to phishing emails - exchanges will never ask you for your password.
- Check if your email has been compromised, if it has, don't use it - https://haveibeenpwned.com/
- On the email itself, you should have a recovery email and 2FA enabled for extra security.
- Do not reuse passwords - don't use the password for your Miniclip and Runescape account for your exchange account. (Side note: I am currently trimming rune armour at the Grand Exchange for free if anyone is keen).
- Don't use dodgy exchanges to avoid fees or for better returns - if an exchange promises 90% APY on your elonrocketcoin then it's probably not legit.
- Ideally, have a computer that doesn't run Windows just for your crypto - THIS IS FOR GIGA CHADS ONLY.
Advice for hardware wallet BRADS
- Don't give your hardware wallet to anyone (even without PIN, Seed Phrase or Passphrase).
- When buying a hardware wallet, make sure the anti-tampering seals on the device are there and if possible, buy directly from the official website rather than a third party. Saving $30 from a third party, may not be the best if you end up losing all your funds.
- Do not hold your seed phrase, PIN or passphrase digitally or on perishable material such as paper; stamp or engrave it onto metal or use another metal backup device.
- !!WARNING: SELF PROMOTION AHEAD!! I have a business that sells 204 grade durable stainless steel plates. They come in a variety of colours and pre-orders are available in October 2021. Check us out at www.testudo.co.nz or search up TESTUDO crypto on google and it should be the first result.
- Here is a list of metal back ups and their strength: https://jlopp.github.io/metal-bitcoin-storage-reviews/
- Do not put your seed phrase next to your hardware wallet device. This is stupid.
- When sending or receiving crypto, make sure that you check the first 5 letters/numbers of the address and the last 5 letters/numbers of the address to ensure that they match with whoever you are receiving from/sending to. If you see that it's different or changing, you may have clipboard malware.
Mini note: For CHADS that want to be BRADS
Many of you that hold your crypto on exchanges want to transfer it to a hardware wallet but are too scared to do so. That's fine, but understand that it's a very simple process. Transfer a little bit of crypto first so you can get some mental confirmation that it does work! I know that gas fees are huge on some cryptos, so grab a small amount of a crypto with small transaction fees (NANO or XLM for example) and practice with that!
To be a CHAD or a BRAD?
It's personal choice! You decide what you like to do based on the information provided. I think that if you are just a HODLer, become a hardware wallet BRAD: you can control your funds and keep them secure. But if you are someone who trades, participates in liquidity pools, and moves funds a lot, then it's probably a better idea to be a CHAD, because you can avoid significant transaction fees from moving your funds from a hardware wallet to an exchange and vice versa.
But what if I told you that you could be both? OMG!!! You can hold some of your crypto on the exchange (the ones you want to move around and trade etc) and have your HODL bag in a hardware wallet!
But in the end, it's up to you and what you prefer.
Conclusion/TLDR
CHADS and BRADS, neither of you are correct nor incorrect. The main issue comes down to individuals not practising basic security in regard to their crypto holding medium. Crypto is still a financial wild wild west - you asked for decentralisation, you got it. Now it is up to you to secure your bag. Remember, insurance on an exchange doesn't mean that you will be safe from everything - they won't cover a single SAT lost through your own ignorance. Keep your funds safe guys. Cheers.
And of course:
https://i.redd.it/rnr70zpptml71.gif