While Coinmama makes it easy to buy amounts of bitcoin (BTC), new users are often unsure about how to secure their Bitcoin once bought. While the cryptography behind Bitcoin protects it against counterfeiting and hacking at the protocol level, the security of Bitcoin wallets remains largely the responsibility of users. While this may sound daunting, the upside is that it allows a diligent user to achieve a very high level of security; easily surpassing the reliability of a bank or trading account.
This guide describes the various types of Bitcoin wallets from a security perspective, allowing users to select the most appropriate wallet for their storage requirements. As a general rule, the higher the monetary value of the bitcoin (BTC) owned, the more resources should be invested in security. Our guide also covers the common types of errors and attacks which are responsible for the majority of coin losses.
Web and Exchange Wallets
If you’re new to Bitcoin and don’t yet have a wallet, then you won’t be able to receive any coins which you buy from Coinmama. For this reason, on our Help page for wallets, we explain how to set up the ZenGo mobile wallet and the Exodus mobile or desktop wallets. These guides will allow you to quickly and easily create a free wallet.
Note that all Bitcoin wallets are free, with the exception of hardware wallets. If you later wish to sell the Bitcoin you bought and live in a SEPA country, we’ll be happy to buy it back from you – see our Sell page for details. However, if you live in a different region or want to sell another cryptocurrency, you’ll probably need to join up with a centralized exchange. Bitcoin wallets allow you to send, receive and store coins but most don’t allow you to buy or sell coins within the actual wallet; for this a trading partner of some kind is required; such as an exchange.
Exchange wallet falls within the broader category of web wallets; Bitcoin wallets which are provided via a third party website rather than hosted on your personal computer, phone, or tablet. Online wallets are very convenient, as they allow you to login from any device with internet access. The downside is that they force you to trust the website to hold your bitcoins securely, exposing you to custodial risk. As web wallets – particularly exchanges – hold large amounts of user funds, they’re often targeted by criminals. The largest losses in crypto history have been due to web / exchange wallet failures, so we certainly don’t recommend them for the long term storage of bitcoins.
On the user side, the security of web wallets depends on keeping one’s login details secure. Never share these details with anyone. Web wallet support staff will never request these details, so any such request, whether by email, phone, or even in-person, should be considered an attack.
If an attacker discovers your username and password then, absent any further protections, they’ll be able to sign into your account and drain all funds. As asking for such details raises suspicions, attackers often create so-called “phishing” sites to trick users into revealing sensitive information. Phishing sites are malicious clones of real sites, designed to resemble the real site in terms of appearance, functionality, and domain name.
For example, you may receive a spoofed email apparently from the Binance exchange, urging you to log in to your account. The email format and logos will likely closely resemble prior, genuine emails from the exchange. Invariably, there’ll be a link in the email pointing to a deceptive domain, such as https://www.b1nance.com – and it’s easy to overlook the sneaky substitution of a “1” for an “i.” As soon as your login details are entered into the fake phishing site, they’ll be used by the attackers to access your account on the real site.
To defeat phishing attacks, only access sensitive sites via bookmarks in your browser – never links in an email or on a website. Also, you should enable Two-Factor Authentication (2FA) on your web wallet. This is a security measure which requires you to authorise logins and / or transactions on a device separate from that used to access the web wallet. The most common and convenient form of 2FA is a verification challenge sent to your phone.
Google Authenticator and similar apps are supported by most web wallets and represent a far more secure form of 2FA than systems which rely upon SMS replies. Sophisticated attackers may highjack your phone number and so intercept and reply to a verification SMS, whereas Authenticator would require attackers to gain physical control over your phone.
Note that email verification is considered a very weak security method, as email accounts are routinely compromised and their contents are often visible to employees of the email service. We strongly recommend employing 2FA via the Authenticator app. Please ensure that you’re familiar with the recovery procedure should you lose or damage your second factor device.
Software wallets eliminate trust in the honesty and competence of a third party custodian but require the user to take responsibility for their own wallet security. For those new to computing in general, certain aspects of software wallet security will likely prove challenging.
There are two major types of software wallet: full and light.
Full wallets such, as Bitcoin Core, will download the entire Bitcoin blockchain when first run, a process which takes between hours and days, depending on internet connection speed. By default, full wallets save the ever-expanding blockchain to the hard drive, although a limit, known as pruning, may be set on how much data to store. Full wallets pull blockchain data from multiple network peers, which virtually ensures that they receive accurate information.
Light wallets, such as Electrum, don’t download and sync the blockchain but rather rely on remote servers to do so. This saves time and hard drive space but does introduce a degree of trust in the server’s accuracy and honesty. The server will also learn which addresses the light wallet monitors and so be able to deduce the wallet’s balance. As far as we’re aware, reputable light wallets have yet to suffer any significant loss of funds through receiving false information from malicious server. Nevertheless, such wallets are considered less secure than full wallets as they do expose some of your crypto activity.
Storing coins in a software wallet largely eliminates custodial risk. However, two significant threats remain: user error and malware.
The most common user error is failure to create proper backups of a wallet’s private key (“privkey”) and password, if any. Private keys are what allow any type of Bitcoin wallet to spend the bitcoins associated with its receiving address(es). Modern wallets, whether full or light, will generate a random private key during initialization and display it to the user, in the form of a seed phrase, for backup purposes.
A seed phrase is a human-friendly representation of the private key; usually the seed is a list of 12 or 24 distinct words. These words must be accurately recorded in the proper order. The wallet’s full BTC balance may then be recovered into any other compatible wallet by correctly entering the seed phrase. Although _ pen and paper recording is easiest, a more enduring solution, such as engraving or stamping the words into stainless steel, is recommended. Specialized seed phrase storage products exist for this purpose.
However you choose to record the seed phrase, it’s vital to keep your backup private and secure. You can apply traditional security measures, such as hiding it or storing it in a safe or bank vault. Note that you can make multiple backups of your seed phrase to store in multiple locations. It’s also wise to make some provision to share the location of your seed phrase backup with your next of kin, in the event of your passing.
Additional to your seed phrase is your wallet password. Note that standard wallet passwords can be bypassed by restoring your wallet from the seed phrase. However, passwords which are encoded into the private key itself – essentially forming an extra, custom word in the seed phrase – cannot be bypassed. Either way, you should include your password as part of your seed phrase backup(s). It’s also recommended to test the recovery of your wallet, ideally on an always-offline device, to ensure the accuracy of your backups before storing any significant funds on the wallet.
You never know when fire, theft, flood, hardware failure, or some other disaster could strike. Any number of problems could make it impossible to access your Bitcoin wallet. Prepare for the worst by making good backups, ensuring that you study the process in depth to avoid costly errors and oversights.
Although the forkcoin craze has died down, over 75 forks of Bitcoin occurred in the past couple of years. Certain forks require your Bitcoin wallet’s private keys to be entered into a website or forkcoin wallet in order to be claimed. It goes without saying that this is a major risk as a malicious site or app could easily steal your coins once it has your privkey.
If claiming forkcoins, always first move all your original bitcoins to a new wallet, for which you’ve created at least one secure and tested backup, as described above. Provided your bitcoins have been safely transferred to a new wallet, there’s nothing left for a malicious forkcoin to steal (except your old wallet’s private keys, which could be used to steal other forkcoins. For this reason, we recommend claiming forkcoins in order of decreasing value).
Software and web wallets are vulnerable to various forms of malware, including but not limited to:
- Key loggers, which can record any data entered via the keyboard into apps or sites. Key loggers can easily steal your passwords. Software key loggers can be detected and neutralised, but a hardware key logger is more difficult problem. Avoid entering any login details into public or untrusted computers to minimize the risk of your keystrokes being recorded.
- Man-in-the-middle attacks, which can intercept data transmission over a WiFi connection. It’s best to avoid connecting to any sensitive accounts over public WiFi. Even private networks can be spoofed.
- Clipboard hijackers, which can replace any Bitcoin addresses which you copy and paste with similar-looking addresses belonging to an attacker. Always check at least the first and last 5 characters of a Bitcoin address; the more characters the better. After a while, this checking will become habitual.
- File scanners, which can scan your hard drive for sensitive wallet files and upload them to an attacker. Keeping a good antivirus program updated is probably the best defence against such attacks.
One way to manage the threat of malware is to dedicate a clean computer to the use of Bitcoin. Install a Bitcoin wallet, as few other software packages as possible, and keep the operating system updated. When not in active use, the system should be disconnected from the internet and other machines. As Bitcoin has low resource requirements, an old or inexpensive machine is suitable for this purpose.
Mobile wallets, such as Samourai, are essentially software light wallets for a phone or tablet. They also employ seed phrases for backup and suffer from similar malware vulnerabilities as regular software wallets. However, mobile operating systems are far more susceptible to malware, as neither they nor their apps are designed with security as a priority. For this reason, we would recommend that users not store more than “walking-around money” on a mobile wallet.
If the above threats to the security of your prized bitcoins all sound a bit overwhelming, don’t worry. There’s a fairly simple way to manage all of these risks, known as a hardware wallet. These are small, specialized mini-computers which plug into your computer or mobile device. Hardware wallets make it easy even for inexperienced users to achieve a really high level of security, provided they use the device according to its instructions.
The primary purpose of a hardware wallet is to randomly generate and then securely store the private keys which control the bitcoins in a web, software, or mobile wallet. As the private keys can never leave the hardware wallet, there’s no way for even the worst malware to steal them. As for physical theft, hardware wallets are set with a PIN code, without which a thief is unable to gain access. Should the device be lost, one can restore the wallet’s contents via a seed phrase, as with other wallet types.
The only real downside to hardware wallets is that, unlike other wallet types, they’re not free. Standard hardware wallets can be purchased from trusted manufacturers like Trezor or Ledger for around $100. Beyond Bitcoin, hardware wallets can also store multiple altcoins and tokens. If your crypto balance is sufficient to justify the outlay, we highly recommend investing in the security of a hardware wallet. While hardware wallets aren’t entirely bulletproof – a technically sophisticated adversary with the proper equipment could probably steal your bitcoins if they take possession of the device – they reliably protect users against 95% of common attacks. It is still necessary to check Bitcoin addresses against the clipboard hijacking attack however.
One caveat to heardware wallets; in light of the unfortunate events that occurred in 2020 involving the hacking of Ledger’s client database, we would recommend ordering a hardware wallet through a company’s name and address, if at all possible. It’s also always best to order any hardware wallet direct from the manufacturer, as a reseller on an auction or similar site may have tampered with the device with the intent of stealing any coins you transfer to it.
Bitcoin security is a serious and complex matter. The optimum way for the average user to protect their coins is to invest in a hardware wallet and use it in conjunction with a trusted software or mobile wallet. Storing coins on exchanges or web wallets is asking for trouble, and should be avoided for significant amounts. We also recommend that you devote some time to studying secure storage solutions before you buy Bitcoin from Coinmama, or anywhere else.