PYMNTS Crypto Basics Series: What’s a Crypto Wallet and How You Can Avoid Losing a Quarter Billion Dollars?

Bitcoin, blockchain and cryptocurrency are words that most people have at least heard of in 2022, as the industry exploded into the mainstream public consciousness.

Over the course of this series of articles, we’ll be delving into the basics of the industry, providing an introduction to crypto that will give you a solid grounding in the technology and a lexicon for its terminology — cryptographers should never be allowed to name anything the public will eventually need to know — in short, enough to understand what people are talking about and decide if you want to dive in.

What we are not going to do is talk about regulation, finance or investing — you’ll find that elsewhere on PYMNTS.com.

See also: PYMNTS Crypto Basics Series: What’s a Blockchain and How Does It Work?

See also: PYMNTS Crypto Basics Series: What’s a Consensus Mechanism and Why Is It Destroying the Planet?

There are many hard-luck stories in crypto, but few are as hard as Stefan Thomas and the $266 million digital wallet he cannot open.

Thomas is a programmer who was given 7,002 bitcoins by a client as a bonus for making an animated video, according to the New York Times, BBC News and about 16.6 million other sources if Google is to be believed. This was in 2011 when BTC briefly soared as high as $30 before ending the year at $4.25 — up more than 1,317%. At this writing, BTC is about $38,500. Math is not Stefan Thomas’ friend.

What happened? The short version is that Thomas stored his 7,002 bitcoins on an encrypted flash drive called an Iron Key, which protects your data from thieves by destroying itself after 10 failed password attempts.

Thomas has tried eight times at last look.

It’s a feature available on many modern crypto hardware wallets. They also provide a long, onerous way around that lockout — a randomly generated 25-word recovery phrase — if you bother to set it up.

So, a wallet is just a flash drive? No.

Well, no, for our purposes. You can store the key codes that let you send and receive cryptocurrency in a text file on a drive, or even write them down on a “paper wallet” kept in a drawer.

What’s a Digital Wallet?

The most basic answer is that a digital wallet is an app that stores and protects your cryptocurrency.

There are two core types of digital wallets for cryptocurrency: hardware, or “cold,” wallets and software, or “hot,” wallets. Each trades off security against convenience, and each has its benefits and drawbacks.

We’ll get into that in a moment, but first, let’s talk briefly about how cryptocurrency works. A bitcoin, an ether, a dogecoin, even an NFT, all use three codes: an address, a public key and a private key. The address is kind of a cross between a routing number and a bank account number. It’s where people send you bitcoins.

Then there are the two key codes, public and private. The public key is viewable by anyone and shows where the bitcoin or other cryptocurrency is. The private key is needed to send that crypto to another address — to spend it. The public key is then linked to a different address, and a different private key is created, making your old one useless.

So, let’s say you want to buy $100 worth of bitcoin. First, you need to open an account with a cryptocurrency exchange.

This can be pretty simple at a top exchange like Coinbase or Kraken. It’s not quick, however. They have to verify your identity for anti-money-laundering (AML) compliance, which can take hours. Then you send some money to that account from a bank or debit card.

(There are a variety of more complex ways, including wire transfers, but we’re not going that deep.)

Exchanges aimed at professional users can get far more complex. That’s especially true of decentralized finance, or DeFi, exchanges — known as DEXs — which have no centralized control and thus no tech support.

Now, you can leave it in your exchange account’s wallet, but it’s not in your wallet, so you have no control over it — the private keys are not in your hands. There’s a phrase popular among long-time crypto users: Not your keys, not your crypto.

Crypto kept in an exchange account is only as safe as the exchange’s security, and the crypto is only yours to the extent the exchange is honest. Now, most of the good ones either offer or require two-factor authentication (2FA) — a text to your phone or an app like Google Authenticator — or biometric authentication, like your phone’s face recognition.

Read more: PYMNTS Crypto Crime Series: The Tale of QuadrigaCX, Canada’s Longest Crypto Ponzi Scheme

Software Hot Wallets

Any crypto wallet is really just an app, usually on a mobile phone, although desktop versions are available, too. The basic difference between a hot and cold wallet is whether or not it is connected to the Internet. Software wallets all have encryption — generally very strong encryption — but they are always online. This means hackers always have the ability to access them and transfer your crypto to themselves if they have your wallet app password.

So phishing, malware, man-in-the-middle attacks, and various other hacking attacks are feasible, as well as old-school exploit hunting for flaws in the wallet app’s security.

That said, a hot wallet is a lot easier to use. You just open the app, connect to your exchange account and you can buy and sell with a minimum of fuss beyond (if you’re smart) a complex app password — although plenty default to a simple six-digit passcode — and good 2FA.

One thing they share with hardware wallets is that the recovery “password” tends to be huge — 25-word phrases that are randomly selected. The intention is to write these down rather than storing them on a hackable mobile or desktop.

Some are connected to an exchange — Coinbase Wallet is a highly rated one, and is a separate app from the Coinbase account app’s wallet. Others are standalone like Exodus, which appears in a lot of “best wallet” lists.

They’re also free or inexpensive, as opposed to hardware wallets, which run from $50 to $200 or more.

Hardware Cold Wallets

Hardware wallets are, as we said, specialized flash drives with a dedicated app, security software and sometimes physical security like buttons for a numerical code or fingerprint readers.

Hardware wallets are called cold wallets because there is no hot — meaning live — connection to the Internet. They are, in the security business’s term, “air-gapped.”

So, they cannot be hacked into except while online, and they are generally designed to be malware-proof, as there’s no way to install any other software onto the device.

And unlike Stefan Thomas’s Iron Key, they allow private keys to be recovered even from a lost or damaged device by entering the 25-word recovery phrase on a new model. Ledger and Trezor are two of the perennial top-rated brands.

That said, lose the recovery phrase — or get it hacked if you kept it on a computer — and any damage to or loss of the device is fatal.

They are susceptible to a different type of man-in-the-middle attack, however, if you buy one from an untrustworthy vendor who sends a fake. So buying direct from the manufacturer is a wise idea.

Then there’s the “$5 wrench” attack, named after this XKCD cartoon — which predates bitcoin but describes an attack that no cryptography can prevent.

The punchline: “His laptop’s encrypted. Drug him and hit him with this $5 wrench until he tells us the password.”

So, there’s that one last security measure: Don’t tell people you have a crypto wallet — hot or cold.